I’m surprised how many technically knowledgeable people on Internet forums still think IPv6 is some niche, unreliable thing.
In my direct experience, in the USA, at least Spectrum, AT&T, and Xfinity (Comcast) still run IPv4, of course, but they also have IPv6 working and on by default on their home internet offerings.
All mainstream computer and mobile OSes support it by default and will prefer to connect with it over IPv4.
‘Everyone’ in many areas is using it. For many of us, our parents are using Facebook and watching Netflix over it. Over 50% of Google’s American traffic is over it. It just works.
T-Mobile, a major phone provider, runs an ISP which is IPv6 only. That is, your phone never gets an IPv4, unless connected to WiFi. They offer home access points with a 5G modem and a router; the external address is also IPv6 only.
It works plenty well. I access everything accessible via IPv6, and the rest through their 464XLAT, transparently.
My LAN still has IPv4, because some ancient network printers don't know IPv6. OpenWRT on my router supports IPv6 just fine. Of course I do not expose any of my home devices to the public internet, except via Wireguard.
If the service area is the same, it's probably tunneled. You'd be surprised how much tunneling ISPs use. They're not connecting your network directly to their network.
For example, I recently attended the IETF meeting in Montreal, which offers a by default v6-only network. My Mac worked fine, but my son's school-issued Chromebook had glitchy behavior until I switched to the network that provided v4.
Sounds like exactly the sort of thing the IETF's IPv6-only network is trying to shake out.
I went to IETF a few years ago and ran into issues on their IPv6 only network because I host some stuff from home, and my residential ISP doesn't support IPv6 at all. It made me really want to get all that fixed.
My problem with IPv6 is that my ISP (Xfinity) won't give me a static prefix, so every now and again it changes.
Unlike IPv4, my LAN addresses include the prefix, so every time they change it, all my LAN addresses change.
Combined with the lack of DHCP6 support in many devices, this means reverse DNS lookups from IP to hostname can't be done, making identifying devices by their IP essentially impossible.
I think you’re conflating multiple things there. There’s nothing magical about IPv4 that gives your LAN addresses stability when your ISP changes your IP prefix. That’s provided by your router doing network address translation. You send a packet from your address which is 192.168.0.42 (a local address), and your router changes the bytes in the packet so that it comes from X.Y.Z.W (your router’s public address). If you really wanted it to, your router could do the same thing for IPv6.
IPv6 also has local addresses, but a lot more of them. Anything starting with fd00::/8 is a local address with 40 bits available as the network number. So you can set up your local network with the prefix fdXX:XXXX:XXXX::/48 (where the Xs are chosen randomly) as the prefix and still have 16 bits left over for different subnets if you want. These addresses do not change when your ISP changes your public prefix.
And if you want to add reverse DNS for SLAAC addresses then just have your router listen for ICMPv6 Neighbor Announcement addresses and use them to update your DNS server as appropriate. Or configure your servers to use stable addresses based on their MAC address rather than random addresses (which are better for privacy), and then just configure the DNS as you add and remove servers.
You register addresses based on Router/Neighbor Advertisements in NDP. In your RA, you'd point it to your DNS server, which would then handle registration when hosts check in with their new IP addresses.
For IPv6, multiple addresses on an interface is the norm: an interface has both a public address from your ISP (replacing IPv4 NAT) and a unique local address (replacing stable IPv4 RFC 1918 LAN addresses).
My ISP will route as many /64s to me as I want (I think I get a /48 by default; I guess if I want more than 64k subnets I’d have to justify it).
So I don’t have the changing IP issue. I do however have an issue if I want to change ISP, as it’s a whole mess of rules to update rather than a couple of DNS entries and two dst NAT rules (one per public IP).
I believe the idea in v6 is that you have multiple prefixes on the same network, including a local fc00::/7 one for local services. Layers and layers of things to break.
Using Openwrt which pretty much all home routers are built on, all I have to do is tell my router which offset to give my subnets from the prefix and it does the rest.
Both for subdividing up the prefix from the ISP and my ULA prefix I use for internal devices.
I have changed ISPs I think 3 times with no ill effects. Plus it works when my ISP occasionally gives me a new prefix.
The only tweaking I had to do was when I went from an ISP that gave me a /48 to one that only gave me a /56. I had been greedy and was handing a /56 to my internal router. I changed that to a /60 and updated its expectations about which subnets it could hand out, and all was good.
But I expect two layers of home routers without NAT is a bit of an exception.
Nope, you're on a LAN, and usually the router has a firewall that blocks inbound connections by default. Some OSs (like Windows) also have their own by-default firewalls that block connections from hosts on different networks out of the box.
Urgh I wish it were like that here in Australia! We have a fast, modern fiber internet connection in inner Melbourne. But my ISP still doesn't support IPv6 at all. I file a ticket about once a year, and I'm always met with more or less the same response - essentially that there's no demand for it.
I'd love to test all the internet services I host to make sure everything works over IPv6, but I can't. At least, not without using a 4to6 relay of some sort - but that adds latency to everything I do.
I just checked - apparently my ISP is "evaluating IPv6" because they're running out of IPv4 addresses and want to use CGNAT for everyone. I suppose it's not the worst reason to switch to IPv6. But they've been making excuses for years. I really wish they'd get on with it.
Myeah... I've had weird issues on my network that I could only resolve by disabling IPv6. Granted, it's probably my fault, but if everything still works fine with IPv4 that's fine to me. One day I will get into it and learn how it works and maybe I'll get it figured out... One day...
Random guess: PMTUD? Like on v4, some people fuck up their PMTUD and are incapable of realizing or fixing it, so you have to have some kind of workaround.
If setting your client machine MTU to 1280 (`ip link set mtu 1280 dev eth0` or equivalent) magically fixes it, that's your problem.
Corporate laptop won’t work (their version of Windows seems to require an IPv4 address on an interface, not sure if that’s a Windows thing or a them thing).
Doesn’t remove the need for NAT - my wired ISP might be able to BGP with me, but my backup 5G won’t, and when I want to choose which to send my traffic through with PBR that means NATting.
My router doesn’t support 64, so I have to use my isp’s which is speed constrained compared with native 4. Ok that’s on my setup. Haven’t tested my 5g provider and where 64 occurs, I’d hope in their network, but how do I configure my dns64.
Still need to provide v4 at the edge and thus 46 nat so I can reach internal v6 only servers from v4 only locations
Perhaps lots of that is because my router doesn’t do 64, but again that just shows that v4 is still essential. I haven’t found a single service that’s v6 only, so if I have to run a v4 network (even if only as far as a 64 NATting device) why bother running two networks, doubling the opportunity for misconfiguration and thus security holes. Enabling dual v6 on my IoShit network would allow more escape routes for bad traffic, meaning another set of firewall rules to manage. Things like SLAAC make it harder to work out what devices are on the network; many end user devices are user hostile now and keeping control of them on v4 alone is less work than on v4 and v6.
> Doesn’t remove the need for nat - my wired IsP might be able to bgp with me, but my backup 5g won’t, and when I want to choose which to send my traffic through with PBR that means natting.
Yes, it does. You just have each of your routers (wired and 5G) advertise the /64 prefix delegated by each of your ISPs. Your hosts will self-assign a v6 address from each prefix.
To control which link the traffic uses, you just assign router priority in the router advertisement (these are all standard settings in radvd.conf).
> Things like SLAAC make it harder to work out what devices are on the network
Again, not true. If you really don’t trust your devices, then DHCP isn’t going to save you. Malicious hosts absolutely can self assign an unused v4 address, and you’ll be none the wiser if you just look at your DHCP leases.
> Yes, it does. You just have each of your routers (wired and 5G) advertise the /64 prefix delegated by each of your ISPs. Your hosts will self-assign a v6 address from each prefix.
> To control which link the traffic uses, you just assign router priority in the router advertisement (these are all standard settings in radvd.conf).
Have you done this? Did it actually work for you?
When I tried it, clients would regularly send to router B with an address from router A, and often ignore the priorities. As I understand the RFCs/client behavior, the router priority field is only relevant if multiple prefixes are in a single advertisement, otherwise most recent advertisement wins.
Once you need to aggregate the advertisements, you may as well NAT66, cause it will be easier.
>their version of windows seems to require an ipv4 adddess on an interface
Could be DirectAccess, Microsoft's earlier built-in VPN solution before Always On VPN. DirectAccess works only with IPv4 inbound, so you can't use an IPv6-only stack. Under the hood it uses a combination of v4-v6 transition and translation protocols, but it still requires the Windows client machines to have IPv4 addresses.
If you can run PowerShell commands on the laptop and if "Get-DnsClientNrptPolicy" returns some DirectAccessDnsServers then it's DA laptop.
For consumer traffic, you're probably right. In data centers, cloud computing, and various enterprise networking solutions, IPv4 is still king. I'm sure IPv6 would work fine in all these use cases, but as long as many large tech companies are not exhausting the CIDR ranges they own (or can opt for using private ranges) there is no impetus to rework existing network infrastructure.
The underlay might be v6, but that doesn’t change the fact that people heavily use v4 for the actual workload traffic (i.e. the cloud computing part). EC2 VPCs still default to v4 only last time I checked.
I had working IPv6 in the past, but currently I seem to have no working IPv6. Using Xfinity. I have access to some servers at a friend's place in another city, pretty sure he also doesn't have IPv6. Maybe some phone calls would sort it out, but when "everything" still works (with IPv4), it's hard to care.
That is really bizarre, because I have Comcast and I find their IPv6 support excellent. The only complaints I have are that I wish you could get bigger than a /60 prefix (a /56 would be nice), and that I wish it was feasible to get a static prefix as a residential customer. Granted you said you don't really care to fix it, but if that ever changes I do think you could get them to fix it pretty easily. IPv6 is one of the things they generally do right.
CenturyLink, an ILEC, only offers IPv6 using 6rd gateways. The IPv6 throughput is a fraction of IPv4 and has much higher latency. During peak times, the 6rd gateway saturates, forcing me to stop advertising the prefix to restore internet access. It has been this way for years.
It is also impossible to report IPv6-specific outages. CenturyLink technical support is the worst of the worst, with agents utterly incapable of doing more than pushing a "check ONT" button on their end and scheduling a technician visit with a multiday window. If you ask them for the 6rd configuration information, they act like you're speaking an alien language.
Even among their technicians, IPv6 knowledge is rare. Imagine the guy installing hundreds of dollars of gigabit fibre equipment at your demarc staring at you like an idiot because you spoke two extra syllables between "IP" and "address". I'd think the term "IPv6" is chatbot poison if it weren't for the fact it's a human physically in front of me.
The result is their service is effectively IPv4-only.
I had CenturyLink CPE that would crash when a fragmented IPv6 packet transited it. That was fun :P. They're also all in on PPPoE and at least on my VDSL2 line, didn't enable RFC 4638 (baby jumbos) to get back to MTU 1500. Pretty happy to be on muni fiber now (although the installation cost was huge).
Ya my router has to do tagged PPPoE through the ONT even though I pay for a static /28. At least I don't have to also do RIP for the subnet like Xfinity requires.
Interestingly, if I pay for their IPTV service the internet side becomes a bare ethernet port over which I can do DHCP for the upstream interface and number the downstream subnet out of my /28.
I have debated paying for TV service as a sanity fee.
There are some obvious caveats that make IPv6 migration impossible for most users:
1. IPv6 bridges are not practical at scale, which means the best case is dual-use protocols for a decade (or more), which no one wants to support.
2. Actual implementation MUST be ubiquitous (it never will be). Some examples: Glo Fiber in Virginia, where I can get pfSense assigned an IPv6 address, but there is usually no upstream gateway (meaning that if I disable IPv4, I will not have internet). I say usually because of the four times I've checked, once I did get assigned a gateway, which was unresponsive even to ICMP.
Starlink Roam - assigns IPv6 but no bridge, so if you disable v4 you lose access to most of the internet.
Frontier FiOS in Florida - does not support IPv6 at all on my node. I have seen business nodes in Orlando/Tampa assign addresses with bridging, but again, without browser or DNS translation it's not a practical solution.
3. 'Everyone' is not using IPv6; everyone plugs in or logs into a device that has whatever network stack it has. Those users are not suddenly going to jump through hoops simply to avoid CGNAT and get a unique network address.
4. Infrastructure: I have two modest half racks on the east coast at decent-sized datacenters (esolutions and peak10); neither of those hosts offers IPv6 routing blocks by default. No provider I have gotten quotes from offers IPv6 by default.
For example, I recently attended the IETF meeting in Montreal--practically the epicenter of v6 thinking--which offers a by default v6-only network. My Mac worked fine, but my son's school-issued Chromebook had glitchy behavior until I switched to the network that provided v4.
I'm "niche" - but I had issues with WireGuard being able to connect me through IPv6 to a v4 endpoint. Other than that I spent most of my time on v6 and, as you said, it just works.
I don't like how these companies dictate standards. It's always the case, but they do spend a great deal of money making sure practices morph into standards.
Microsoft Word DOC. Due to the market dominance of Word, it is supported by all office applications that intend to compete with it, typically by reverse engineering the undocumented file format. Microsoft has repeatedly internally changed the file specification between versions of Word to suit their own needs, while continuing to reuse the same file extension identifier for different versions.
Your goalpost already moved from "IPv6 just works" to "IPv6-only just works" though. ;)
In all seriousness, I have IPv6 enabled and GitHub works just fine for me. Though at a slower speed sometimes because the IPv4 CGNAT is heavily congested in my area.
This! I guess a good number of tech people will have IPv4 home networks long after their non-tech parents, neighbors and friends will be using IPv6 (without even knowing it).
IPv4 in the home is dead easy. You only need to remember the last digit (unless you've got multiple networks, but most won't). You can ssh to any device by remembering that ".1" is router, ".2" is NAS etc. Firewalls are simple.
You can buy a cheap domain and use it as your home DNS (eg "router.myhome.net" -> "192.168.0.1") so it works anywhere! In the home or roaming (over VPN). I don't really need to run DNS at home. My domain runs on Cloudflare DNS, my devices use NextDNS (with rebind protection disabled for my home domain).
I run OpenWRT and preallocate DHCP addresses for all known devices. Then I shrink the DHCP pool to a blacklisted range. A script automatically creates DNS records for all preallocated devices. If a new device appears in the blacklisted DHCP pool, I can manually allocate its MAC address a proper IP.
It's easy to get TLS certs for any service in the house using the ACME DNS01 challenge.
Tailscale is sexy and it worked fine until one day while roaming it wouldn't connect without "admin work", so I instantly dropkicked it. I'm now using the very unsexy OpenVPN Cloud (free for limited use) and in over two years it has never failed me. Plus it doesn't fuck with the IP addresses with fancypants tailnet addresses - I access devices directly using their DNS names which resolve to private addresses.
So, from inside or outside the home I can access the NAS to watch a movie, sync photos to Immich, print a document, check my IP cameras or ask my wife to put a document on the ancient scanner and access it via the raspberry pi phpscan website (which is on https://scanner.myhome.net)
I'm sure there's a very good reason not to do this and someone will now point it out.
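As an added illustration (not the commenter's actual configuration), here are the OpenWrt `/etc/config/dhcp` UCI stanzas that implement the arrangement described above: reservations for every known device, a shrunken pool so unknown devices are easy to spot, and DNS names derived from the reservations. The domain, MAC addresses and IPs are constructed; the per-host `dns` option lets dnsmasq publish the forward and reverse records itself, standing in for the commenter's script.

```text
# /etc/config/dhcp  (OpenWrt UCI syntax) -- constructed example

config dnsmasq
	# answer the home domain locally and never forward it upstream
	option domain 'myhome.net'
	option local '/myhome.net/'
	# bare hostnames from reservations also resolve as host.myhome.net
	option expandhosts '1'

config dhcp 'lan'
	option interface 'lan'
	# pool is only 192.168.0.200-.249: any lease that lands here is an
	# unknown device that still needs a reservation
	option start '200'
	option limit '50'
	option leasetime '12h'

# one reservation per known device; dns '1' adds the A and PTR records
config host
	option name 'nas'
	option mac 'AA:BB:CC:00:00:02'
	option ip '192.168.0.2'
	option dns '1'

config host
	option name 'printer'
	option mac 'AA:BB:CC:00:00:03'
	option ip '192.168.0.3'
	option dns '1'
```

After `/etc/init.d/dnsmasq restart`, the reservations resolve by name on the LAN, and the lease table only ever shows devices that have not yet been given a `config host` entry.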
Exactly. I randomly try to "upgrade" to IPv6 in my home once in a while and I always give up because I'd have to do the whole enterprisey setup for no good reason.
Edit:
Basically ipv6 is too complex and automated to hold your home network's whole configuration in your head without effort.
So the techies don't set it up at home unless they have a fetish for overcomplicated setups. They're not familiar with it so they don't push for it at work either.
Adoption is solely driven by ipv4 address space exhaustion. There is no "new toy!" feeling involved.
IMO, not having NAT is a "new toy". It allows end-to-end connectivity again. Any peer-to-peer apps work much better on IPv6, and if you're developing one then it's actually possible again.
You could try fd00::1, fd00::2, ... for short internal static addresses. You don't have to use a random prefix in that range - it's just policy (for good reasons that might not matter for a small network).
v4 networks commonly only get one IP for the whole network, and people use NAT with port forwarding to make inbound connections work. With this setup, an attacker only needs to scan the 65536 ports on the router to exhaustively enumerate every single publicly accessible server on your entire network, which is about 3 megabytes of traffic and takes approximately no seconds.
On v6, you don't use NAT and networks are /64. Finding every server requires scanning 65536 ports on all 2^64 IPs, which is about 72 billion petabytes of traffic. There are ways to prune this down somewhat, but however you do it the search space is still far larger.
If you want attackers to not know what's behind your router, you want v6.
> IPv6 in the home is dead easy. You only need to remember the last digit (unless you've got multiple networks, but most won't). You can ssh to any device by remembering that ".1" is router, ".2" is NAS etc. Firewalls are simple.
> You can buy a cheap domain and use it as your home DNS (eg "router.myhome.net" -> "2003:123:4:5::1") so it works anywhere! In the home or roaming (over VPN). I don't really need to run DNS at home. My domain runs on Cloudflare DNS, my devices use NextDNS (with rebind protection disabled for my home domain).
> I run OpenWRT and preallocate DHCP addresses for all known devices. Then I shrink the DHCP pool to a blacklisted range. A script automatically creates DNS records for all preallocated devices. If a new device appears in the blacklisted DHCP pool, I can manually allocate its MAC address a proper IP.
> It's easy to get TLS certs for any service in the house using the ACME DNS01 challenge.
There is literally no difference between v4 and v6 here.
Not all of the skepticism is "does IPv6 work", some of it is "why should I want it as an end user who values privacy and minimal attack surface?"
From my perspective:
• CGNAT is a feature, not a bug. I'm already deliberately behind a commercial VPN exit node shared with thousands of others. Anonymity-by-crowd is the point. IPv6 giving me a globally unique, stable-ish address is a regression.
• NAT + default-deny inbound is simple, effective security. Yes, "NAT isn't a firewall", but a NAT gateway with no port forwards means unsolicited inbound packets don't reach my devices. That's a concrete property I get for free.
• IPv6 adds configuration surface I don't want. Privacy extensions, temporary addresses, RA flags, NDP, DHCPv6 vs SLAAC — these are problems I don't have with IPv4. More features means more things to audit, understand, and misconfigure.
• I already solved "reaching my own stuff" without global addressing. Tailscale/Headscale gives me authenticated, encrypted, NAT-traversing connectivity. It's better than being globally routable.
So yes, my parents are using IPv6 to watch Netflix. They're also not thinking about their threat model. I am, and IPv4-only behind CGNAT + overlay networking serves it well.
"It just works" isn't the bar for me to adopt IPv6. "It serves my goals better than IPv4" is the bar, and IPv6 doesn't meet it. Never has, never will.
IPv6 wasn't designed as "IPv4 with more bits." It was designed as a reimagining of how networks should work: global addressability as a first-class property, stateless autoconfiguration, the assumption that endpoints should be reachable. That philosophy is baked in. For someone like me, whose threat model treats obscurity, indirection, and minimal feature surface as assets, IPv6 isn't just unnecessary, it's ideologically opposed to what I want.
Want me to adopt a new addressing scheme? Give me a new addressing scheme, don't impose an opinionated routing philosophy on me.
Only for IP based trackers. Any webpages embedding facebook/twitter/microsoft/google trackers have already deanonymised you through a variety of fingerprinting techniques. This includes if you use private browsing sessions, and even qubesOS. You get a fuzzy feeling doing the things you do (and I do these things too), but that battle is lost.
> NAT + default-deny inbound is simple, effective security … That's a concrete property I get for free
Depends on your definition of “free”. Is it cheaper to look up just a connection state table, or is it cheaper to look up both a connection state table and a NAT table?
> IPv6 adds configuration surface I don't want … More features means more things to audit, understand, and misconfigure.
100% agreed. More complexity, more attack surface, more things to go wrong.
> I already solved "reaching my own stuff" without global addressing … It's better than being globally routable.
I do something like this too. It’s more private and more secure. It adds more complexity, and it restricts my ability to access things from terminals I don’t personally own & control unless I create another exposed vector though. “Better” is subjective based on metrics being optimised for.
> IPv6 wasn't designed as "IPv4 with more bits." It was designed as a reimagining of how networks should work: global addressability as a first-class property
Apologies, but global addressability as a first-class property is exactly how the internet was designed. NAT was originally deployed as a hacky add-on to temporarily alleviate the lack of addressing space in IPv4 until a successor could resolve that.
That said, the internet of the 90s was a very different beast to the internet of today. A lot of your concerns and perspective is absolutely valid and extremely reasonable given the internet of today.
> "It serves my goals better than IPv4" is the bar, and IPv6 doesn't meet it. Never has, never will … Want me to adopt a new addressing scheme? Give me a new addressing scheme, don't impose an opinionated routing philosophy on me.
IPv6 can absolutely be configured in ways that just gives you a new addressing scheme and does away with a lot of the other complexity. You’re just very much straying off the happy path, removing complexity by introducing … other complexity.
FWIW, I’m operating my home networks much the same way you do. I’ve also been dual stacking networks since the 2000s. Things have come a long way since the original pure-dogma introduction of ipv6.
> Any webpages embedding facebook/twitter/microsoft/google trackers have already deanonymised you
I bet OP has already blocked at least 3 of them. Private browsing is only a partial solution, blocking/unblocking domains, scripts, etc. on a case-by-case basis is a more reliable way to defend your right to privacy against abusive practices (I'm talking about fine grained adblockers such as uMatrix/uBlockOrigin) daily.
I admit it can be a hassle sometimes, in particular if one explores the net every day, but staying away from bad actors (such as some of those 4) is one way to maybe eventually stop them - even if "vote with your clicks" feels as pointless as "vote with your feet" when you're just one in many millions.
Extremely well. You don’t need an account to have a unique fingerprint that will eventually tie to an identity somewhere, and data brokers exist specifically for this purpose.
To be fair about fingerprinting, there's no such thing as "bulletproof", but I do have a pretty robust setup. DNS-level ad and tracker blocking, browser-extension-level ad and tracker blocking, LibreWolf's extensive anti-fingerprinting measures, kernel-level measures like kloak, I block all third-party JS by default, etc. My goal isn't to become invisible and untraceable to nation states (which is essentially impossible when 90%+ of all global ISPs can and do sell netflow metadata, enabling timing and packet size correlation even across multiple hops, even with background traffic forgery / traffic pattern obfuscation), but rather to frustrate lower-level tracking efforts, and mostly to reduce attack surface for security reasons, and to reduce the total amount of information I'm sending to adversaries, even if it technically increases uniqueness.

For instance, WebGL, JS JIT, WASM, WebRTC, and even SVG rendering are similarly disabled by default on my browsers, and I may very selectively enable them on a case-by-case basis depending on how important I feel the web property I'm trying to access actually is. I'll spoof my UA, my screen dimensions, and use residential SOCKS5 proxies, one by one, to identify which fingerprinting measures are being used to block me with YouTube, for instance, without enabling JIT compilation or SVG rendering. This approach absolutely does make me more distinctly identifiable (less anonymous), but doesn't necessarily make me less private, nor less secure, if e.g. ad network JS never even runs on my box in the first place.

Security is the base of the pyramid: it is the prerequisite for privacy, but doesn't guarantee it. Privacy is the middle layer: it is the prerequisite for anonymity, but doesn't guarantee it. I'm aggressively climbing that pyramid where I can while accepting some tradeoffs where the net benefit is positive to me.
I don't think of any of these - security, privacy, or anonymity - as binary properties, but rather a unified journey I am on to enhance gradually and iteratively over time. Switching to IPv6 would greatly complicate and regress my path through much of the journey I've already completed.
If I could leave you with a couple questions: What tangible benefits have you reaped from IPv6 that simply weren't possible on IPv4? Has the ROI for you on going dual stack outweighed the costs on your time, attention, and configuration work required for securely handling edge cases, dealing with weird or unexpected routing issues, for straying from the happy path?
> I’m surprised home many technically knowledgeable people on Internet forums still think IPv6 is some niche, unreliable thing.
The more technically knowledgeable you happen to be on the subject, the more you realize IPv6 is some unreliable thing when compared to IPv4. Perhaps no longer niche though.
It's unfortunately still an afterthought for many backbones - and not just US-centric ones. There is a noticeable difference in performance metrics from clients served via IPv4 endpoints vs. IPv6 for web assets in the same locations from the same transit providers.
It is pretty much the opposite of "just works" depending on your definition of "just works". It results in more Traffic Engineering per bit served by a large factor compared to IPv4.
> Peer-to-peer communications such as gaming usually have to deal with NAT traversal, but with IPv6 this is no longer an issue, especially for multiple gamers using the same connection
You know the list of "benefits" is thin when the second item is entirely theoretical. Even though IPv6 doesn't have to do NAT traversal, it still has to punch through your router's firewall which is effectively the same problem. Most ISP provided home routers simply block all incoming IPv6 traffic unless there is outbound traffic first, and provide little to no support for custom IPv6 rules.
Even if that were not an issue, my bet is that there are close to zero popular games that actually use true peer to peer networking.
Typically firewalls will record the src and dst header values of outbound IP packets then temporarily allows inbound IP packets that have those values flipped.
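A toy model of the stateful rule just described, added here as an editorial example rather than code from anyone in the thread: an outbound packet records its tuple, and an inbound packet is admitted only when its tuple is the mirror image of a live, unexpired entry. The hosts, ports and packets are constructed (documentation-prefix addresses); the timeout handling is the part a plain "flip the tuple" description leaves out.

```python
"""Stateful filter: allow inbound only as a reply to an outbound flow.
Added example; all addresses and packets below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFilter:
    """Default-deny inbound; admit only replies to flows the inside initiated."""

    def __init__(self, ttl_seconds: int = 30):
        self.ttl = ttl_seconds
        # flow key -> time at which the entry expires if no more traffic is seen
        self.flows: dict[tuple, int] = {}

    def outbound(self, pkt: Packet, now: int) -> bool:
        """Outbound traffic is always allowed and creates/refreshes a flow entry."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        self.flows[key] = now + self.ttl
        return True

    def inbound(self, pkt: Packet, now: int) -> bool:
        """Admit inbound only if (src, sport, dst, dport) flipped matches an
        unexpired outbound entry; otherwise drop it."""
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        expiry = self.flows.get(key)
        if expiry is None or expiry < now:
            self.flows.pop(key, None)  # garbage-collect a stale entry
            return False
        self.flows[key] = now + self.ttl  # a valid reply keeps the flow alive
        return True


def demo() -> dict[str, bool]:
    """Run constructed packets through the filter; keys name each scenario."""
    fw = StatefulFilter(ttl_seconds=30)
    home = "2001:db8:1::10"   # constructed LAN host
    peer = "2001:db8:2::20"   # constructed remote peer
    other = "2001:db8:3::30"  # constructed third party
    results = {}
    # 1. Nothing has gone out yet: an unsolicited inbound packet is dropped.
    results["unsolicited"] = fw.inbound(Packet("udp", peer, 4000, home, 51000), now=0)
    # 2. The LAN host talks to the peer, creating a flow entry.
    fw.outbound(Packet("udp", home, 51000, peer, 4000), now=1)
    # 3. The peer's reply carries the flipped tuple and is admitted.
    results["reply"] = fw.inbound(Packet("udp", peer, 4000, home, 51000), now=2)
    # 4. Same peer, different source port: no matching flow, dropped.
    results["other_port"] = fw.inbound(Packet("udp", peer, 4001, home, 51000), now=2)
    # 5. A third party cannot ride on the existing flow either.
    results["other_host"] = fw.inbound(Packet("udp", other, 4000, home, 51000), now=2)
    # 6. Long after the last packet, the entry has timed out.
    results["expired"] = fw.inbound(Packet("udp", peer, 4000, home, 51000), now=100)
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:12s} {'allow' if allowed else 'drop'}")
```

Scenario 1 is the property the "NAT + default deny" comments earlier in the thread are really relying on, and it comes from the state table, not from address rewriting; scenario 6 is why peer-to-peer software has to keep sending keepalives whether or not NAT is involved.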
You're just asserting that without explanation. Please correct me if I'm wrong, but AFAIK the only difference in NAT hole-punching is that clients don't know their public port mapping ahead of time. This actually doesn't make a huge difference to the process because in practice, you still want a central rendezvous server for automated peer IP discovery. The alternative being that each peer shares their IP with every other peer "offline", as in manually through an external service like IRC or Discord, which is a horrible user experience.
They linked a whole article detailing the complexities of specifically NAT traversal.
I should think it obvious that by removing an entire leaky layer of abstraction the process would be much simpler. Yes, you still need a coordination server, but instead of having to deduce the incoming/outgoing port mappings you can just share the "external IP" of each client--which in the IPV6 case isn't "external," it's just "the IP".
>Also NAT is a pretty simple abstraction, it's literally a single table.
...And now, let's try punching a hole through this "simple" table. Oops, someone is using a port-restricted or symmetric NAT and hole punching has gotten just a tad more complicated.
> it just has to be established from the local side
This is exactly the problem. Unless you expect users to manually share their IPs with every other user in a given lobby through an external service, you would need to make a central peer discovery and connection coordination mechanism which ends up looking pretty similar to classic NAT traversal.
The complication starts when such an ephemeral port gets a connection from somewhere else, which is the crucial part, not the creation of such ports. That is not necessarily supported by firewalls, or is not as simple as just having a stateful firewall.
Also NAT66 exists and I use it on my home network so you still have to have the machinery to do NAT traversal when needed. It's nice to use my public addresses like elastic IPs instead of delegating ports. IPv6 stans won't be able to bully their way into pretending that NAT doesn't exist on IPv6.
> Groups of zeros can be omitted with two colons, but only once in an address (i.e. 2000:1::1, but not 2000::1::1 as that is ambiguous)
Can someone explain why it's ambiguous?
On the subject, IPv6 is one of the strangest inventions on the internet. Its utility and practicality are obvious no matter how you look at it except... just one thing.
Network-related things are generally easy to remember and then type from memory: IPv4, domain names, standard port numbers. Back in the day it was the phone numbers, again, easy to remember and dial when you need it. IPv6 is just too long and requires copy/paste all the time. This is the only real reason in my opinion, why IPv6 is doomed to be second-grade citizen for (probably) a few more decades.
> This is the only real reason in my opinion, why IPv6 is doomed to be second-grade citizen for (probably) a few more decades.
Except if you're using a mobile phone, in which case many telcos hand out only IPv6 addresses to handsets. 2018 NANOG presentation "T-Mobile's journey to IPv6":
Your IPv4 packets are getting tunneled to a CGNAT server which has an IP address pool.
Your website will load faster on cellphones if it supports IPv6. This is because the packets take more direct routes (because they don't go to the central CGNAT server) and because less processing is applied to them. Almost all mobile networks are now IPv6-only, with IPv4 traffic tunneled and CGNATted. Apparently T-Mobile is the rare exception.
I finally clicked when I worked out it was 2^64 subnets. You have a common prefix of your /48, which isn’t much longer than an IPv4 address - especially as it seems everything is 2001::/16, which means you basically have to remember a 32 bit network prefix just like 12.45.67.8/32.
That becomes 2001:0c2d:4308::/48 instead
After that you just need to remember the subnet number and the host number. If you remember 12.45.67.8 maps to 192.168.13.7 you might have
2001:0c2d:4308:13::7
So subnet “13” and host “7”
It’s not much different to remembering 12.45.67.8>192.168.13.7
IPv4 isn't perfect, but it was designed to solve a specific set of problems.
IPv6 was designed by political process. Go around the room to each engineer and solve for their pet peeve to in turn rally enough support to move the proposal forward. As a bunch of computer people realized how hard politics were they swore never to do it again and made the address size so laughably large that it was "solved" once and for all.
I firmly believe that if they had adopted any other strategy where addresses could be meaningfully understood and worked with by the least skilled network operators, we would have had "IPv6" adoption 10 years ago.
My personal preference would have been to open up class E space (240-255.*) and claw back the 6 /8s Amazon is hoarding, be smarter about allocations going forward, and make fees logarithmic based on the number of addresses you hold.
Only if by "political process" you mean a bunch of people got together (physically and virtually) and debated the options and chose what they thought was best. The criteria for choosing IPng were documented:
> I firmly believe that if they had adopted any other strategy where addresses could be meaningfully understood and worked with by the least skilled network operators, we would have had "IPv6" adoption 10 years ago.
The primary reason for IPng was >32 bits of address space. The only way to make them shorter is to have fewer bits, which completely defeats the purpose of the endeavour.
There was no way to move from 32-bits to >32-bits without every network stack of every device element (host, gateway, firewall, application, etc) getting new code. Anything that changed the type and size of sockaddr->sa_family (plus things like new DNS resource record types: A is 32-bit only; see addrinfo->ai_family) would require new code.
This is a lot of basically sharpshooting, but I will address your last point:
> There was no way to move from 32-bits to >32-bits without every network stack of every device element (host, gateway, firewall, application, etc) getting new code. Anything that changed the type and size of sockaddr->sa_family (plus things like new DNS resource record types: A is 32-bit only; see addrinfo->ai_family) would require new code.
That is simply not true. We had one bit left (the reserved/"evil" bit) in IPv4 headers that could have been used to flag that the first N bytes of the payload were an additional IPv4.1 header indicating additional routing information. Packets would continue to transit existing networks and "4.1" capable boxes at edges could read the additional information to make further routing decisions inside of a network. It would have effectively used IPv4 as the core transport network and each connected network (think ASN) having a handful of routed /32s.
Overlay networks are widely deployed and have very minor technical issues.
But that would have only addressed the numbering exhaustion issues. Engineers often get caught in the "well if I am changing this code anyway" trap.
An explicit goal of IPv6, considered as important as the address expansion, was the simplification of the packet header, by having fewer fields, which are correctly aligned, unlike in the IPv4 header, in order to enable faster hardware routing.
The scheme described by you fails to achieve this goal.
I am glad you brought this up, that is another big issue with IPv6. A lot of the problems it was trying to solve literally don't exist anymore.
Header processing and alignment were an issue in the 90s when routers repurposed generic components. Now we have modern custom ASICs that can handle IPv4 inside of a GRE tunnel on a VLAN over MPLS at line rate. I have switches in my house that do 780 Gbps.
At the time when it was designed, IPv6 was well designed, much better than IPv4, which was normal after all the experience accumulated while using IPv4 for many years.
The designers of IPv6 have made only one mistake, but it was a huge mistake. The IPv4 address space should have been included in the IPv6 space, allowing transparent intercommunication between any IP addresses, regardless whether they were old IPv4 addresses or new IPv6 addresses.
This is the mistake that has made the transition to IPv6 so slow.
> The IPv4 address space should have been included in the IPv6 space, allowing transparent intercommunication between any IP addresses, regardless whether they were old IPv4 addresses or new IPv6 addresses.
How would you have implemented it that is different from the NAT64 that actually exists, including shoving all IPv4 addresses into 64:ff9b::/96?
They didn't use the reserved bit, because there's a field that's already meant for this purpose: the next protocol field. Set that to 0x29 and it indicates that the first bytes of the payload contain a v6 address. Every v4 address has a /48 of v6 space tunnelled to it using this mechanism, and any two v4 addresses can talk v6 between them (including to the entire networks behind those addresses) via it.
If doing basically exactly what you suggested isn't enough to stop you from complaining about v6's designers, how could they possibly have done any better?
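Added example, not from any commenter in the thread: the two IPv4-in-IPv6 embeddings mentioned above (RFC 3056 6to4 under 2002::/16, RFC 6052 NAT64 under 64:ff9b::/96), the reverse lookup a log reader needs to recover the IPv4 peer, and a decapsulation consistency check for protocol-41 packets (the packet bytes are constructed; the IPv4 addresses come from the documentation ranges).

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41  # 0x29: next-protocol value for IPv6 carried inside IPv4
NAT64_WKP = ipaddress.IPv6Network("64:ff9b::/96")  # RFC 6052 well-known prefix
SIXTOFOUR = ipaddress.IPv6Network("2002::/16")     # RFC 3056


def sixtofour_prefix(v4):
    """The /48 that RFC 3056 derives from an IPv4 address: 2002:AABB:CCDD::/48.

    The IPv4 address occupies bits 16..47 from the top, i.e. it is shifted
    left by 128 - 48 = 80. RFC 3056 expects a globally unique IPv4 address;
    that is not checked here because the samples use documentation ranges.
    """
    base = int(SIXTOFOUR.network_address) | (int(ipaddress.IPv4Address(v4)) << 80)
    return ipaddress.IPv6Network((base, 48))


def nat64_synth(v4, prefix=NAT64_WKP):
    """RFC 6052 embedding for a /96 prefix: the IPv4 address fills the low 32 bits."""
    if prefix.prefixlen != 96:
        raise ValueError("only the /96 embedding form is handled here")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(v4)))


def embedded_ipv4(v6):
    """(mechanism, IPv4Address) if the address carries an IPv4 address, else None.

    Handy when reading logs at a dual-stack edge: the IPv4 peer behind a
    6to4, NAT64 or IPv4-mapped address is recoverable from the address itself.
    """
    addr = ipaddress.IPv6Address(v6)
    if addr in SIXTOFOUR:
        return ("6to4", ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF))
    if addr in NAT64_WKP:
        return ("nat64", ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))
    if addr.ipv4_mapped is not None:  # ::ffff:a.b.c.d, seen inside dual-stack sockets
        return ("mapped", addr.ipv4_mapped)
    return None


def build_6to4_packet(outer_src, outer_dst, inner_src, inner_dst, payload=b""):
    """Constructed sample: a 20-byte IPv4 header (protocol 41) carrying a
    minimal IPv6 header (next header 59 = no next header) plus payload."""
    inner = struct.pack("!IHBB", 0x60000000, len(payload), 59, 64)
    inner += ipaddress.IPv6Address(inner_src).packed
    inner += ipaddress.IPv6Address(inner_dst).packed + payload
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0, 64,
                        IPPROTO_IPV6, 0,
                        ipaddress.IPv4Address(outer_src).packed,
                        ipaddress.IPv4Address(outer_dst).packed)
    return outer + inner


def check_6to4_decap(packet):
    """Parse a protocol-41 packet and apply the consistency check a 6to4
    decapsulator should make: when the inner IPv6 source is a 6to4 address,
    the IPv4 address embedded in it must equal the outer IPv4 source.
    Returns (ok, reason)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return (False, "not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_IPV6:
        return (False, f"protocol {packet[9]} is not 41")
    outer_src = ipaddress.IPv4Address(packet[12:16])
    inner = packet[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return (False, "payload is not an IPv6 header")
    inner_src = ipaddress.IPv6Address(inner[8:24])
    found = embedded_ipv4(inner_src)
    if found is None or found[0] != "6to4":
        return (True, "inner source is not a 6to4 address (relay traffic)")
    if found[1] != outer_src:
        return (False, f"inner source embeds {found[1]} but outer source is {outer_src}")
    return (True, "consistent")


if __name__ == "__main__":
    sample_v4 = "192.0.2.33"  # constructed: documentation range
    print("6to4 /48 :", sixtofour_prefix(sample_v4))
    print("NAT64    :", nat64_synth(sample_v4))
    pkt = build_6to4_packet(sample_v4, "198.51.100.7", "2002:c000:221::1", "2001:db8::2")
    print("decap    :", check_6to4_decap(pkt))
```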
> That is simply not true. We had one bit left (the reserved/"evil" bit) in IPv4 headers […]
Great, there's an extra bit in the IPv4 packet header.
I was talking about the data structures in operating systems: are there any extra bits in the sockaddr structure to signal things to applications? If not, an entirely new struct needs to be deployed.
And that doesn't even get into having to deploy new DNS code everywhere.
This would require new software and new ASICs on all hosts and routers and wouldn't be compatible with the old system. If you're going to cause all those things, might as well add 96 new bits instead of just 2 new bits, so you won't have the same problem again soon.
IPv6 is literally just IPv4 + longer addresses + really minor tweaks (like no checksum) + things you don't have to use (like SLAAC). Is that not what you wanted? What did you want?
And what's wrong with a newer version of a thing solving all the problems people had with it...?
There are more people than IPv4 addresses, so the pigeonhole principle says you can't give every person an IPv4 address, never mind when you add servers as well. Expanding the address space by 6% does absolutely nothing to solve anything and I'm confused about why you think it would.
Exactly enough to fill out the address, which is always the same length. BTW, IPv4 does basically the same thing. The address 127.1 is equivalent to 127.0.0.1.
Not really the same, the mechanics are different and this particular behaviour is pretty much an accident, not abbreviation.
In IPv4 you also have 127.257 equal to 127.0.1.1, 123456789 equal to 7.91.205.21, and 010.010.010.010 is a well-known DNS server. This notation is also rejected by most implementations.
It is? Those alternate IPv4 notations are all accepted by Linux, FreeBSD, and MacOS. I remember playing around with "alternate notations" 30+ years ago on old SunOS boxes.
I am not clear what your point is. The parent's point stands. A double colon only represents zeros (that were compressed and are not displayed).
Your link does not show different addresses from a valid compression, it shows different addresses from an invalid compression. The link gives examples of what we don't do.
Conversely, if we compress the expanded addresses in your link, we will get 2 different compressed addresses.
> IPv6 is just too long and requires copy/paste all the time.
That is only true for autogenerated/SLAAC IPs. In contrast, manually assigned IPs are often much simpler and easier to remember in IPv6 than in IPv4. I have one common subnet prefix that can be uniformly split to end networks, and the last number in the IP address for such a network always ends with 0 (and therefore the first device is xxx::1). While in IPv4 I had multiple prefixes, each split non-uniformly based on how many devices were expected to be on that end network, and because most end network prefixes were smaller than /24 (say /26-28), the last number of the IP address varies between these networks.
I mean yes, but there’s no escape from the fact that IP addresses need to be longer, as the number of devices on the internet has already exhausted the pool of IPv4 addresses by multiple orders of magnitude.
I guess it could be possible to implement sort of mnemonic phrases for addresses, à la bip-39, but it would be just trading one kind of pain for another.
I've said this since time immemorial, and networking people often dismiss it. "Just use DNS," say people who have never actually worked netops or devops.
The length of the addresses and the clunky nature of their ASCII representation is absolutely the #1 reason the IPv6 has taken this long. User experience is the most powerful force affecting large scale adoption, and IPv6 has poor UX.
I think the UX is partly fixable by creating less horrible ASCII representation, but this would take a lot of coordination that was hard even back then and is virtually impossible now. If someone told me in 500 years we're still running dual-stack IPv4/IPv6 absolutely unchanged, I'd believe it.
Half the reason (literally) the address looks so bad is not because of IPv6 but because everyone keeps choosing to implement randomized in-subnet addresses and cycle through them for privacy reasons.
E.g. 2600:15a3:7020:4c51::52/64 is not too horrible but 2600:15a3:7020:4c51:3268:b4c4:dd7b:789/64 is a monster by unrelated intent of the client.
This is pretty much on the money. IPv6 addressing can be pretty simple if you design your subnets and use low numbers for hosts. But hosts themselves will forgo that and randomly generate 64 bit random host addresses for themselves - some times for every new connection. Now you have thousands of IPv6 addresses for a single computer speaking out to the Internet.
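Added example, not written by either commenter above: how SLAAC derives a stable EUI-64 interface identifier from a MAC, a classifier that tells EUI-64, low-numbered and random-looking identifiers apart, and a per-/64 tally that is the sensible way to count hosts in logs when one machine rotates temporary addresses. The log lines are constructed; the classifier's "manual" threshold is a heuristic, not a standard.

```python
import ipaddress
import re
from collections import defaultdict


def eui64_iid(mac):
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291 App. A):
    flip the universal/local bit of the first octet and insert ff:fe in the middle."""
    octets = bytes(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC like 00:1a:2b:3c:4d:5e")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def slaac_address(prefix, mac):
    """The address SLAAC forms from a /64 and a MAC when privacy extensions are off."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64")
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(eui64_iid(mac), "big"))


def classify_iid(addr):
    """Guess how the low 64 bits of an address were chosen:
    'eui64'  -> derived from a MAC (stable and trackable; the MAC is returned too)
    'manual' -> small number such as ::52, typically assigned by an admin (heuristic)
    'random' -> looks like an RFC 4941 temporary or RFC 7217 stable-private identifier
    A random identifier lands on ff:fe in the middle with probability 1/65536."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] == b"\xff\xfe":
        mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
        return ("eui64", ":".join(f"{b:02x}" for b in mac))
    if int.from_bytes(iid, "big") < 0x10000:
        return ("manual", None)
    return ("random", None)


SRC_RE = re.compile(r"\bsrc=([0-9a-fA-F:]+)")

# Constructed sample firewall log: one laptop rotating temporary addresses
# (the long address quoted above), one host on a fixed ::52, one EUI-64 device.
SAMPLE_LOG = """\
2025-01-01T10:00:01Z src=2600:15a3:7020:4c51:3268:b4c4:dd7b:789 dst=2001:db8::1 action=accept
2025-01-01T10:05:12Z src=2600:15a3:7020:4c51:9c1e:2a7:55d0:61ab dst=2001:db8::1 action=accept
2025-01-01T10:09:40Z src=2600:15a3:7020:4c51:e4f2:7b10:8cc:a913 dst=2001:db8::1 action=accept
2025-01-01T10:12:03Z src=2600:15a3:7020:4c51::52 dst=2001:db8::1 action=accept
2025-01-01T10:15:27Z src=2001:db8:0:1:21a:2bff:fe3c:4d5e dst=2001:db8::1 action=accept
"""


def hosts_per_prefix(log):
    """Distinct source addresses per /64, each tagged with its identifier kind.
    Counting per /64 rather than per address keeps a single laptop with
    rotating temporary addresses from looking like a crowd."""
    seen = defaultdict(dict)
    for line in log.splitlines():
        m = SRC_RE.search(line)
        if not m:
            continue
        addr = ipaddress.IPv6Address(m.group(1))
        prefix = ipaddress.IPv6Interface(f"{addr}/64").network
        seen[str(prefix)][str(addr)] = classify_iid(addr)[0]
    return dict(seen)


if __name__ == "__main__":
    print(slaac_address("2001:db8:0:1::/64", "00:1a:2b:3c:4d:5e"))
    for prefix, hosts in hosts_per_prefix(SAMPLE_LOG).items():
        kinds = sorted(hosts.values())
        print(f"{prefix}: {len(hosts)} address(es), kinds={kinds}")
```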
"Modern" tooling in the consumer space is pretty dire for IPv6 support too. The best you can reasonably get is an IPv6 on the WAN side and then just IPv4 for everything local. At least from the popular routers I've experienced lately.
I’ve been amazed for years at the fact that many of the best routers turn V6 off by default.
Of course I know why. If you turn it on it slightly increases edge case issues as complexity always does. Most people don’t actively need it so nobody notices.
Yes, I forgot about SLAAC and worthless privacy extensions.
Privacy extensions are worthless because there are just sooooo many ways to fingerprint and track you. If you are not at least using a VPN and a jailed privacy mode browser at a bare minimum, you are toast. If you’re serious about privacy you have to use stuff like Tor.
V6 privacy extensions are like the GDPR cookie nonsense: ineffective countermeasures with annoying side effects.
SLAAC sucks too. They should have left assignment up to admins or higher level protocols like with V4. It’s better that way.
Most people are just using the ISP provided router as their gateway today anyways. E.g. ATT fiber is proud to advertise to you that it knows about each of your devices on the ONT+Router combo - that's even the only way to set up a port forward (you can't just type in an IP, you have to pick a discovered device).
"But people can NAT the v4 with another router to hide it!" -> sure, and the same crappy solution works with v6.
"But at least prosumers can replace the ONT via cloning the identifiers and certain hardware" -> also no change with v6.
Randomized addresses do have valid use cases though, particularly when connecting to Wi-Fi networks other than your own when set to randomize the MAC per connection (not just the scanning MAC) as well, but I'm just not really convinced this is a realistic example as framed.
It’s a really complicated rule called “subtraction”. Addresses are always 128 bits long, or 8 groups of four hex digits. 2000::1 is two groups, so you need six groups in between to make 2000:0000:0000:0000:0000:0000:0000:1. But I don’t know why people always ask this, because it’s always the computer you are typing addresses in to that does the subtraction. You never ever have to type out the whole address. Just type the shortened version, because 2000::1 _is_ the whole address.
the :1 is short for :0001 basically and then just put that bit of the address at the very end and put the first bit of the address at the front, and then just fill each missing group in between with 0000
Well, okay, show us how to follow those instructions then.
"the :1 is short for :0001 basically" is easy enough: you get 2001::0001::0001.
Then "just put that bit at the very end" -- but which bit? If it means the ":0001", then there's two of them and they can't both go at the very end. If not, then it fails to specify which bit. Either way I don't see how these instructions are followable at all, let alone easily.
My answer was too terse. IF there were two :: in the address, then the length of EACH :: denoted section is not known. It can be either longest left :: or longest right :: and that wasn't defined, because the rule is THERE IS ONLY ONE :: section.
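Added example, not from any commenter, for the ambiguity question above and the expansion discussion: a small parser that lists every full 8-group form a piece of IPv6 text could stand for (one for valid text, four for 2000::1::1), plus RFC 5952 compression, checked against Python's ipaddress on a constructed list that includes the 2001:0c2d:4308:13::7 address from the thread.

```python
import ipaddress
import re

HEX_GROUP = re.compile(r"^[0-9a-fA-F]{1,4}$")


def _compositions(total, parts):
    """Every way to share `total` zero groups among `parts` gaps, each gap >= 1."""
    if parts == 1:
        yield (total,)
        return
    for first in range(1, total - parts + 2):
        for rest in _compositions(total - first, parts - 1):
            yield (first,) + rest


def possible_expansions(text):
    """Return every list of 8 group values the text could stand for.

    Well-formed text yields exactly one list. Text with two '::' yields one
    list per way of sharing the omitted zero groups between the two gaps,
    which is the reason RFC 4291 permits '::' only once per address.
    """
    fragments = [frag.split(":") if frag else [] for frag in text.split("::")]
    for frag in fragments:
        if not all(HEX_GROUP.match(g) for g in frag):
            return []  # empty group, 5+ digits, non-hex, or ':::'
    explicit = sum(len(frag) for frag in fragments)
    gaps = len(fragments) - 1
    if gaps == 0:
        return [[int(g, 16) for g in fragments[0]]] if explicit == 8 else []
    missing = 8 - explicit
    if missing < gaps:
        return []  # each '::' must stand for at least one group
    expansions = []
    for sizes in _compositions(missing, gaps):
        groups = list(fragments[0])
        for size, frag in zip(sizes, fragments[1:]):
            groups += ["0"] * size + frag
        expansions.append([int(g, 16) for g in groups])
    return expansions


def expand(text):
    """Full 8-group form, or ValueError if the text is malformed or ambiguous."""
    candidates = possible_expansions(text)
    if len(candidates) != 1:
        raise ValueError(f"{text!r}: {len(candidates)} possible expansions")
    return ":".join(f"{g:04x}" for g in candidates[0])


def compress(text):
    """RFC 5952 text: lowercase, no leading zeros, the longest run of two or
    more zero groups (the first such run on a tie) replaced by one '::'."""
    candidates = possible_expansions(text)
    if len(candidates) != 1:
        raise ValueError(f"{text!r} is not a valid IPv6 address")
    groups = candidates[0]
    best_start, best_len = -1, 1  # a lone zero group is never compressed
    i = 0
    while i < 8:
        if groups[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    hexes = [f"{g:x}" for g in groups]
    if best_start < 0:
        return ":".join(hexes)
    left = ":".join(hexes[:best_start])
    right = ":".join(hexes[best_start + best_len:])
    return f"{left}::{right}"


# Constructed check list (the second entry is the /48 + subnet 13 + host 7 plan above).
SAMPLES = [
    "2000:1::1",
    "2001:0c2d:4308:13::7",
    "::1",
    "2000:0:0:1:0:0:0:1",  # the longer zero run wins, not the first one
]


def agrees_with_stdlib(texts=SAMPLES):
    """True if expand/compress match ipaddress.IPv6Address for every sample."""
    for text in texts:
        ref = ipaddress.IPv6Address(text)
        if expand(text) != ref.exploded or compress(text) != str(ref):
            return False
    return True


if __name__ == "__main__":
    for text in ("2000:1::1", "2000::1::1"):
        forms = possible_expansions(text)
        print(f"{text}: {len(forms)} possible expansion(s)")
        for groups in forms:
            print("   ", ":".join(f"{g:04x}" for g in groups))
```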
> There are also still a lot of misconceptions from network administrators who are scared of or don’t properly understand IPv6
Enable IPv6 on a TP-Link Omada router (ER7212PC) and all internal services are exposed to the outside world as there is no default IPv6 deny-all rule and no IPv6 firewall. I get why some people are nervous.
That's more proof that TP-Link should not be trusted than that there is a problem with IPv6, really. Even cheap $20 Aliexpress routers have a firewall enabled by default.
> Enable IPv6 on a TP-Link Omada router (ER7212PC) and all internal services are exposed to the outside world as there is no default IPv6 deny-all rule and no IPv6 firewall. I get why some people are nervous.
A router routing traffic makes people nervous? Isn't that what it's supposed to do? I'd be annoyed if my router did not pass traffic.
Now, if the ER7212PC was a firewall that would be something else.
(And no, I'm not being pedantic: routers should pass traffic unless told otherwise, firewalls should block traffic unless told otherwise. The purposes of the two device classes are different, they just happen to both deal with Layer 3 protocol data units.)
Routers and access points are also typically separate device classes. Yet the market has figured out that most consumers prefer all-in-one devices. Expecting households to run dedicated firewalls besides their AiO wifi-routers is ludicrous.
What firewall do you recommend a typical user couple their ER7212PC (which BTW is already tripling as VPN gateway and cloud-controller) with?
The problem is that TP-link does not give two cents to security in their products.
> Yet the market has figured out that most consumers prefer all-in-one devices. Expecting households to run dedicated firewalls besides their AiO wifi-routers is ludicrous.
Except neither the ER7212PC nor anything else under the Omada (sub-)brand is a consumer / household device. The tagline of Omada is "Networks Empower Business":
If you want to haul your boat buy an F-150 pickup and don't complain that your Golf doesn't have enough towing capacity: buy the tool that you need for the problem/job you have. If you want an all-in-one then buy an AiO and not a router.
>> And no, I'm not being pedantic
> You very much are.
Expecting a router to not-route IPv6 is the unreasonable thought.
Are you suggesting that people should buy both a router and a firewall for their home networks? I suppose they should buy a separate Wi-Fi AP as well, and a switch or two, in your opinion?
> Are you suggesting that people should buy both a router and a firewall for their home networks?
I am suggesting the ER7212PC is not a home network device, and thus having the two functions glommed together is an anti-feature in its design. The tagline of Omada is "Networks Empower Business":
You are of course correct, but most people will disagree because the world we live in is a lot messier than what we should do and people expect a base line. You have to remember that people rely on IPv4 NATing for security, despite every network engineer knowing that it is not - in effect it is.
> You have to remember that people rely on IPv4 NATing for security, despite every network engineer knowing that is it is not - in effect it is.
Then buy a device that does default NATing and other consumer-y if you want that. Don't complain that a generic routing system routes IP—whether IPv4 or IPv6—by default.
If you want a firewall buy a firewall. If you want an all-in-one firewall/gateway/AP/whatever, buy it.
In this particular case the "problem" is not in the device but in purchasing the wrong tool for the job at hand. If you want to haul lumber buy a cargo van or pickup truck, not a VW Golf.
> Customer edge routers are expected to contain firewall (see RFC 7084 and RFC 6092).
Neither the ER7212PC nor anything else in the Omada line is for residential consumers, which is what RFC 6092—"Recommended Simple Security Capabilities in Customer Premises Equipment (CPE) for Providing Residential IPv6 Internet Service"—refers to.
And RFC 7084 has two instances of the word "firewall", one (§3.1) in reference to IPv4 NAT:
A typical IPv4 NAT deployment by default blocks all incoming
connections. Opening of ports is typically allowed using a Universal
Plug and Play Internet Gateway Device (UPnP IGD) [UPnP-IGD] or some
other firewall control protocol.
and the other (§4.5) to tunnelling:
S-3: If the IPv6 CE router firewall is configured to filter incoming
tunneled data, the firewall SHOULD provide the capability to
filter decapsulated packets from a tunnel.
I agree that a consumer all-in-one firewall/gateway/AP/whatever should ("MUST"?) have a default-deny rule on incoming connections. But the original complaint that kicked off this sub-thread is about a particular device, which is not a consumer device but a more generic routing system and not a "firewall" as such.
People expect their router to act as a firewall too, via NAT. If you take this away and force people to buy an additional piece of hardware to restore the expected functionality, they won't switch. Simple as that.
All modern NAT routers include a firewall. They don't "act as a firewall too, via NAT", they have both NAT and firewall functionality, even for IPv4. It has been like this for a long time now.
Here's China's current IPv6 plan.[1] It was an explicit objective of the 14th Five Year Plan, now concluding, to get most of China's Internet on IPv6. About 70% of China's mobile users are on IPv6 now. But fixed IPv6 traffic in China is only 27%.
> I spent a WEEK without IPv4 to understand IPv6 transition mechanisms
> NAT64 - the method I’ve setup for this test
> IPv6 is absolutely ready for prime-time and has been for awhile
So... No, you spent a week effectively using both v6 and v4 with extra steps. If someone said "Linux is ready for primetime" but their setup only worked because they ran a bunch of applications in a Windows VM, I'd call that strong evidence that it really wasn't. Same here.
That said... This is from early 2023. Any chance it's better now?
> That said... This is from early 2023. Any chance it's better now?
I accidentally went IPv6 only on my home wifi for a few weeks a while ago. I only noticed when GitHub didn't load (I avoid work things at home, hence accessing GitHub being rare.)
Relatedly, fuck GitHub and their incompetence at rolling out IPv6. It's nothing other than that at this point. Blank, unadulterated incompetence.
> No, you spent a week effectively using both v6 and v4 with extra steps.
It's fewer steps though. You can do all your network setup in the nice v6 world, and set up v4 emulation for those who need it. Yes, it's not yet practical to turn off v4 entirely, just like it's not yet practical to turn off Rosetta on your ARM mac.
My former colleague Marco Davids from SIDN Labs (the R&D department at the .nl TLD operator) did an experiment in 2021 where he actively disabled IPv4 support on all components in his test network, even disabling the complete IPv4 stack in the FreeBSD kernel (not possible on Linux, at least not at the time). So far, his test is the only thing I know of that came close to an authentic simulation of an IPv6-only world.
AAAA record resolution is the real bottleneck for adoption. Once you have dual stack working, I did a real-world, simple test: Release your ISP IPv4 DHCP lease on the router (kill udhcpc) and flush DNS on your hosts. Now all public DNS lookups must resolve to an IPv6 domain. You will very quickly find many domains on the Internet still don't have AAAA records. Lots of popular services will simply fail to resolve their hard coded domains. QED.
None of the ISPs where I live provide NAT64 gateways. Exactly one advertised it, I signed up almost a year ago and they still haven't enabled it for me yet (I think they don't actually offer it and just forgot to remove the page).
My two IPv6 issues (even having had a HE tunnel in the past):
- My local ISP (US Internet, soon to be part of T-Mobile Fiber) hasn't enabled it, even though the CEO has said on Reddit for years that it's a priority. Now that they've been acquired who knows if it'll ever happen.
- Linode allows transferring v4 addresses between machines, so if I need to rebuild something I can do so without involving my client who usually has control over DNS. They do not support moving v6 addresses, which means that the only sites I have control over that support v6 are the ones that I control DNS.
Making IPv6 a thing seems like it would be super easy if a couple hours could be spent solving a bunch of dumb lazy problems.
> My local ISP (US Internet, soon to be part of T-Mobile Fiber) hasn't enabled it, even though the CEO has said on Reddit for years that it's a priority. Now that they've been acquired who knows if it'll ever happen.
Being a priority doesn't mean it's high priority. It could be a priority, but the lowest ranked one, so other stuff always comes first. :P
T-Mobile wireless US is pretty invested on IPv6, so if they take over the network, they may well push it.
It "finally hit the top of the project list" two years ago so we'll see lol.
It's "T-Mobile Fiber Home Internet" which looks to be a bunch of local ISPs they've been snatching up, so we'll see what happens. USI's customer service and reliability have been amazing so hopefully that doesn't get screwed up.
I try enabling IPv6 every year or so. The last time I tried IPv6 at home I couldn't figure out what my netmask was, nor the size of my allocation. Some folks say my ISP issues /60s, others /64. I couldn't figure out how to get my IP to remain static long enough to have long-running TCP sessions, either. It was a mess and not much better than it was 20 years ago when I first tried it (and had to disable it because it being on broke all sorts of things).
Maybe 2026 will be the year of IPv6. I kinda doubt it given I'm some jackass and dedicated network professionals still don't use IPv6.
Why are you setting up anything? You turn on IPv6, the router figures out its prefix from the upstream router, and then router broadcasts the network to devices.
The netmask for IPv6 is nearly always /64. ISPs give out /60 to allow multiple subnets, but router makes /64 subnets from that.
Not OP, but when I first tried to learn IPv6 for my home internet, I found that it's very important that you get the DHCP-PD prefix size right when configuring your router, or it would just not work at all.
I have Comcast, and they do give me a /56, but you can't ask for a /56 in the DHCP-PD request, because they don't support a single request grabbing all of your prefix space. You have to ask for /60s, which I had to find out through trial and error.
But it may have been even worse (my memory is fuzzy) because I think at one point I did successfully get a /56, but that then exhausted my DHCP allocation, and then after I rebooted my router I couldn't get anything any more. It didn't help that the router I had been using (Unifi security gateway) didn't seem to keep a static DUID that comcast was happy with, so I kept getting new prefixes every time it rebooted.
Comcast probably has so few customers that bring their own cable modem/router at this point that they basically don't have any support for this, you won't get anything from them over the phone, they just push you to pay them to rent their equipment (where they configure all these parts the way their network expects.) You have to be adventurous to run your own equipment with IPv6.
Nah. There are lots of things you’ll need to know.
Does it use SLAAC on the WAN side or DHCPv6? How do I get a range for my LAN then, DHCPv6 prefix-delegation? Or maybe it’s statically assigned somehow. Some carriers just use link-local on the WAN, with no public v6, just RAs for the link-local, and a GUA block via IA_PD.
Regardless there are too many ways this is done, and this hampers adoption as it’s not just the “switch it on” operation you suggest.
All of those are handled automatically. The only people who have problems are ones who want to configure manually. More importantly, this is no different than IPv4 where have DHCP or manual.
Nearly every ISP uses DHCPv6-PD because manual configuration is harder. The range is in the DHCP-PD; your router picks a subnet. The WAN address is automatic, and you don't care about it because you never see it. Mine is link-local and I hadn't known until I checked.
You find out the addresses after it is configured automatically. This is no different than IPv4 and DHCP.
If you don't want to use the public addresses internally, then you can assign ULA addresses. If you don't want to use MAC derived addresses, assign them static host addresses.
For names, I use mDNS. I don't know the IPv6 address for my server. If I did need it, I would get it from the router.
Probably the largest barrier to IPv6 adoption is the myriad ways IP allocation to clients can be done and the various options that exist.
It’s fine for mobile providers, where the client activation defines what’s needed and the carrier essentially just needs to support two OSes (iOS and Android).
Also mostly fine for residential when the carrier provides the CPE, and can set it up to work with how they have the network built.
But if you’re managing your own router it can be complex to know exactly what to use. And most ISP support isn’t very good either.
If you happen to be an expert it’s fine, but if you’re a power user not a full time network guy there is still way more complexity than there ought to be.
If you have ATT fiber, it’s a pain in the butt. Their default router will only issue a single passthrough /64 on request. If you have multiple VLANs you have to set up some scripts to ask for more, and even then you only get 8 of them. The gateway reserves the other 8 from the /60 it gets for its own use.
The only way I got IPv6 working well with them was to bypass their gateway. Now all my VLANs have /64, which is the standard subnet size.
I think bypassing their gateway, that is - bringing your own router is the only way to do VLANs, because their gateway is very basic and doesn’t support VLANs at all.
When I moved to an ISP that supported IPv6 earlier this year I ran into niggly problems. Ubuntu failed to update because one of its regional servers was misconfigured. OpenDNS: one of its servers seemed not to be there on a regular basis over IPv6. I also had odd behaviour and latency issues where sometimes IPv6 would fail to route for short periods and it would fail and fall back to IPv4.
It was a painful experience of trying to work out if I had misconfigured it, if it was something to do with my opensource router software or if it was my ISP or the end services. I didn't get to the end of working this out and reporting issues and I just gave up. Due to the intermittent nature of the issues I was facing I never managed to get a report of issues my ISP would accept.
So I'll give it some time and give it a try after a year and see if things have improved, but it was definitely not ready for prime time.
> Don’t blame your provider when they deploy CG-NAT, embrace IPv6 and global routing instead.
In theory this makes sense, but in practice my personal experience is that not a single wireline ISP I've ever seen deploy CG-NAT offered IPv6 service at all, nor did any of them indicate any intent or even interest when asked about it.
The mobile providers on the other hand have almost entirely gone IPv6-first, using 6>4 transition methods as the default form of v4 access which I fully support.
4>4 CG-NAT should never have existed and providers who deploy it without offering fully functional v6 should be shamed.
OpenBSD makes it easy to try IPv6 tunnelbroker.net with NAT64/DNS64 if your ISP only has IPv4 ("one more lab test away.." they say).
This has worked for me well for a couple years. I do use a VLAN to keep the IPv6-only network separate (homelab) from video streamers in the household.
In my pf.conf:
# IPv6 tunnel
block in log on $tun6_if all
block in quick on $tun6_if inet6 from fd00::/8 to any
antispoof quick for $tun6_if
# allowed icmp6
pass in quick log on $tun6_if inet6 proto icmp6 icmp6-type {
unreach, toobig, timex, paramprob, echoreq
}
# MSS clamping 60 bytes less than HE 1480
# 20 byte IPv4 tcp header + 40 byte IPv6 ip header
match on $tun6_if all scrub (random-id max-mss 1420)
Am I missing something? Where's the part where he actually talks about his experience in that week? This goes straight from an overview of IPv6 to the conclusions section.
I'm very surprised by the questions in this thread. There are some extremely basic things people are just not understanding. I suspect people hating on IPv6 have not spent the time with it. There is a difficulty in that it does behave quite differently to IPv4, and the lack of private addresses is also probably a shock.
The basic thing proponents don’t understand is that nobody in their right mind can intuitively understand IPv6 addresses because they look like MAC addresses with trisomy and are a pain in the ass to remember or type for absolutely no benefit to the non-network engineer. And there are infinitely more people with home routers and a few dozen devices than there are people running ISPs, fortune 500s, and data centres. Play with your convolution all you want, in 20 years the rest of us will still be happily assigning 192.168.x.x and ignoring it. V4 space running out is no more the average person's problem than undersea cables or certificate authority.
> nobody in their right mind can intuitively understand IPV6 addresses
If someone can't understand "it's longer" then what is wrong with them?
And using hex instead of decimal for magic computer numbers should be more intuitive, not less.
Also structure-wise the first half is the subnet and the second half is the host. That's much more intuitive than IPv4.
> absolutely no benefit to the non-network engineer
If you do anything peer to peer at all, calls or file transfers or games, there's a benefit. And the typical benefit grows over time as more and more ISPs install CGNAT.
> And using hex instead of decimal for magic computer numbers should be more intuitive, not less.
How? Why is using hex any more intuitive than binary or a md5 hash for anyone who doesn’t do networking for a living?
>If you do anything peer to peer at all, calls or file transfers or games, there's a benefit. And the typical benefit grows over time as more and more ISPs install CGNAT.
Again how? I’ve been doing all of those without issue for nearly 30 years. What measurable benefit does the user see that hasn’t been a solved problem since Windows XP?
Will my teams calls suddenly stop saying “poor network connection” on my 1000/1000 rock solid fibre connection? Will torrents suddenly find more seeds and peers? Will my games… have lower latency? Because I can’t think of another way anything networking related could be solved that wasn’t decades ago.
When you say benefit, it should probably be noticeable or measurable in some way that doesn’t involve dashboards and millions of dollars in rack mounted gear.
> What measurable benefit does the user see that hasn’t been a solved problem since Windows XP?
Things being able to connect, and not having to manually port forward (when that's even an option).
Hole punching is super unreliable with CGNAT.
> Will my teams calls suddenly stop saying “poor network connection” on my 1000/1000 rock solid fibre connection?
I don't know how Teams relays data, but for some services yes that could happen if IPv4 can't make a direct connection.
> Will torrents suddenly find more seeds and peers?
Yes. In a typical torrent an annoyingly small fraction of seeds and peers can receive connections. If you're IPv4-only behind CGNAT, you can't connect to them and they can't connect to you. IPv6 opens up a lot more links.
> Will my games… have lower latency?
It depends on how the game is designed. But some games will have lower latency because they can connect people directly instead of with relays.
>How? Why is using hex any more intuitive than binary or a md5 hash for anyone who doesn’t do networking for a living?
Well, what is the address range for 192.168.0.0/27? That's non-intuitive for a layman as well.
In the end, IP addresses are made for computers, not humans.
And... just FYI,
>Will torrents suddenly find more seeds and peers?
Suggests to me you have absolutely never tried out torrenting under CGNAT. It's painful.
Not a single seeder can _actively_ send the data to you, your client must seek them by itself and it's not uncommon to have only 1-4 seeders connected!
> Also structure-wise the first half is the subnet and the second half is the host. That's much more intuitive than IPv4.
This only applies to /64 blocks, which are by no means standard. For instance, tunnelbroker.net will give you a /48 for free. This means IPv6 addresses are essentially free by the billions, but it's difficult to figure out how big of a block they belong to from the outside.
> intuitively understand IPV6 addresses because they look like MAC addresses with trisomy and are a pain in the ass to remember or type
I have north of 500 IPs I have some relation to. No way I would be bothered to remember them. Typing? Do you type IPv4s all day long? And it's still copy-paste 99% of times.
> for absolutely no benefit to the non-network engineer
Non-network engineers should work with names. And non-engineers don't 'work' with IPs at all. Look at your grandpa - he's typing 'bbc' into the search form in the browser to get to bbc.com.
> nobody in their right mind can intuitively understand IPV6 addresses
And 99% of so called engineers can't understand even IPv4. So this is a moot point.
It's easy to tell someone to connect to something like 203.0.113.88. Many of us here, and also normal folks, have been saying dotted-octets like that for decades, now, and there's a familiar pattern to the way that addresses like this flow off of the tongue.
It's hard to tell someone to connect to 2601:3c7:4f80:1a01:4d2:3b7a:9c10:6f5e. It's literally difficult to say, like saying it is intended to be some kind of test. And on the other end? Sure, we "all" "learned" hexadecimal at some point in school, but regular humans don't use hex so it sounds like missile launch codes (at best) or some kind of sadistic prank (at worst) to them. It reeks of phonic unfamiliarity and disdain.
(This is the part where the DNS folks invariably show up to announce that I'm holding it wrong. And I love DNS; I do. But I'm really not interested in maintaining public DNS for the dynamic addresses at home on my LAN.)
(After that, it becomes time for the would-be abbreviators to appear and tell me that the address for this computer is wrong, somehow, as if I ever had an active part in selecting the address to begin with.)
> It's hard to tell someone to connect to 2601:3c7:4f80:1a01:4d2:3b7a:9c10:6f5e.
If you would like your IPv6 addresses to be more human-friendly, you could use DHCPv6 (in addition to/instead of SLAAC) and end up with addresses like 2001:db8:3c7:4f80::123. Sure, it's 5 groups of e.g. 3-4 hex digits rather than 4 groups of up to 3 digits, but I think it's much easier than your example. You might set your router to use <prefix>::1 and/or fe80::1 (see OpenWRT's ipv6 suffix/ip6ifaceid option).
DNS servers (that you might occasionally have to type into config by hand) tend to have "nice" IPv6 addresses, e.g. Quad9 apparently uses 2620:fe::fe [1].
> But I'm really not interested in maintaining public DNS for the dynamic addresses at home on my LAN.
I think dnsmasq can these days create AAAA records for local machines whose hostnames it learns via e.g. DHCP.
If you have a public server on the internet and your provider gives you a random-looking address using all 128 bits (and no /64 prefix for example) perhaps using (public) DNS is fine.
> After that, it becomes time for the would-be abbreviators to appear and tell me that the address for this computer is wrong, somehow, as if I ever had an active part in selecting the address to begin with
Ok, I'll bite. Why exactly do you not have the ability to select the address?
As a general rule, if you care about an IPv6 address enough that you have to type it in somewhere, you should be assigning it manually, and if you're doing that you can make it a lot friendlier than 2601:3c7:4f80:1a01:4d2:3b7a:9c10:6f5e. The whole second half of the address can be shortened to ::<digit>, where the length of <digit> scales logarithmically to the number of memorable addresses you want in that network.
My network at home uses ULA addresses for everything, and I just use my phone number in the first half, so the address of my router at home is e.g. fd21:2555:1212::1, my NAS is fd21:2555:1212::a, etc. The global (GUA) address is something like 2601:abc:def:1201::a, which isn't that bad.
Hell, if you don't care about the potential of conflicts if you ever merge networks with someone else, you can just use fd00:: as your ULA prefix, and your router can be fd00::1, your NAS box can be fd00::2, etc. Shorter than IPv4 addresses!
> Ok, I'll bite. Why exactly do you not have the ability to select the address?
I never said I don't have the ability. I may; I may not. I myself don't know that one way or the other. It's big ball of mystery to me.
What I did say was I didn't have a hand in that long address; ie, I was not involved in making it that way. I don't know by what mechanism (if any) the long address came to be. I don't know if it was assigned, or selected, or a product of /dev/random, or if it was a combination of these things.
I only know that I didn't choose it, and that the way that it is simply sucks.
> As a general rule, if you care about an IPv6 address enough that you have to type it in somewhere, you should be assigning it manually
Perhaps. But that's a twist that we didn't have with the defacto norm that we landed on in the IPV4 world some decades ago, wherein: A LAN address was dynamic by default, assigned via a local DHCP server, and presented as a dotted octet. The WAN address was also dynamic, and assigned by someone else's DHCP server, and presented as a dotted octet. The two addresses were never related to each other.
And in that world: If I wanted to run a local service for someone else (on the internet) to use right now -- today (maybe not tomorrow or next week, but definitely right now), then all I needed to relay to them was the simple dotted octet that identified my WAN interface.
That part was easy with IPV4.
> and if you're doing that you can make it a lot friendlier than 2601:3c7:4f80:1a01:4d2:3b7a:9c10:6f5e. The whole second half of the address can be shortened to ::<digit>, where the length of <digit> scales logarithmically to the number of memorable addresses you want in that network.
Maybe my occipital lobe is just broken somehow, but it's hard to look at an address like that and quickly discern where the second half of that address even begins. Why am I looking for a half of it, anyway? (From whence is that "half" delineation deduced?)
But, sure. Half of it, for whatever reason that it is half. So 2001:3c7:4f80:1a01::3 can be one system on the LAN and 2001:3c7:4f80:1a01::4 can be another? And these are complete, unique, world-routable addresses that someone else on the world can connect to with the appropriate firewall rules in-place?
But the first half is assigned by my ISP and changed at their whim, right? I can't reliably connect from 2001:3c7:4f80:1a01::3 to 2001:3c7:4f80:1a01::4 even if those two computers are right next to each other on my LAN because tomorrow, the first "half" might change -- correct?
I don't like the idea of my LAN's addressing being dictated by whatever ISP I'm using at the moment. (Spectrum is down, switch to hotspot as backup, and oh lol: the LAN is all different now. IPV4, as-implemented, never did that to me.)
> Hell, if you don't care about the potential of conflicts if you ever merge networks with someone else, you can just use fd00:: as your ULA prefix, and your router can be fd00::1, your NAS box can be fd00::2, etc. Shorter than IPv4 addresses!
I don't even know what ULA means.
But it sounds like ULA means something like RFC 1819 10.x.x.x private addresses, wherein: A person can do whatever they want, and it never touches the Internet so it's fine.
That sounds great, in concept. But now we're back to using private, non-routable addresses? Isn't that the same thing we were seeking to avoid?
How does fd00::3 then communicate with the greater internet? NAT?
edit: And then, how is fd00::3 superior to 10.3 [10.0.0.3] on the LAN?
> then all I needed to relay to them was the simple dotted octet that identified my WAN interface.
Then either you must be one of the precious few people who owns a /24 or something for their house and gives each device a global IPv4 address, or you’re forgetting the part where you have to go to your router and pick a random port to forward, and open it up. Otherwise you don’t just “have” an independent WAN address on each host in your network, like you do with a typical IPv6 setup.
> So 2001:3c7:4f80:1a01::3 can be one system on the LAN and 2001:3c7:4f80:1a01::4? And these are complete, unique, world-routable addresses that someone else on the world can connect to with the appropriate firewall rules in-place?
yes
> But the first half is assigned by my ISP and changed at their whim, right?
like your IPv4 WAN address does, yes
(About ULA)> That sounds great, in concept. But now we're back to using private, non-routable addresses?
like IPv4 yes. But in IPv6 you can have both, a ULA (like rfc1918 addresses) and a GUA (an actual routable address) on the same subnet. It’s fine. Use the ULA for your LAN use cases where you need to use a LAN IP address (bonus, it stays the same even if your ISP changes your prefix) and use the GUA for the rare occasion where you need someone on the other side of the world to talk to one of your hosts. You’re gonna have to poke a firewall rule anyway, so you just pick a decent GUA address while you’re at it ($global_prefix::1, etc.) You can do whatever you want, it’s your prefix (until your ISP changes it.)
> How does fd00::3 then communicate with the greater internet? NAT?
no need, it just has another address for global traffic. Typically one of the really long random ones, that’s what they’re for. (They even change for every external service you talk to.) The long, impenetrable, fully-populated 128-bit address is basically only necessary for privacy (i.e. you intentionally want the address to be meaningless). For anything where you’re persisting an IP somewhere, just pick a better address for it. $prefix::1, whatever. It’s a single ifconfig command even on macOS, ditto Linux. (Windows I have no experience with but I’m sure that too.) Trivial to persist across reboots, etc.
The ISP changing the prefix is a real problem though, and is far too difficult to rely on persisted global addresses for that reason. Using a ULA anywhere you need to configure an IP address locally is the only sane option, and for global addresses it’s simply a huge pain in the ass if you ever get a different prefix.
> edit: And then, how is fd00::3 superior to 10.3 [10.0.0.3] on the LAN?
> There is a difficulty in that it does behave quite differently to IPv4
Which can be fine if you have a /solid/ transition plan to move networks wholesale from v4 to v6. They absolutely failed on this point and almost purposefully refused to carry over any familiar mechanisms to make dual stack easier to manage.
It's a University protocol that escaped into commercial usage based mostly on false fears of global routing table size becoming unmanageable or impossible to store in RAM. The results are absolutely predictable.
In my experience IPv6 has always "just worked" for me in the consumer space. The only difficulty I have found is when implementing it into an existing managed network. Most organisations will not touch it, they're too comfortable with IPv4, unfortunately.
And despite that, the place where I work has disabled ipv6, rendering our development machines useless for trivial tasks such as debugging our iOS app on a device (which uses ipv6 under the hood).
Reasons given: the security policies say ipv6 is not safe enough.
While these articles are useful in understanding the utility of IPv6, what would really help is an article explaining step by step how to configure a home network using IPv6. The tutorial should answer these questions:
- How to ensure there are no collisions in address space? Translates to, how to pick safe addresses, is there a system?
- How do I route from an external network resource to an internal network resource? Translates to, can you provide syntax on how to connect to an smb share? Set up a web service that works without WireGuard or equivalent?
- How does one segment networks, configure a vlan, set up a firewall?
- if you're talking a private/local prefix, you can use tools like this to generate one: https://unique-local-ipv6.com/. Otherwise DHCPv6 and SLAAC will ensure no collisions for the most part.
- Use global/public addresses on all your devices (using something like prefix delegation) or use NAT.
- Same as IPv4. Prefix delegation will let your ISP assign you multiple networks, and then most routers will break these up into /64 networks for each of your VLANs.
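The generator linked above and the phone-number trick a few replies up are two ways of picking a ULA Global ID; RFC 4193 section 3.2.2 specifies a pseudo-random one. As an added example (not code from anyone in the thread), the Python below derives an fdxx::/48 prefix that way and carves per-VLAN /64s out of it. The MAC address and timestamp fed to it are constructed, and the function names are mine.

```python
"""RFC 4193 unique local address (ULA) prefix generation, illustrated.

Added example, not from the thread: derives an fdxx:xxxx:xxxx::/48 prefix the
way RFC 4193 section 3.2.2 describes (SHA-1 over NTP time + EUI-64, keep the
low 40 bits), then picks /64 subnets out of it. Inputs below are constructed.
"""
import hashlib
import ipaddress
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix)


def mac_to_eui64(mac):
    """Expand a 48-bit MAC into a 64-bit EUI-64 by inserting ff:fe in the middle.
    RFC 4193 uses the raw EUI-64 here (no universal/local bit flip)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return octets[:3] + b"\xff\xfe" + octets[3:]


def ntp_timestamp(unix_seconds):
    """64-bit NTP timestamp: 32 bits of seconds since 1900, 32 bits of fraction."""
    whole = int(unix_seconds)
    seconds = (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    fraction = int((unix_seconds - whole) * (1 << 32)) & 0xFFFFFFFF
    return struct.pack("!II", seconds, fraction)


def ula_prefix(mac, unix_seconds=None):
    """Return fd00::/8 + 40-bit Global ID as a /48, per RFC 4193 section 3.2.2."""
    if unix_seconds is None:
        unix_seconds = time.time()
    key = ntp_timestamp(unix_seconds) + mac_to_eui64(mac)
    digest = hashlib.sha1(key).digest()
    global_id = int.from_bytes(digest[-5:], "big")  # least significant 40 bits
    # 0xfd = fc00::/7 with the L bit set, then the Global ID, then 80 zero bits
    prefix_int = (0xFD << 120) | (global_id << 80)
    return ipaddress.IPv6Network((prefix_int, 48))


def ula_subnet(prefix, subnet_id):
    """Select one /64 from the /48 by filling the 16-bit Subnet ID (e.g. a VLAN tag)."""
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet id must fit in 16 bits")
    return ipaddress.IPv6Network((int(prefix.network_address) | (subnet_id << 64), 64))


if __name__ == "__main__":
    # constructed inputs: a made-up MAC and a fixed timestamp, so the run is repeatable
    prefix = ula_prefix("02:00:5e:00:53:01", unix_seconds=1_700_000_000)
    lan = ula_subnet(prefix, 0x10)
    print("ULA /48  :", prefix)
    print("VLAN /64 :", lan)
    print("router   :", lan[1])
```

Hashing a timestamp in is what makes two independently generated ULA prefixes almost never collide, so two networks built this way can later be merged without renumbering; the fd00::/48 shortcut mentioned further up gives up exactly that property.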
> do you just scramble keys when picking an address?
No. Your ISP or tunnel broker gives you a network prefix. Then you configure SLAAC to use that prefix and hand out addresses within it. Job done.
For example, the prefix might look like 2001:470:e904::/48. Your computers can use any addresses you want as long as they start with that prefix. Since you don’t want to manually hand out addresses to every computer, you configure a router to hand out addresses via SLAAC. Your computers will use SLAAC to discover the prefix from the router, then fill in the bottom 64 bits of the address with a random number. They then ask the local network if anyone is using that full address. If not then they are done and have a working address. If somehow someone is using that address then they try again with a different random number. Servers that want a fixed address will just use their network card’s MAC address (or anything similar, if you want) instead of a random number. The protocol is the same either way.
Notice that this actually gives you some bits of your own to play with, if you want. The full address is 128 bits long. The first 48 were used by the prefix and the bottom 64 by the individual devices, leaving 16 bits in the middle. You could tell your router that the prefix for SLAAC is 2001:470:e904:42::/64, for example, and then use the other subnets for other purposes. Maybe 2001:470:e904:beef::/64 is a special subnet just for your meat freezer and associated monitoring equipment. I don't know, you get to make these things up for yourself. Maybe you manage a corporate network that has a separate VLAN for phones than for normal PCs, and a third VLAN for the guest WiFi. You can give them each a different prefix by embedding the VLAN id into the prefix you advertise via SLAAC.
There’s also DHCPv6 if you want even more control over which addresses are handed out, or you want to subdivide your network even more finely. Or if ISPs ever start handing out smaller prefixes.
> If your ISP gives you a static IPv6. Unfortunately in Germany none of the ISP for private users does (last I checked).
Sure, that’s true. But they probably don’t hand out static addresses for IPv4 either. Not without paying extra, that’s for sure. Either way if you want some static identifier for your computer(s) then the solution is the same: DNS.
Of course if you _are_ running a corporate network with a bunch of VLANs like that then you should actually get your own prefix from your RIR rather than from your ISP. Then you purchase IP transit services from your ISP rather than consumer internet access. You can then advertise your prefix(es) via BGP. Again, this is exactly what you would do for IPv4. Same software, same configuration, just longer addresses. The main advantage of this extra work is that you can keep your addresses static even if you move to an entirely different ISP. You can also use the same addresses over multiple connections to multiple ISPs for better redundancy.
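To make the SLAAC walkthrough above concrete, here is an added Python example (mine, not the poster's): it carves VLAN-specific /64s out of the 2001:470:e904::/48 prefix quoted above, forms the host half either from a MAC (modified EUI-64, RFC 4291) or from random bits, and mimics duplicate address detection against a constructed set of addresses already on the link. The MAC addresses and the in-use set are made up.

```python
"""SLAAC address formation, illustrated (added example, not from the thread).

Builds per-VLAN /64 prefixes inside the 2001:470:e904::/48 from the post,
forms interface identifiers the two ways the post mentions, and mimics
duplicate address detection (DAD). All MACs and in-use addresses are constructed.
"""
import ipaddress
import secrets

DELEGATED = ipaddress.IPv6Network("2001:470:e904::/48")  # prefix from the post


def vlan_prefix(delegated, subnet_id):
    """Fill the spare bits between the delegated prefix and /64 with a subnet ID,
    so subnet_id=0x42 gives 2001:470:e904:42::/64 (the post's 'embed the VLAN id')."""
    if delegated.prefixlen > 64:
        raise ValueError("SLAAC needs a /64; the delegation is too small")
    if not 0 <= subnet_id < (1 << (64 - delegated.prefixlen)):
        raise ValueError("subnet id does not fit in the delegated prefix")
    return ipaddress.IPv6Network((int(delegated.network_address) | (subnet_id << 64), 64))


def modified_eui64(mac):
    """RFC 4291 appendix A: flip the universal/local bit of the first octet and
    insert ff:fe between the OUI and the device half. Stable across reboots,
    but it exposes the MAC to every peer, which is why hosts default to random IIDs."""
    octets = bytearray(bytes.fromhex(mac.replace(":", "").replace("-", "")))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    octets[0] ^= 0x02
    return int.from_bytes(bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:]), "big")


def random_iid():
    """64 random bits: how privacy and stable-privacy addresses fill the host half."""
    return secrets.randbits(64)


def solicited_node(addr):
    """ff02::1:ffXX:XXXX, the multicast group DAD probes for a tentative address."""
    low24 = int(addr) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)


def slaac_address(prefix, in_use, iid=None, max_tries=5):
    """Join prefix and IID, then run DAD: a host using a random IID just retries
    on a collision; a host that insists on a fixed IID (EUI-64, a chosen ::a)
    has no fallback and must leave the address unconfigured."""
    fixed = iid is not None
    for _ in range(max_tries):
        candidate = ipaddress.IPv6Address(int(prefix.network_address) | (iid if fixed else random_iid()))
        if candidate not in in_use:
            return candidate
        if fixed:
            raise RuntimeError(f"DAD failed for {candidate}: address already on the link")
    raise RuntimeError("DAD kept colliding; refusing to configure an address")


if __name__ == "__main__":
    lan = vlan_prefix(DELEGATED, 0x42)       # 2001:470:e904:42::/64
    freezer = vlan_prefix(DELEGATED, 0xBEEF) # 2001:470:e904:beef::/64
    in_use = {ipaddress.IPv6Address(int(lan.network_address) | 1)}  # constructed: router at ::1
    server = slaac_address(lan, in_use, iid=modified_eui64("00:11:22:33:44:55"))
    laptop = slaac_address(lan, in_use | {server})
    print(lan, freezer)
    print("server", server, "DAD group", solicited_node(server))
    print("laptop", laptop)
```

Note the asymmetry in the DAD branch: random IIDs make collisions a retry, while an address you picked by hand has to fail loudly, which is one more reason the thread's advice of "assign the addresses you care about yourself" pairs naturally with keeping them short and out of the random range.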
This is a good overview. I think the difficulty with IPv6 is that people rely on all of the crutches invented for IPv4 as features: private addressing/NATing gives you security (it doesn't) and portability (it does), IPv6 usually uses subnets per physical location making failover difficult, whereas IPv4 will use bgp announcements to failover public IPs, etc. I'm not saying one way is better than the other, just that IPv6 is pretty different and people very much have an IPv4 world view.
> But come on! It is a legitimate question, do you just scramble keys when picking an address?
I did give the answer: SLAAC.
> If your ISP gives you a static IPv6. Unfortunately in Germany none of the ISP for private users does (last I checked).
Weird, here in the UK all the ones I've had have given me a static /56. Still, the same answer for that (DDNS) exist as for dynamic IPv4 addresses, you still get the advantage of not having to deal with NAT.
What’s the pragmatic solution to ipv6 allowing everybody in my household to be trivially and stably mapped to a unique subnet? I like the accidental semi-randomization that ipv4 and ISP NAT offered and I don’t see anything like it short of putting my entire home net on a VPN (it’s expensive and can’t keep up with my ISP’s bandwidth)
Each device gets directly addressable from WAN with v6 but it also gets a randomised privacy IP that rotates very frequently so each individual device is just as "hidden" as it was with v4+NAT.
Your v6 subnet prefix is no different than whatever WAN-side v4 your NAT had. "Accidental semi-randomization" of the WAN side IP is not something one could reliably count on. Many ISPs just hand over a static-like IP, that is, even when it's supposed to be random the pool of IPs is so constrained that it's usually the same simply through the IP lease surviving power cycling. And that was before CGNAT.
If your concern is being identifiable through your IP then counting on whatever v4 artifact is the wrong move. Use a VPN with randomised exit nodes.
Everybody in your household is already mapped to a single IPv4 address that rarely changes with most ISPs. Mine hasn't changed in over 3 years. My IPv6 /56 prefix delegation hasn't changed, either.
It’s a little different, but you can use ULAs to have a static subnet with static device addresses.
One of the biggest changes from IPv4 when I enabled IPv6 a while back was that it’s fine and normal to have multiple addresses per interface now. ULAs are not globally routable, so I think of them as LAN addresses. Another option that comes to mind is mDNS, but I think support for that is not as widely accepted.
Global addresses can change, just as your home dynamic IPv4 probably did from time to time.
It's true that you won't get CGNAT without having CGNAT. Depending on your concern, it is possible to NAT66 to make your entire network appear as one IP.
I wish I could switch my network to all IPv6 and use NAT64/DNS64, but Android, the world's most popular OS, purposefully disables DHCPv6. I am forced to support IPv4/DHCPv4 for the foreseeable future to support these broken devices.
Of course after over a decade of denying that Android needs some kind of DHCP in IPv6, it seems that Android may finally be getting some kind of solution:
Holy hell the android dhcpv6 situation is deranged. Been following Mr Colitti’s antics for a while but only just learned of this prefix delegation news. So now I can delegate an entire subnet but can’t just have a regular address. Why oh why can’t we just have a goddamn normal every day dhcpv6 client like every other os on the planet
I can't run SLAAC and DHCPv6 at the same time without giving devices multiple addresses, and Android doesn't support DHCPv6, so I'd have to carve out a separate, SLAAC-based, android-only network. And then figure out firewall rules, multicast reflection, etc.
No control over which source address is used. I'm assigning a lot of clients DHCP reservations so I can use static addresses for monitoring and firewall rules. With multiple addresses on the same network, clients may use their SLAAC address which won't match the firewall rule.
That still doesn’t really make sense. Why not run SLAAC on one subnet and have a single firewall rule for the whole thing? You’re not running any major servers on an Android phone, so it won’t be anything complex.
My point is that they might only be getting 1 /64 from their ISP; or getting a /62 or something small, and needing more subnets anyway. In these situations, you may not have an extra /64 to dedicate to SLAAC for certain devices.
Right. I was merely correcting your statement that SLAAC needs more than 64 bits to work with. But my question remains; do any ISPs hand out smaller delegations than a /64?
I thought this was a problem too. Then I realized that addresses are not in short supply, so I stopped caring that some devices get multiple addresses. The ones I care about are handed out over DHCPv6, and the firewall works accordingly. The rest gets basic connectivity and nothing else.
Different person here, but no. I never write firewall rules based on individual source addresses. They’re too easy to fake. And with IPv6’s privacy extensions, you never know what source address a given machine will have anyway.
I haven’t had a need for DHCPv6. I’d use DNS (or better, mDNS) to assign a hostname to the destination’s fixed IPv6 address or ULA, both of which are static. I don’t ever manually assign an IPv6 address to a host, though. I just let SLAAC do the thing it was designed for.
No. Admittedly, my firewall rules are all about granting something extra beyond the basics. I only do this for clients I care about anyway, so I can always tell them to use the right address.
Android supports DHCPv6, just not stateful DHCPv6. You can give each device its own /64 or if you really want to track a devices usage you should use an authenticated layer on top of your base network.
In my 25 year career in network engineering, I’ve encountered needing it as a user exactly once, and that was earlier this year. Supabase’s free tier allows direct connections to Postgres only over IPv6. It’s too bad the deployment has been a long, drawn-out and expensive process for everyone.
My ISP has good IPv6 support. I was using it for a while and recently disabled it across my home network for simplicity of maintenance, cutting my vyos config in half. When I need to access something not available on IPv4 I'll set it up again but I'm not convinced that will happen in my lifetime.
I feel this doesn’t really address whether we are losing something privacy or security related by not having NAT. I think my main devices are always updated Mac iPhone or iPad and can handle it, but do I really want my thermostat or doorbell or lock or garage door opener or light switch directly accessible on the Internet or is the nat serving a useful purpose? I don’t feel like this is addressed in this article.
> but do I really want my thermostat or doorbell or lock or garage door opener or light switch directly accessible on the Internet or is the nat serving a useful purpose?
You should, but the exposure from having no firewall is much higher without NAT. Packets with private network IPs are martians on the internet and will not find their way to your device unless they come from the same network and the ISP's infrastructure doesn't drop them. IPv6 addresses are routable across the internet so the packets will most likely get to your router, meaning anyone on the internet can talk to your LAN in the absence of a firewall.
The reality is that consumer router firmware is horrible in every aspect, especially security, and this isn't going to change with IPv6 rollout. I fear the most likely scenario is that ISPs will set up inbound firewalls on their end, and then we'll be even worse off than we are right now.
I have firsthand experience doing that experiment about 3 months ago. Completely removed my IP4 DHCP lease from my ISP at the router. About 50% of the public sites I tried to visit didn't resolve. So many public sites, that I gave up and went back to dual stack after just a day. Google, ChatGPT, and a few other popular sites were fine with pure IPv6 traffic, however sites like eBay and even HN did not resolve. IPv6 simply is still not ready for everyone to just transition into overnight.
Depends on your ISP. If you live in a place where there aren't many IPv4 addresses available, CGNAT is the reason you're seeing a lot of Cloudflare/Akamai/Google CAPTCHAs everywhere, and IPv6 fixes that.
Same reasons Northern Europeans had to invent all sorts of fancy food preservation and complex power struggle societies revolving around crop limitations and war.
Meanwhile closer to the equator, much less progress was needed to live and let live.
In short, Americans are native tribes. We have plentiful IPV4 and couldn't care less about SLAAC or whatever other complex moon sun and seasonal tide gods, salted codfish and salt mining operations. We just don't need to care about long addresses, they're plentiful here.
If you want to use the internet, you need an IP address.
You can share that IP address by putting multiple hosts on the same local network and using parts of the transport layer. NAT was invented because of lacking enough addresses.
I don’t think that’s true. But of course it depends how you measure the majority of websites.
Most of the figures I see show 60-70% of the top 100 sites do support it. But maybe that does not reflect your usage.
Why do you need it? Maybe you don’t right now since ipv6 only sites are niche. The most tangible advantage I’ve seen is avoiding CGNAT. Gamers in particular don’t like that because it introduces latency. Services like Xbox live definitely do support ipv6 for this reason.
My previous fibre provider in Ireland was Virgin, and as far as I could tell, it was fully IPV6. Every device in my network got a public address, and self hosting stuff from home was as easy as setting up an A record at my DNS host. No faffing around with port forwarding, proxying, nat bullshit or whatever. My memory is hazy, but there might have been some firewall stuff I had to do on the virgin supplied router.
Tbh though the docker problems are very serious and extremely painful to work around. Everything works great apart from Docker which has so many issues - it does not handle IPv6 inbound but IPv4 out well at all (at least as far as I can tell!).
I need to switch my home network to at least use IPv6 externally, because my ISP recently deployed CG-NAT, which made my SSH server that used to work no longer reachable from outside of my LAN.
I guess it would, but remember there are more services out there than just HTTP(S).
For example the last time I had an IPv6-only host I had issues cloning things from github, as "git clone git@github.com..." failed due to github.com not having IPv6 records.
The workarounds we need to enable P2P communication on the internet are a shame... we need turn, stun, webrtc, all this stuff so two computers can talk without a dedicated port forward or public ipv4.
ipv6 is a beautiful protocol, (not perfect, but elegant) with a lot going for it. But the momentum of ipv4 is just too strong.
It's a mess... with no good solution. I tried to turn off ipv4 and github (shame on you) stopped working. But what are we supposed to do? Have the government mandate everyone switch? (oh wait half of US government websites are ipv4 only)
AWS doesn’t offer PTR records for IPv6 addresses, which makes Gmail blacklist my email server’s IPv6 address. I had to disable IPv6 due to lack of PTR records.
The IPv6 spec looks long because it also includes protocols that are separate on IPv4 (DHCP/SLAAC, NDP, depending on the document ICMPv6, mirroring DHCP, ARP, ICMP, NetBIOS, etc.), as well as the addressing schemes that were different RFCs in IPv4 such as multicast/unicast/network classes/subnets.
As for the implementation: just about anything more powerful than an ESP32 has the entire protocol implemented and running already.
I'm typing this on a computer running Android, which means it doesn't support DHCPv6. I would describe it as supporting a subset of IPv6 functionality.
I suppose that could be annoying, but technically DHCPv6 is not part of the IPv6 specification just as the original DHCP was not part of the original TCP/IP specification.
Well, we'll have to see what all the "in-between" bits do. There's a lot in it, that will require implementation by countless layers of routers, switches, caches, firewalls, etc.
Look at Bluetooth, for an example, or TIFF.
I printed out the Bluetooth spec once, just for Ss and Gs. It was over 2,000 pages (double-sided).
I once tried writing a fully-compliant TIFF reader. Didn't go so well.
Those all support IPv6 too. They’re the same computers, and they’ve all supported IPv6 for decades now. The IPv6 spec is a lot shorter than the spec for Bluetooth or TIFF.
Apple requires that all iOS apps on the store function on an IPv6-only network (which is how several large mobile phone networks work), and everything works fine on the application layer.
Huh. I believe that, but didn’t know it (I write apps for Apple kit). I have done low-level networking stuff that would definitely have run into issues, but that was over ten years ago. These days, I rely on the upper layer of the stack.
I really should try an exercise like the one the author did. I’m not necessarily against IPv6, but I’m still a bit skeptical of it. We’ll likely be forced into it, as there’s no alternative, but that’s not exactly a ringing endorsement.
My carrier (NTT docomo in Japan) only provides IPv6 to the end device. Access to IPv4 servers is through DNS64/NAT64, where their DNS server rewrites any DNS response that has an IPv4 in it to [64:ff9b::(the IPv4)] which gets handled by a CGNAT gateway. So anything that looks up a server over DNS and connects to that works fine, but any hard-coded IPv4 address does not.
I presume Apple's requirement is there so that all apps work on carriers like this.
The only times I've run into issues is when tethering and forgetting I can't ping an IPv4, or trying to tether a Nintendo Switch (which does not support IPv6).
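The DNS64/NAT64 rewriting described in this comment, worked through as an added example (not code from the page or from any carrier): the resolver embeds the IPv4 address in the low 32 bits of the 64:ff9b::/96 well-known prefix, the gateway reverses it, and a hard-coded IPv4 literal never passes through the resolver, so nothing rewrites it. The zone data and the `.example` names are constructed; the addresses are RFC 5737 / RFC 3849 documentation ranges.

```python
import ipaddress

# RFC 6052 well-known NAT64 prefix named in the comment above. A carrier may use its own
# /96 instead; the arithmetic is identical as long as the prefix is a /96.
NAT64_WELL_KNOWN = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize_aaaa(ipv4: str, prefix: ipaddress.IPv6Network = NAT64_WELL_KNOWN) -> str:
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix, which is what a
    DNS64 resolver does when it turns an A record into a synthetic AAAA record."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 NAT64 prefixes are handled in this example")
    v4 = ipaddress.IPv4Address(ipv4)
    # Simplified exclusion list: a real DNS64 (RFC 6147) refuses more ranges than this.
    if v4.is_loopback or v4.is_link_local or v4.is_multicast or v4.is_unspecified:
        raise ValueError(f"refusing to synthesize an AAAA for {ipv4}")
    return str(ipaddress.IPv6Address(int(prefix.network_address) + int(v4)))


def extract_ipv4(ipv6: str, prefix: ipaddress.IPv6Network = NAT64_WELL_KNOWN):
    """Inverse mapping, as the NAT64 gateway performs it: recover the IPv4 literal from a
    NAT64-mapped address, or return None for a native IPv6 address."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF))


def dns64_answer(name: str, records: dict,
                 prefix: ipaddress.IPv6Network = NAT64_WELL_KNOWN) -> list:
    """Model the resolver behaviour described above: a name that already has AAAA records
    is returned untouched; a name with only A records gets synthetic AAAA records.
    `records` maps a name to {"A": [...], "AAAA": [...]} (constructed test data below)."""
    rrsets = records.get(name, {})
    if rrsets.get("AAAA"):
        return list(rrsets["AAAA"])
    return [synthesize_aaaa(a, prefix) for a in rrsets.get("A", [])]


def reachable_from_v6_only(target: str, records: dict) -> bool:
    """Why the hard-coded literal in the comment fails: a hostname can be answered by
    DNS64, an IPv6 literal is reachable directly, but a bare IPv4 literal never goes
    through the resolver, so an IPv6-only host without 464XLAT has no route to it."""
    try:
        ipaddress.IPv4Address(target)
        return False  # IPv4 literal: no DNS lookup happens, nothing gets rewritten
    except ipaddress.AddressValueError:
        pass
    try:
        ipaddress.IPv6Address(target)
        return True  # native IPv6 literal, no translation needed
    except ipaddress.AddressValueError:
        pass
    return bool(dns64_answer(target, records))


# Constructed zone data using documentation addresses (RFC 5737 / RFC 3849).
SAMPLE_RECORDS = {
    "v4only.example": {"A": ["198.51.100.7"]},
    "dual.example": {"A": ["198.51.100.8"], "AAAA": ["2001:db8::8"]},
}

if __name__ == "__main__":
    print(dns64_answer("v4only.example", SAMPLE_RECORDS))          # ['64:ff9b::c633:6407']
    print(extract_ipv4("64:ff9b::c633:6407"))                       # 198.51.100.7
    print(reachable_from_v6_only("198.51.100.7", SAMPLE_RECORDS))   # False
```

The same functions are handy on an IPv6-only network for triage: if a failing connection's destination is inside your carrier's NAT64 prefix, the problem is on the translation path rather than in native IPv6 routing.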
If your low-level networking code (I assume you mean BSD sockets here) is correct, it shouldn't even need to be aware of v4 or v6. The BSD socket API is designed so that the addresses are in an opaque data structure that you just pass around.
Back when, I did BSD sockets stuff, but generally stay above that, these days.
You're right, and that's my plan.
I have heard, however, that quite a few folks stuck their oars into the IPv6 spec process. I've seen that kind of process before, and the end result can be ... less than ideal ...
> It's unfortunate, but IPv6 doesn't really solve any problems for a home user.
CG-NAT and strict NAT in general. Newer ISPs often force users onto CG-NAT, and my consoles have had numerous issues with NAT in general over the years. ISP routers also often make fixing this an opaque or impossible problem for the user.
I don’t think IPv6 is the best thing ever, but I do think it solves the problems IPv4 did along with some annoying issues IPv4 struggled with.
It does make it easier. IPv6 pinholes are simpler than port forwarding. My IPv4 is not static but my IPv6 prefix is. So I don’t need dynamic DNS. I have no IPv4 port forwards, instead I run snid on a VPS to support legacy internet clients and call it a day.
So you basically have a cloud server and a domain with a wildcard record, and you then forward IPv4 through IPv6?
I think this somewhat proves my point that IPv6 doesn't solve much for self-hosting. You still need some kind of working IPv4 setup. You are using IPv6 in place of either a reverse proxy or something like tailscale, which I suppose is more convenient.
the reason why I explicitly disable ipv6 cause "this shit don't work" (at the moment, will probably change in the future)
- random slowdowns
- horrible routing
- larger packet overhead
- hated by a lot of the people who run the internet
- hated by companies who provide ddos protection
- my poor TCAM cache in my budget routers
- supporting ipv6 is really expensive in chassis routers
However, I believe there is a solution:
Swap ISP's to IPv6 only, swap to IPv4 unless there is an IPv6 route present then directly forward. This solves quite a few issues: Once every ISP has IPv6 you can drop ipv4 and swap directly to ipv6 without having to split your TCAM. This works because IPv6 can encode IPv4 in it.
Hot take: IPv4 might be technically worse, but it's "politically" (in the classic sense of the word) better.
IPv6 essentially enables "universal internet IDs" for every device, which could streamline a lot of things, but enable a lot of weird surveillance/power balance issues that the cruft of IPv4 is actually incidentally helping guard against.
Again, I'm old enough to remember when e.g. the ISPs were going to try to charge per device in each household.
This hasn’t been the case in decades, every OS defaults to randomly generating the trailing 64 bits of your address and cycling through new addresses periodically. Your IPv6 address is only fixed to your device if you choose to configure it that way.
Since the network half (leading 64 bits) is as fixed as your IPv4 address was, and the host half is random and constantly changing, an IPv6 address is exactly as uniquely identifying as an IPv4 address used to be.
I’m surprised how many technically knowledgeable people on Internet forums still think IPv6 is some niche, unreliable thing.
In my direct experience, in the USA, at least Spectrum, AT&T, and Xfinity (Comcast) still run IPv4, of course, but they also have IPv6 working and on by default on their home internet offerings.
All mainstream computer and mobile OSes support it by default and will prefer to connect with it over IPv4.
‘Everyone’ in many areas is using it. For many of us, our parents are using Facebook and watching Netflix over it. Over 50% of Google’s American traffic is over it. It just works.
T-Mobile, a major phone provider, runs an ISP which is IPv6 only. That is, your phone never gets an IPv4, unless connected to WiFi. They offer home access points with a 5G modem and a router; the external address is also IPv6 only.
It works plenty well. I access everything accessible via IPv6, and the rest through their 464XLAT, transparently.
My LAN still has IPv4, because some ancient network printers don't know IPv6. OpenWRT on my router supports IPv6 just fine. Of course I do not expose any of my home devices to the public internet, except via Wireguard.
Ironically there's T-Mobile Business which is static IPv4 only.
Not here in Germany - our T-Mobile Business access only gets a static IPv6 and our main fiber uplink from Telekom (same provider) gets both.
I suspect it's an acquired property with a sufficiently separate network.
If the service area is the same, it's probably tunneled. You'd be surprised how much tunneling ISPs use. They're not connecting your network directly to their network.
Well, for some value of "just works".
For example, I recently attended the IETF meeting in Montreal, which offers a by default v6-only network. My Mac worked fine, but my son's school-issued Chromebook had glitchy behavior until I switched to the network that provided v4.
Sounds like exactly the sort of thing the IETF's IPv6-only network is trying to shake out.
I went to IETF a few years ago and ran into issues on their IPv6 only network because I host some stuff from home, and my residential ISP doesn't support IPv6 at all. It made me really want to get all that fixed.
My problem with IPv6 is that my ISP (Xfinity) won't give me a static prefix, so every now and again it changes.
Unlike IPv4, my LAN addresses include the prefix, so every time they change it, all my LAN addresses change.
Combined with the lack of DHCP6 support in many devices, this means reverse DNS lookups from IP to hostname can't be done, making identifying devices by their IP essentially impossible.
I think you’re conflating multiple things there. There’s nothing magical about IPv4 that gives your LAN addresses stability when your ISP changes your IP prefix. That’s provided by your router doing network address translation. You send a packet from your address which is 192.168.0.42 (a local address), and your router changes the bytes in the packet so that it comes from X.Y.Z.W (your router’s public address). If you really wanted it to your router could do the same thing for IPv6.
IPv6 also has local addresses, but a lot more of them. Anything starting with fd00::/8 is a local address with 40 bits available as the network number. So you can set up your local network with the prefix fdXX:XXXX:XXXX::/48 (where the Xs are chosen randomly) as the prefix and still have 16 bits left over for different subnets if you want. These addresses do not change when your ISP changes your public prefix.
And if you want to add reverse dns for SLAAC addresses then just have your router listen for ICMPv6 Neighbor Announcement addresses and use them to update your DNS server as appropriate. Or configure your servers to use stable addresses based on their MAC address rather than random addresses (which are better for privacy), and then just configure the DNS as you add and remove servers.
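An added audit helper (not code from the page or from any of the commenters) for the two address-structure points made in this thread: the earlier observation that the leading 64 bits identify the network while the host half is random and rotating, and this comment's suggestion of stable, MAC-derived addresses for servers. It splits an address into its /64 prefix and interface identifier and reports whether the identifier has the modified-EUI-64 shape that encodes a hardware address. Addresses and MACs below are constructed documentation values.

```python
import ipaddress

IID_MASK = (1 << 64) - 1


def split_address(addr: str):
    """Return the /64 network half and the 64-bit interface identifier (IID)."""
    n = int(ipaddress.IPv6Address(addr))
    prefix = ipaddress.IPv6Network(((n >> 64) << 64, 64))
    return prefix, n & IID_MASK


def mac_to_eui64_iid(mac: str) -> int:
    """Modified EUI-64 per RFC 4291 Appendix A: insert ff:fe in the middle of the
    48-bit MAC and flip the universal/local bit (0x02 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(eui, "big")


def eui64_iid_to_mac(iid: int):
    """Reverse the mapping: if the IID carries the ff:fe marker, return the MAC it
    encodes, else None. A random IID hits the marker with probability 2^-16, so this
    is a strong hint rather than proof."""
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:8]
    return ":".join(f"{x:02x}" for x in mac)


def classify(addr: str) -> dict:
    """Which half of the address identifies the network, and does the host half
    leak a hardware identifier? 'opaque' covers random/temporary addresses and
    RFC 7217 stable-privacy addresses alike."""
    prefix, iid = split_address(addr)
    mac = eui64_iid_to_mac(iid)
    return {
        "prefix": str(prefix),
        "iid": f"{iid:016x}",
        "iid_kind": "eui64" if mac else "opaque",
        "mac": mac,
    }


def same_network(a: str, b: str) -> bool:
    """Two addresses sharing a /64 are as linkable as two packets from one IPv4 NAT
    address: rotating the IID hides the device, not the household."""
    return split_address(a)[0] == split_address(b)[0]


if __name__ == "__main__":
    # Constructed: a server whose IID was derived from MAC 00:11:22:33:44:55, and a
    # privacy-extension address on the same /64.
    print(classify("2001:db8:1:2:211:22ff:fe33:4455"))
    print(classify("2001:db8:1:2:a1b2:c3d4:e5f6:789"))
```

Running `classify` over the output of `ip -6 addr` on your own hosts shows which of them still expose an EUI-64 identifier (stable, but it follows the device across networks) and which use opaque identifiers; for servers that need a stable name, an RFC 7217 stable-privacy address gives stability within one network without carrying the MAC.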
Keep in mind the WAN AND LAN preferences associated.
what servers?
The things on your LAN that you're connecting to via DNS and IP, which cause the desire to have stable LAN IPs in the first place.
That's what DNS is for... to not need to remember or know numerical addresses.
And DNS is easier to set up if the IP doesn't change constantly.
This conversation is going in circles.
If you're doing your DNS properly it's not really that difficult. If you're statically defining all your DNS you're doing it wrong.
Okay, how do I properly set DNS so it tracks the changing public addresses of my desktop and printer? And I'd better still be able to use SLAAC.
You register addresses based on Router/Neighbor Advertisements in NDP. In your RA, you'd point it to your DNS server, which would then handle registration when hosts check in with their new IP addresses.
Which dns server supports this kind of dynamic dns in practice?
Wow look, DNS has the solutions!
How, exactly, pray tell, is "properly"?
> Unlike IPv4, my LAN addresses include the prefix, so every time they change it, all my LAN addresses change.
Yes, a topic of active discussion at the IETF. See perhaps BCP RFC 9096, "Improving the Reaction of Customer Edge Routers to IPv6 Renumbering Events":
* https://datatracker.ietf.org/doc/html/rfc9096
And informational RFC 8978, "Reaction of IPv6 Stateless Address Autoconfiguration (SLAAC) to Flash-Renumbering Events":
* https://datatracker.ietf.org/doc/html/rfc8978
A few drafts, like "Improving the Robustness of Stateless Address Autoconfiguration (SLAAC) to Flash Renumbering Events":
* https://datatracker.ietf.org/doc/html/draft-ietf-6man-slaac-...
Using ULA seems to be what a lot of folks recommend:
* https://en.wikipedia.org/wiki/Unique_local_address
you should advertise a local prefix (anything in fd00::/8) in your network and it should just work. no need to use the isp-provided prefix for lan.
There are some address source selection problems if you're still using any ipv4 for the local services https://blog.ipspace.net/2022/05/ipv6-ula-made-useless/
Are those problems? If either addressing method works and is reachable, who cares which one end up getting used first?
For IPv6, multiple addresses on an interface is the norm: an interface has both a public address from your ISP (replacing IPv4 NAT) and a unique local address (replacing stable IPv4 RFC 1918 LAN addresses).
My ISP will route as many /64s to me as I want (I think I get a /48 by default, I guess if I want more than 64k subnets I’d have to justify it)
So I don’t have the changing ip issue. I do however have an issue if I want to change ISP as it’s a whole mess of rules to update rather than a couple of dns entries and two dst nat rule (one per public IP)
I believe the idea in v6 is to have multiple prefixes on the same network - including a local fc00::/7 one for local services. Layers and layers of things to break.
Odd.
Using Openwrt which pretty much all home routers are built on, all I have to do is tell my router which offset to give my subnets from the prefix and it does the rest.
Both for subdividing up the prefix from the ISP and my ULA prefix I use for internal devices.
I have changed ISPs I think 3 times with no ill effects. Plus it works when my ISP occasionally gives me a new prefix.
The only tweaking I had to do was when I went from an ISP that gave me a /48 to one that only gave me a /56. I had been greedy and was handing a /56 to my internal router. I changed that to a /60 and updated its expectations about which subnets it could hand out and all was good.
But I expect two layers of home routers without NAT is a bit of an exception.
Use a ULA (unique local address) for everything internal that you want shorter. It's just like rfc1918 addresses except you don't need NAT.
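The ULA and prefix-carving steps discussed across these comments (generating an fd00::/8 prefix with a random 40-bit Global ID, carving /64s out of a delegated prefix by offset the way the OpenWrt setup above does, and refusing the over-greedy /56-from-a-/56 delegation mentioned earlier) as one added example; it is not the page's or OpenWrt's code. The Global ID below is drawn from a CSPRNG rather than RFC 4193's SHA-1 recipe, and all fixed values are constructed documentation addresses.

```python
import ipaddress
import secrets

ULA_LOCAL = ipaddress.IPv6Network("fd00::/8")   # RFC 4193 with the L bit set: locally assigned
ULA_BLOCK = ipaddress.IPv6Network("fc00::/7")   # the whole ULA range; fc00::/8 is not yet defined


def generate_ula_prefix(global_id=None) -> ipaddress.IPv6Network:
    """Build an RFC 4193 /48: fd | 40-bit Global ID | 16-bit subnet field.
    A random Global ID keeps two networks that later get joined (VPN, merger) from
    colliding, which is the reason not to just use fd00::/48 everywhere."""
    if global_id is None:
        global_id = secrets.randbits(40)
    if not 0 <= global_id < (1 << 40):
        raise ValueError("Global ID is a 40-bit value")
    base = int(ULA_LOCAL.network_address) | (global_id << 80)
    return ipaddress.IPv6Network((base, 48))


def is_ula(addr: str) -> bool:
    """True for locally assigned ULA (fd00::/8) only."""
    return ipaddress.IPv6Address(addr) in ULA_LOCAL


def subnet(prefix, offset: int, length: int = 64) -> ipaddress.IPv6Network:
    """Carve subnet number `offset` out of a delegated or ULA prefix, which is what an
    OpenWrt per-interface prefix offset does. Refuses offsets the prefix cannot hold."""
    net = ipaddress.IPv6Network(prefix)
    if length < net.prefixlen or length > 128:
        raise ValueError(f"cannot carve a /{length} out of {net}")
    count = 1 << (length - net.prefixlen)
    if not 0 <= offset < count:
        raise ValueError(f"{net} holds only {count} /{length} subnet(s); offset {offset} is out of range")
    return ipaddress.IPv6Network((int(net.network_address) + (offset << (128 - length)), length))


def static_host(net, host_id: int) -> ipaddress.IPv6Address:
    """Short, memorable static address: subnet + small host id (::1 router, ::2 NAS, ...)."""
    n = ipaddress.IPv6Network(net)
    if not 0 < host_id < n.num_addresses:
        raise ValueError("host id outside the subnet")
    return ipaddress.IPv6Address(int(n.network_address) + host_id)


if __name__ == "__main__":
    ula = generate_ula_prefix()                     # random; printed value differs each run
    lan = subnet(ula, 1)                            # subnet 1 of the ULA /48 for the LAN
    print(ula, lan, static_host(lan, 2))
    print(subnet("2001:db8:ab00::/56", 0xf, 60))    # /60 number 15 of a /56 delegation
```

The `subnet` check is the part worth keeping: a downstream router that expects a /56 from a /56 delegation cannot get a second one, and a /60 gives it 16 /64s, which is exactly the adjustment described in the comment above.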
Well.. that's because with ipv6 you're not technically on a lan everything is exposed by default unless you set it all up differently.
Nope, you're on a LAN, and usually the router has a firewall that blocks inbound connections by default. Some OSs (like Windows) also have their own by-default firewalls that block connections from hosts on different networks out of the box.
Is reverse dns even a thing outside of irc and forgetting to give command line tools the "don’t be slow" flag?
If you run a traceroute with DNS on, that is referencing DNS PTR records of those IP addresses.
(same for ping)
Urgh I wish it were like that here in Australia! We have a fast, modern fiber internet connection in inner Melbourne. But my ISP still doesn't support IPv6 at all. I file a ticket about once a year, and I'm always met with more or less the same response - essentially that there's no demand for it.
I'd love to test all the internet services I host to make sure everything works over IPv6, but I can't. At least, not without using a 4to6 relay of some sort - but that adds latency to everything I do.
I just checked - apparently my ISP is "evaluating IPv6" because they're running out of IPv4 addresses and want to use CGNAT for everyone. I suppose it's not the worst reason to switch to ipv6. But they've been making excuses for years. I really wish they'd get on with it.
Myeah... I've had weird issues on my network that I could only resolve by disabling IPv6. Granted, it's probably my fault, but if everything still works fine with ipv4 that's fine to me. One day I will get into it and learn how it works and maybe I'll get it figured out... One day...
Random guess: PMTUD? Like on v4, some people fuck up their PMTUD and are incapable of realizing or fixing it, so you have to have some kind of workaround.
If setting your client machine MTU to 1280 (`ip link set mtu 1280 dev eth0` or equivalent) magically fixes it, that's your problem.
Corporate laptop won’t work (their version of windows seems to require an ipv4 address on an interface, not sure if that’s a windows thing or a them thing)
Doesn’t remove the need for nat - my wired ISP might be able to bgp with me, but my backup 5g won’t, and when I want to choose which to send my traffic through with PBR that means natting.
My router doesn’t support 64, so I have to use my isp’s which is speed constrained compared with native 4. Ok that’s on my setup. Haven’t tested my 5g provider and where 64 occurs, I’d hope in their network, but how do I configure my dns64.
Still need to provide v4 at the edge and thus 46 nat so I can reach internal v6 only servers from v4 only locations
Perhaps lots of that is because my router doesn’t do 64, but again that just shows that v4 is still essential. I haven’t found a single service that’s v6 only, so if I have to run a v4 network (even if only as far as a 64 natting device) why bother running two networks, double the opportunity for misconfiguration and thus security holes. Enabling dual v6 on my IoShit network would allow more escape routes for bad traffic, meaning another set of firewall rules to manage. Things like SLAAC make it harder to work out what devices are on the network, many end user devices are user hostile now and keeping control of them on v4 alone is less work than in v4 and v6.
> Doesn’t remove the need for nat - my wired ISP might be able to bgp with me, but my backup 5g won’t, and when I want to choose which to send my traffic through with PBR that means natting.
Yes, it does. You just have each of your routers (wired and 5G) advertise the /64 prefix delegated by each of your ISPs. Your hosts will self-assign a v6 address from each prefix.
To control which link the traffic uses, you just assign router priority in the router advertisement (these are all standard settings in radvd.conf).
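The radvd.conf settings this comment refers to, as an added example (not configuration from the page or from radvd's documentation): each router advertises only the prefix its own ISP delegated, and the Router Advertisement default-router preference steers hosts toward the wired link. Interface names and the 2001:db8::/32 prefixes are assumed placeholder values; substitute the delegated prefixes.

```conf
# radvd.conf on the wired router (assumed interface name: eth0)
interface eth0
{
    AdvSendAdvert on;
    AdvDefaultPreference high;      # hosts prefer this router as their default gateway
    prefix 2001:db8:a::/64          # prefix delegated by the wired ISP (placeholder)
    {
        AdvOnLink on;
        AdvAutonomous on;           # SLAAC: hosts self-assign an address from this prefix
    };
};

# radvd.conf on the 5G backup router (assumed interface name: eth0)
interface eth0
{
    AdvSendAdvert on;
    AdvDefaultPreference low;       # used only while the wired router is not advertising
    prefix 2001:db8:b::/64          # prefix delegated by the 5G ISP (placeholder)
    {
        AdvOnLink on;
        AdvAutonomous on;
    };
};
```

`AdvDefaultPreference` only influences which router a host installs as its default route; the source address a host picks for a given destination is decided separately by its source address selection rules, so a host can still send a packet sourced from the 5G prefix through the wired router. Without per-prefix policy routing on the routers, that packet leaves via an ISP that will not accept the other ISP's source address.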
> Things like SLAAC make it harder to work out what devices are on the network
Again, not true. If you really don’t trust your devices, then DHCP isn’t going to save you. Malicious hosts absolutely can self assign an unused v4 address, and you’ll be none the wiser if you just look at your DHCP leases.
> Yes, it does. You just have each of your routers (wired and 5G) advertise the /64 prefix delegated by each of your ISPs. Your hosts will self-assign a v6 address from each prefix.
> To control which link the traffic uses, you just assign router priority in the router advertisement (these are all standard settings in radvd.conf).
Have you done this? Did it actually work for you?
When I tried it, clients would regularly send to router B with an address from router A, and often ignore the priorities. As I understand the RFCs/client behavior, the router priority field is only relevant if multiple prefixes are in a single advertisement, otherwise most recent advertisement wins.
Once you need to aggregate the advertisements, you may as well NAT66, cause it will be easier.
>their version of windows seems to require an ipv4 adddess on an interface
Could be DirectAccess. Microsoft's earlier built-in VPN solution before Always On VPN. DirectAccess works only with IPv4 inbound so you can't use IPv6 only stack. Under the hood it uses a combination of v4-v6 transition and translation protocols, but it still requires the Windows client machines to have IPv4 addresses.
If you can run PowerShell commands on the laptop and if "Get-DnsClientNrptPolicy" returns some DirectAccessDnsServers then it's DA laptop.
For consumer traffic, you're probably right. In data centers, cloud computing, and various enterprise networking solutions, IPv4 is still king. I'm sure IPv6 would work fine in all these use cases, but as long as many large tech companies are not exhausting the CIDR ranges they own (or can opt for using private ranges) there is no impetus to rework existing network infrastructure.
> cloud computing
Nope. Large scale DCs are IPv6 only underneath, exascalers like Google and Meta have stated that multiple times. I.e. https://www.youtube.com/watch?v=Q3ird3UDnOA also see various NANOG talks https://www.youtube.com/@TeamNANOG/videos
The underlay might be v6, but that doesn’t change the fact that people heavily use v4 for the actual workload traffic (i.e. the cloud computing part). EC2 VPCs still default to v4 only last time I checked.
Hyper scalers != cloud computing.
A great many home ISPs are also IPv6 only, and tunnel your IPv4 packets.
What about Amazon?
I had working IPv6 in the past, but currently I seem to have no working IPv6. Using Xfinity. I have access to some servers at a friend's place in another city, pretty sure he also doesn't have IPv6. Maybe some phone calls would sort it out, but when "everything" still works (with IPv4), it's hard to care.
That is really bizarre, because I have Comcast and I find their IPv6 support excellent. The only complaints I have are that I wish you could get bigger than a /60 prefix (a /56 would be nice), and that I wish it was feasible to get a static prefix as a residential customer. Granted you said you don't really care to fix it, but if that ever changes I do think you could get them to fix it pretty easily. IPv6 is one of the things they generally do right.
Curious what you’re doing that requires more than 16 SLAAC-enabled subnets (or a lot more non-SLAAC enabled subnets)
CenturyLink, an ILEC, only offers IPv6 using 6rd gateways. The IPv6 throughput is a fraction of IPv4 and has much higher latency. During peak times, the 6rd gateway saturates, forcing me to stop advertising the prefix to restore internet access. It has been this way for years.
It is also impossible to report IPv6-specific outages. CenturyLink technical support is the worst of the worst, with agents utterly incapable of doing more than pushing a "check ONT" button on their end and scheduling a technician visit with a multiday window. If you ask them for the 6rd configuration information, they act like you're speaking an alien language.
Even among their technicians, IPv6 knowledge is rare. Imagine the guy installing hundreds of dollars of gigabit fibre equipment at your demarc staring at you like an idiot because you spoke two extra syllables between "IP" and "address". I'd think the term "IPv6" is chatbot poison if it weren't for the fact it's a human physically in front of me.
The result is their service is effectively IPv4-only.
I had CenturyLink CPE that would crash when a fragmented IPv6 transited it. That was fun :P. They're also all in on PPPoE and at least on my VDSL2 line, didn't enable RFC 4638 (baby jumbos) to get back to MTU 1500. Pretty happy to be on muni fiber now (although the installation cost was huge).
Ya my router has to do tagged PPPoE through the ONT even though I pay for a static /28. At least I don't have to also do RIP for the subnet like Xfinity requires.
Interestingly, if I pay for their IPTV service the internet side becomes a bare ethernet port over which I can do DHCP for the upstream interface and number the downstream subnet out of my /28.
I have debated paying for TV service as a sanity fee.
Ah, good ol’ CenturyLink: “We put the TTY in TTY.” Be happy it’s not IPv4 over telegraph.
"I'm surprised how many technically knowledgeable people on Internet forums still think IPv6 is some niche, unreliable thing."
Where can we read some examples of this
I've read commentary about pros and cons of IPv6 over the years but never anything that suggested IPv6 was "niche" or "unreliable"
NB. The requests is for examples that inspired the quoted statement
In order to have inspired the quoted statement these examples would have to be found in forum comments published before the quoted statement was made
Comments made in response to, i.e., after, the quoted statement would not qualify
The comment from phil21 directly above yours calls IPv6 unreliable.
It is for many.
There are some obvious caveats that make ipv6 migration impossible for most users: 1. Ipv6 bridges are not practical at scale which means best case is dual use protocols for a decade (or more) which no one wants to support.
2. Actual implementation MUST be ubiquitous (it never will be) some examples - glo fiber in Virginia, and while I can get pfsense assigned an ipv6 address, there is usually no upstream gateway (meaning that if I disable IPv4, I will not have internet). I say usually because of four times I've checked, once I did get assigned a gateway which was unresponsive even to icmp.
Starlink roam - assigns ipv6 but no bridge so if you disable v4 you lose access to most internet.
Frontier FiOS in Florida - does not support ipv6 at all on my node. I have seen business nodes in Orlando/Tampa assign addresses with bridging but again, without browser or dns translation it's not a practical solution.
3. 'Everyone' is not using ipv6, everyone plugs in or logs into a device that has whatever network stack it has. Those users are not suddenly going to jump through hoops simply to avoid CGNAT and get a unique network address
4. Infrastructure; I have two modest half racks on the east coast at decent sized datacenters (esolutions and peak10), neither of those hosts offer ipv6 routing blocks by default. No provider I have gotten quotes for offers ipv6 by default
I'm in Europe. My country ISPs have actually too many ipv4 addresses so zero ipv6 support at any of them.
Well, for some value of "just works".
For example, I recently attended the IETF meeting in Montreal--practically the epicenter of v6 thinking--which offers a by default v6-only network. My Mac worked fine, but my son's school-issued Chromebook had glitchy behavior until I switched to the network that provided v4.
It’s still a pain to manage ipv6 AWS infrastructure via Terraform.
I'm "niche" - but I had issues with Wireguard being able to connect me through ipv6 to a v4 - other than that I spent most of my time on v6 and as you said it just works
> It just works.
Until you want to like, use GitHub.
There is a clean bifurcation between just works and Microsoft compatible.
I don't like how these companies dictate standards. It's always the case, but they do spend a great deal of money making sure practices morph into standards.
they figured out the "de facto standard" game...
for example:
Microsoft Word DOC. Due to the market dominance of Word, it is supported by all office applications that intend to compete with it, typically by reverse engineering the undocumented file format. Microsoft has repeatedly internally changed the file specification between versions of Word to suit their own needs, while continuing to reuse the same file extension identifier for different versions.
https://en.wikipedia.org/wiki/De_facto_standard
Whoa! Did you see where those goalposts went?
Presumably, they were working before Microsoft came up and they needed to be embraced, extended and extinguished.
https://en.wikipedia.org/wiki/Embrace,_extend,_and_extinguis...
Your goalpost already moved from "IPv6 just works" to "IPv6-only just works" though. ;)
In all seriousness, I have IPv6 enabled and GitHub works just fine for me. Though at a slower speed sometimes because the IPv4 CGNAT is heavily congested in my area.
If you count that as IPv6 just working, sure.
I use ipv4 on my internal lan, and turn off ipv6
It is well supported, easy to configure, private, secure.
...and I don't have to configure and secure ipv6 in parallel
This! I guess a good number of tech people will have IPv4 home networks long after their non-tech parents, neighbors and friends will be using IPv6 (without even knowing it).
IPv4 in the home is dead easy. You only need to remember the last digit (unless you've got multiple networks, but most won't). You can ssh to any device by remembering that ".1" is router, ".2" is NAS etc. Firewalls are simple.
You can buy a cheap domain and use it as your home DNS (eg "router.myhome.net" -> "192.168.0.1") so it works anywhere! In the home or roaming (over VPN). I don't really need to run DNS at home. My domain runs on Cloudflare DNS, my devices use NextDNS (with rebind protection disabled for my home domain).
I run OpenWRT and preallocate DHCP addresses for all known devices. Then I shrink the DHCP pool to a blacklisted range. A script automatically creates DNS records for all preallocated devices. If a new device appears in the blacklisted DHCP pool, I can manually allocate its MAC address a proper IP.
It's easy to get TLS certs for any service in the house using the ACME DNS01 challenge.
Tailscale is sexy and it worked fine until one day while roaming it wouldn't connect without "admin work", so I instantly dropkicked it. I'm now using the very unsexy OpenVPN Cloud (free for limited use) and in over two years it has never failed me. Plus it doesn't fuck with the IP addresses with fancypants tailnet addresses - I access devices directly using their DNS names which resolve to private addresses.
So, from inside or outside the home I can access the NAS to watch a movie, sync photos to Immich, print a document, check my IP cameras or ask my wife to put a document on the ancient scanner and access it via the raspberry pi phpscan website (which is on https://scanner.myhome.net)
I'm sure there's a very good reason not to do this and someone will now point it out.
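The "script that creates DNS records for all preallocated devices" step of this setup, as an added example that is not the commenter's script or any OpenWrt component: it parses the `config host` sections of an OpenWrt `/etc/config/dhcp`, emits A records from `ip` and (as the IPv6 mirror of the same scheme further down the thread) AAAA records from the `hostid` suffix on a ULA /64, and flags active leases whose MAC has no static entry, which is the "new device in the catch-all pool" case. The config, lease file, domain `myhome.net` (the commenter's placeholder) and ULA prefix are all constructed sample values.

```python
import ipaddress
import re
import shlex

UCI_OPTION = re.compile(r"^\s*option\s+(\w+)\s+(.*)$")

# Constructed excerpt of /etc/config/dhcp (OpenWrt UCI syntax), not a real config.
SAMPLE_DHCP_CONFIG = """
config dnsmasq
	option domainneeded '1'

config host
	option name 'nas'
	option mac 'AA:BB:CC:00:00:02'
	option ip '192.168.0.2'
	option hostid '2'

config host
	option name 'printer'
	option mac 'AA:BB:CC:00:00:03'
	option ip '192.168.0.3'
"""

# Constructed dnsmasq lease file lines: <expiry> <mac> <ip> <hostname> <client-id>
SAMPLE_LEASES = """
1700000000 aa:bb:cc:00:00:02 192.168.0.2 nas 01:aa:bb:cc:00:00:02
1700000300 de:ad:be:ef:00:01 192.168.0.250 android-1234 *
"""


def parse_static_hosts(uci_text: str) -> list:
    """Return one dict per `config host` section, keyed by its option names."""
    hosts, current = [], None
    for line in uci_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("config "):
            section_type = stripped.split()[1]
            current = {} if section_type == "host" else None
            if current is not None:
                hosts.append(current)
            continue
        m = UCI_OPTION.match(line)
        if m and current is not None:
            key, raw = m.groups()
            current[key] = shlex.split(raw)[0]  # strips UCI's single quotes
    return hosts


def zone_records(hosts: list, domain: str, ula_subnet: str, ttl: int = 300) -> list:
    """Zone-file lines for every named static host: A from `ip`, AAAA from `hostid`
    appended to the ULA /64 (stable addresses, independent of the ISP prefix)."""
    net = ipaddress.IPv6Network(ula_subnet)
    lines = []
    for h in hosts:
        if "name" not in h:
            continue
        fqdn = f"{h['name']}.{domain}."
        if "ip" in h:
            lines.append(f"{fqdn} {ttl} IN A {ipaddress.IPv4Address(h['ip'])}")
        if "hostid" in h:
            addr = ipaddress.IPv6Address(int(net.network_address) + int(h["hostid"], 16))
            lines.append(f"{fqdn} {ttl} IN AAAA {addr}")
    return lines


def unknown_leases(hosts: list, leases_text: str) -> list:
    """Active leases whose MAC has no static entry: the devices that landed in the
    catch-all pool and still need to be identified and given a proper address."""
    known = {h["mac"].lower() for h in hosts if "mac" in h}
    unknown = []
    for line in leases_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        _expiry, mac, ip, name = fields[:4]
        if mac.lower() not in known:
            unknown.append({"mac": mac.lower(), "ip": ip, "name": name})
    return unknown


if __name__ == "__main__":
    hosts = parse_static_hosts(SAMPLE_DHCP_CONFIG)
    print("\n".join(zone_records(hosts, "myhome.net", "fd12:3456:789a::/64")))
    print(unknown_leases(hosts, SAMPLE_LEASES))
```

On a real router the two inputs are `/etc/config/dhcp` and `/tmp/dhcp.leases`; the record lines can be pushed to whichever DNS provider hosts the domain, and the unknown-lease list is the thing worth alerting on.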
> IPv4 in the home is dead easy
Exactly. I randomly try to "upgrade" to ipv6 in my home once in a while and I always give up because I'd have to do the whole enterprisey setup for no good reason.
Edit:
Basically ipv6 is too complex and automated to hold your home network's whole configuration in your head without effort.
So the techies don't set it up at home unless they have a fetish for overcomplicated setups. They're not familiar with it so they don't push for it at work either.
Adoption is solely driven by ipv4 address space exhaustion. There is no "new toy!" feeling involved.
IMO, not having NAT is a "new toy". It allows end-to-end connectivity again. Any peer-to-peer apps work much better on IPv6, and if you're developing one then it's actually possible again.
You could try fd00::1, fd00::2, ... for short internal static addresses. You don't have to use a random prefix in that range - it's just policy (for good reasons that might not matter for a small network).
> Any peer-to-peer apps work much better on IPv6, and if you're developing one then it's actually possible again.
Yeah, and my Windows box is again accessible from the outside with whatever services MS deems to run by default...
Yes, there are firewalls, but isn't it better if a potential attacker doesn't even know what's behind my router?
P.S.: Since webrtc showed up to do whatever it wants with my network, peer to peer has started to mean "donating resources to some company" to me.
v4 networks commonly only get one IP for the whole network, and people use NAT with port forwarding to make inbound connections work. With this setup, an attacker only needs to scan the 65536 ports on the router to exhaustively enumerate every single publicly accessible server on your entire network, which is about 3 megabytes of traffic and takes approximately no seconds.
On v6, you don't use NAT and networks are /64. Finding every server requires scanning 65536 ports on all 2^64 IPs, which is about 72 billion petabytes of traffic. There are ways to prune this down somewhat, but however you do it the search space is still far larger.
If you want attackers to not know what's behind your router, you want v6.
> to exhaustively enumerate every single publicly accessible server on your entire network
Enterprise thinking. It's not the publicly accessible servers I worry about, it's the other boxes that shouldn't be publicly accessible...
# IPv6 in the home is dead easy. You only need to remember the last digit (unless you've got multiple networks, but most won't). You can ssh to any device by remembering that ".1" is router, ".2" is NAS etc. Firewalls are simple.
# You can buy a cheap domain and use it as your home DNS (eg "router.myhome.net" -> "2003:123:4:5::1") so it works anywhere! In the home or roaming (over VPN). I don't really need to run DNS at home. My domain runs on Cloudflare DNS, my devices use NextDNS (with rebind protection disabled for my home domain).
# I run OpenWRT and preallocate DHCP addresses for all known devices. Then I shrink the DHCP pool to a blacklisted range. A script automatically creates DNS records for all preallocated devices. If a new device appears in the blacklisted DHCP pool, I can manually allocate its MAC address a proper IP.
# It's easy to get TLS certs for any service in the house using the ACME DNS01 challenge.
There is literally no difference between v4 and v6 here.
So why bother with v6?
Yes the largest companies have the most resources. Makes sense.
Most do not.
There are far more single person, small, and mid sized companies that do not.
This includes b2b, regional ISPs, etc.
Not all of the skepticism is "does IPv6 work", some of it is "why should I want it as an end user who values privacy and minimal attack surface?"
From my perspective:
• CGNAT is a feature, not a bug. I'm already deliberately behind a commercial VPN exit node shared with thousands of others. Anonymity-by-crowd is the point. IPv6 giving me a globally unique, stable-ish address is a regression.
• NAT + default-deny inbound is simple, effective security. Yes, "NAT isn't a firewall", but a NAT gateway with no port forwards means unsolicited inbound packets don't reach my devices. That's a concrete property I get for free.
• IPv6 adds configuration surface I don't want. Privacy extensions, temporary addresses, RA flags, NDP, DHCPv6 vs SLAAC — these are problems I don't have with IPv4. More features means more things to audit, understand, and misconfigure.
• I already solved "reaching my own stuff" without global addressing. Tailscale/Headscale gives me authenticated, encrypted, NAT-traversing connectivity. It's better than being globally routable.
So yes, my parents are using IPv6 to watch Netflix. They're also not thinking about their threat model. I am, and IPv4-only behind CGNAT + overlay networking serves it well.
"It just works" isn't the bar for me to adopt IPv6. "It serves my goals better than IPv4" is the bar, and IPv6 doesn't meet it. Never has, never will.
IPv6 wasn't designed as "IPv4 with more bits." It was designed as a reimagining of how networks should work: global addressability as a first-class property, stateless autoconfiguration, the assumption that endpoints should be reachable. That philosophy is baked in. For someone like me, whose threat model treats obscurity, indirection, and minimal feature surface as assets, IPv6 isn't just unnecessary, it's ideologically opposed to what I want.
Want me to adopt a new addressing scheme? Give me a new addressing scheme, don't impose an opinionated routing philosophy on me.
> Anonymity-by-crowd is the point
Only for IP based trackers. Any webpages embedding facebook/twitter/microsoft/google trackers have already deanonymised you through a variety of fingerprinting techniques. This includes if you use private browsing sessions, and even qubesOS. You get a fuzzy feeling doing the things you do (and I do these things too), but that battle is lost.
> NAT + default-deny inbound is simple, effective security … That's a concrete property I get for free
Depends on your definition of “free”. Is it cheaper to lookup just a connection state table, or is it cheaper to look up both a connection state table and a NAT table?
> IPv6 adds configuration surface I don't want … More features means more things to audit, understand, and misconfigure.
100% agreed. More complexity, more attack surface, more things to go wrong.
> I already solved "reaching my own stuff" without global addressing … It's better than being globally routable.
I do something like this too. It’s more private and more secure. It adds more complexity, and it restricts my ability to access things from terminals I don’t personally own & control unless I create another exposed vector though. “Better” is subjective based on metrics being optimised for.
> IPv6 wasn't designed as "IPv4 with more bits." It was designed as a reimagining of how networks should work: global addressability as a first-class property
Apologies, but global addressability as a first-class property is exactly how the internet was designed. NAT was originally deployed as a hacky add-on to temporarily alleviate the lack of addressing space in IPv4 until a successor could resolve that.
That said, the internet of the 90s was a very different beast to the internet of today. A lot of your concerns and perspective is absolutely valid and extremely reasonable given the internet of today.
> "It serves my goals better than IPv4" is the bar, and IPv6 doesn't meet it. Never has, never will … Want me to adopt a new addressing scheme? Give me a new addressing scheme, don't impose an opinionated routing philosophy on me.
IPv6 can absolutely be configured in ways that just gives you a new addressing scheme and does away with a lot of the other complexity. You’re just very much straying off the happy path, removing complexity by introducing … other complexity.
FWIW, I’m operating my home networks much the same way you do. I’ve also been dual stacking networks since the 2000s. Things have come a long way since the original pure-dogma introduction of ipv6.
> Any webpages embedding facebook/twitter/microsoft/google trackers have already deanonymised you
I bet OP has already blocked at least 3 of them. Private browsing is only a partial solution, blocking/unblocking domains, scripts, etc. on a case-by-case basis is a more reliable way to defend your right to privacy against abusive practices (I'm talking about fine grained adblockers such as uMatrix/uBlockOrigin) daily.
I admit it can be a hassle sometimes, in particular if one explores the net every day, but staying away from bad actors (such as some of those 4) is one way to maybe eventually stop them - even if "vote with your clicks" feels as pointless as "vote with your feet" when you're just one in many millions.
How well do those 4 trackers track you if you don't have accounts with any of them?
Extremely well. You don’t need an account to have a unique fingerprint that will eventually tie to an identity somewhere, and data brokers exist specifically for this purpose.
Thank you for the thoughtful response.
To be fair about fingerprinting, there's no such thing as "bulletproof", but I do have a pretty robust setup. DNS level ad and tracker blocking, browser extension level ad and tracker blocking, LibreWolf's extensive anti-fingerprinting measures, kernel-level measures like kloak, I block all third party JS by default, etc. My goal isn't to become invisible and untraceable to nation states (which is essentially impossible when 90%+ of all global ISPs can and do sell netflow metadata, enabling timing and packet size correlation even across multiple hops, even with background traffic forgery / traffic pattern obfuscation), but rather to frustrate lower-level tracking efforts, and mostly to reduce attack surface for security reasons, and to reduce the total amount of information I'm sending to adversaries, even if it technically increases uniqueness. For instance, WebGL, JS JIT, WASM, WebRTC, and even SVG rendering are similarly disabled by default on my browsers, and I may very selectively enable them on a case-by-case basis depending on how important I feel the web property I'm trying to access actually is. I'll spoof my UA, my screen dimensions, and use residential SOCKS5 proxies, one by one, to identify which fingerprinting measures are being used to block me with YouTube, for instance, without enabling JIT compilation or SVG rendering. This approach absolutely does make me more distinctly identifiable (less anonymous), but doesn't necessarily make me less private, nor less secure, if e.g. ad network JS never even runs on my box in the first place. Security is the base of the pyramid, it is the prerequisite for privacy, but doesn't guarantee it. Privacy is the middle layer, it is the prerequisite for anonymity, but doesn't guarantee it. I'm aggressively climbing that pyramid where I can while accepting some tradeoffs where the net benefit is positive to me. 
I don't think of any of these - security, privacy, or anonymity - as binary properties, but rather a unified journey I am on to enhance gradually and iteratively over time. Switching to IPv6 would greatly complicate and regress my path through much of the journey I've already completed.
If I could leave you with a couple questions: What tangible benefits have you reaped from IPv6 that simply weren't possible on IPv4? Has the ROI for you on going dual stack outweighed the costs on your time, attention, and configuration work required for securely handling edge cases, dealing with weird or unexpected routing issues, for straying from the happy path?
> I’m surprised home many technically knowledgeable people on Internet forums still think IPv6 is some niche, unreliable thing.
The more technically knowledgeable you happen to be on the subject, the more you realize IPv6 is some unreliable thing when compared to IPv4. Perhaps no longer niche though.
It's unfortunately still an afterthought for many backbones - and not just US-centric ones. There is a noticeable difference in performance metrics from clients served via IPv4 endpoints vs. IPv6 for web assets in the same locations from the same transit providers.
It is pretty much the opposite of "just works" depending on your definition of "just works". It results in more Traffic Engineering per bit served by a large factor compared to IPv4.
> Peer-to-peer communications such as gaming usually have to deal with NAT traversal, but with IPv6 this is no longer an issue, especially for multiple gamers using the same connection
You know the list of "benefits" is thin when the second item is entirely theoretical. Even though IPv6 doesn't have to do NAT traversal, it still has to punch through your router's firewall which is effectively the same problem. Most ISP provided home routers simply block all incoming IPv6 traffic unless there is outbound traffic first, and provide little to no support for custom IPv6 rules.
Even if that were not an issue, my bet is that there are close to zero popular games that actually use true peer to peer networking.
Punching through just a firewall is much easier than punching through a typical NAT+firewall setup
https://tailscale.com/blog/how-nat-traversal-works
How do you punch through firewalls? You have to manually open them, punching through a firewall would be a firewall vulnerability.
This is a common function of uPnP, which I've seen as features in router config pages since the mid 2000s.
https://en.wikipedia.org/wiki/Universal_Plug_and_Play#NAT_tr...
Typically firewalls will record the src and dst header values of outbound IP packets then temporarily allows inbound IP packets that have those values flipped.
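The rule in the comment above (record the outbound 5-tuple, admit only the inbound packet whose tuple is the mirror image, expire idle entries) can be modelled in a few lines. The following is an added example written for this thread, not code from any router, OS or from the Tailscale article linked earlier. Beside the plain stateful filter it models a minimal NAT44 so the extra fact a peer must learn in the IPv4 case (the gateway-chosen public port) is visible. Addresses come from the documentation ranges, and the timeout, starting port and class names are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFilter:
    """Default-deny inbound. An outbound packet records its 5-tuple; an
    inbound packet is accepted only if it matches a recorded tuple with
    src/dst (and ports) swapped and the entry has not timed out."""

    def __init__(self, timeout: float = 30.0):
        self.timeout = timeout
        self.flows: dict[tuple, float] = {}  # 5-tuple -> last-seen time

    def outbound(self, pkt: Packet, now: float) -> None:
        self.flows[(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now

    def inbound(self, pkt: Packet, now: float) -> bool:
        flipped = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        seen = self.flows.get(flipped)
        if seen is None or now - seen > self.timeout:
            self.flows.pop(flipped, None)   # unknown or expired: drop
            return False
        self.flows[flipped] = now           # traffic keeps the entry alive
        return True


class Nat44(StatefulFilter):
    """Same rule plus source rewriting: each internal (addr, port) gets a
    gateway-chosen public port, which is why a host behind NAT cannot tell a
    peer where it is reachable without first learning the mapping."""

    def __init__(self, public_ip: str, first_port: int = 40000, timeout: float = 30.0):
        super().__init__(timeout)
        self.public_ip = public_ip
        self.next_port = first_port
        self.fwd: dict[tuple, int] = {}     # (proto, inner addr, inner port) -> public port
        self.rev: dict[tuple, tuple] = {}   # (proto, public port) -> (inner addr, inner port)

    def outbound(self, pkt: Packet, now: float) -> Packet:
        inner = (pkt.proto, pkt.src, pkt.sport)
        if inner not in self.fwd:
            self.fwd[inner] = self.next_port
            self.rev[(pkt.proto, self.next_port)] = (pkt.src, pkt.sport)
            self.next_port += 1
        translated = Packet(pkt.proto, self.public_ip, self.fwd[inner], pkt.dst, pkt.dport)
        super().outbound(translated, now)
        return translated                    # this is what the remote peer sees

    def inbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        if not super().inbound(pkt, now):
            return None
        addr, port = self.rev[(pkt.proto, pkt.dport)]
        return Packet(pkt.proto, pkt.src, pkt.sport, addr, port)


def demo() -> dict:
    """Constructed scenario using documentation addresses only."""
    t0 = 1000.0
    results = {}

    # IPv6: no NAT, only the stateful rule; the host's address is the address.
    v6 = StatefulFilter(timeout=30)
    out6 = Packet("udp", "2001:db8:1::10", 5000, "2001:db8:2::20", 6000)
    back6 = Packet("udp", "2001:db8:2::20", 6000, "2001:db8:1::10", 5000)
    results["v6_unsolicited"] = v6.inbound(back6, t0)        # no state yet: dropped
    v6.outbound(out6, t0)                                    # host opens the flow
    results["v6_reply"] = v6.inbound(back6, t0 + 1)          # mirror tuple: accepted
    results["v6_expired"] = v6.inbound(back6, t0 + 100)      # idle past timeout: dropped

    # IPv4 behind NAT: same rule, but the peer sees a translated tuple.
    nat = Nat44("203.0.113.5")
    out4 = Packet("udp", "192.168.1.10", 5000, "198.51.100.20", 6000)
    seen_by_peer = nat.outbound(out4, t0)
    results["nat_peer_sees"] = (seen_by_peer.src, seen_by_peer.sport)
    reply = nat.inbound(Packet("udp", "198.51.100.20", 6000, seen_by_peer.src, seen_by_peer.sport), t0 + 1)
    results["nat_reply_delivered_to"] = (reply.dst, reply.dport)
    # A peer that only knows the internal port gets nothing back.
    results["nat_wrong_port"] = nat.inbound(Packet("udp", "198.51.100.20", 6000, "203.0.113.5", 5000), t0 + 1)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The toy deliberately omits what a real IPv6 filter must also admit for the network to function at all (the ICMPv6 messages used by neighbour discovery and path MTU discovery), so the "default-deny inbound" policy it models is the starting point, not a complete ruleset.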
You're just asserting that without explanation. Please correct me if I'm wrong, but afaik the only difference in NAT hole-punching is that clients don't know their public port mapping ahead of time. This actually doesn't make a huge difference to the process because in practice, you still want a central rendezvous server for automated peer IP discovery. The alternative being that each peer shares their IP with every other peer "offline", as in manually through an external service like IRC or discord, which is a horrible user experience.
> You just asserted that without explanation.
They linked a whole article detailing the complexities of specifically NAT traversal.
I should think it obvious that by removing an entire leaky layer of abstraction the process would be much simpler. Yes, you still need a coordination server, but instead of having to deduce the incoming/outgoing port mappings you can just share the "external IP" of each client--which in the IPV6 case isn't "external," it's just "the IP".
I already am aware of how NAT traversal works. Linking a generic article explaining it is not a meaningful response.
Also NAT is a pretty simple abstraction, it's literally a single table.
>Also NAT is a pretty simple abstraction, it's literally a single table.
...And now, let's try punching a hole through this "simple" table. Oops, someone is using a port-restricted or symmetric NAT and hole punching has gotten just a tad more complicated.
Agreed; Or they're using CG-NAT, or consumer grade NAT behind CG-NAT, or....
> it still has to punch through your router's firewall
That's why most routers use a stateful firewall. Then nothing has to "punch through" it just has to be established from the local side.
> block all incoming IPv6 traffic unless there is outbound traffic first, and provide little to no support for custom IPv6 rules.
This is why STUN exists.
> my bet is that there are close to zero popular games that actually use true peer to peer networking.
For game state? You're probably right. For low latency voice chat? It's more common than you'd think.
> it just has to be established from the local side
This is exactly the problem. Unless you expect users to manually share their IPs with every other user in a given lobby through an external service, you would need to make a central peer discovery and connection coordination mechanism which ends up looking pretty similar to classic NAT traversal.
The complication starts when such an ephemeral port gets connection from somewhere else, which is the crucial part not the creation of such ports. That is not supported necessarily by firewalls, or not that simple than just having a stateful firewall.
Getting a streamer’s IP attracts DDoSes and doxxing, so yeah it’s generally considered a vulnerability to use P2P in games
Yeah, p2p is fine only with friends, people you know, otherwise it's like posting your private address for everybody to see.
Not having a congested CGNAT in the mix at 4pm every day is a nice benefit.
Also NAT66 exists and I use it on my home network so you still have to have the machinery to do NAT traversal when needed. It's nice to use my public addresses like elastic IPs instead of delegating ports. IPv6 stans won't be able to bully their way into pretending that NAT doesn't exist on IPv6.
> Groups of zeros can be omitted with two colons, but only once in an address (i.e. 2000:1::1, but not 2000::1::1 as that is ambiguous)
Can someone explain why it's ambiguous?
On the subject, IPv6 is one of the strangest inventions on the internet. Its utility and practically are obvious no matter how you look at it except... just one thing.
Network-related things are generally easy to remember and then type from memory: IPv4, domain names, standard port numbers. Back in the day it was the phone numbers, again, easy to remember and dial when you need it. IPv6 is just too long and requires copy/paste all the time. This is the only real reason in my opinion, why IPv6 is doomed to be second-grade citizen for (probably) a few more decades.
2000:1::1 would expand to 2000:0001:0000:0000:0000:0000:0000:0001
2000::1::1 could be 2000:0000:0000:0000:0001:0000:0000:0001, or 2000:0000:0000:0001:0000:0000:0000:0001
There's ambiguity on where to fill in the five groups of 0000 in the second case.
The second address is invalid. You can only use :: once per address.
Edit: Whoops. Didn't read what the above post was in response to. My bad.
That exactly what was the question about and they explained why it is invalid…
> This is the only real reason in my opinion, why IPv6 is doomed to be second-grade citizen for (probably) a few more decades.
Except if you're using a mobile phone, in which case many telcos hand out only IPv6 addresses to handsets. 2018 NANOG presentation "T-Mobile's journey to IPv6":
* https://www.youtube.com/watch?v=d6oBCYHzrTA
From 2014, "Case Study: T-Mobile US Goes IPv6-only Using 464XLAT":
* https://www.internetsociety.org/deploy360/2014/case-study-t-...
But who cares about mobile phones, right? They're only second-grade devices.
my tmobile 5g modem has ipv4 but changes ip every single page load, it's wild
I'm used to cablemodems with static ipv4 for months basically until mac changes
Is it per chance 100.64.0.0/10?
* https://en.wikipedia.org/wiki/IPv4_shared_address_space
It could be 21.0/8
ref:https://old.reddit.com/r/tmobileisp/comments/1gg7361/why_is_...
I booted an LTE router using a T-Mobile SIM.
Within an hour I had changed WAN IP. Both were from AS749 US-DOD NIC
They were cgnat'd behind TMble's advertised asn.
> my tmobile 5g modem has ipv4 but changes ip every single page load, it's wild
They're probably using CG-NAT, though IP changes that often is a bit aggressive.
> They're probably using CG-NAT, though IP changes that often is a bit aggressive.
TMobile uses IPv4 addys in DOD's address space. They do change unexpectedly often.
And yeah. Being DOD IPs, they're cgnat'd behind tmobile's public ASN.
Your IPv4 packets are getting tunneled to a CGNAT server which has an IP address pool.
Your website will load faster on cellphones if it supports IPv6. This is because the packets take more direct routes (because they don't go to the central CGNAT server) and because less processing is applied to them. Almost all mobile networks are now IPv6-only, with IPv4 traffic tunneled and CGNATted. Apparently T-Mobile is the rare exception.
I said this in a previous post and was shot down hard. I think you are right. Every time I look at an ipv6 address my brain goes “fack this”.
> Every time I look at a [long] ipv6 address my brain goes “fack this”.
I do get that but I also get 'There are so many I could have all I wanted ... or I could if any of our fiber ISPs would support it, that is'
I finally clicked when I worked out it was 2^64 subnets. You have a common prefix of your /48, which isn’t much longer than an ipv4 address - especially as it seems everything is 2001::/16, which means you basically have to remember a 32 bit network prefix just like 12.45.67.8/32.
That becomes 2001:0c2d:4308::/48 instead
After that you just need to remember the subnet number and the host number. If you remember 12.45.67.8 maps to 192.168.13.7 you might have
2001:0c2d:4308:13::7
So subnet “13” and host “7”
It’s not much different to remembering 12.45.67.8>192.168.13.7
> especially as it seems everything is 2001::/16
I was sort of expecting that this week.
I had to transcribe a v6 addy for a WAN-WAN test (a few mi apart).
That's when I noticed that Charter (Spectrum) had issued
ref: https://bgp.he.net/AS33363#_prefixes6
The current global unicast space is actually limited to just 2000::/3.
https://www.iana.org/assignments/ipv6-address-space/ipv6-add...
IPv4 isn't perfect, but it was designed to solve a specific set of problems.
IPv6 was designed by political process. Go around the room to each engineer and solve for their pet peeve to in turn rally enough support to move the proposal forward. As a bunch of computer people realized how hard politics were they swore never to do it again and made the address size so laughably large that it was "solved" once and for all.
I firmly believe that if they had adopted any other strategy where addresses could be meaningfully understood and worked with by the least skilled network operators, we would have had "IPv6" adoption 10 years ago.
My personal preference would have been to open up class E space (240-255.*) and claw back the 6 /8s Amazon is hoarding, be smarter about allocations going forward, and make fees logarithmic based on the number of addresses you hold.
> IPv4 isn't perfect, but it was designed to solve a specific set of problems.
IPv4 was not designed as such, but as an academic exercise. It was an experiment. An experiment that "escaped the lab". This is per Vint Cerf:
* https://www.pcmag.com/news/north-america-exhausts-ipv4-addre...
And if you think there wasn't politics in IPv4 you're dead wrong:
* https://spectrum.ieee.org/vint-cerf-mistakes
> IPv6 was designed by political process.
Only if by "political process" you mean a bunch of people got together (physically and virtually) and debated the options and chose what they thought was best. The criteria for choosing IPng were documented:
* https://datatracker.ietf.org/doc/html/rfc1726
There were a number of proposals, and three finalists, with SIPP being chosen:
* https://datatracker.ietf.org/doc/html/rfc1752
> I firmly believe that if they had adopted any other strategy where addresses could be meaningfully understood and worked with by the least skilled network operators, we would have had "IPv6" adoption 10 years ago.
The primary reason for IPng was >32 bits of address space. The only way to make them shorter is to have fewer bits, which completely defeats the purpose of the endeavour.
There was no way to move from 32-bits to >32-bits without every network stack of every device element (host, gateway, firewall, application, etc) getting new code. Anything that changed the type and size of sockaddr->sa_family (plus things like new DNS resource record types: A is 32-bit only; see addrinfo->ai_family) would require new code.
This is a lot of basically sharpshooting, but I will address your last point:
> There was no way to move from 32-bits to >32-bits without every network stack of every device element (host, gateway, firewall, application, etc) getting new code. Anything that changed the type and size of sockaddr->sa_family (plus things like new DNS resource record types: A is 32-bit only; see addrinfo->ai_family) would require new code.
That is simply not true. We had one bit left (the reserved/"evil" bit) in IPv4 headers that could have been used to flag that the first N bytes of the payload were an additional IPv4.1 header indicating additional routing information. Packets would continue to transit existing networks and "4.1" capable boxes at edges could read the additional information to make further routing decisions inside of a network. It would have effectively used IPv4 as the core transport network and each connected network (think ASN) having a handful of routed /32s.
Overlay networks are widely deployed and have very minor technical issues.
But that would have only addressed the numbering exhaustion issues. Engineers often get caught in the "well if I am changing this code anyway" trap.
An explicit goal of IPv6 considered as important as the address expansion was the simplification of the packet header, by having fewer fields and which are correctly aligned, not like in the IPv4 header, in order to enable faster hardware routing.
The scheme described by you fails to achieve this goal.
I am glad you brought this up, that is another big issue with IPv6. A lot of the problems it was trying to solve literally don't exist anymore.
Header processing and alignment were an issue in the 90s when routers repurposed generic components. Now we have modern custom ASICs that can handle IPv4 inside of a GRE tunnel on a VLAN over MPLS at line rate. I have switches in my house that do 780 Gbps.
It is irrelevant what we can do now.
At the time when it was designed, IPv6 was well designed, much better than IPv4, which was normal after all the experience accumulated while using IPv4 for many years.
The designers of IPv6 have made only one mistake, but it was a huge mistake. The IPv4 address space should have been included in the IPv6 space, allowing transparent intercommunication between any IP addresses, regardless whether they were old IPv4 addresses or new IPv6 addresses.
This is the mistake that has made the transition to IPv6 so slow.
> The IPv4 address space should have been included in the IPv6 space, allowing transparent intercommunication between any IP addresses, regardless whether they were old IPv4 addresses or new IPv6 addresses.
How would you have implemented it that is different from the NAT64 that actually exists, including shoving all IPv4 addresses into 64:ff9b::/96?
Ideally, 464XLAT should have been there from the beginning and its host part (CLAT) should have been a mandatory part of IP stack.
> The IPv4 address space should have been included in the IPv6 space […]
See IPv4-mapped ("IPv4-compatible") IPv6 addresses from RFC 1884 § 2.4.4 (from 1995) and follow-on RFCs:
* https://datatracker.ietf.org/doc/html/rfc1884
* https://en.wikipedia.org/wiki/IPv6#IPv4-mapped_IPv6_addresse...
But v6 did do what you're describing here?
They didn't use the reserved bit, because there's a field that's already meant for this purpose: the next protocol field. Set that to 0x29 and it indicates that the first bytes of the payload contain a v6 address. Every v4 address has a /48 of v6 space tunnelled to it using this mechanism, and any two v4 addresses can talk v6 between them (including to the entire networks behind those addresses) via it.
If doing basically exactly what you suggested isn't enough to stop you from complaining about v6's designers, how could they possibly have done any better?
> That is simply not true. We had one bit left (the reserved/"evil" bit) in IPv4 headers […]
Great, there's an extra bit in the IPv4 packet header.
I was talking about the data structures in operating systems: are there any extra bits in the sockaddr structure to signal things to applications? If not, an entirely new struct needs to be deployed.
And that doesn't even get into having to deploy new DNS code everywhere.
Imo they should have just clawed 1 or 2 bits out of the ipv4 header for additional routing and called it good enough
This would require new software and new ASICs on all hosts and routers and wouldn't be compatible with the old system. If you're going to cause all those things, might as well add 96 new bits instead of just 2 new bits, so you won't have the same problem again soon.
IPv6 is literally just IPv4 + longer addresses + really minor tweaks (like no checksum) + things you don't have to use (like SLAAC). Is that not what you wanted? What did you want?
And what's wrong with a newer version of a thing solving all the problems people had with it...?
There are more people than IPv4 addresses, so the pigeonhole principle says you can't give every person an IPv4 address, never mind when you add servers as well. Expanding the address space by 6% does absolute nothing to solve anything and I'm confused about why you think it would.
> Network-related things are generally easy to .. type from memory [but] IPv6 is just too long
I was reminded of this 2d ago; I was testing one IPv6 WAN from another. DDNS had failed so I didn't have my usual crutch to lean on.
> Can someone explain why it's ambiguous?
Because you don’t know how many zeroes are on each side around the 0001 in the middle.
It can be 2000:0000:1:0000:0000:0000:0000:1 or 2000:0000:0000:0000:0000:1:0000:1 etc.
This shortcut system of ipv6 only makes it worse. It's too hard to remember how it works.
Is it really hard to remember? A hint is in the syntax itself. What's in between the two colons '::'? Nothing. In other words, all zeros.
IPv4 also has a similar, though rarely documented or utilized, shortcut system. Try `ping 1.1` for example. It expands to 1.0.0.1.
":: is all zeros" is too hard??
How many zeros?
Exactly enough to fill out the address, which is always the same length. BTW, IPv4 does basically the same thing. The address 127.1 is equivalent to 127.0.0.1.
Not really the same, the mechanics are different and this particular behaviour is pretty much an accident, not abbreviation.
In IPv4 you also have 127.257 equal to 127.0.1.1, 123456789 equal to 7.91.205.21, and 010.010.010.010 is a well-known DNS server. This notation is also rejected by most implementations.
It is? Those alternate IPv4 notations are all accepted by Linux, FreeBSD, and MacOS. I remember playing around with "alternate notations" 30+ years ago on old SunOS boxes.
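To make the disagreement between the two comments above concrete, here is an added example (written for this thread, not any libc's code) that re-implements the classic inet_aton() component rules documented in inet(3): one to four dot-separated components, each decimal, leading-0 octal or 0x hex, with the last component filling whatever bytes remain. A strict four-octet check sits beside it so both answers can be compared for each form the thread mentions. The normalize() helper and the function names are assumptions made for the example; the sample inputs are constructed.

```python
import re

# Strict dotted quad: four decimal octets 0-255, no leading zeros, nothing else.
STRICT = re.compile(
    r"(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
)


def _component(text: str) -> int:
    """One component under the classic rules: 0x.. is hex, a leading 0 makes
    it octal, anything else is decimal. Only ASCII alphanumerics are allowed."""
    if not text or not text.isascii() or not text.isalnum():
        raise ValueError(f"bad component {text!r}")
    if text[:2].lower() == "0x":
        return int(text[2:], 16)
    if len(text) > 1 and text[0] == "0":
        return int(text, 8)
    return int(text, 10)


def inet_aton_classic(text: str) -> str:
    """Dotted quad that the classic inet_aton() rules produce for TEXT, or
    ValueError. With n components the first n-1 are single bytes and the last
    one fills the remaining 5-n bytes, so "127.1" is 127.0.0.1 and a bare
    number is the whole 32-bit value."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"{text!r}: too many components")
    values = [_component(p) for p in parts]
    last_bits = 8 * (5 - len(values))
    if any(v > 0xFF for v in values[:-1]) or values[-1] >= 1 << last_bits:
        raise ValueError(f"{text!r}: component out of range")
    number = 0
    for v in values[:-1]:
        number = (number << 8) | v
    number = (number << last_bits) | values[-1]
    return ".".join(str((number >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def is_strict_dotted_quad(text: str) -> bool:
    """True only for the canonical a.b.c.d form."""
    return STRICT.fullmatch(text) is not None


def normalize(text: str) -> dict:
    """What an input-validation layer should record before using an address:
    whether the text is canonical, and what a lenient resolver would actually
    connect to. 'canonical' False means a strict check and a lenient connect
    would disagree about this input."""
    try:
        lenient = inet_aton_classic(text)
    except ValueError:
        lenient = None
    return {
        "input": text,
        "strict": is_strict_dotted_quad(text),
        "lenient": lenient,
        "canonical": lenient is not None and lenient == text,
    }


if __name__ == "__main__":
    # Forms mentioned in the thread plus a hex one; all constructed inputs.
    for sample in ("1.1", "127.1", "127.257", "123456789", "010.010.010.010", "0x7f.1", "8.8.8.8"):
        print(normalize(sample))
```

The practical lesson for anyone validating addresses is in normalize(): if the check uses the strict form and the connect goes through a lenient parser, the two can disagree, so either reject anything that is not canonical or validate the parsed value rather than the string.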
But IPv6 is "too hard"
There are a total of 8 groups of 4 hex digits, so 8 minus however many groups you already have.
google.com: 2607:f8b0:4009:819::200e (5 groups) -> 2607:f8b0:4009:0819:0000:0000:0000:200e (3 groups of added zeros)
a ULA address: fd2a:1::2 (3 groups) -> fd2a:0001:0000:0000:0000:0000:0000:0002 (5 added)
localhost: ::1 -> 0000:0000:0000:0000:0000:0000:0000:0001
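The arithmetic in the comment above (eight groups minus the ones already written) and the earlier question about why two "::" would be ambiguous, as an added example for this thread rather than code from any project: expand() does the subtraction and rejects a second "::", compress() produces the RFC 5952 short form (the one that turns the thread's 2001:0c2d:4308:13::7 into 2001:c2d:4308:13::7), and candidate_expansions() enumerates every address that 2000::1::1 could have meant. Embedded-IPv4 forms and zone identifiers are not handled; the function names are assumptions.

```python
import re

GROUP = re.compile(r"[0-9a-fA-F]{1,4}")


def expand(addr: str) -> str:
    """Eight zero-padded groups. Raises ValueError for anything that is not a
    valid textual IPv6 address, including a second '::'."""
    if addr.count("::") > 1:
        raise ValueError(f"{addr!r}: '::' may appear only once")
    if "::" in addr:
        left, right = addr.split("::")
        lgroups = left.split(":") if left else []
        rgroups = right.split(":") if right else []
        missing = 8 - len(lgroups) - len(rgroups)   # the "subtraction"
        if missing < 1:
            raise ValueError(f"{addr!r}: '::' must stand for at least one group")
        groups = lgroups + ["0"] * missing + rgroups
    else:
        groups = addr.split(":")
    if len(groups) != 8 or not all(GROUP.fullmatch(g) for g in groups):
        raise ValueError(f"{addr!r}: malformed")
    return ":".join(g.lower().zfill(4) for g in groups)


def compress(addr: str) -> str:
    """Canonical short form (RFC 5952): lowercase, no leading zeros, and the
    longest run of two or more zero groups (leftmost on ties) becomes '::'."""
    groups = [g.lstrip("0") or "0" for g in expand(addr).split(":")]
    best_start, best_len, run_start = -1, 0, None
    for i, g in enumerate(groups + ["x"]):   # sentinel closes a trailing run
        if g == "0":
            if run_start is None:
                run_start = i
        elif run_start is not None:
            if i - run_start > best_len:     # strictly greater: leftmost wins ties
                best_start, best_len = run_start, i - run_start
            run_start = None
    if best_len < 2:
        return ":".join(groups)
    left = ":".join(groups[:best_start])
    right = ":".join(groups[best_start + best_len:])
    return f"{left}::{right}"


def candidate_expansions(addr: str) -> list[str]:
    """For a string with exactly two '::', list every full address it could
    have meant: the missing zero groups can be split between the two gaps in
    several ways. This is the ambiguity the one-'::' rule removes."""
    parts = addr.split("::")
    if len(parts) != 3:
        raise ValueError(f"{addr!r}: expected exactly two '::'")
    a, b, c = (p.split(":") if p else [] for p in parts)
    missing = 8 - len(a) - len(b) - len(c)
    return [
        expand(":".join(a + ["0"] * k + b + ["0"] * (missing - k) + c))
        for k in range(1, missing)           # each gap absorbs at least one group
    ]


if __name__ == "__main__":
    for sample in ("2000:1::1", "::1", "2607:f8b0:4009:819::200e", "2001:0c2d:4308:13::7"):
        print(f"{sample:>28} -> {expand(sample)} -> {compress(sample)}")
    print("2000::1::1 could have meant any of:")
    for cand in candidate_expansions("2000::1::1"):
        print("   ", cand)
```

Only the count of candidates matters for the argument: with five missing groups and two gaps there are four distinct addresses, which is exactly why the parser above refuses the input instead of guessing.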
However many are left. In what circumstances do you care?
However many it takes to make the whole A::B number exactly 128 bits long.
“Enough”
It's not just ":: is all zeroes"
… such as?
https://news.ycombinator.com/item?id=46338674
That's a post about invalid things that are not IPv6 addresses.
In IPv6 addresses, :: is all zeroes and there's no ambiguity.
I am not clear what your point is. The parent's point stands. A double colon only represents zeros (that were compressed and are not displayed).
Your link does not show different addresses from a valid compression, it shows different addresses from an invalid compression. The link examples what we don't do.
Conversely, if we compress the expanded addresses in your link, we will get 2 different compressed addresses.
> IPv6 is just too long and requires copy/paste all the time.
That is only true for autogenerated/SLAAC IPs. In contrast, manually assigned IPs are often much simpler and easier to remember in IPv6 than in IPv4. I have one common subnet prefix that can be uniformly split to end networks and the last number in the IP address for such a network always ends with 0 (and therefore the first device is xxx::1). While in IPv4 I had multiple prefixes, each split non-uniformly based on how many devices were expected to be on that end network, and because most end network prefixes were smaller than /24 (say /26-28), the last number of the IP address varies between these networks.
I mean yes, but there’s no escape from the fact that ip addresses need to be longer, as the number of devices on the internet has already exhausted the pool of IPv4 addresses by multiple orders of magnitude.
I guess it could be possible to implement sort of mnemonic phrases for addresses, à la bip-39, but it would be just trading one kind of pain for another.
I've said this since time immemorial, and networking people often dismiss it. "Just use DNS," say people who have never actually worked netops or devops.
The length of the addresses and the clunky nature of their ASCII representation is absolutely the #1 reason the IPv6 has taken this long. User experience is the most powerful force affecting large scale adoption, and IPv6 has poor UX.
I think the UX is partly fixable by creating less horrible ASCII representation, but this would take a lot of coordination that was hard even back then and is virtually impossible now. If someone told me in 500 years we're still running dual-stack IPv4/IPv6 absolutely unchanged, I'd believe it.
Half the reason (literally) the address looks so bad is not because of IPv6 but because everyone keeps choosing to implement randomized in-subnet addresses and cycle through them for privacy reasons.
E.g. 2600:15a3:7020:4c51::52/64 is not too horrible but 2600:15a3:7020:4c51:3268:b4c4:dd7b:789/64 is a monster by unrelated intent of the client.
This is pretty much on the money. IPv6 addressing can be pretty simple if you design your subnets and use low numbers for hosts. But hosts themselves will forgo that and randomly generate 64 bit random host addresses for themselves - some times for every new connection. Now you have thousands of IPv6 addresses for a single computer speaking out to the Internet.
"Modern" tooling in the consumer space is pretty dire for IPv6 support too. The best you can reasonably get is an IPv6 on the WAN side and then just IPv4 for everything local. At least from the popular routers I've experienced lately.
I’ve been amazed for years at the fact that many of the best routers turn V6 off by default.
Of course I know why. If you turn it on it slightly increases edge case issues as complexity always does. Most people don’t actively need it so nobody notices.
Yes, I forgot about SLAAC and worthless privacy extensions.
Privacy extensions are worthless because there are just sooooo many ways to fingerprint and track you. If you are not at least using a VPN and a jailed privacy mode browser at a bare minimum, you are toast. If you’re serious about privacy you have to use stuff like Tor.
V6 privacy extensions are like the GDPR cookie nonsense: ineffective countermeasures with annoying side effects.
SLAAC sucks too. They should have left assignment up to admins or higher level protocols like with V4. It’s better that way.
Privacy extensions are the reason your ISP can't make you pay money for the number of internet-connected devices at your house.
Most people are just using the ISP provided router as their gateway today anyways. E.g. ATT fiber is proud to advertise to you that it knows about each of your devices on the ONT+Router combo - that's even the only way to set up a port forward (you can't just type in an IP, you have to pick a discovered device).
"But people can NAT the v4 with another router to hide it!" -> sure, and the same crappy solution works with v6.
"But at least prosumers can replace the ONT via cloning the identifiers and certain hardware" -> also no change with v6.
Randomized addresses do have valid use cases though, particularly when connecting to Wi-Fi networks other than your own when set to randomize the MAC per connection (not just the scanning MAC) as well, but I'm just not really convinced this is a realistic example as framed.
If ISPs tried that, everyone would just go back to using NAT, even for IPv6.
I think you just changed my mind. I hadn’t thought about that angle.
Respect for considering new information.
what's the rule to say where the first 1 floats between the 2000: and the :1 at the end? the :: rule says "all zeros" but not how long.
It’s a really complicated rule called “subtraction”. Addresses are always 128 bits long, or 8 groups of four hex digits. 2000::1 is two groups, so you need six groups in between to make 2000:0000:0000:0000:0000:0000:0000:1. But I don’t know why people always ask this, because it’s always the computer you are typing addresses in to that does the subtraction. You never ever have to type out the whole address. Just type the shortened version, because 2000::1 _is_ the whole address.
They were answering the question of why "2000::1::1" would be ambiguous if it was allowed.
The :1 is short for :0001, basically; then just put that bit of the address at the very end and put the first bit of the address at the front, and then just fill each missing group in between with 0000.
"just"
Yes, in fact "just". This isn't remotely hard.
Well, okay, show us how to follow those instructions then.
"the :1 is short for :0001 basically" is easy enough: you get 2001::0001::0001.
Then "just put that bit at the very end" -- but which bit? If it means the ":0001", then there's two of them and they can't both go at the very end. If not, then it fails to specify which bit. Either way I don't see how these instructions are followable at all, let alone easily.
These types of complaints are how I know the objection to v6 is not serious.
My answer was too terse. If there were two :: in the address, then the length of EACH ::-denoted section is not known. It can be either longest-left :: or longest-right ::, and that wasn't defined, because the rule is THERE IS ONLY ONE :: section.
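An added example (not from any commenter above) that carries out the "subtraction" in code: an IPv6 address is always eight 16-bit groups, so one `::` expands to exactly `8 - (groups written)` zero groups, and a second `::` is rejected because the expansion would then have two unknowns. `compress_ipv6` goes the other way, producing the RFC 5952 canonical form. The IPv4-embedded form (`::ffff:192.0.2.1`) is left out on purpose.

```python
import re

# Accepts the plain RFC 4291 / RFC 5952 textual forms; the IPv4-embedded
# form (::ffff:192.0.2.1) is out of scope for this example.
_HEX_GROUP = re.compile(r"^[0-9A-Fa-f]{1,4}$")


def expand_ipv6(addr: str) -> str:
    """Return the address as eight zero-padded hex groups (RFC 4291 section 2.2).

    The "subtraction": 128 bits = 8 groups, so a single '::' stands for exactly
    8 - (groups written) zero groups.  Two '::' would leave that subtraction
    with two unknowns, which is why only one is allowed.
    """
    if addr.count("::") > 1:
        raise ValueError(f"{addr!r}: more than one '::' is ambiguous")
    if "::" in addr:
        left, right = addr.split("::")
        head = left.split(":") if left else []
        tail = right.split(":") if right else []
        missing = 8 - len(head) - len(tail)
        if missing < 1:
            raise ValueError(f"{addr!r}: '::' must replace at least one group")
        groups = head + ["0"] * missing + tail
    else:
        groups = addr.split(":")
    if len(groups) != 8:
        raise ValueError(f"{addr!r}: expected 8 groups, found {len(groups)}")
    bad = [g for g in groups if not _HEX_GROUP.match(g)]
    if bad:
        raise ValueError(f"{addr!r}: invalid group(s) {bad}")
    return ":".join(g.lower().zfill(4) for g in groups)


def compress_ipv6(addr: str) -> str:
    """RFC 5952 canonical form: lowercase, no leading zeros, and the longest run
    of two or more zero groups written as '::' (the leftmost run wins a tie)."""
    groups = [int(g, 16) for g in expand_ipv6(addr).split(":")]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i > best_len:  # strictly greater keeps the leftmost run on ties
            best_start, best_len = i, j - i
        i = j
    hexs = [format(g, "x") for g in groups]
    if best_len < 2:  # a lone zero group is written as '0', never as '::'
        return ":".join(hexs)
    return ":".join(hexs[:best_start]) + "::" + ":".join(hexs[best_start + best_len:])


def is_valid_ipv6(addr: str) -> bool:
    """True when the text is an unambiguous IPv6 address under the rules above."""
    try:
        expand_ipv6(addr)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for text in ["2000::1", "::1", "::", "2001:db8:0:0:1:0:0:1", "2000::1::1", "1:2:3:4:5:6:7:8:9"]:
        if is_valid_ipv6(text):
            print(f"{text:24} -> {expand_ipv6(text)}  (canonical: {compress_ipv6(text)})")
        else:
            print(f"{text:24} -> rejected")
```

The interesting inputs are the rejected ones: `2000::1::1` fails the one-`::` rule before any expansion is attempted, and a nine-group address fails the length check, which is the same check that makes the single `::` unambiguous.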
Posed as a question, disingenuously.
> There are also still a lot of misconceptions from network administrators who are scared of or don’t properly understand IPv6
Enable IPv6 on a TP-Link Omada router (ER7212PC) and all internal services are exposed to the outside world as there is no default IPv6 deny-all rule and no IPv6 firewall. I get why some people are nervous.
That's more proof that TP-Link should not be trusted than that there is a problem with IPv6, really. Even cheap $20 Aliexpress routers have a firewall enabled by default.
Agreed.
I believe that was more a bug in the firmware that's been fixed for a while now.
In case of the ER7212PC, it’s only fixed in the v2 hardware revision.
No free upgrade.
A bug that was implemented because IPv6 is more complex to secure.
> Enable IPv6 on a TP-Link Omada router (ER7212PC) and all internal services are exposed to the outside world as there is no default IPv6 deny-all rule and no IPv6 firewall. I get why some people are nervous.
A router routing traffic makes people nervous? Isn't that what it's supposed to do? I'd be annoyed if my router did not pass traffic.
Now, if the ER7212PC was a firewall that would be something else.
(And no, I'm not being pedantic: routers should pass traffic unless told otherwise, firewalls should block traffic unless told otherwise. The purposes of the two device classes are different, they just happen to both deal with Layer 3 protocol data units.)
Routers and access points are also typically separate device classes. Yet the market has figured out that most consumers prefer all-in-one devices. Expecting households to run dedicated firewalls besides their AiO wifi-routers is ludicrous.
What firewall do you recommend a typical user couple their ER7212PC (which BTW is already tripling as VPN gateway and cloud-controller) with?
The problem is that TP-link does not give two cents to security in their products.
> And no, I'm not being pedantic
You very much are.
> Yet the market has figured out that most consumers prefer all-in-one devices. Expecting households to run dedicated firewalls besides their AiO wifi-routers is ludicrous.
Neither the ER7212PC nor anything else under the Omada (sub-)brand is a consumer/household device. The tagline of Omada is "Networks Empower Business":
* https://www.omadanetworks.com
If you want to haul your boat buy an F-150 pickup and don't complain that your Golf doesn't have enough towing capacity: buy the tool that you need for the problem/job you have. If you want an all-in-one then buy an AiO and not a router.
>> And no, I'm not being pedantic
> You very much are.
Expecting a router to not-route IPv6 is the unreasonable thought.
Are you suggesting that people should buy both a router and a firewall for their home networks? I suppose they should buy a separate Wi-Fi AP as well, and a switch or two, in your opinion?
> Are you suggesting that people should buy both a router and a firewall for their home networks?
I am suggesting the ER7212PC is not a home network device, and thus having the two functions glommed together is an anti-feature in its design. The tagline of Omada is "Networks Empower Business":
* https://www.omadanetworks.com
Expecting a router to not route IPv6 by default is to misunderstand its purpose.
You are of course correct, but most people will disagree because the world we live in is a lot messier than what we should do and people expect a base line. You have to remember that people rely on IPv4 NATing for security; despite every network engineer knowing that it is not, in effect it is.
> You have to remember that people rely on IPv4 NATing for security; despite every network engineer knowing that it is not, in effect it is.
Then buy a device that does default NATing and other consumer-y if you want that. Don't complain that a generic routing system routes IP—whether IPv4 or IPv6—by default.
If you want a firewall buy a firewall. If you want an all-in-one firewall/gateway/AP/whatever, buy it.
In this particular case the "problem" is not in the device but in purchasing the wrong tool for the job at hand. If you want to haul lumber buy a cargo van or pickup truck, not a VW Golf.
'firewall' is just a colloquial term for packet filtering, which is a term for a class of functionality that could be provided by a router.
Customer edge routers are expected to contain firewall (see RFC 7084 and RFC 6092).
> Customer edge routers are expected to contain firewall (see RFC 7084 and RFC 6092).
Neither the ER7212PC nor anything else in the Omada line is for residential consumers, which is what RFC 6092—"Recommended Simple Security Capabilities in Customer Premises Equipment (CPE) for Providing Residential IPv6 Internet Service"—refers to.
And RFC 7084 has two instances of the word "firewall", one (§3.1) in reference to IPv4 NAT:
and the other (§4.5) to tunnelling:
I agree that a consumer all-in-one firewall/gateway/AP/whatever should ("MUST"?) have a default-deny rule on incoming connections. But the original complaint that kicked off this sub-thread is about a particular device, which is not a consumer device but a more generic routing system and not a "firewall" as such.
People expect their router to act as a firewall too, via NAT. If you take this away and force people to buy an additional piece of hardware to restore the expected functionality, they won't switch. Simple as that.
All modern NAT routers include a firewall. They don't "act as a firewall too, via NAT", they have both NAT and firewall functionality, even for IPv4. It has been like this for a long time now.
> All modern NAT routers include a firewall.
AFAICT the ER7212PC is not a "NAT router" but just a "router".
Even some switches have ACL functionality for the IP layer, but they're sold as switches and not as firewalls.
Sure, but people still use NAT as a way to secure their internal network, so it's effectively acting as a firewall.
Here's China's current IPv6 plan.[1] It was an explicit objective of the 14th Five Year Plan, now concluding, to get most of China's Internet on IPv6. About 70% of China's mobile users are on IPv6 now. But fixed IPv6 traffic in China is only 27%.
[1] https://www.cac.gov.cn/2025-05/20/c_1749446498560205.htm
Their IPv6 deployment rate saw a huge jump from 40ish% to 53% after this report though.
https://stats.labs.apnic.net/ipv6/CN
> I spent a WEEK without IPv4 to understand IPv6 transition mechanisms
> NAT64 - the method I’ve setup for this test
> IPv6 is absolutely ready for prime-time and has been for awhile
So... No, you spent a week effectively using both v6 and v4 with extra steps. If someone said "Linux is ready for primetime" but their setup only worked because they ran a bunch of applications in a Windows VM, I'd call that strong evidence that it really wasn't. Same here.
That said... This is from early 2023. Any chance it's better now?
> That said... This is from early 2023. Any chance it's better now?
I accidentally went IPv6 only on my home wifi for a few weeks a while ago. I only noticed when GitHub didn't load (I avoid work things at home, hence accessing GitHub being rare.)
Relatedly, fuck GitHub and their incompetence at rolling out IPv6. It's nothing other than that at this point. Blank, unadulterated incompetence.
> No, you spent a week effectively using both v6 and v4 with extra steps.
It's fewer steps, though. You can do all your network setup in the nice v6 world, and set up v4 emulation for those who need it. Yes, it's not yet practical to turn off v4 entirely, just like it's not yet practical to turn off Rosetta on your ARM Mac.
My former colleague Marco Davids from SIDN Labs (the R&D department at the .nl TLD operator) did an experiment in 2021 where he actively disabled IPv4 support on all components in his test network, even disabling the complete IPv4 stack in the FreeBSD kernel (not possible on Linux, at least not at the time). So far, his test is the only thing I know of that came close to an authentic simulation of an IPv6-only world.
https://www.sidnlabs.nl/en/news-and-blogs/can-we-do-without-...
AAAA record resolution is the real bottleneck for adoption. Once you have dual stack working, I did a real-world, simple test: release your ISP IPv4 DHCP lease on the router (kill udhcpc) and flush DNS on your hosts. Now all public DNS lookups must resolve to an IPv6 domain. You will very quickly find many domains on the Internet still don't have AAAA records. Lots of popular services will simply fail to resolve their hard-coded domains. QED.
https://whynoipv6.com/
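An added example, not from the commenter above: a small checker that labels a list of hostnames as dual-stack, IPv6-only, IPv4-only or unresolvable, so the "which hard-coded domains will break without IPv4" question can be answered before the lease is released rather than after. The resolver is a parameter so the logic can be exercised offline; the `*.example` names and their addresses below are constructed, not real records.

```python
import socket
from typing import Callable, Dict, Iterable, List

# A resolver maps (hostname, address family) to the addresses found.
# It is injected so the classification can be exercised offline.
Resolver = Callable[[str, int], List[str]]


def system_resolver(host: str, family: int) -> List[str]:
    """Look up A (AF_INET) or AAAA (AF_INET6) records through the system resolver."""
    try:
        infos = socket.getaddrinfo(host, None, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def classify_hosts(hosts: Iterable[str], resolve: Resolver = system_resolver) -> Dict[str, str]:
    """Label each host 'dual-stack', 'ipv6-only', 'ipv4-only' or 'unresolvable'.

    'ipv4-only' names are the ones that fail on an IPv6-only client that has
    no NAT64/DNS64, which is the situation the comment above describes.
    """
    labels = {}
    for host in hosts:
        has_v4 = bool(resolve(host, socket.AF_INET))
        has_v6 = bool(resolve(host, socket.AF_INET6))
        if has_v4 and has_v6:
            labels[host] = "dual-stack"
        elif has_v6:
            labels[host] = "ipv6-only"
        elif has_v4:
            labels[host] = "ipv4-only"
        else:
            labels[host] = "unresolvable"
    return labels


def ipv4_only(hosts: Iterable[str], resolve: Resolver = system_resolver) -> List[str]:
    """The names that would stop working once the IPv4 lease is gone."""
    return sorted(h for h, label in classify_hosts(hosts, resolve).items() if label == "ipv4-only")


# Constructed stand-in for DNS: documentation names (RFC 2606) with
# documentation addresses (RFC 5737 / RFC 3849).  None of these are real records.
_FAKE_DNS = {
    ("dual.example", socket.AF_INET): ["192.0.2.10"],
    ("dual.example", socket.AF_INET6): ["2001:db8::10"],
    ("legacy.example", socket.AF_INET): ["198.51.100.7"],
    ("modern.example", socket.AF_INET6): ["2001:db8::7"],
}


def fake_resolver(host: str, family: int) -> List[str]:
    """Offline resolver backed by the constructed table above."""
    return _FAKE_DNS.get((host, family), [])


if __name__ == "__main__":
    sample = ["dual.example", "legacy.example", "modern.example", "missing.example"]
    for host, label in classify_hosts(sample, fake_resolver).items():
        print(f"{host:18} {label}")
    print("would break without IPv4:", ipv4_only(sample, fake_resolver))
```

To run it against real names, pass your own list with the default `system_resolver`. Do that from a host whose resolver does not perform DNS64: a DNS64 resolver synthesises AAAA records for IPv4-only names, which is exactly the gap this check is meant to expose.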
None of the ISPs where I live provide NAT64 gateways. Exactly one advertised it, I signed up almost a year ago and they still haven't enabled it for me yet (I think they don't actually offer it and just forgot to remove the page).
No, because unfortunately the need for v4 hasn’t changed. In other words many sites and parts of the internet remain only on v4.
Until nearly everything is on v6 too it won’t be realistic to ditch the mechanisms that provide v4 access.
My two IPv6 issues (even having had a HE tunnel in the past):
- My local ISP (US Internet, soon to be part of T-Mobile Fiber) hasn't enabled it, even though the CEO has said on Reddit for years that it's a priority. Now that they've been acquired who knows if it'll ever happen.
- Linode allows transferring v4 addresses between machines, so if I need to rebuild something I can do so without involving my client who usually has control over DNS. They do not support moving v6 addresses, which means that the only sites I have control over that support v6 are the ones that I control DNS.
Making IPv6 a thing seems like it would be super easy if a couple hours could be spent solving a bunch of dumb lazy problems.
> My local ISP (US Internet, soon to be part of T-Mobile Fiber) hasn't enabled it, even though the CEO has said on Reddit for years that it's a priority. Now that they've been acquired who knows if it'll ever happen.
Being a priority doesn't mean it's high priority. It could be a priority, but the lowest ranked one, so other stuff always comes first. :P
T-Mobile wireless US is pretty invested on IPv6, so if they take over the network, they may well push it.
It "finally hit the top of the project list" two years ago so we'll see lol.
It's "T-Mobile Fiber Home Internet" which looks to be a bunch of local ISPs they've been snatching up, so we'll see what happens. USI's customer service and reliability have been amazing so hopefully that doesn't get screwed up.
I try enabling IPv6 every year or so. The last time I tried IPv6 at home I couldn't figure out what my netmask was, nor the size of my allocation. Some folks say my ISP issues /60s, others /64. I couldn't figure out how to get my IP to remain static long enough to have long-running TCP sessions, either. It was a mess and not much better than it was 20 years ago when I first tried it (and had to disable it because it being on broke all sorts of things).
Maybe 2026 will be the year of IPv6. I kinda doubt it given I'm some jackass and dedicated network professionals still don't use IPv6.
Why are you setting up anything? You turn on IPv6, the router figures out its prefix from the upstream router, and then the router broadcasts the network to devices.
The netmask for IPv6 is nearly always /64. ISPs give out /60 to allow multiple subnets, but the router makes /64 subnets from that.
Not OP, but when I first tried to learn IPv6 for my home internet, I found that it's very important that you get the DHCP-PD prefix size right when configuring your router, or it would just not work at all.
I have Comcast, and they do give me a /56, but you can't ask for a /56 in the DHCP-PD request, because they don't support a single request grabbing all of your prefix space. You have to ask for /60's, which I had to find out through trial and error.
But it may have been even worse (my memory is fuzzy) because I think at one point I did successfully get a /56, but that then exhausted my DHCP allocation, and then after I rebooted my router I couldn't get anything any more. It didn't help that the router I had been using (Unifi security gateway) didn't seem to keep a static DUID that comcast was happy with, so I kept getting new prefixes every time it rebooted.
Comcast probably has so few customers that bring their own cable modem/router at this point that they basically don't have any support for this, you won't get anything from them over the phone, they just push you to pay them to rent their equipment (where they configure all these parts the way their network expects.) You have to be adventurous to run your own equipment with IPv6.
Nah. There are lots of things you’ll need to know.
Does it use SLAAC on the WAN side or DHCPv6? How do I get a range for my LAN then, DHCPv6 prefix delegation? Or maybe it's statically assigned somehow. Some carriers just use link-local on the WAN, with no public v6, just RAs for the link-local and a GUA block via IA_PD.
Regardless there are too many ways this is done, and this hampers adoption as it’s not just the “switch it on” operation you suggest.
All of those are handled automatically. The only people who have problems are ones who want to configure manually. More importantly, this is no different from IPv4, where you have DHCP or manual.
Nearly every ISP uses DHCPv6-PD because it's harder for manual configuration. The range is in the DHCP-PD; your router picks a subnet. The WAN address is automatic, and you don't care about it because you never see it. Mine is link-local and I hadn't known until I checked.
I need to know what IPs they might assign to my network, and then what IPs are to be assigned to my computers (or what I can assign statically).
You find out the addresses after it is configured automatically. This is no different than IPv4 and DHCP.
If you don't want to use the public addresses internally, then you can assign ULA addresses. If you don't want to use MAC derived addresses, assign them static host addresses.
For names, I use mDNS. I don't know the IPv6 address for my server. If I did need it, I would get it from the router.
Probably the largest barrier to IPv6 adoption is the myriad ways IP allocation to clients can be done and the various options that exist.
It’s fine for mobile providers, where the client activation defines what’s needed and the carrier essentially just needs to support two OS’s (iOS and Android).
Also mostly fine for residential when the carrier provides the CPE, and can set it up to work with how they have the network built.
But if you’re managing your own router it can be complex to know exactly what to use. And most ISP support aren’t very good either.
If you happen to be an expert it’s fine, but if you’re a power user not a full time network guy there is still way more complexity than there ought to be.
If you have ATT fiber, it’s a pain in the butt. Their default router will only issue a single passthrough /64 on request. If you have multiple VLANs you have to setup some scripts to ask for more, and even then you only get 8 of them. The gateway reserves the other 8 from the /60 it gets for its own use.
The only way I got IPv6 working well with them was to bypass their gateway. Now all my VLANs have /64, which is the standard subnet size.
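An added example (not from any commenter) that does the arithmetic the last few comments rely on: how many /64 subnets a delegated /60 or /56 holds, handing one /64 per VLAN out of the delegation while optionally skipping subnets a gateway keeps for itself, and the first-half/second-half split of a full address into its /64 and 64-bit interface identifier. The `2001:db8:…` prefixes are RFC 3849 documentation space standing in for whatever DHCPv6-PD delivers; the VLAN names are made up.

```python
import ipaddress
from typing import Dict, List, Tuple

IPv6Network = ipaddress.IPv6Network


def subnet_count(delegated: str) -> int:
    """How many /64 subnets a delegated prefix holds (a /60 gives 16, a /56 gives 256)."""
    pd = IPv6Network(delegated)
    if pd.prefixlen > 64:
        raise ValueError(f"{delegated}: need a /64 or shorter to carve /64 subnets")
    return 2 ** (64 - pd.prefixlen)


def nth_subnet(delegated: str, n: int) -> IPv6Network:
    """The n-th /64 inside the delegation, counting from zero."""
    pd = IPv6Network(delegated)
    if not 0 <= n < subnet_count(delegated):
        raise ValueError(f"{delegated} has no subnet number {n}")
    # The subnet number lands in bits 64..prefixlen; the host half stays zero.
    return IPv6Network((int(pd.network_address) + (n << 64), 64))


def carve_subnets(delegated: str, vlans: List[str], reserved: int = 0) -> Dict[str, IPv6Network]:
    """Hand out one /64 per VLAN, skipping the first `reserved` subnets
    (a gateway may keep part of the delegation for itself, as described above)."""
    available = subnet_count(delegated) - reserved
    if len(vlans) > available:
        raise ValueError(
            f"{delegated}: only {available} /64s left after reserving {reserved}, need {len(vlans)}"
        )
    return {name: nth_subnet(delegated, reserved + i) for i, name in enumerate(vlans)}


def split_address(addr: str) -> Tuple[str, str]:
    """First 64 bits route the packet (the subnet); the last 64 bits name the host."""
    iface = ipaddress.IPv6Interface(f"{addr}/64")
    interface_id = int(iface.ip) & ((1 << 64) - 1)
    return str(iface.network), f"{interface_id:016x}"


if __name__ == "__main__":
    delegated = "2001:db8:abcd:120::/60"  # documentation prefix, not a real delegation
    print(delegated, "holds", subnet_count(delegated), "/64 subnets")
    for vlan, net in carve_subnets(delegated, ["lan", "iot", "guest", "lab"]).items():
        print(f"  {vlan:6} {net}   router address {net.network_address + 1}")
    # A /60 with the first eight /64s kept by the gateway leaves eight for VLANs.
    print(carve_subnets(delegated, ["lan"], reserved=8))
    print(split_address("2601:3c7:4f80:1a01:4d2:3b7a:9c10:6f5e"))
```

Note that `carve_subnets` raises rather than silently overlapping when more VLANs are requested than the delegation can hold; with a /60 and eight subnets reserved, the ninth VLAN is the one that fails.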
I think bypassing their gateway, that is - bringing your own router is the only way to do VLANs, because their gateway is very basic and doesn’t support VLANs at all.
You can do VLANs with their gateway but only IPv4, or you have to write custom scripts to ask for additional IPv6 delegations.
Interesting. Which model of their gateway do you have? I have BGW320 and it definitely doesn’t support vlan tagging.
When I moved to an ISP that supported IPv6 earlier this year I ran into niggly problems. Ubuntu failed to update because one of its regional servers was misconfigured. OpenDNS: one of its servers seemed not to be there on a regular basis over IPv6. I also had odd behaviour and latency issues where sometimes IPv6 would fail to route for short periods and it would fail and fall back to IPv4.
It was a painful experience of trying to work out if I had misconfigured it, if it was something to do with my opensource router software or if it was my ISP or the end services. I didn't get to the end of working this out and reporting issues and I just gave up. Due to the intermittent nature of the issues I was facing I never managed to get a report of issues my ISP would accept.
So I'll give it some time and give it a try after a year and see if things have improved, but it was definitely not ready for prime time.
> Don’t blame your provider when they deploy CG-NAT, embrace IPv6 and global routing instead.
In theory this makes sense, but in practice my personal experience is that not a single wireline ISP I've ever seen deploy CG-NAT offered IPv6 service at all, nor did any of them indicate any intent or even interest when asked about it.
The mobile providers on the other hand have almost entirely gone IPv6-first, using 6>4 transition methods as the default form of v4 access which I fully support.
4>4 CG-NAT should never have existed and providers who deploy it without offering fully functional v6 should be shamed.
OpenBSD makes it easy to try IPv6 tunnelbroker.net with NAT64/DNS64 if your ISP only has IPv4 ("one more lab test away.." they say).
This has worked for me well for a couple years. I do use a VLAN to keep the IPv6-only network separate (homelab) from video streamers in the household.
In my pf.conf:
and in /var/unbound/etc/unbound.conf:
Done. I don't have 464XLAT on Win11 but I do want to know if there's a hard-coded IPv4 address anyway. I never had an issue.
Forgot the most important part of pf.conf!
Am I missing something? Where's the part where he actually talks about his experience in that week? This goes straight from an overview of IPv6 to the conclusions section.
I'm very surprised by the questions in this thread. There are some extremely basic things people are just not understanding. I suspect people hating on IPv6 have not spent the time with it. There is a difficulty in that it does behave quite differently to IPv4, and the lack of private addresses are also probably a shock.
The basic thing proponents don’t understand is that nobody in their right mind can intuitively understand IPV6 addresses because they look like MAC addresses with trisomy and are a pain in the ass to remember or type for absolutely no benefit to the non-network engineer. And there are infinitely more people with home routers and a few dozen devices than there are people running ISPs, fortune 500s, and data centres. Play with your convolution all you want, in 20 years the rest of us will still be happily assigning 192.168.x.x and ignoring it. V4 space running out is no more the average persons problem than undersea cables or certificate authority.
> nobody in their right mind can intuitively understand IPV6 addresses
If someone can't understand "it's longer" then what is wrong with them?
And using hex instead of decimal for magic computer numbers should be more intuitive, not less.
Also structure-wise the first half is the subnet and the second half is the host. That's much more intuitive than IPv4.
> absolutely no benefit to the non-network engineer
If you do anything peer to peer at all, calls or file transfers or games, there's a benefit. And the typical benefit grows over time as more and more ISPs install CGNAT.
> And using hex instead of decimal for magic computer numbers should be more intuitive, not less.
How? Why is using hex any more intuitive than binary or a md5 hash for anyone who doesn’t do networking for a living?
>If you do anything peer to peer at all, calls or file transfers or games, there's a benefit. And the typical benefit grows over time as more and more ISPs install CGNAT.
Again how? I’ve been doing all of those without issue for nearly 30 years. What measurable benefit does the user see that hasn’t been a solved problem since Windows XP?
Will my teams calls suddenly stop saying “poor network connection” on my 1000/1000 rock solid fibre connection? Will torrents suddenly find more seeds and peers? Will my games… have lower latency? Because I can’t think of another way anything networking related could be solved that wasn’t decades ago.
When you say benefit, it should probably be noticeable or measurable in some way that doesn’t involve dashboards and millions of dollars in rack mounted gear.
> What measurable benefit does the user see that hasn’t been a solved problem since Windows XP?
Things being able to connect, and not having to manually port forward (when that's even an option).
Hole punching is super unreliable with CGNAT.
> Will my teams calls suddenly stop saying “poor network connection” on my 1000/1000 rock solid fibre connection?
I don't know how Teams relays data, but for some services yes that could happen if IPv4 can't make a direct connection.
> Will torrents suddenly find more seeds and peers?
Yes. In a typical torrent an annoyingly small fraction of seeds and peers can receive connections. If you're IPv4-only behind CGNAT, you can't connect to them and they can't connect to you. IPv6 opens up a lot more links.
> Will my games… have lower latency?
It depends on how the game is designed. But some games will have lower latency because they can connect people directly instead of with relays.
>How? Why is using hex any more intuitive than binary or a md5 hash for anyone who doesn’t do networking for a living?
Well, what is the address range for 192.168.0.0/27? That's also non-intuitive for a layman as well.
In the end, IP addresses are made for computers, not humans.
And... just FYI,
>Will torrents suddenly find more seeds and peers?
Suggests to me you have absolutely never tried out torrenting under CGNAT. It's painful.
Not a single seeder can _actively_ send the data to you, your client must seek them by itself and it's not uncommon to have only 1-4 seeders connected!
> Also structure-wise the first half is the subnet and the second half is the host. That's much more intuitive than IPv4.
This only applies to /64 blocks, which are by no means standard. For instance, tunnelbroker.net will give you a /48 for free. This means IPv6 addresses are essentially free by the billions, but it's difficult to figure out how big of a block they belong to from the outside.
Regardless of the prefix size, a subnet is always /64 in IPv6. A shorter prefix simply means you can have more /64 subnets.
> intuitively understand IPV6 addresses because they look like MAC addresses with trisomy and are a pain in the ass to remember or type
I have north of 500 IPs I have some relation to. No way I would be bothered to remember them. Typing? Do you type IPv4s all day long? And it's still copy-paste 99% of times.
> for absolutely no benefit to the non-network engineer
Non-network engineers should work with names. And non-engineers don't 'work' with IPs at all. Look at your grandpa - he's typing 'bbc' into the search form in the browser to get to bbc.com.
> nobody in their right mind can intuitively understand IPV6 addresses
And 99% of so called engineers can't understand even IPv4. So this is a moot point.
I agree.
It's easy to tell someone to connect to something like 203.0.113.88. Many of us here, and also normal folks, have been saying dotted-octets like that for decades, now, and there's a familiar patter to the way that addresses like this flow off of the tongue.
It's hard to tell someone to connect to 2601:3c7:4f80:1a01:4d2:3b7a:9c10:6f5e. It's literally difficult to say, like saying it is intended to be some kind of test. And on the other end? Sure, we "all" "learned" hexadecimal at some point in school, but regular humans don't use hex so it sounds like missile launch codes (at best) or some kind of sadistic prank (at worst) to them. It reeks of phonic unfamiliarity and disdain.
(This is the part where the DNS folks invariably show up to announce that I'm holding it wrong. And I love DNS; I do. But I'm really not interested in maintaining public DNS for the dynamic addresses at home on my LAN.)
(After that, it becomes time for the would-be abbreviators to appear and tell me that the address for this computer is wrong, somehow, as if I ever had an active part in selecting the address to begin with.)
> It's hard to tell someone to connect to 2601:3c7:4f80:1a01:4d2:3b7a:9c10:6f5e.
If you would like your IPv6 addresses to be more human-friendly, you could use DHCPv6 (in addition to/instead of SLAAC) and end up with addresses like 2001:db8:3c7:4f80::123. Sure, it's 5 groups of e.g. 3-4 hex digits rather than 4 groups of up to 3 digits, but I think it's much easier than your example. You might set your router to use <prefix>::1 and/or fe80::1 (see OpenWRT's ipv6 suffix/ip6ifaceid option).
DNS servers (that you might occasionally have to type into config by hand) tend to have "nice" IPv6 addresses, e.g. Quad9 apparently uses 2620:fe::fe [1].
> But I'm really not interested in maintaining public DNS for the dynamic addresses at home on my LAN.
I think dnsmasq can these days create AAAA records for local machines whose hostnames it learns via e.g. DHCP.
If you have a public server on the internet and your provider gives you a random-looking address using all 128 bits (and no /64 prefix for example) perhaps using (public) DNS is fine.
Opinions my own.
[1] https://quad9.net.
> After that, it becomes time for the would-be abbreviators to appear and tell me that the address for this computer is wrong, somehow, as if I ever had an active part in selecting the address to begin with
Ok, I'll bite. Why exactly do you not have the ability to select the address?
As a general rule, if you care about an IPv6 address enough that you have to type it in somewhere, you should be assigning it manually, and if you're doing that you can make it a lot friendlier than 2601:3c7:4f80:1a01:4d2:3b7a:9c10:6f5e. The whole second half of the address can be shortened to ::<digit>, where the length of <digit> scales logarithmically to the number of memorable addresses you want in that network.
My network at home uses ULA addresses for everything, and I just use my phone number in the first half, so the address of my router at home is e.g. fd21:2555:1212::1, my NAS is fd21:2555:1212::a, etc. The global (GUA) address is something like 2601:abc:def:1201::a, which isn't that bad.
Hell, if you don't care about the potential of conflicts if you ever merge networks with someone else, you can just use fd00:: as your ULA prefix, and your router can be fd00::1, your NAS box can be fd00::2, etc. Shorter than IPv4 addresses!
> Ok, I'll bite. Why exactly do you not have the ability to select the address?
I never said I don't have the ability. I may; I may not. I myself don't know that one way or the other. It's a big ball of mystery to me.
What I did say was I didn't have a hand in that long address; ie, I was not involved in making it that way. I don't know by what mechanism (if any) the long address came to be. I don't know if it was assigned, or selected, or a product of /dev/random, or if it was a combination of these things.
I only know that I didn't choose it, and that the way that it is simply sucks.
> As a general rule, if you care about an IPv6 address enough that you have to type it in somewhere, you should be assigning it manually
Perhaps. But that's a twist that we didn't have with the de facto norm that we landed on in the IPv4 world some decades ago, wherein: a LAN address was dynamic by default, assigned via a local DHCP server, and presented as a dotted octet. The WAN address was also dynamic, assigned by someone else's DHCP server, and presented as a dotted octet. The two addresses were never related to each other.
And in that world: If I wanted to run a local service for someone else (on the internet) to use right now -- today (maybe not tomorrow or next week, but definitely right now), then all I needed to relay to them was the simple dotted octet that identified my WAN interface.
That part was easy with IPV4.
> and if you're doing that you can make it a lot friendlier than 2601:3c7:4f80:1a01:4d2:3b7a:9c10:6f5e. The whole second half of the address can be shortened to ::<digit>, where the length of <digit> scales logarithmically to the number of memorable addresses you want in that network.
Maybe my occipital lobe is just broken somehow, but it's hard to look at an address like that and quickly discern where the second half of that address even begins. Why am I looking for a half of it, anyway? (From whence is that "half" delineation deduced?)
But, sure. Half of it, for whatever reason that it is half. So 2001:3c7:4f80:1a01::3 can be one system on the LAN and 2001:3c7:4f80:1a01::4 can be another? And these are complete, unique, world-routable addresses that someone else on the world can connect to with the appropriate firewall rules in-place?
But the first half is assigned by my ISP and changed at their whim, right? I can't reliably connect from 2001:3c7:4f80:1a01::3 to 2001:3c7:4f80:1a01::4 even if those two computers are right next to each other on my LAN because tomorrow, the first "half" might change -- correct?
I don't like the idea of my LAN's addressing being dictated by whatever ISP I'm using at the moment. (Spectrum is down, switch to hotspot as backup, and oh lol: the LAN is all different now. IPV4, as-implemented, never did that to me.)
> Hell, if you don't care about the potential of conflicts if you ever merge networks with someone else, you can just use fd00:: as your ULA prefix, and your router can be fd00::1, your NAS box can be fd00::2, etc. Shorter than IPv4 addresses!
I don't even know what ULA means.
But it sounds like ULA means something like RFC 1819 10.x.x.x private addresses, wherein: A person can do whatever they want, and it never touches the Internet so it's fine.
That sounds great, in concept. But now we're back to using private, non-routable addresses? Isn't that the same thing we were seeking to avoid?
How does fd00::3 then communicate with the greater internet? NAT?
edit: And then, how is fd00::3 superior to 10.3 [10.0.0.3] on the LAN?
> then all I needed to relay to them was the simple dotted octet that identified my WAN interface.
Then either you must be one of the precious few people who owns a /24 or something for their house and gives each device a global IPv4 address, or you’re forgetting the part where you have to go to your router and pick a random port to forward, and open it up. Otherwise you don’t just “have” an independent WAN address on each host in your network, like you do with a typical IPv6 setup.
> So 2001:3c7:4f80:1a01::3 can be one system on the LAN and 2001:3c7:4f80:1a01::4? And these are complete, unique, world-routable addresses that someone else on the world can connect to with the appropriate firewall rules in-place?
yes
> But the first half is assigned by my ISP and changed at their whim, right?
like your IPv4 WAN address does, yes
(About ULA) > That sounds great, in concept. But now we're back to using private, non-routable addresses?
like IPv4 yes. But in IPv6 you can have both, a ULA (like rfc1918 addresses) and a GUA (an actual routable address) on the same subnet. It’s fine. Use the ULA for your LAN use cases where you need to use a LAN IP address (bonus, it stays the same even if your ISP changes your prefix) and use the GUA for the rare occasion where you need someone on the other side of the world to talk to one of your hosts. You’re gonna have to poke a firewall rule anyway, so you just pick a decent GUA address while you’re at it ($global_prefix::1, etc.) You can do whatever you want, it’s your prefix (until your ISP changes it.)
> How does fd00::3 then communicate with the greater internet? NAT?
no need, it just has another address for global traffic. Typically one of the really long random ones, that’s what they’re for. (They even change for every external service you talk to.) The whole purpose of the long impenetrable fully-populated 128-bit address is basically only necessary for privacy (i.e. you intentionally want the address to be meaningless.) For anything where you’re persisting an IP somewhere, just pick a better address for it. $prefix::1, whatever. It’s a single ifconfig command even on macOS, ditto Linux. (Windows I have no experience with but I’m sure that too.) Trivial to persist across reboots, etc.
The ISP changing the prefix is a real problem though, and is far too difficult to rely on persisted global addresses for that reason. Using a ULA anywhere you need to configure an IP address locally is the only sane option, and for global addresses it’s simply a huge pain in the ass if you ever get a different prefix.
> edit: And then, how is fd00::3 superior to 10.3 [10.0.0.3] on the LAN?
> There is a difficulty in that it does behave quite differently to IPv4
Which can be fine if you have a /solid/ transition plan to move networks wholesale from v4 to v6. They absolutely failed on this point and almost purposefully refused to carry over any familiar mechanisms to make dual stack easier to manage.
It's a University protocol that escaped into commercial usage based mostly on false fears of global routing table size becoming unmanageable or impossible to store in RAM. The results are absolutely predictable.
I haven't spent a lot of time with my power grid either, but I do expect the light to go on when I press the switch.
(Needing to dedicate time for it is, to some extent, either a failure of the protocol or at least a contributor to the lack of adoption.)
In my experience IPv6 has always "just worked" for me in the consumer space. The only difficulty I have found is when implementing it into an existing managed network. Most organisations will not touch it, they're too comfortable with IPv4, unfortunately.
And despite that, the place where I work has disabled IPv6, rendering our development machines useless for trivial tasks such as debugging our iOS app on a device (which uses IPv6 under the hood)
Reasons given: the security policies say ipv6 is not safe enough.
While these articles are useful in understanding the utility of IPv6, what would really help is an article explaining step by step how to configure a home network using IPv6. The tutorial should answer these questions:
- How to ensure there are no collisions in address space? Translates to, how to pick safe addresses, is there a system?
- How do I route from an external network resource to an internal network resource? Translates to, can you provide syntax on how to connect to an smb share? Set up a web service that works without WireGuard or equivalent?
- How does one segment networks, configure a vlan, set up a firewall?
- if you're talking about a private/local prefix, you can use tools like this to generate one: https://unique-local-ipv6.com/. Otherwise DHCPv6 and SLAAC will ensure no collisions for the most part.
- Use global/public addresses on all your devices (using something like prefix delegation) or use NAT.
- Same as IPv4. Prefix delegation will let your ISP assign you multiple networks, and then most routers will break these up into /64 networks for each of your VLANs.
- SLAAC - the address spaces for IPv6 are so huge, collisions are extremely unlikely outside of intentional actions.
- Open holes through firewalls, point DNS at the address, and it should just work, the joys of actually having public addresses.
- Same way as with IPv4 mostly. The only real difference is because SLAAC assumes a /64 you probably want your networks to be at least that big.
> extremely unlikely outside of intentional actions.
But come on! It is a legitimate question, do you just scramble keys when picking an address?
> the joys of actually having public addresses.
If your ISP gives you a static IPv6. Unfortunately in Germany none of the ISPs for private users do (last I checked).
> do you just scramble keys when picking an address?
No. Your ISP or tunnel broker gives you a network prefix. Then you configure SLAAC to use that prefix and hand out addresses within it. Job done.
For example, the prefix might look like 2001:470:e904::/48. Your computers can use any addresses you want as long as they start with that prefix. Since you don’t want to manually hand out addresses to every computer, you configure a router to hand out addresses via SLAAC. Your computers will use SLAAC to discover the prefix from the router, then fill in the bottom 64 bits of the address with a random number. They then ask the local network if anyone is using that full address. If not then they are done and have a working address. If somehow someone is using that address then they try again with a different random number. Servers that want a fixed address will just use their network card’s MAC address (or anything similar, if you want) instead of a random number. The protocol is the same either way.
Notice that this actually gives you some bits of your own to play with, if you want. The full address is 128 bits long. The first 48 were used by the prefix and the bottom 64 by the individual devices, leaving 16 bits in the middle. You could tell your router that the prefix for SLAAC is 2001:470:e904:42::/64, for example, and then use the other subnets for other purposes. Maybe 2001:470:e904:beef::/64 is a special subnet just for your meat freezer and associated monitoring equipment. I don't know, you get to make these things up for yourself. Maybe you manage a corporate network that has a separate VLAN for phones than for normal PCs, and a third VLAN for the guest WiFi. You can give them each a different prefix by embedding the VLAN id into the prefix you advertise via SLAAC.
There’s also DHCPv6 if you want even more control over which addresses are handed out, or you want to subdivide your network even more finely. Or if ISPs ever start handing out smaller prefixes.
> If your ISP gives you a static IPv6. Unfortunately in Germany none of the ISPs for private users do (last I checked).
Sure, that’s true. But they probably don’t hand out static addresses for IPv4 either. Not without paying extra, that’s for sure. Either way if you want some static identifier for your computer(s) then the solution is the same: DNS.
Of course if you _are_ running a corporate network with a bunch of VLANs like that then you should actually get your own prefix from your RIR rather than from your ISP. Then you purchase IP transit services from your ISP rather than consumer internet access. You can then advertise your prefix(es) via BGP. Again, this is exactly what you would do for IPv4. Same software, same configuration, just longer addresses. The main advantage of this extra work is that you can keep your addresses static even if you move to an entirely different ISP. You can also use the same addresses over multiple connections to multiple ISPs for better redundancy.
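The address derivations the two answers above describe, as an added example that is not code from the thread: a ULA prefix generated the RFC 4193 way (the "is there a system?" question from the tutorial wish list), the two kinds of SLAAC interface identifier (stable modified EUI-64 from a MAC per RFC 4291, and a random temporary one per RFC 4941 with the retry that Duplicate Address Detection triggers), and a VLAN id carved into the 16 spare bits of a /48. The MAC, VLAN id and timestamp are constructed; 2001:db8::/32 is the documentation prefix standing in for a real delegation.

```python
"""Added example (not from the thread): how LAN IPv6 addresses are derived.
All inputs (MAC, VLAN id, timestamp) are constructed; 2001:db8::/32 is the
documentation prefix, not a real delegation."""
import hashlib
import ipaddress
import secrets

NTP_EPOCH_OFFSET = 2_208_988_800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix)
TEMP_IDGEN_RETRIES = 3            # RFC 4941 gives up after this many DAD failures


def _net(prefix) -> ipaddress.IPv6Network:
    return prefix if isinstance(prefix, ipaddress.IPv6Network) else ipaddress.IPv6Network(prefix)


def modified_eui64(mac: str) -> int:
    """RFC 4291 appendix A: split the MAC, insert ff:fe, invert the U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def ula_prefix(mac: str, unix_time: float) -> ipaddress.IPv6Network:
    """RFC 4193 section 3.2.2: SHA-1(NTP timestamp || EUI-64), keep the low 40 bits
    as the Global ID and place it under fd00::/8, giving fdXX:XXXX:XXXX::/48."""
    secs = int(unix_time) + NTP_EPOCH_OFFSET
    frac = int((unix_time - int(unix_time)) * (1 << 32))
    key = (secs.to_bytes(4, "big") + frac.to_bytes(4, "big")
           + modified_eui64(mac).to_bytes(8, "big"))
    global_id = int.from_bytes(hashlib.sha1(key).digest()[-5:], "big")
    return ipaddress.IPv6Network(((0xFD << 120) | (global_id << 80), 48))


def subnet_for_vlan(prefix, vlan_id: int) -> ipaddress.IPv6Network:
    """Put a VLAN id into the 16 bits between a /48 delegation and the /64 boundary."""
    prefix = _net(prefix)
    if prefix.prefixlen != 48 or not 0 <= vlan_id <= 0xFFFF:
        raise ValueError("need a /48 and a 16-bit VLAN id")
    return ipaddress.IPv6Network((int(prefix.network_address) | (vlan_id << 64), 64))


def slaac_address(subnet, iid: int) -> ipaddress.IPv6Address:
    """Prefix learned from the router advertisement plus a 64-bit interface identifier."""
    subnet = _net(subnet)
    if subnet.prefixlen != 64:
        raise ValueError("SLAAC needs a /64")
    return ipaddress.IPv6Address(int(subnet.network_address) | (iid & ((1 << 64) - 1)))


def random_iid(randbits=secrets.randbits) -> int:
    """RFC 4941 temporary identifier: 64 random bits with the U/L bit (bit 57) cleared."""
    return randbits(64) & ~(1 << 57)


def assign_temporary(subnet, in_use: set, randbits=secrets.randbits) -> ipaddress.IPv6Address:
    """Model of SLAAC plus DAD: pick a random IID, re-roll if a neighbour already
    claims it.  The `in_use` set stands in for the NS/NA probe on the link."""
    for _ in range(TEMP_IDGEN_RETRIES):
        candidate = slaac_address(subnet, random_iid(randbits))
        if candidate not in in_use:
            in_use.add(candidate)
            return candidate
    raise RuntimeError("duplicate address detection failed repeatedly")


if __name__ == "__main__":
    mac = "34:56:78:9a:bc:de"  # constructed; the example MAC from RFC 4291
    print("ULA prefix:        ", ula_prefix(mac, 1_700_000_000.0))
    phones = subnet_for_vlan("2001:db8:e904::/48", 0x42)  # documentation prefix
    print("VLAN 0x42 subnet:  ", phones)
    print("stable address:    ", slaac_address(phones, modified_eui64(mac)))
    print("temporary address: ", assign_temporary(phones, set()))
```

The EUI-64 path gives a server an address that survives reboots and prefix-independent renumbering of the host part; the random path is what laptops and phones use by default, which is why a firewall rule keyed on a SLAAC address of such a device will not stay valid.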
This is a good overview. I think the difficulty with IPv6 is that people rely on all of the crutches invented for IPv4 as features: private addressing/NATing gives you security (it doesn't) and portability (it does), IPv6 usually uses subnets per physical location making failover difficult, whereas IPv4 will use BGP announcements to fail over public IPs, etc. I'm not saying one way is better than the other, just that IPv6 is pretty different and people very much have an IPv4 world view.
> But come on! It is a legitimate question, do you just scramble keys when picking an address?
I did give the answer: SLAAC.
> If your ISP gives you a static IPv6. Unfortunately in Germany none of the ISPs for private users do (last I checked).
Weird, here in the UK all the ones I've had have given me a static /56. Still, the same answer for that (DDNS) exist as for dynamic IPv4 addresses, you still get the advantage of not having to deal with NAT.
What’s the pragmatic solution to ipv6 allowing everybody in my household to be trivially and stably mapped to a unique subnet? I like the accidental semi-randomization that ipv4 and ISP NAT offered and I don’t see anything like it short of putting my entire home net on a VPN (it’s expensive and can’t keep up with my ISP’s bandwidth)
Each device gets directly addressable from WAN with v6 but it also gets a randomised privacy IP that rotates very frequently so each individual device is just as "hidden" as it was with v4+NAT.
Your v6 subnet prefix is no different than whatever WAN-side v4 your NAT had. "Accidental semi-randomization" of the WAN side IP is not something one could reliably count on. Many ISPs just hand over a static-like IP, that is, even when it's supposed to be random the pool of IPs is so constrained that it's usually the same simply through the IP lease surviving power cycling. And that was before CGNAT.
If your concern is being identifiable through your IP then counting on whatever v4 artifact is the wrong move. Use a VPN with randomised exit nodes.
Everybody in your household is already mapped to a single IPv4 address that rarely changes with most ISPs. Mine hasn't changed in over 3 years. My IPv6 /56 prefix delegation hasn't changed, either.
It’s a little different, but you can use ULAs to have a static subnet with static device addresses.
One of the biggest changes from IPv4 when I enabled IPv6 a while back was that it’s fine and normal to have multiple addresses per interface now. ULAs are not globally routable, so I think of them as LAN addresses. Another option that comes to mind is mDNS, but I think support for that is not as widely accepted.
Global addresses can change, just as your home dynamic IPv4 probably did from time to time.
It's true that you won't get CGNAT without having CGNAT. Depending on your concern, it is possible to NAT66 to make your entire network appear as one IP.
what exactly do you mean by "trivially and stably mapped to a unique subnet"?
I wish I could switch my network to all IPv6 and use NAT64/DNS64, but Android, the world's most popular OS, purposefully disables DHCPv6. I am forced to support IPv4/DHCPv4 for the foreseeable future to support these broken devices.
> I wish I could switch my network to all IPv6 and use NAT64/DNS64, but Android, the world's most popular OS, purposefully disables DHCPv6.
It does not "disable" DHCPv6. It does not support DHCPv6. Android (really Lorenzo Colitti) in/famously WONTFIX adding DHCPv6 client support:
* https://issuetracker.google.com/issues/36949085
Of course after over a decade of denying that Android needs some kind of DHCP in IPv6, it seems that Android may finally be getting some kind of solution:
* https://android-developers.googleblog.com/2025/09/simplifyin...
* Via: https://blog.ipspace.net/2025/09/android-dhcpv6-prefix-deleg...
Hopefully, having admitted (?) the error of their ways with being SLAAC-only they'll also add 'regular' DHCPv6 in addition to DHCPv6-PD.
Holy hell the Android DHCPv6 situation is deranged. Been following Mr Colitti’s antics for a while but only just learned of this prefix delegation news. So now I can delegate an entire subnet but can’t just have a regular address. Why oh why can’t we just have a goddamn normal every day DHCPv6 client like every other OS on the planet
Android supports SLAAC and has good support for transitional tech like 464XLAT and DHCP option 108.
I have used these on my network and office to move to IPv6-only for Android.
What about lack of DHCPv6 prevents you from using IPv6 on Android?
I can't run SLAAC and DHCPv6 at the same time without giving devices multiple addresses, and Android doesn't support DHCPv6, so I'd have to carve out a separate, SLAAC-based, android-only network. And then figure out firewall rules, multicast reflection, etc.
Why is giving multiple addresses a problem?
No control over which source address is used. I'm assigning a lot of clients DHCP reservations so I can use static addresses for monitoring and firewall rules. With multiple addresses on the same network, clients may use their SLAAC address which won't match the firewall rule.
That still doesn’t really make sense. Why not run SLAAC on one subnet and have a single firewall rule for the whole thing? You’re not running any major servers on an Android phone, so it won’t be anything complex.
SLAAC can only run on a subnet that's larger than /64, which they might not have access to.
Strictly speaking it can and does run on subnets that are exactly /64. Does anyone actually hand out smaller delegations today?
My point is that they might only be getting 1 /64 from their ISP; or getting a /62 or something small, and needing more subnets anyway. In these situations, you may not have an extra /64 to dedicate to SLAAC for certain devices.
Right. I was merely correcting your statement that SLAAC needs more than 64 bits to work with. But my question remains; do any ISPs hand out smaller delegations than a /64?
There are APIs in Linux to control source address selection but might be fiddly https://www.davidc.net/networking/ipv6-source-address-select...
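The problem described above (a client holding both a DHCPv6-reserved address and a SLAAC temporary address, and sending from the "wrong" one) is decided by the RFC 6724 source address selection rules. As an added example, not code from the thread or from Linux, here is a small model of those rules, enough to show why the temporary address wins by default and what flipping "prefer public" changes. Rules 1, 2, 3, 6, 7 and 8 are modelled; rule 4 (home address) and rule 5 (outgoing interface) are skipped because they need Mobile IPv6 or a multi-homed host. All addresses are constructed from the documentation prefix 2001:db8::/32 and a made-up ULA.

```python
"""Added example (not from the thread): a model of RFC 6724 source address
selection.  Addresses are constructed from 2001:db8::/32 and a made-up ULA."""
import ipaddress
from dataclasses import dataclass

SCOPE_LINK, SCOPE_GLOBAL = 2, 14  # RFC 4291 scope values reused by RFC 6724

# RFC 6724 section 2.1 default policy table: (prefix, precedence, label)
POLICY_TABLE = [
    (ipaddress.IPv6Network("::1/128"), 50, 0),
    (ipaddress.IPv6Network("::/0"), 40, 1),
    (ipaddress.IPv6Network("::ffff:0:0/96"), 35, 4),
    (ipaddress.IPv6Network("2002::/16"), 30, 2),
    (ipaddress.IPv6Network("2001::/32"), 5, 5),
    (ipaddress.IPv6Network("fc00::/7"), 3, 13),
    (ipaddress.IPv6Network("::/96"), 1, 3),
    (ipaddress.IPv6Network("fec0::/10"), 1, 11),
    (ipaddress.IPv6Network("3ffe::/16"), 1, 12),
]


def label(addr: ipaddress.IPv6Address) -> int:
    """Label of the longest policy-table prefix that covers addr."""
    _, _, lbl = max((row for row in POLICY_TABLE if addr in row[0]),
                    key=lambda row: row[0].prefixlen)
    return lbl


def scope(addr: ipaddress.IPv6Address) -> int:
    return SCOPE_LINK if addr.is_link_local else SCOPE_GLOBAL


@dataclass(frozen=True)
class Candidate:
    address: ipaddress.IPv6Address
    deprecated: bool = False   # preferred lifetime has expired (RFC 4862)
    temporary: bool = False    # RFC 4941 privacy address


def common_prefix_len(a, b) -> int:
    return 128 - (int(a) ^ int(b)).bit_length()


def select_source(candidates, dest, prefer_public=False) -> Candidate:
    """Return the candidate RFC 6724 picks for a packet to dest."""
    dest = ipaddress.IPv6Address(str(dest))
    d_scope = scope(dest)

    def rank(c: Candidate):
        s = scope(c.address)
        return (
            c.address == dest,                   # rule 1: same address
            s >= d_scope,                        # rule 2: scope large enough ...
            -s if s >= d_scope else s,           #         ... but as small as possible
            not c.deprecated,                    # rule 3: avoid deprecated addresses
            label(c.address) == label(dest),     # rule 6: matching policy label
            c.temporary != prefer_public,        # rule 7: prefer temporary unless told otherwise
            common_prefix_len(c.address, dest),  # rule 8: longest matching prefix
        )
    return max(candidates, key=rank)


# Constructed host: one /64 with a DHCPv6 reservation AND a SLAAC temporary
# address, plus link-local and a ULA.
LINK_LOCAL = Candidate(ipaddress.IPv6Address("fe80::1"))
DHCPV6 = Candidate(ipaddress.IPv6Address("2001:db8:1:1::50"))
TEMPORARY = Candidate(ipaddress.IPv6Address("2001:db8:1:1:9c1e:4b2f:77aa:d3e"), temporary=True)
ULA = Candidate(ipaddress.IPv6Address("fd12:3456:789a:1::50"))
HOST = [LINK_LOCAL, DHCPV6, TEMPORARY, ULA]


def chosen(dest, prefer_public=False, candidates=HOST) -> str:
    return str(select_source(candidates, dest, prefer_public).address)


if __name__ == "__main__":
    print("to the internet, default:      ", chosen("2001:db8:9::1"))
    print("to the internet, prefer public:", chosen("2001:db8:9::1", prefer_public=True))
    print("to a ULA neighbour:            ", chosen("fd12:3456:789a:2::1"))
    print("to a link-local neighbour:     ", chosen("fe80::42"))
```

Rule 7 is the one that bites the firewall use case: with temporary addresses enabled and preferred, the DHCPv6 reservation is never the source for outbound traffic. On Linux the knob is `net.ipv6.conf.<iface>.use_tempaddr` (0 off, 1 generate but do not prefer, 2 generate and prefer), and a route's `src` attribute pins the source for a given destination regardless of the rules above.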
Ah, this makes sense.
I thought this was a problem too. Then I realized that addresses are not in short supply, so I stopped caring that some devices get multiple addresses. The ones I care about are handed out over DHCPv6, and the firewall works accordingly. The rest gets basic connectivity and nothing else.
Works great for me.
Don't you have problems with clients using the wrong source address and not matching firewall rules?
Different person here, but no. I never write firewall rules based on individual source addresses. They’re too easy to fake. And with IPv6’s privacy extensions, you never know what source address a given machine will have anyway.
Interesting. How do you deal with destination addresses on your local network? DHCPv6 like the other poster and myself?
I haven’t had a need for DHCPv6. I’d use DNS (or better, mDNS) to assign a hostname to the destination’s fixed IPv6 address or ULA, both of which are static. I don’t ever manually assign an IPv6 address to a host, though. I just let SLAAC do the thing it was designed for.
No. Admittedly, my firewall rules are all about granting something extra beyond the basics. I only do this for clients I care about anyway, so I can always tell them to use the right address.
Android supports DHCPv6, just not stateful DHCPv6. You can give each device its own /64 or if you really want to track a device's usage you should use an authenticated layer on top of your base network.
Why can't you use stateless autoconfig?
Because I want to control the suffix assigned to devices for firewall rules and monitoring purposes.
Seems like the wrong layer unless your network has more than one router/gateway.
Use MAC as the key for firewall and monitoring. Then you don't have multiple rules per device.
”You’re holding it wrong”
World IPv6 day 6-6-26, just turn IPv4 off. Let the world catch up.
I said the same thing for 6-6-16 too.
Uh, I like that!
I have some services on IPv6 only, but it rarely convinces anyone that they need IPv6 connectivity …
In my 25 year career in network engineering, I’ve encountered needing it as a user exactly once, and that was earlier this year. Supabase’s free tier allows direct connections to the Postgres only over IPv6. It’s too bad the deployment has been a long, drawn-out and expensive process for everyone.
My ISP has good IPv6 support. I was using it for a while and recently disabled it across my home network for simplicity of maintenance, cutting my vyos config in half. When I need to access something not available on IPv4 I'll set it up again but I'm not convinced that will happen in my lifetime.
I feel this doesn’t really address whether we are losing something privacy or security related by not having NAT. I think my main devices are always updated (Mac, iPhone or iPad) and can handle it, but do I really want my thermostat or doorbell or lock or garage door opener or light switch directly accessible on the Internet, or is the NAT serving a useful purpose? I don’t feel like this is addressed in this article.
> but do I really want my thermostat or doorbell or lock or garage door opener or light switch directly accessible on the Internet or is the nat serving a useful purpose?
You should have a firewall, regardless of v4/v6.
You should, but the exposure from having no firewall is much higher without NAT. Packets with private network IPs are martians on the internet and will not find their way to your device unless they come from the same network and the ISP's infrastructure doesn't drop them. IPv6 addresses are routable across the internet so the packets will most likely get to your router, meaning anyone on the internet can talk to your LAN in the absence of a firewall.
The reality is that consumer router firmware is horrible in every aspect, especially security, and this isn't going to change with IPv6 rollout. I fear the most likely scenario is that ISPs will set up inbound firewalls on their end, and then we'll be even worse off than we are right now.
I have firsthand experience doing that experiment about 3 months ago. Completely removed my IP4 DHCP lease from my ISP at the router. About 50% of the public sites I tried to visit didn't resolve. So many public sites, that I gave up and went back to dual stack after just a day. Google, ChatGPT, and a few other popular sites were fine with pure IPv6 traffic, however sites like eBay and even HN did not resolve. IPv6 simply is still not ready for everyone to just transition into overnight.
A bit ironic that HN did not resolve.
Dual-stack with a public IPv4 address is by far a preferable way to access the v4 internet than being stuck behind a provider NAT64 box.
Totally understand why carriers may want IPv6 mostly and a v4-free core. But as an end user dual stack just seems simpler.
As a normal user: why do I need IPv6?
As far as I know, the majority of websites (about 70%) do not support IPv6.
Depends on your ISP. If you live in a place where there aren't many IPv4 addresses available, CGNAT is the reason you're seeing a lot of Cloudflare/Akamai/Google CAPTCHAs everywhere, and IPv6 fixes that.
same reasons northern europeans had to invent all sorts of fancy food preservation and complex power struggle societies revolving around crop limitations and war.
Meanwhile closer to the equator, much less progress was needed to live and let live.
In short, Americans are native tribes. We have plentiful IPv4 and couldn't care less about SLAAC or whatever other complex moon, sun and seasonal tide gods, salted codfish and salt mining operations. We just don't need to care about long addresses; they're plentiful here.
You need it because there aren’t enough IPv4.
If you have a mobile device with data, you’re likely already using it.
Do we really need all the mobile phones and IoT devices of the world to be publicly addressable? Is that even a good thing?
If you want to use the internet, you need an IP address.
You can share that IP address by putting multiple hosts on the same local network and using parts of the transport layer. NAT was invented because of not having enough addresses.
CGNAT is a guarantee that you have plausible deniability on the internet. NAT is also a guarantee that you are not addressable from the internet.
It’s a feature.
I don’t think that’s true. But of course it depends on how you measure the majority of websites.
Most of the figures I see show 60-70% of the top 100 sites do support it. But maybe that does not reflect your usage.
Why do you need it? Maybe you don’t right now since ipv6 only sites are niche. The most tangible advantage I’ve seen is avoiding CGNAT. Gamers in particular don’t like that because it introduces latency. Services like Xbox live definitely do support ipv6 for this reason.
My previous fibre provider in Ireland was Virgin, and as far as I could tell, it was fully IPv6. Every device in my network got a public address, and self hosting stuff from home was as easy as setting up an A record at my DNS host. No faffing around with port forwarding, proxying, NAT bullshit or whatever. My memory is hazy, but there might have been some firewall stuff I had to do on the Virgin supplied router.
Interesting. I did finally find a use for IPv6 which I wrote up here: https://martinalderson.com/posts/i-finally-found-a-use-for-i...
Tbh though the docker problems are very serious and extremely painful to work around. Everything works great apart from Docker which has so many issues - it does not handle IPv6 inbound but IPv4 out well at all (at least as far as I can tell!).
I wonder about the possibility of running your own email server behind a domestic IPv6 address.
Most of the domestic IPv4 networks have port 25 blocked for incoming connections. Maybe in the IPv6 realm things are a bit more relaxed.
I need to switch my home network to at least use IPv6 externally, because my ISP recently deployed CG-NAT, which made my SSH server that used to work no longer reachable from outside of my LAN.
You can use a NAT-traversing VPN like tailscale to work around this.
If Google would announce that Chrome is dropping IPv4 support in n months, that would probably get things moving. ;)
I guess it would, but remember there are more services out there than just HTTP(S).
For example the last time I had an IPv6-only host I had issues cloning things from github, as "git clone git@github.com..." failed due to github.com not having IPv6 records.
A quick search revealed this open 3+ year old discussion - https://github.com/orgs/community/discussions/10539
You’re in luck, github is in the process of moving to azure!
Would have to be ChatGPT these days.
The workarounds we need to enable P2P communication on the internet are a shame... we need turn, stun, webrtc, all this stuff so two computers can talk without a dedicated port forward or public ipv4.
ipv6 is a beautiful protocol, (not perfect, but elegant) with a lot going for it. But the momentum of ipv4 is just too strong.
It's a mess... with no good solution. I tried to turn off ipv4 and github (shame on you) stopped working. But what are we supposed to do? Have the government mandate everyone switch? (oh wait half of US government websites are ipv4 only)
We did this to ourselves...
AWS doesn’t offer PTR records for IPv6 addresses, which makes Gmail blacklist my email server’s IPv6 address. I had to disable IPv6 due to lack of PTR records.
Not being able to setup a spam server in aws is a feature.
It’s not a spam server. I self host email for personal and non marketing business use. Don’t assume everyone running their own email is a spammer.
I'm pretty underwhelmed by IPv6. It looks like the typical "horse designed by committee."
I suspect that what will actually end up being implemented, will be a core subset of the spec.
We'll have to see what's still standing, when the dust settles.
The IPv6 spec looks long because it also includes protocols that are separate on IPv4 (DHCP/SLAAC, NDP, depending on the document ICMPv6, mirroring DHCP, ARP, ICMP, NetBIOS, etc.), as well as the addressing schemes that were different RFCs in IPv4 such as multicast/unicast/network classes/subnets.
As for the implementation: just about anything more powerful than an ESP32 has the entire protocol implemented and running already.
As long as the SDKs to apps make it simple, we'll be good. I haven't seen much, so far.
Your computer, and every other computer on the planet, already supports the entire IPv6 spec. There is no subset.
I'm typing this on a computer running Android, which means it doesn't support DHCPv6. I would describe it as supporting a subset of IPv6 functionality.
I suppose that could be annoying, but technically DHCPv6 is not part of the IPv6 specification just as the original DHCP was not part of the original TCP/IP specification.
Well, we'll have to see what all the "in-between" bits do. There's a lot in it, that will require implementation by countless layers of routers, switches, caches, firewalls, etc.
Look at Bluetooth, for an example, or TIFF.
I printed out the Bluetooth spec once, just for Ss and Gs. It was over 2,000 pages (double-sided).
I once tried writing a fully-compliant TIFF reader. Didn't go so well.
Those all support IPv6 too. They’re the same computers, and they’ve all supported IPv6 for decades now. The IPv6 spec is a lot shorter than the spec for Bluetooth or TIFF.
Just because the physical and link layers support it, doesn't mean the application layer will.
You could say the same for Bluetooth chips.
I've seen stuff, man...
Apple requires that all iOS apps on the store function on an IPv6-only network (which is how several large mobile phone networks work), and everything works fine on the application layer.
Huh. I believe that, but didn’t know it (I write apps for Apple kit). I have done low-level networking stuff that would definitely have run into issues, but that was over ten years ago. These days, I rely on the upper layer of the stack.
I really should try an exercise like the one the author did. I’m not necessarily against IPv6, but I’m still a bit skeptical of it. We’ll likely be forced into it, as there’s no alternative, but that’s not exactly a ringing endorsement.
My carrier (NTT docomo in Japan) only provides IPv6 to the end device. Access to IPv4 servers is through DNS64/NAT64, where their DNS server rewrites any DNS response that has an IPv4 in it to [64:ff9b::(the IPv4)] which gets handled by a CGNAT gateway. So anything that looks up a server over DNS and connects to that works fine, but any hard-coded IPv4 address does not.
I presume Apple's requirement is there so that all apps work on carriers like this.
The only times I've run into issues is when tethering and forgetting I can't ping an IPv4, or trying to tether a Nintendo Switch (which does not support IPv6)
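The DNS64/NAT64 mapping the carrier comment describes, as an added example that is not code from the thread: the RFC 6052 embedding of an IPv4 address in the well-known 64:ff9b::/96 prefix (and in the other prefix lengths RFC 6052 allows, where octet 8 must stay zero and the IPv4 bits are split around it), the RFC 6147 rule that DNS64 only synthesises an AAAA when the name has no native one, and the failure mode mentioned: a hard-coded IPv4 literal never passes through the resolver, so an IPv6-only host has nowhere to send it. The hostnames and the tiny zone are constructed; 192.0.2.0/24 and 2001:db8::/32 are documentation ranges.

```python
"""Added example (not from the thread): RFC 6052 NAT64 address synthesis and
a DNS64 resolver model.  Zone contents and hostnames are constructed."""
import ipaddress

WELL_KNOWN_PREFIX = "64:ff9b::/96"        # RFC 6052 section 2.1
ALLOWED_PREFIX_LENS = (32, 40, 48, 56, 64, 96)


def _layout(prefix):
    """Parse the NAT64 prefix and work out how many IPv4 bits sit before the
    reserved octet 8 (bits 64..71), which RFC 6052 requires to be zero."""
    net = ipaddress.IPv6Network(str(prefix))
    n = net.prefixlen
    if n not in ALLOWED_PREFIX_LENS:
        raise ValueError(f"RFC 6052 does not allow a /{n} NAT64 prefix")
    return net, n, (64 - n) if n < 64 else 0


def synthesize(ipv4, prefix=WELL_KNOWN_PREFIX) -> ipaddress.IPv6Address:
    """Embed an IPv4 address in a NAT64 prefix (RFC 6052 section 2.2)."""
    v4 = int(ipaddress.IPv4Address(str(ipv4)))
    net, n, before_u = _layout(prefix)
    base = int(net.network_address)
    if n == 96:
        return ipaddress.IPv6Address(base | v4)
    after_u = 32 - before_u
    high = v4 >> after_u                 # fits between the prefix and octet 8
    low = v4 & ((1 << after_u) - 1)      # remainder lands right after octet 8
    return ipaddress.IPv6Address(base | (high << 64) | (low << (24 + before_u)))


def extract(ipv6, prefix=WELL_KNOWN_PREFIX) -> ipaddress.IPv4Address:
    """Inverse of synthesize: recover the IPv4 address the NAT64 box should target."""
    addr = ipaddress.IPv6Address(str(ipv6))
    net, n, before_u = _layout(prefix)
    if addr not in net:
        raise ValueError(f"{addr} is not inside NAT64 prefix {net}")
    value = int(addr)
    if n == 96:
        return ipaddress.IPv4Address(value & 0xFFFFFFFF)
    after_u = 32 - before_u
    high = (value >> 64) & ((1 << before_u) - 1)
    low = (value >> (24 + before_u)) & ((1 << after_u) - 1)
    return ipaddress.IPv4Address((high << after_u) | low)


# Constructed zone: "legacy" is IPv4-only, "dual" has a native AAAA record.
ZONE = {
    "legacy.example": {"A": ["192.0.2.33"]},
    "dual.example": {"A": ["192.0.2.44"], "AAAA": ["2001:db8:f00d::44"]},
}


def dns64_answer(name, zone=ZONE, prefix=WELL_KNOWN_PREFIX):
    """RFC 6147: return native AAAA records if any exist, otherwise one
    synthesised AAAA per A record.  Unknown names get an empty answer."""
    records = zone.get(name, {})
    if records.get("AAAA"):
        return [ipaddress.IPv6Address(a) for a in records["AAAA"]]
    return [synthesize(a, prefix) for a in records.get("A", [])]


def connect_target(target, zone=ZONE, prefix=WELL_KNOWN_PREFIX):
    """What an IPv6-only client can reach: hostnames resolve through DNS64 and
    IPv6 literals work, but a hard-coded IPv4 literal never sees the resolver
    and has no route, so it yields None (the tethering failure from the thread)."""
    try:
        ipaddress.IPv4Address(target)
        return None
    except ValueError:
        pass
    try:
        return ipaddress.IPv6Address(target)
    except ValueError:
        answers = dns64_answer(target, zone, prefix)
        return answers[0] if answers else None


if __name__ == "__main__":
    print("legacy.example via DNS64:", dns64_answer("legacy.example"))
    print("dual.example via DNS64:  ", dns64_answer("dual.example"))
    print("literal 192.0.2.33:      ", connect_target("192.0.2.33"))
    print("/40 prefix example:      ", synthesize("192.0.2.33", "2001:db8:100::/40"))
```

464XLAT (the CLAT on the phone) is what closes the literal-IPv4 gap on Android: it translates IPv4 packets from apps into the same NAT64 prefix on the way out, which is why apps with hard-coded IPv4 work on the phone itself but not on a tethered device that has no CLAT of its own.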
If your low-level networking code (I assume you mean BSD sockets here) is correct, it shouldn't even need to be aware of v4 or v6. The BSD socket API is designed so that the addresses are in an opaque data structure that you just pass around.
Back when, I did BSD sockets stuff, but generally stay above that, these days.
You're right, and that's my plan.
I have heard, however, that quite a few folks stuck their oars into the IPv6 spec process. I've seen that kind of process before, and the end result can be ... less than ideal ...
Every few years I check to see how far away Virgin Media are from offering IPv6. Just checked again... nope!
https://www.havevirginmediaenabledipv6yet.co.uk/
People keep saying that IPv6 allows you to more easily host services, but you still have to support IPv4.
Try connecting to your IPv6-only service on Hotel WiFi -- you usually can't.
It's unfortunate, but IPv6 doesn't really solve any problems for a home user. And I say this as someone that has deployed IPv6 at home before.
> It's unfortunate, but IPv6 doesn't really solve any problems for a home user.
CG-NAT and strict NAT in general. Newer ISPs often force users onto CG-NAT, and my consoles have had numerous issues with NAT in general over the years. ISP routers also often make fixing this an opaque or impossible problem for the user.
I don’t think IPv6 is the best thing ever, but I do think it solves the problems IPv4 did along with some annoying issues IPv4 struggled with.
It does make it easier. IPv6 pinholes are simpler than port forwarding. My IPv4 is not static but my IPv6 prefix is. So I don’t need dynamic DNS. I have no IPv4 port forwards, instead I run snid on a VPS to support legacy internet clients and call it a day.
https://github.com/AGWA/snid
So you basically have a cloud server and a domain with a wildcard record, and you then forward IPv4 through IPv6?
I think this somewhat proves my point that IPv6 doesn't solve much for self-hosting. You still need some kind of working IPv4 setup. You are using IPv6 in place of either a reverse proxy or something like tailscale, which I suppose is more convenient.
I tried that, but my HN addiction ended it.
HN has IPv6 now.
If Reddit would finish adding IPv6, almost all of my browsing would be IPv6.
My ISP has had IPv6 for years and I'm on 6 as well.
NAT-less network is really cool, I can serve content directly from anything from my LAN.
We should really leave IPv4 and move on.
the reason why I explicitly disable IPv6 is because "this shit don't work" (at the moment, will probably change in the future)
- random slowdowns
- horrible routing
- larger packet overhead
- hated by a lot of the people who run the internet
- hated by companies who provide ddos protection
- my poor TCAM cache in my budget routers
- supporting ipv6 is really expensive in chassis routers
However, I believe there is a solution: Swap ISP's to IPv6 only, swap to IPv4 unless there is an IPv6 route present then directly forward. This solves quite a few issues: Once every ISP has IPv6 you can drop ipv4 and swap directly to ipv6 without having to split your TCAM. This works because IPv6 can encode IPv4 in it.
Hot take: IPv4 might be technically worse, but it's "politically" (in the classic sense of the word) better.
IPv6 essentially enables "universal internet IDs" for every device, which could streamline a lot of things, but enable a lot of weird surveillance/power balance issues that the cruft of IPv4 is actually incidentally helping guard against.
Again, I'm old enough to remember when e.g. the ISPs were going to try to charge per device in each household.
This hasn’t been the case in decades, every OS defaults to randomly generating the trailing 64 bits of your address and cycling through new addresses periodically. Your IPv6 address is only fixed to your device if you choose to configure it that way.
Since the network half (leading 64 bits) is as fixed as your IPv4 address was, and the host half is random and constantly changing, an IPv6 address is exactly as uniquely identifying as an IPv4 address used to be.
Afaik, at least Fedora has the privacy extensions disabled by default.
> Again, I'm old enough to remember when e.g. the ISPs were going to try to charge per device in each household.
I don't really see that coming again and if it does you can just do NAT66 just like you can do NAT4.
You and I can, yes.
But, network effects.