I remember while trying to figure out why Microsoft was blocking emails that IPv6 SMTP source addresses had a much higher risk of being blocked despite having done all the required stuff like PTR, SPF, DKIM. Microsoft's form to submit delisting an IP address does not even accept an IPv6 address: https://sender.office.com/
I wouldn't be surprised if that's intentional. There's an explicit hesitance on the part of mail providers to accept v6 mail, since they use IP addresses as a reputation mechanism. IPs that originate spam mail get summarily executed, and getting new IPs that have a high antispam reputation is actually quite expensive.
In other words, it's a Sybil-resistance mechanism, called Proof-of-IPv4. It works specifically because v4 addresses are scarce. v6 addresses are not nearly as such. Everything that makes IPv6 great for the Internet at large makes it terrible for mail providers. For example, because the original v6 design wanted to eat lower link layers, it reserves half the v6 address for an embedded MAC64. This never really panned out, but it's terrible for security, so every v6-capable OS nowadays will rotate addresses every few hours. The average machine will have hundreds of addresses. How do you assign a usable notion of per-IP reputation to that?
You could use v6 subnets for reputation, but there's still 64 subnet bits - enough to stick an entire IPv4 subnetwork inside of each IPv4 address. Some ISPs actually will assign a /64 per customer (because Comcast needs something to sell to Business customers), while others assign /56s or /48s. So there isn't even one granularity of subnetting that you can use for reputation tracking on v6.
Meanwhile, v4 pricing is getting worse and worse, which is great for mail providers. They don't necessarily need to turn a profit on incoming mail, but they do need to make it expensive for people who want to send lots of spam.
This could likely be the reason for poor IPv6 support but highlights the importance of shifting (much more) to domain based reputation. If a domain's reputation is at risk, you can bet domain holders will be extremely careful not to allow outgoing spam.
Spammers and scammers already use domains as a disposable commodity, creating them or using hacked ones for single campaigns and moving on. Part of filtering based on IPv4 is not only scarcity but accountability. When the owner of the netblock reassigns the IP and it's already blacklisted, it can create a problem for them and incentivize them to police their own network. Domains are also worse in that it's easier to use fake information and be untraceable. It's also understandably easier to get a response, legal or otherwise, from a co-location provider or ISP than a domain registrar. Maybe IPv4 will always be preferred for email just because it's more difficult/expensive and therefore less appealing for temporary malicious use.
Domains are less scarce than addresses. By design you can create as many subdomains as you like. (e.g. `abc.spam.com` is too low-rep? Now let's try `def.spam.com`...) You might imagine negative reputation to travel up to parent domains, but that causes problems with public suffixes and TLDs. (e.g. is `microsoft.com` a bad domain because it's got the same TLD as `spam.com`?)
The whole point of using a scarce identifier is to allow for a "neutral" reputation for new identifiers. If identifiers are less scarce, then known-bad actors can get free reputation (from bad to neutral) by just starting over with a new one. Which means that you have to distrust neutral reputation more. Without some level of scarcity of identification, introductions don't really work, because I have no idea if the new host I'm being talked to from today is just the one I banned yesterday wearing a different mask. This ultimately implies e-mail moving to some kind of federated whitelist system rather than the current system of federated blacklists.
Subdomains are not as much a problem as you would think. There is a resource ( https://publicsuffix.org/ ) that lists all public suffix domains. All direct subdomains of these are in full control of all their own subdomains, and thus can share the same spam reputation.
e.g. when .com is on the list, and .somesite.com is not on the list, mail@somesite.com is from the same entity as mail@subdomain.somesite.com
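As an added illustration of the point above (example code, not from the thread), the following maps a sender address to its registrable domain using the public-suffix rule that the longest matching suffix wins, and then keeps one reputation tally per registrable domain. The rule set here is a constructed subset of the Public Suffix List; the real list at https://publicsuffix.org/ also has wildcard and exception rules, which this example does not handle.

```python
# Added example (not from the thread): map a sender address to its
# registrable domain using a public-suffix rule set, so that every
# subdomain of one registrant shares a single reputation entry.
from collections import defaultdict
from typing import Optional

# Constructed subset of the Public Suffix List, enough for the example.
# The real list has thousands of rules, including wildcard ("*.foo") and
# exception ("!bar.foo") rules that are not handled here.
PUBLIC_SUFFIXES = {"com", "co.uk", "github.io", "test"}


def registrable_domain(hostname: str) -> Optional[str]:
    """Return the registrable ("organizational") domain of hostname.

    The longest public suffix that matches is used; the registrable domain
    is that suffix plus one more label. Returns None when the hostname is
    itself a public suffix (nobody "owns" it). A hostname whose TLD has no
    rule at all is treated as if only its last label were public, which is
    the fallback the PSL algorithm specifies.
    """
    labels = hostname.lower().rstrip(".").split(".")
    suffix_start = None
    # Walking from the full name towards the TLD, the first hit is the
    # longest matching suffix.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            suffix_start = i
            break
    if suffix_start is None:
        suffix_start = len(labels) - 1  # PSL fallback rule "*"
    if suffix_start == 0:
        return None
    return ".".join(labels[suffix_start - 1:])


def reputation_key(address: str) -> Optional[str]:
    """Key under which a sender address's reputation is tracked."""
    _, _, host = address.rpartition("@")
    if not host:
        return None
    return registrable_domain(host)


class DomainReputation:
    """Tiny spam/ham tally per registrable domain (constructed scoring)."""

    def __init__(self) -> None:
        self._counts = defaultdict(lambda: [0, 0])  # key -> [spam, ham]

    def record(self, address: str, is_spam: bool) -> None:
        key = reputation_key(address)
        if key is None:
            return
        self._counts[key][0 if is_spam else 1] += 1

    def spam_ratio(self, address: str) -> Optional[float]:
        """Fraction of seen mail from this registrant that was spam."""
        key = reputation_key(address)
        if key is None or key not in self._counts:
            return None
        spam, ham = self._counts[key]
        return spam / (spam + ham)


if __name__ == "__main__":
    rep = DomainReputation()
    rep.record("a@abc.spam.com", is_spam=True)   # constructed samples
    rep.record("b@def.spam.com", is_spam=True)
    rep.record("mail@somesite.com", is_spam=False)
    print(reputation_key("mail@subdomain.somesite.com"))  # somesite.com
    print(rep.spam_ratio("new@ghi.spam.com"))  # 1.0: shares spam.com history
```

The point of the tally is that `ghi.spam.com`, which has never been seen, immediately inherits the history of `abc.spam.com` and `def.spam.com`, while `user.github.io` is its own registrant because `github.io` is a public suffix.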
Didn't publicsuffix effectively get DoSed by one of Apple's new requirements, causing a ton of people to apply to have their suffixes added to the list?
From what I gathered from that, publicsuffix is a poorly-funded semi-volunteer org that shouldn't be relied upon for anything critical.
They unfortunately use both domain and IP based reputation scores. The problem is there are effectively an infinite number of usable domains. Even after eliminating the sub-domain problem, the fact is there are simply too many possible domain names that can be created and discarded on the fly for less than $5 a pop. Given the fact that bad reputation decays, they can simply rinse and repeat that process practically forever so long as they manage to make more than $5 per hour from their spam. IPv4 addresses however, are far more scarce, which is why most spam email operations try to take over existing legitimate small email servers (commonly small businesses with their own domain get targeted) in order to send out their spam. Every time they succeed they use it not only to send spam emails, but Trojan viruses to all users' contacts in the hope of infecting other businesses. They can even achieve this without infecting the server itself, but simply getting recipients to unknowingly run a script that tells Outlook to send the emails from whatever addresses the user has access to.
Filtering based on domain reputation has the same problem as trying to filter based on IPv6 address reputation. They can easily change their domain name at any time, and most spam operations do it every 15 minutes or so.
This also has a secondary problem for legitimate domain buyers. If the domain name they buy was previously used for spam, that reputation will affect their business for quite a while. There's actually a market where people buy domains with bad reputations, set up small legitimate businesses and get the reputation cleaned up, then sell the site domain and business for a substantial profit because a site with a good reputation history and established line of business will show up higher on internet searches.
Or more strict enforcement by the world on SPF, DMARC and DKIM policies
The problem of spam is actually solved, the problem is no one sets up any of these security parameters correctly, large and small companies alike all have bad SPF Records, bad or no DMARC, etc etc etc
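To make the "set up correctly" part concrete, here is an added example (not the commenter's code) that checks whether a domain's SPF and DMARC TXT records actually enforce anything: an SPF record that ends in `~all`, `?all` or `+all`, or a DMARC record with `p=none`, lets forged mail through even though "a record exists". The records below are constructed strings using reserved example domains; in practice you would fetch the TXT records of `<domain>` and `_dmarc.<domain>` with a DNS lookup.

```python
# Added example (not from the thread): assess SPF and DMARC records for
# enforcement strength. Inputs are constructed TXT record strings.
from typing import Dict, List, Optional

SPF_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(txt: str) -> Optional[Dict[str, object]]:
    """Split an SPF record into its mechanisms and the policy of its 'all'."""
    terms = txt.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    mechanisms: List[str] = []
    all_policy = None  # no 'all' term: evaluation ends in neutral
    for term in terms[1:]:
        qualifier, body = "+", term
        if term[0] in SPF_QUALIFIERS:
            qualifier, body = term[0], term[1:]
        if body.lower() == "all":
            all_policy = SPF_QUALIFIERS[qualifier]
        elif "=" in body:
            continue  # modifiers such as redirect= and exp=; not assessed here
        else:
            mechanisms.append(body)
    return {"mechanisms": mechanisms, "all": all_policy}


def parse_dmarc(txt: str) -> Optional[Dict[str, str]]:
    """Parse 'tag=value; tag=value' DMARC syntax into a dict."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess(spf_txt: Optional[str], dmarc_txt: Optional[str]) -> List[str]:
    """Return findings; an empty list means both records enforce strictly."""
    findings: List[str] = []
    spf = parse_spf(spf_txt) if spf_txt else None
    if spf is None:
        findings.append("no valid SPF record")
    elif spf["all"] in (None, "neutral", "pass"):
        findings.append(
            f"SPF 'all' is {spf['all'] or 'missing'}: forged senders pass or are neutral")
    elif spf["all"] == "softfail":
        findings.append("SPF ends in ~all: receivers only softfail forgeries")

    dmarc = parse_dmarc(dmarc_txt) if dmarc_txt else None
    if dmarc is None:
        findings.append("no valid DMARC record")
    else:
        policy = dmarc.get("p", "").lower()
        if policy not in ("quarantine", "reject"):
            findings.append(f"DMARC p={policy or 'missing'}: failures are only monitored")
        if "rua" not in dmarc:
            findings.append("DMARC has no rua= address: no aggregate reports")
    return findings


# Constructed records for a strict and a weak configuration.
GOOD_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
WEAK_DMARC = "v=DMARC1; p=none"

if __name__ == "__main__":
    print("strict:", assess(GOOD_SPF, GOOD_DMARC))  # []
    print("weak:", assess(WEAK_SPF, WEAK_DMARC))    # three findings
```

Note that SPF alone only covers the envelope sender, so `-all` without a DMARC policy still leaves the visible From header unprotected; the check treats a missing DMARC record as a finding for that reason.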
Go to any internet-related forum and search history for those keywords. You will find countless stories of seemingly technical people who in the end give up on self hosting and switch to a managed mail provider. Because even if you solve those policies perfectly, a personal mail server will have such a low rate of outgoing mail that all the big players will effectively treat it as a history-less server and will occasionally route the mail into the black hole. There is no recourse for that.
If 99% of contacts you want to send mail to are on google/yahoo/microsoft you have to play by their rules. And those rules are effectively "send mail internally or gtfo".
I have self hosted personal mail for over a decade. There are occasional hiccups with deliverability to new gmail addresses, but that is it. In those cases, once a recipient marks me as not spam once, there aren’t any more problems.
I think maybe once in the last 3 years I ended up in someone’s spam box, total. In fact I just sent to a new gmail address and to a university I have never contacted before this week and both were delivered without issue.
Setting up DKIM/SPF/etc isn’t that hard and it’s fairly easy to verify with existing tools FYI.
It would be amazing if those of you who have successfully self-hosted would get together and make a comprehensive write-up of how to self-host without getting blacklisted. I frequently see comments on both sides of this ("I can't send anything!" vs. "You just have to do it right") and it seems like if there could be some resource (that cuts down the complexity as far as is reasonable) on how to do this from the ground up, there could be much more wide-spread adoption of self-hosting.
Personally, I'm hesitant because I don't know if the end of all my effort will be constant blacklisting. If I could be confident that if I do it right I won't get blacklisted, I probably would.
I think the parent is perhaps just lucky. A reason given for mail not getting to Microsoft servers was that a server IP controlled by the same hosting company had in the past been on a blacklist.
I was happy to move hosts to one that was considered trusted, but there was no way for me to know the IPv4 addresses the company had in the past, never mind if they'd been on a pertinent blacklist at some time.
Based on that I think it could work, but there are no guarantees that outside, historical characteristics won't screw things up for you.
I think I agree with you (RE: make a comprehensive write-up), but I also seem to remember thinking the same thing when I was setting up the latest iteration of the server and then googling it and finding that such a guide already exists :) Part of the problem is that it's an evolving system and things change over time.
Spam is an interesting problem. Assuming one self-hosts and makes their email address publicly available, then one can get a metric for how much spam is flying around. Eventually one will try to stop spam from coming to their inbox, and on doing so one might build a mental model for how the big mail providers combat spam and realize why one's emails are not being delivered. Then one might realize that one is sending mail that one would not willingly receive! And then take action to resolve.
In general though, there is some base effort to establish trust, and as long as you don't ruin it by sending spam, then you shouldn't end up on a blacklist. If you find that your IP was on a blacklist before it became yours, then work with the people that are blacklisting - but at that point it does become a bit of a job. I actually ran into an issue in my professional life where an AWS WAF rule started alerting on one of our own servers hosted in AWS because someone had previously used the IP for malware C&C.
Anyway - I will think on this and see if I can write something up. It's a good idea. My main concern is that there is a gap between the way I did things (sysadmin style) and the "new" way of doing things (containerized).
I use shared hosting and my trick is to only send emails that are more important to the recipient than to myself. In this way, if they don't receive it, they complain and then I resend it from gmail instead.
The biggest thing people do wrong with self hosting email is using residential IPs which are almost universally black/grey listed. Using a provider like linode, and checking the IP reputation ahead of time gave me better results when I self hosted.
That's not them doing something wrong though. There's nothing wrong in hosting a server at home. The problem is clearly the black/grey lists if they black/grey list residential IPs just because.
Might want to check the Terms of Use / AUP on your Residential service, because every one I have ever read says you cannot host email, and 80% of them say you can host any server of any kind.
Now most of them do not actually enforce it unless you become a problem, but most of them do put active measures on the network to stop SMTP Servers
For example here is an excerpt from Comcast's AUP prohibiting email and web hosting [1]
>>>use or run dedicated, stand-alone equipment or servers from the Premises that provide network content or any other services to anyone outside of your Premises local area network (“Premises LAN”), also commonly referred to as public services or servers. Examples of prohibited equipment and servers include, but are not limited to, email, web hosting, file sharing, and proxy services and servers;
Google Fiber AUP[0] allows for hosting of anything for non-commercial purposes. Email is allowed as long as the email sent is not "unsolicited bulk commercial email". Time to update that worldview :) Every time we repeat something like "no one allows self hosting", the more people that will hear it and repeat it and make it a self fulfilling prophecy.
Why? Google Fiber is Available to less than 1% of US Households. Comcast is the largest Residential ISP last I looked in about 60-70% of US Markets...
ATT has the same policy, and I believe most of the other Cable Providers do as well. My guess would be over 90% of Residential Internet Plans today have a policy inline with Comcast not Google Fiber
Pointing to an outlier to the norm does not mean I need to update my worldview at all.
I don't know about that. I've always used leased gigabit connections for my email. This article is about Hetzner specifically, which I've leased tons of servers and additional IPs from. AFAIK you don't know the IP you'll be getting until you pay for it unless things have changed recently.
With Tools like Mail-In-a-Box it is not really the tooling
The people that say "I can't send anything" are likely trying to set it up on a Residential or "Business" (which is really just a Residential with a slightly better SLA and less overselling) Internet Circuit... Not an Enterprise Internet Circuit
Hint: If they are trying to bundle TV Services with your Internet you are not on an Enterprise Line.
Even if you buy a dedicated IP from these services they still make it hard to impossible to send email on the circuit
You are confusing spam filtering with blocked emails.
The issue people have trying to send mail is with the latter, where the email won't even show up in the spam filters, it will either be blocked by the mail system or silently ignored.
When mail has gone undelivered due to non-spam reasons, I typically receive a bounce.
On my server, when I block a message due to trust, I reject the connection. When I block due to spam, the message is received but goes in the spam folder.
I get reports from Google/Microsoft/etc when other people try to send using my domains but their messages fail due to DKIM/SPF failures.
I just want to push back against the “it’s impossible to self host email” meme that seems to come around occasionally. Every time I’ve run into an issue there has been a solution.
> On my server, when I block a message due to trust, I reject the connection.
Is that how Google/Microsoft/etc. do it too? If not, then your practice really doesn't matter. Most of my friends have an @gmail.com address, so if Google would pretend to accept mail from my hypothetical mail server, but instead just drop it on the floor, that's a non-starter for me hosting my own mail.
I have never had a problem sending to gmail or Microsoft addresses that didn’t involve at least making it to the spam box. I can’t speak with absolute certainty how every email admin handles things, but I have run into issues sending mail to some domains where I got a bounce and was able to reach out to the admins and get it corrected. Accepting mail for delivery but failing to deliver must be a violation of some RFC or email standard as it makes it impossible to send mail as a non-megacorp.
What I would like to get across is that self hosting is not impossible or unacceptably unreliable. If Google and Microsoft have policies that make it difficult to send messages to gmail or hotmail users, that isn’t a reason in and of itself that we should not self host. It’s a reason that we should work with Google/Microsoft to have better policies - but accepting things as they are and writing off self hosting as impossible is eventually accepting control of email by a limited handful of corporations, which I don’t think is a good thing.
I've also had luck with self-hosted solutions. Gawd, email is a really backwards technology these days isn't it?
But...I've also been in the unfortunate position of leasing IPv4 addresses which were already blacklisted by various sources. It's not a terribly easy problem to solve if you need to contact customers NOW without using a 3rd party solution.
I'd imagine personal emails trigger different flags than a bulk newsletter from a small business. One of the key suggestions on setting up a mail server (or even something like Amazon SES) is to 'warm up' by progressively sending more and more emails. Volume and uniqueness are a big part of filters.
As the saying goes, the best time to plant a tree was 10 years ago, the next best time is today. Maybe it is tough to get trusted by the major providers in a short time period today, but if it’s something you’re interested in, don’t let that stop you!
Running a mailserver with correct DKIM, DMARC etc is not that difficult.
I recently made a presentation that has a full explanation of the techniques, why they exist and how they work, on Hetzner Cloud (from the original post):
Self-hosted mail servers have the problem that most ISPs will automatically add all of their service IPs to blacklists specifically to prevent people from running mail services on their Internet connections.
Unless you have a Commercial Line that has been specifically designated for hosting content then it is likely any IP you are issued is added to Google/Microsoft/etc Blacklist by the ISP. Most of them clearly spell out in their terms that running a Mail Server on the circuit is forbidden.
I don't see why this is downvoted. Domains assign reputation to mail instead of the source IP, and it's fairly obvious that just buying a new domain and spamming from it would tank that domain's reputation for quite a while, even with proper spf/dkim and dmarc p=reject. If all of these are set up, you won't have issues sending from bad shared IPs like the default SES ones.
You often have to build a domain reputation first. Certainly for Microsoft hosted email. I for instance show users with a Microsoft email a plain mailto:support@domain.tld link on my contact/support form. This way the first email is from them to me which helps building reputation and minimizes the chances of my response going straight into the spam box or worse, silently dropped. Regular users can fill in a proper form and submit it from the support page.
I get more spam from Microsoft and other tech giants than anyone else.
It's the companies whom you rely on for email that are the worst abuser e.g. airlines need to inform you about delays and abuse this trust with holiday adverts incessantly.
Any company that claims to require your email for two factor auth should be given automatically generated fines for every email they ever send that is not auth related.
I like it. I've always wanted to promote mailto: links over silly contact us forms (and all the hoops you have to jump through to keep them functional and not abused) but never had a really good argument for non-techy folks and lots of pushback that mailto: is "not standard" and "does not work for some people" with very little evidence. This is a nice story for the 'pros' column.
Classifying IP sets is a fantastic idea, I’ve seen mail bounce for the ASN. That parameter is unchanged between IPv4 and IPv6. Certainly, you can do it only when the provider is a classic spam haven.
>Some ISPs actually will assign a /64 per customer (because Comcast needs something to sell to Business customers), while others assign /56s or /48s. So there isn't even one granularity of subnetting that you can use for reputation tracking on v6.
This is what is hindering adoption everywhere to be honest.
All of my forums, wikis, and game servers reject ipv6 purely for the same reason.
given abuse coming from a given IPv6 address: which subnet do I need to block to stop the user behind that address
(for fraud detection it switches from block to identify)
for IPv4 this is generally the /32 (the single IPv4 address)
for IPv6 it's probably a /64, but may be a /56 or even a /48, and on some crappy providers even a /128
if the subnet is smaller than you think it is you risk banning an entire ISP (or country), whereas if it's too large the abuse continues
it's quite a complicated problem as by design you can have subletting (subnetting!) within a block, e.g. a VPS provider gets a /48 from its ISP, and then they sublet out /64s to their customers (while not necessarily giving them all their own RIPE/ARIN records)
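The "which prefix do I block" question in the comment above, worked through as an added example (not the commenter's code): given a table of what is known about how each provider hands out address space, pick the prefix one customer controls, and quantify how many customers a shorter block would hit. The allocation table is constructed from documentation prefixes (2001:db8::/32, 203.0.113.0/24); a real deployment would derive it from RIR/WHOIS data or its own abuse history, and the default of /64 for unknown IPv6 space is an assumption.

```python
# Added example (not from the thread): choose the prefix to act on for an
# abusive address, and measure the collateral of blocking a larger block.
import ipaddress
from typing import List, Tuple

# (provider block, prefix length handed to each customer); constructed.
ALLOCATIONS: List[Tuple[str, int]] = [
    ("2001:db8::/32", 64),        # ISP that gives each customer a /64
    ("2001:db8:1000::/40", 56),   # ISP that gives each customer a /56
    ("2001:db8:2000::/48", 128),  # VPS provider: one address per VM
    ("203.0.113.0/24", 32),       # IPv4: one address per customer
]
DEFAULT_V6_CUSTOMER_PREFIX = 64  # assumption when nothing is known
DEFAULT_V4_CUSTOMER_PREFIX = 32


def customer_prefix_length(addr: str) -> int:
    """Per-customer prefix length for addr.

    The most specific known allocation wins, so a VPS provider's /48 that
    was sublet out of an ISP's /32 overrides the ISP-wide rule.
    """
    ip = ipaddress.ip_address(addr)
    best_len, best_customer = -1, None
    for block, customer_len in ALLOCATIONS:
        net = ipaddress.ip_network(block)
        if net.version == ip.version and ip in net and net.prefixlen > best_len:
            best_len, best_customer = net.prefixlen, customer_len
    if best_customer is not None:
        return best_customer
    return DEFAULT_V4_CUSTOMER_PREFIX if ip.version == 4 else DEFAULT_V6_CUSTOMER_PREFIX


def abuse_prefix(addr: str) -> str:
    """The network containing addr at the granularity one customer controls."""
    plen = customer_prefix_length(addr)
    return str(ipaddress.ip_network(f"{addr}/{plen}", strict=False))


def customers_affected(block: str, addr: str) -> int:
    """How many customer-sized allocations a candidate block covers.

    Blocking a prefix shorter than one customer's allocation multiplies the
    collateral; blocking a longer one leaves the same customer free to move
    to the next address, so the count floors at 1.
    """
    net = ipaddress.ip_network(block, strict=False)
    per_customer = customer_prefix_length(addr)
    if per_customer < net.prefixlen:
        return 1
    return 2 ** (per_customer - net.prefixlen)


if __name__ == "__main__":
    for sample in ("2001:db8:2:3::5", "2001:db8:1000:1234:abcd::1",
                   "2001:db8:2000::beef", "203.0.113.7"):
        print(sample, "->", abuse_prefix(sample))
    # Collateral of acting on the ISP's whole /32 for a single abusive /64:
    print(customers_affected("2001:db8::/32", "2001:db8:2:3::5"))  # 4294967296
```

The numbers make the comment's trade-off explicit: acting on the ISP's whole /32 for one abusive customer would cover 2^32 customer-sized /64s, while acting on a /128 for a customer who holds a /64 covers only 1 and leaves the rest of that /64 untouched.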
Can I ask a question? Is it possible for people to "own" IPv4 addresses, like we can own domain names? Something like a /29 subnet or /28?
If I spent like a hundred bucks or something, I don't know... just asking. How would that work? Does that "bring your own IP" that VPS providers talk about mean this?
> do need to make it expensive for people who want to send lots of spam.
You can use cloud providers, sure small ones do get blacklisted (which happens to also benefit Microsoft as they also are a cloud provider) but they can't really blacklist Google's or Amazon's Cloud.
They now have a dual stack EC2 API endpoint. But you have to go out of your way to use it as it is on a totally different domain, and also it is limited to a few regions. us-east-2 region for example
Our reason for this is that customers may have IP-based rules in their IAM policies. If we silently turned on IPv6 for existing endpoints, those policies would suddenly break without notice. Hence new names and SDK options for dual-stack.
Same with GCP, they just announced IPv6 availability for VMs in the last few days. Unbelievably you couldn't even get an IPv6 address for a GCP instance up to now! APIs don't work over IPv6, and lots of other stuff doesn't as well.
Microsoft + Email has been a combo from Hell for many years, blocking IPv6 addresses, deliverability issues all the time, psychotic Spam detector, complete disregard for the most basic rules on how Email works and the list goes on.
My first experience with MS Exchange long time ago was that the team responsible for the infrastructure (company with more than 100k employees) committed to reboot the server once a week, because otherwise it would blow up.
Oh, my first contact with Exchange was discovering that the recently updated server couldn't read any of the backups on the proprietary format of the pre-update version of it. It seemed to be a common enough occurrence, because the email people just shrugged and started hacking the backup. I don't think that group was ever capable of restoring any Exchange backup, normally because of Exchange's problems.
But that was a long time ago. From what I hear, things are different now.
Same with Google's Report IP problems form, if you try to put in an IPv6 address it will always return: "Invalid IP address" and won't let you submit the form.
The irony here is that much of the inter-service traffic on the internet could already be sent over IPv6 without anyone noticing. Getting end users onto IPv6 is always going to be a challenge as, well, ISPs, but when my mail server talks to your mail server there's no need for this to be IPv4.
Also it can be said that connection between mail servers can be IPv4 even if IPv6 is mostly used in the world. It seems that there are pros to keep IPv4 reputation from GP, so possibly it happens.
Not that this matters much, as the chance to get an IP address delisted is pretty slim anyway.
I've completely given up to try to get my personal mail server delisted, as I can't even get Microsoft to tell me why they blacklisted it in the first place.
Instead I'm nowadays just rejecting all incoming emails originating from Microsoft with a message telling the sender to use another non-Microsoft email account.
It's just stupid. I never had problems with any other mail provider, but trouble with Microsoft as long as I can think of.
I think they only block /16 or maybe /24 blocks... Meaning they block entire ISP networks... What I do is to simply sign up to many cheap VPS until I get an IP that is not blocked... Then relay all e-mails via that server. I guess spammers have the same tactic, but it does work.
Microsoft has been abusing IPv4 in the context of Mail to target-specifically hinder competition, so they have a lot of reasons to not support IPv6 well where this isn't as much doable.
(For example Microsoft has blocked whole IPv4 ranges of cloud providers (i.e. Microsoft Azure competition) for E-Mail, supposedly because of abuse. But all cloud providers are used by people "producing bad mails" and somehow only small to mid-sized ones are blacklisted while e.g. Google or Amazon are not and to be clear that had not been cloud providers in some arbitrary small country but e.g. the EU).
IPv6s are too cheap for most mailbox providers to take seriously. If someone sends spam, you need to block their IP, but they also need to lose money. Spammers don't care if they lose an IPv6. They'll just send spam from another.
That's to be expected. All it does is ensure the accuracy of the email sender. Which finally lets you attach reputation to domains instead of addresses.
Because most email providers will block you if you don't have them now. And because of that, if you get blacklisted you need to buy a new domain, not just a new IP address.
But how can you possibly deliver email via IPv6 if their MX host doesn't have IPv6 address at all?
$ host hotmail.com
hotmail.com has address 204.79.197.212
hotmail.com mail is handled by 2 hotmail-com.olc.protection.outlook.com.
$ host hotmail-com.olc.protection.outlook.com.
hotmail-com.olc.protection.outlook.com has address 104.47.57.161
hotmail-com.olc.protection.outlook.com has address 104.47.58.161
On the other side, if a host announces that they have an IPv6 address - do you think they do it mostly for spammers?
$ host gmail.com | grep handled | head -n1
gmail.com mail is handled by 5 gmail-smtp-in.l.google.com.
$ host gmail-smtp-in.l.google.com.
gmail-smtp-in.l.google.com has address 173.194.73.27
gmail-smtp-in.l.google.com has IPv6 address 2a00:1450:4010:c1c::1a
Exactly, we're operating a fleet of SMTP servers and IPv4 procurement is a big problem. We do so by asking AWS to allocate a block and send email traffic via those IPs. We want to adopt IPv6 but the current email infrastructure doesn't support this.
If only ISPs actually bothered giving out IPv6 addresses to their customers. It's 2021, I have a 1 Gbps FTTH connection and still no trace of IPv6. This is a complete disgrace.
My ISP has at one point stated that they did not have ANY plans to provide customers with IPv6, as there was no demand. This is beyond stupid, of course there's no demand, the average user isn't even demanding an IPv4 address. They don't know that they need one.
Claiming that they don't see a return on investment is equally silly. Most ISPs have rolled out fibre, or new equipment in the last 10 years. They could just have rolled out IPv6 when new equipment came online over the last decade.
Maybe the ISP deliberately bought equipment without IPv6 support, like we did, but by accident. Two years ago we bought new Cisco equipment, for a remote office, only to discover that there was no IPv6 support. So back to Cisco it went. Why did Cisco even bother to make network equipment that doesn't support IPv6?
Still, it's better than IBM who claims IPv6 support in their software, but haven't bothered to test it the last 7 years, so it doesn't actually work in the current versions.
> Why did Cisco even bother to make network equipment that doesn't support IPv6?
The same reason credit-card payment terminal people sold almost-EMV terminals to retailers in the US around 2010-2015: so their customers will come back 5 years later needing another upgrade to something they should have bought originally.
ISP says there's no demand for IPv6 addresses. There's no demand because other people don't have them. Others don't have them because ISPs don't issue them.
It's not circular logic, it's no loose ends.
Reminds me of a story in The Dragon Book. (compiler design book from the 1970s) FORTRAN IV doesn't (didn't) allow arrays with more than three dimensions. Because programmers didn't write programs using arrays with more than three dimensions. Programmers didn't write programs using arrays with more than three dimensions because the compiler didn't allow arrays with more than three dimensions.
I imagine if you only have IPv6 then some parts of the internet will stop working, and customers will then blame the ISP. I can see why ISPs keep the status quo when it probably costs them very little to do so.
Eh, in Germany most ISPs will only give you DSLite for new contracts - Dual Stack Lite where you only get a NATed private IPv4 address but full IPv6 connectivity.
My contract is from 2014, no IPv6 at all, but also a real IP and not behind a CGNAT. Kabel Deutschland/Vodafone business account (which is available for everyone and doesn’t mention anything about NAT)
Nah. My home internet is originally Dual-Stack lite IPv6 mainly with IPv4 being tunneled over an Enterprise-like NAS (so my outgoing IPv4 connections share the address with other users).
I just switched to full dual stack (by leasing a static IPv4 address from my provider) to be able to handle incoming connections for my VPN. As long as you don't want to host anything on IPv4, dual stack lite is fine.
I think both Sprint and T-Mobile have been handing out IPv6 to end devices for a couple of years now. A much smaller NAT64 pool of IPv4 addresses is used for customers trying to reach v4 resources. Of course this would break self hosted things on v4 but that's still a better state than what CGNAT from various carriers is giving people at home (i.e. broken inbound v4 and no v6 at all).
There will never be an ipv6 only internet while there is an ipv4 only internet. ISPs will just CGNAT 10,000 users through one ipv4 address. An ipv4 address will be something like a post code where everyone in the same city/area gets the same address.
> This is beyond stupid, of cause there's no demand, the average user isn't even demanding an IPv4 address.
In other words: the demand is for connectivity--or rather the services being connect gives you, like the ability to view YouTube videos and see tweets--not for addresses.
In Switzerland it is a level of insanity above this. Major ISPs are now promising 10Gbit and 25Gbit fibre to the home, but only one ISP natively supports IPv6 (init7, not the country's major provider Swisscom).
This is utterly bonkers. While the ethernet cables they give out can likely do 10Gbit (but definitely not 25Gbit) very few people have 10Gbit-capable ethernet or wifi chipsets and there is no way they will actually be able to routinely transmit data at this speed.
Swisscom do 6rd and don't offer static IPv6 either presumably because of how 6rd works. So it is a pain to configure anything except using their own box.
> While the ethernet cables they give out can likely do 10Gbit (but definitely not 25Gbit) very few people have 10Gbit-capable ethernet or wifi chipsets and there is no way they will actually be able to routinely transmit data at this speed.
Bit of future proofing, the fibre cables will be in the ground for 10 years and who knows whether consumer devices can routinely do 10G by then. The cost is dominated by the price of digging up the roads, not by sticking a few extra strands in the ducts.
Yeah future proofing makes sense. I'd hope they'd do that anyway if only because once they get out of my building it isn't just a fibre cable for me but for business connectivity too. There's a couple of data centres in my town that host for local businesses so the interconnect need is there.
It just feels a bit dishonest to sell a 10G connection and tell the user to speed test on the router's web portal when their PC won't get remotely near that.
Speaking of insanity: I'm a customer with init7. Great service!
You know what's not great? I live in a new building. It was built in ~2015. It's not even on Google Street View.
They decided to go with a commercial solution ("digitalStrom") for Ethernet that caps out at 100Mbit.
I now have to use Wifi to get anywhere close to the 1Gbit I pay for. The lack of forethought (or the grift for the company that bought that tech) is astounding.
Reading this in Germany, I'd happily overpay for a 1Gbit connection even though I couldn't use it. Unfortunately, the fastest available connection here is 50mbps, and that's a significant improvement. Three years ago, we were limited to a 16mbps connection for a household of four.
But I wouldn't be surprised if my 50mbps connection is as expensive as your connection, presumably while offering worse service.
60€ / month plus a one-time fee of 100€. If you want 25 gbit/s (and if the POP supports it), you pay a one-time fee of 310€. But the availability is currently very restricted to urban regions.
In Italy a 1Gbps/200Mbps FTTH connection is around €25-30/mo, without any upfront setup cost. Some ISPs even give out Fritzboxes as their free router, and even include a landline number with unlimited phone calls.
A 50Mb/10Mb connection often costs around 30€/Month + 70€ one time in Germany but:
- You often only get it in city areas, I say city areas because metro areas include small settlements around the city still connected with the metro. And in my experience it's quite likely the best you can get in those settlements is either way less or unreliable high-latency LTE.
- There are faster contracts like 250Mb/40Mb for 45€/Month but availability is spotty, and companies will sell it to you even if not technically available. E.g. most 100Mb contracts say serving 60Mb would still be "valid" for your 100Mb contract.
- It's not uncommon that the DSL lines of many different people will go through choke points in areas with high population density but not that much money, so speeds sometimes dropping noticeably at random are not uncommon.
- It's common that if there are technical problems (which are not uncommon when switching providers) it can take days to fix them; my previous (small) company went a month without a proper internet connection due to this. They fell back to using an LTE router temporarily, but they had to buy it themselves; it wasn't provided by the internet provider.
A good point is that all the internet contracts tend to include a landline phone number and tend to have "unlimited" data volume (which isn't always truly unlimited, but close enough to unlimited).
Frequent stories include internet being so bad that it is frequently short-term temporarily (<15 min) unavailable, randomly temporarily super slow internet, or a supposedly 100Mb internet connection frequently slowing down to close to 1Mb causing video conferences to fail. And that is in the city.
Outside of cities it's common to have insanely slow internet all the time to the point that people fall back to using LTE->WLAN routers, but then it's common to hear that the LTE is frequently overloaded around "rush hours", making people at the "outer ranges" of the closest LTE tower lose connection.
The state of the German internet infrastructure is kind of a sad joke.
Though I should note that things differ depending on the area of Germany you are in.
Anyway the best thing I can buy (and get) in my area (in a relatively wealthy area of Berlin) is a ~60Mb/10Mb connection which is somewhat reliable (fails 0-4 times every day for ~1-5min each, but it only happens between 2am and 6am, so ok, not a problem and at least one failure is probably the router).
EDIT: Just to be clear the biggest joke is not the ISPs but the politicians who let themselves be bribed not only to tolerate but actively support this situation. Though it's also incompetence: not too long ago some politician responsible for making regulations in this area stated (and believed) that ???Kb (forgot the actual value but it was less than 1Mb) is high-speed internet. It's sad if politicians are stuck years in the past and are so arrogant and incompetent that educating them about their mistake is destined to fail.
This spotty internet in Berlin is interesting. I have a Vodafone cable and I get 5 minute cuts to the connection every now and then. Usually around 6pm to 8pm. Always five minutes, the modem blinks the lights and internet is back on. Every now and then it happens earlier and that really sucks when having a Zoom meeting.
I monitor my internet with Grafana and can provide stats for these problems for the past few years...
Major city + wonky phone line means you can't even get 50 Mbps via DSL, and the landlord having a deal with some specific cable provider can cut off that avenue.
I only actually pay for 100Mbits symmetric. Quite a lot of VPSes only offer that anyway, even now.
But yes it doesn't make sense for local wiring at all. 1Gbit-capable LAN cabling is cheap and ubiquitous. On the other hand it sounds like you have wired ethernet in your building... that's also quite unusual. Mine (70s) does not :)
Swisscom as an older RSP is probably sitting on a huge block of IPv4 addresses, whereas newer RSPs usually have much smaller blocks. Hence older RSPs tend to continue with IPv4 as they have enough addresses to do this, whereas newer ones are pretty much forced to migrate to CG-NAT/IPv6 to conserve their IPv4 space. I see this here in New Zealand too: Spark, which was previously the state-owned Telecom New Zealand, has so many IPv4 addresses they have done nothing at all in regards to IPv6 because they have no economic incentive to do so. In contrast, many of the other RSPs here have much smaller IPv4 blocks so CG-NAT/IPv6 is becoming the norm now for the smaller/newer RSPs.
At least you can get speedy connections. Here in the NL offers still start at 40/5-type connections, and ISPs have you pay premiums to get 300/500 Mbit. If you're lucky, you can sell your first born for 1Gbit.
Offers starting at 40/5 is already good, in Berlin offers currently start at 10/2 with 100GB volume limit for 25€/Month with 2 year minimum contract duration.
(Though to be fair you get 50/10 for 30€/Month without limit.)
Pff, I pay €40/month for my 1Gbit/s FttH Tweak connection. You’re painting a very bleak picture, but NL internet isn’t that bad unless you only have an old ADSL-style phone line, and that is rare nowadays.
Because those small affordable ISPs are only available in tiny service areas. Most people still must choose between DSL and cable (horribly expensive), and fibre from KPN if they're lucky.
Offering connections in the Mbit range anno 2021 _is_ bleak, compared to some countries.
DSL is indeed a joke, but Ziggo cable and KPN fiber together have near universal availability these days. Cable isn't that much more expensive than a dedicated fiber but tends to come bundled with TV and phone only.
Personally I'm using "solnet.ch" as a provider (I've been their customer for a very long time and so far I'm very happy with them - it's a small provider headquartered in the canton Solothurn, but my connection originates from the canton Zurich), and so far it doesn't seem that they'll offer IPv6, so this matches your statement.
On the other hand, if I remember correctly, I think (not sure and I cannot check this now) that I did have to modify my DNS configuration of my email server related to IPv6 when my parents changed from Swisscom to Sunrise (in 2020 or 2019 - my mother uses my email-server and the IPv6-entries weren't configured correctly) => can it be that Sunrise is using IPv6 as well, at least partially?
I might be wrong, especially regarding what you mean with "natively" (maybe you mean that customers get "only" an IPv6-address, the access to the IPv4-network being fully relayed at the ISP-level?).
So by natively I mean that if you look at the packets there is only ipv6. 6rd, hurricane electric and so on, you can use these tunnels to get the functional equivalent of having IPv6 at home, but between you and the point-of-presence (the other end of the line your router is connected to where Swisscom decide to do something with your packet) is IPv4.
Customers actively have to opt in to 6rd on Swisscom and actively have to set up hurricane electric and other IPv6 tunnels. Which means connectivity is limited to people who are going to do that, so service providers on the internet must offer IPv4.
Depends on the location. If iWay does have a POP in your network, they can offer native IPv6 because their DHCP does support it. If they don't have a POP, they often (need to) use Swisscom to "proxy" your packets (like Crossover7). And because the Swisscom DHCP server can't assign IPv6 leases currently, your router needs to tunnel IPv6 packets in IPv4 packets to the infrastructure of iWay.
That is surprising, why? Can most people even use that much speed? Netflix only needs so much bandwidth. Good for homelabs, just most people don't have them.
An average webapp loads half of npm on first visit then makes about a million additional requests to make all the frameworks happy. When do you think can work?
For this, latency is the real problem. Even a 10 MB script bundle will be reasonably fast to load on 50 Mb/s; getting all those requests out is what takes time.
iirc fibre7 ceo said that they did it "because they can", to put pressure on the incumbent telcos and also to reduce complexity by simply connecting customers at the best speed supported by the infrastructure.
I agree, it's one of the cheapest, they deliver and have custom solutions on request.
The cheapest is monzoon which offers dsl and ftth without contract (month-by-month basis)
IPv6 is a hard sell for the average customer and because of that to the ISPs that provide service to them.
IPv6 doesn't make anything go faster, or let customers access anything they can't already access, and quite likely it will create difficult-to-diagnose networking problems which break stuff (speaking from personal experience with IPv6 here!).
I don't think ISPs will be motivated to give out IPv6 addresses routinely until there are important areas of the internet which are IPv6 only. Until that point they would just be making more support burden for themselves.
And I can't see important stuff going IPv6 only any time soon since you don't make a new and exciting service which the majority of people can't access.
But there is motivation for ISP to use IPv6. They save a ton of money on IP addresses, and they don't need the infrastructure to keep a NAT.
And I don't mean only the cost of running it, in my country for example by law the ISP has to maintain a log for 5 or 10 years of all the IP addresses assigned to the user, and in case of a NAT even of all connection and source ports associated with each client. That is a cost that you will save with IPv6, just assigning an entire /64 subnet to every customer.
Of course you will start to save money at the point where we can switch off IPv4, that is not something we will see tomorrow, but if we don't start, the problem will not become better with time, but worse.
IPv6 is an investment for ISPs, more than customers (it's not true that they don't care; they maybe don't understand the technical details, but when they find out that they can't play online with their PlayStation/Xbox because they are behind a NAT, they will complain to the ISP).
> They save a ton of money on IP addresses, and they don't need the infrastructure to keep a NAT.
I don't see that at all.
Everyone still needs an IPv4 to the outside world for compatibility, and pretty much all the time 24/7, so they wouldn't be saving money at all.
And why do they need a NAT? My NAT only happens on my personal router, not at the ISP level. It's not something that concerns the ISP at all.
So I don't understand any of the motivation you're describing.
(And if there are legal requirements around recording connections and ports and whatnot, you'll still have to record each connection made under IPv6 as well right? And may I ask where you live that every TCP connection you establish gets logged for 5-10 years? Recording your assigned IP address is one thing -- and for most people's home connections it rarely changes -- but I've never heard of recording every connection.)
I agree with you. From an ISP's perspective I don't see why IPv6 would be cheaper. Any change at all, even a positive change, is expensive at the scale ISPs operate at. And NAT is cheap.
One small thing, though:
> My NAT only happens on my personal router, not at the ISP level. It's not something that concerns the ISP at all.
"Carrier-grade" (what a laughable term) NAT exists. You are fortunate that your ISP does not implement it. Do you happen to have a business plan, or a gigabit plan?
There is also ds-lite which I've read comcast uses extensively. Here customers get ipv6 addresses only, and share a pool of v4 addresses when they exit the ISP's network.
Just crappy-expensive regular Optimum in NYC, and Time Warner before that.
No I've never had carrier NAT. People often need to connect to their home computers from the internet for various purposes -- remote desktop, media server, SSH, NAS, printing, whatever -- which carrier NAT wouldn't allow, as far as I understand it.
I understand ISP's don't want you running high-traffic web servers on a home contract, but I thought it was still considered essential everywhere to at least be able to connect to your personal IP address from the internet for personal usage. (For home internet -- not mobile, obviously.)
> I thought it was still considered essential everywhere to at least be able to connect to your personal IP address from the internet for personal usage.
Yes! CGN, asymmetric bandwidth plans, dynamic IP addresses, they're all treating the customer as a consumer. As if it's just a cable hookup. It's a shame, really. CGN shouldn't exist.
UDP "hole-punching" would still work with CGN, but in most cases you would need cooperation of a third party. There are also trickier ways like what samy.pl/pwnat does.
I'm on FIOS in NYC now, but when I was on optimum and spectrum they both gave me IPv6 delegations and, as far as I could tell, they never changed. Honestly I would not have switched to FIOS in hindsight -- it's not much better and I don't think I'll ever have IPv6 :(.
Plenty of people are stuck with CG-NAT – with (sometimes) the option of paying for a "business" connection with a routable IPv4 address. Customers of smaller/newer ISPs, or even larger ISPs in some countries, are affected. On IPv4, they are second-rate internet users, limited to consumption only.
The world moving to IPv6 helps them, since they can then use the internet equally, running servers, remote desktop, etc.
> And may I ask where you live that every TCP connection you establish gets logged for 5-10 years?
The EU started doing this, then removed the obligation, then decided it was a threat to democracy and banned it [1]. But since Brexit happened, the UK can continue with whatever they're planning [2].
> Everyone still needs an IPv4 to the outside world for compatibility...
Is this really true/correct?
Assuming that an ISP would implement a pure IPv6-network for its customers, wouldn't their customers by typing on their PCs e.g. "ping 1.2.3.4" in their terminals be routed automatically through "[internal IPv4 network between customer and ISP] => [ISP's public IPv6 address in Internet being translated to their SINGLE allocated IPv4-address] => [target's IPv4 address]", and then back (to get the ping-reply)? So, some kind of "magic" IPv4[internal customer]=>IPv4[internal ISP] => IPv6[external ISP]=>IPv4[external ISP] => IPv4[target], using NAT or however it's called?
I'm absolutely not good in relation with networking, especially not IPv6 (in theory simple, that was at least the tone of the articles that I read a few years ago, but at that time it has been quite difficult for me to set it up on my root servers), so what I just wrote might be plain wrong :P
It's trivial to send packets from IPv6 to IPv4.
The other direction doesn't work, because there isn't enough address space (32 bit for IPv4, 128 bit for IPv6).
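Here is the asymmetry the two replies above describe, worked through with the RFC 6052 address layout that NAT64 uses. This is an added example, not code from the thread or from any ISP's translator; the well-known prefix 64:ff9b::/96 is the one RFC 6052 reserves, and the sample addresses are constructed for illustration:

```python
"""NAT64-style address mapping (RFC 6052, well-known prefix 64:ff9b::/96).

Added example, not code from the thread. The prefix is the one RFC 6052
reserves; the sample addresses are constructed for illustration.
"""
import ipaddress

NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")  # RFC 6052 well-known prefix


def embed_ipv4(v4, prefix=NAT64_PREFIX):
    """v6 -> v4 direction: every IPv4 address has a stateless image inside the
    translator's /96 (the 32 v4 bits become the low 32 bits of the v6 address),
    so a v6-only client can name any v4 host."""
    if prefix.prefixlen != 96:
        raise ValueError("this helper only implements the /96 layout")
    v4 = ipaddress.IPv4Address(v4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def extract_ipv4(v6, prefix=NAT64_PREFIX):
    """Recover the embedded IPv4 address, or None if the address is not a
    NAT64 image. The None case is the whole asymmetry: an arbitrary native
    IPv6 address has no 32-bit representation, so a v4-only host cannot
    name it at all; only an existing NAT64 session can carry replies back."""
    v6 = ipaddress.IPv6Address(v6)
    if v6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFF_FFFF)


def route_from_v6_only_client(dst_v6, prefix=NAT64_PREFIX):
    """What a v6-only client's traffic needs: native forwarding for real v6
    destinations, translation (plus per-session state in the NAT64 box) for
    v4 destinations reached through their embedded image."""
    v4 = extract_ipv4(dst_v6, prefix)
    if v4 is None:
        return ("native-v6", str(dst_v6))
    return ("nat64", str(v4))


if __name__ == "__main__":
    # Constructed destinations: a v6-only client resolving a v4-only site
    # through DNS64 gets the embedded form; a dual-stack site gets native v6.
    for dst in ("192.0.2.33", "2001:db8::1"):
        target = embed_ipv4(dst) if ":" not in dst else dst
        print(dst, "->", target, "->", route_from_v6_only_client(target))
```

Note that `extract_ipv4` only ever succeeds for addresses inside the translator's own prefix: there is no function that takes a native IPv6 address and returns an IPv4 address, because none can exist.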
> Everyone still needs an IPv4 to the outside world for compatibility, and pretty much all the time 24/7, so they wouldn't be saving money at all.
Yes, but as more and more services move to IPv6 you can start to resize your IPv4 infrastructure, and arrive at a point where you will switch it off entirely, as was done for the transition from analog television to digital (of course we're talking about at least 20 years, but if we don't start we will never see it).
> And why do they need a NAT? My NAT only happens on my personal router, not at the ISP level. It's not something that concerns the ISP at all.
They need a NAT because they don't have so many public IP address to give one to each customer. So they introduce a second level of NAT, where a group of customers share the same IPv4 public address. That of course causes a lot of problems, especially for online gaming where it's required to open ports, or in general for applications that use p2p protocols.
And so if you want a public IP address dedicated to your connection you have to pay more. I don't know the situation in the US, perhaps your ISPs have a ton of public IP addresses they purchased in the past so they can afford to assign each customer one dedicated address; in my country it's no longer the case with most home connection ISPs (and all the mobile ones).
> (And if there are legal requirements around recording connections and ports and whatnot, you'll still have to record each connection made under IPv6 as well right? And may I ask where you live that every TCP connection you establish gets logged for 5-10 years? Recording your assigned IP address is one thing -- and for most people's home connections it rarely changes -- but I've never heard of recording every connection.)
No you don't. The law requires you to be able, in case of a crime, to identify the customer that originated a particular connection. It means that the police go to the ISP with the time, IP address and source port of the connection and the ISP has to tell them the identity of the customer. The method by which this is achieved depends on the technology used.
With IPv4 and a public dynamic address, they have to maintain the log of the PPPoE connections, to know which customer had that address at a given time. Not that difficult.
With IPv4 and a NAT, a group of users shares an address, thus the address alone is not sufficient to identify the customer that made that connection. So they have to log all the connections opened by the customer, so that from the IP address and the source port they can know which customer originated the connection.
With IPv6, you don't have any of these problems. With so many addresses you can just statically allocate a /64 block of IP addresses to each customer, and basically don't keep any dynamic record.
Of course it's also better for the customer since he has a static IP address if he wants to self host something at home, without using unreliable dynamic DNS services. And nowadays with all the new IoT and domotic stuff having a public address is important (for example just think about accessing security cameras remotely).
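The three attribution cases in the comment above (dynamic public IPv4, CGNAT, static IPv6 prefix), as an added example that is not code from the thread or from any ISP's lawful-intercept tooling. The log format, customer IDs, addresses and the ISP's /48 are all constructed for illustration; real CGNAT exports look different (NetFlow/IPFIX records, bulk port-block allocations), but the lookup logic is the same:

```python
"""Who was behind this connection? CGNAT session logs vs. static IPv6 prefixes.

Added example, not code from the thread. Log lines, customer IDs and address
blocks are constructed for illustration.
"""
import ipaddress
from datetime import datetime, timezone

# Constructed CGNAT session log, one translation per line:
#   start end customer internal_ip:port external_ip:port
# Note that external port 40001 is reused by a different customer once the
# first session has closed, which is why address alone is not enough.
CGNAT_LOG = """\
2021-06-01T20:00:01Z 2021-06-01T20:05:10Z cust-0042 100.64.3.7:51234 203.0.113.10:40001
2021-06-01T20:00:03Z 2021-06-01T20:00:09Z cust-0077 100.64.9.2:43210 203.0.113.10:40002
2021-06-01T20:06:00Z 2021-06-01T20:30:00Z cust-0077 100.64.9.2:43211 203.0.113.10:40001
"""

# Constructed ISP block from which one /64 per customer is carved statically.
ISP_V6_BLOCK = ipaddress.IPv6Network("2001:db8:1000::/48")


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_cgnat_log(text):
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, cust, _internal, external = line.split()
        ext_ip, ext_port = external.rsplit(":", 1)
        sessions.append({
            "start": _ts(start), "end": _ts(end), "customer": cust,
            "ext_ip": ipaddress.IPv4Address(ext_ip), "ext_port": int(ext_port),
        })
    return sessions


def who_had_ipv4(sessions, ext_ip, ext_port, when):
    """CGNAT attribution needs (address, source port, time). Pass ext_port=None
    to see what happens when the requester only has the address: the answer
    becomes a set of candidates rather than one customer."""
    ext_ip = ipaddress.IPv4Address(ext_ip)
    when = _ts(when)
    return {s["customer"] for s in sessions
            if s["ext_ip"] == ext_ip
            and (ext_port is None or s["ext_port"] == ext_port)
            and s["start"] <= when <= s["end"]}


def allocate_static_prefixes(isp_block, customers):
    """One /64 per customer; the allocation table is the only record needed."""
    return dict(zip(customers, isp_block.subnets(new_prefix=64)))


CUSTOMER_PREFIXES = allocate_static_prefixes(ISP_V6_BLOCK, ["cust-0042", "cust-0077"])
SESSIONS = parse_cgnat_log(CGNAT_LOG)


def who_has_ipv6(addr, prefixes=CUSTOMER_PREFIXES):
    """Static /64 per customer: a prefix match, no per-session state, and the
    privacy-extension rotation of the low 64 bits does not matter because the
    prefix, not the interface ID, identifies the line."""
    addr = ipaddress.IPv6Address(addr)
    for cust, net in prefixes.items():
        if addr in net:
            return cust
    return None
```

Usage: `who_had_ipv4(SESSIONS, "203.0.113.10", 40001, "2021-06-01T20:03:00Z")` returns `{"cust-0042"}`, the same query ten minutes later returns `{"cust-0077"}`, and dropping the port at 20:00:05 returns both customers; `who_has_ipv6("2001:db8:1000:1:1a2b:3c4d:5e6f:7a8b")` returns `"cust-0077"` without consulting any log. Timezone handling matters here: a request quoting local time against a UTC log is the classic way to pull the wrong customer out of a CGNAT table.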
Here in Japan, IPv6 is actually "fast" because of the network architecture.
Flets is the most popular FTTH service, available nationwide from the telco. Traditionally it only provides IPv4 service via PPPoE, but the architecture is inefficient and getting old, so they started IPv6 service directly on Ethernet (called IPoE, a bit funny). VoIP telephony service is also provided over IPv6, so the network is called NGN.
Now the traditional PPPoE service is getting very slow because they won't invest much in equipment for the old architecture. Instead, they advise using IPv6 IPoE for a faster connection. For IPv4 connectivity, ISPs offer v4-over-v6 solutions like DS-Lite, MAP-E, and 464XLAT for home (shared v4 address) or IPIP for a dedicated v4 address.
Many people use both IPv6 IPoE (fast) and IPv4 PPPoE (slow) because their router doesn't support v4 over v6, or they just prefer a dedicated IP for lower costs (like me), so it's important for service operators to enable IPv6 connectivity, to provide faster service. Please support IPv6!
One of the largest ISPs in the UK (BT) provides dual stack connectivity as standard. Their CPE is configured to enable dual stack LANs as standard. Few consumers login to their CPE to change anything.
Are you using their CPE, and a recent one at that? Several RSPs here in New Zealand are starting to enable IPv6 on new CPE gear they supply to end users (although Spark, our equivalent to your BT, has remained the only large provider to not do any IPv6 at all). I'm finding that this is becoming a situation where if you don't use the RSP supplied gear it can be tricky to get IPv6 up and running on your own gear. I used Ubiquiti gear previously which I had trouble getting IPv6 working until someone who worked for my RSP pointed out that their PPPoE stack is IPv4 only, I needed to redo my config to DHCP/IPoE instead (was a TIL moment when I realised my RSP offers both PPPoE and DHCP/IPoE over the same connection). Replaced my Ubiquiti with Microtik and I can't get IPv6 to work at all even with config that seems to me to be the equivalent to what I had on the Ubiquiti gear.
I think it was 5 or 10 years ago, but there were some websites that did exactly that. I distinctly remember setting up an ipv6 gateway so I could get access to free newsgroups. I think there was other stuff as well, I just don't remember it all.
My ISP assigned my home an IPv6 address, but the net result is that I get captchas and bot checks endlessly. Even a simple grocery order on Walmart's website yields a dozen "Are you a robot" interruptions during a session.
I have never bothered digging into it, just noticed a pretty irritating rise in bot gates after enabling IPv6 through the router (though it could be entirely coincidental). I of course still have an IPv4 address.
Walmart uses a litany of external services, presumably including real-time threat/bot analytics. For instance AdobeDTM, which does indeed serve via ipv6. It seems possible that IPv6 could be playing a part regardless of the status of the base site. These bot gates aren't at HTTP responses, but are in client interrogations and javascript triggers while interacting with the page.
Where do you live? Here in Canada I've had native IPv6 through Rogers for the better part of 10 years and have never had problems in any way. In fact I have IPv4 straight up disabled on a few devices because v6 has been marginally faster in any test I've done. So far Reddit and HackerNews are the only two websites I regularly visit without v6 support (why?).
I (the guy two comments up) am in Canada through another provider. Whether the address range just isn't as well known and documented on whitelists, or one of my neighbors (IPv6 wise) runs botnets, there is no doubt that it is treated as much more suspicious traffic when I'm going through IPv6.
And this is well known in the industry. The IPv4 world has had enormous mapping and trust ratings and understanding -- coupled with a scarcity that gives range owners or operators a higher incentive to care about what happens on it -- while a lot of people are still completely in the dark about IPv6 and still treat it like some scary unknown.
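The comment above, and the earlier point that v6 hosts rotate through hundreds of addresses, come down to what a reputation or rate-limit system uses as its "client" key. This is an added example, not code from the thread or from any bot-detection vendor: a sliding-window limiter keyed on the full address for IPv4 and on the enclosing prefix for IPv6. The burst generator and all addresses are constructed; keying v6 on /64 is a common operational default rather than something the thread prescribes, and the /48 case shows the collateral damage of keying too coarsely:

```python
"""Per-client reputation keyed by IPv6 prefix instead of full address.

Added example, not code from the thread. The limiter, the burst generator and
all addresses are constructed for illustration.
"""
import ipaddress
from collections import defaultdict, deque


def client_key(addr, v6_prefixlen=64):
    """Reduce a source address to the unit reputation is tracked on: the full
    address for IPv4, the enclosing prefix for IPv6. Privacy extensions rotate
    the low 64 bits, so keying v6 on /128 lets one host look like many clients."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return str(ip)
    return str(ipaddress.IPv6Network((ip, v6_prefixlen), strict=False))


class SlidingWindowLimiter:
    """Allow at most `limit` requests per key within `window` seconds."""

    def __init__(self, limit, window, v6_prefixlen=64):
        self.limit = limit
        self.window = window
        self.v6_prefixlen = v6_prefixlen
        self.hits = defaultdict(deque)

    def allow(self, addr, now):
        q = self.hits[client_key(addr, self.v6_prefixlen)]
        while q and q[0] <= now - self.window:  # expire hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def rotating_burst(n, prefix="2001:db8:abcd:1::", t0=0):
    """Constructed traffic: n requests one second apart, each from a fresh
    interface ID inside the same /64, as a host with privacy extensions (or a
    deliberate evader) would produce."""
    base = int(ipaddress.IPv6Address(prefix))
    return [(str(ipaddress.IPv6Address(base + i + 1)), t0 + i) for i in range(n)]


def count_allowed(requests, limit=20, window=60, v6_prefixlen=64):
    """How many of the requests get through under a given keying granularity."""
    lim = SlidingWindowLimiter(limit, window, v6_prefixlen)
    return sum(1 for addr, t in requests if lim.allow(addr, t))


def neighbor_allowed(v6_prefixlen):
    """Exhaust the budget from 2001:db8:abcd:1::/64, then ask whether one
    request from the neighbouring 2001:db8:abcd:2::/64 still gets through.
    At /64 it does; at /48 the neighbour is punished for someone else's burst."""
    lim = SlidingWindowLimiter(20, 60, v6_prefixlen)
    for addr, t in rotating_burst(25):
        lim.allow(addr, t)
    return lim.allow("2001:db8:abcd:2::10", 30)


if __name__ == "__main__":
    for plen in (128, 64, 48):
        print(f"/{plen}: {count_allowed(rotating_burst(30), v6_prefixlen=plen)} of 30 allowed,"
              f" neighbour /64 allowed: {neighbor_allowed(plen)}")
```

With the limit at 20 per minute, 30 rotating addresses from one /64 all pass when keyed on /128 and are cut to 20 when keyed on /64; the /48 run shows the other failure mode, where a customer in an adjacent /64 (a different subscriber at an ISP that hands out /64s, or the same subscriber at one that hands out /56s) inherits the block. That is the "no single granularity" problem: the right prefix length depends on the allocation policy of an ISP you don't know.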
> The IPv4 world has had enormous mapping and trust ratings and understanding
Indeed, and residential ranges are wholesale blocked from participating in various services, because of abuse through compromised hosts in residential networks.
Budget cloud providers are wholesale blocked from participating in various services, either at their local edge, or the remote edge, because of abuse through deliberately malicious customers and/or compromised hosts.
I have Google Fiber, and I can't say I get a ton of captchas (other than sites that have them for everyone, e.g. unauthenticated contact forms). The only downside to v6 was I had to get a new router because my old one couldn't route v6 at gigabit speeds (could easily do gigabit symmetric on v4 only, but topped out at 400/400 Mbps on dual-stack).
Back when I had Spectrum (which was Charter in my area pre-merger), their v6 worked fine as well.
Here in Baltimore County, Maryland, Comcast provides my cable modem an IPv4 and IPv6 address. Is that unusual? I'm not sure, but I think Time Warner in New York also allocated IPv6.
AIUI, Time Warner had rolled out ipv6 pretty widely before the merger and becoming Spectrum. I have had native dual-stack ipv4/ipv6 from TWC/Spectrum for several years now, in the RTP, NC area.
Comcast will hand you the smallest routable ipv6 network (/64) by default, however people have had varying success with prefix delegation hints to get larger address spaces.
Without passing judgement on a) medium.com articles, b) Comcast or c) pfsense here is an article that covers making IPV6 work in that specific instance. https://circuitguy.medium.com/home-network-virtualized-pfsen... - Worst case scenario someone can take this and adapt it to opnsense or their OS of choice.
Comcast will happily hand out a prefix delegation larger than a /64 if you ask for it, and set the prefix delegation request to 1 instead of 0.
This is done because many routers were built with bad IPv6 support that requested a /48 even though they only needed a single /64 for a LAN and Comcast was handing out /60's (their largest size) like candy with almost no use.
So my config was to request two prefix delegation, one tagged 0, which would always get a /64, and then one tagged 1 which would get a /60.
Not sure if you still can do it or not, but at one point you could continue to ask for prefix delegations (/60's) and get even more address space.
Note: ia-pd 0 will only ever pull a /64, even if you ask for a /60 all you'll ever get back is a /64. ia-pd 1 on the other hand will allow you to pull anywhere from a /64 to a /60.
Yes, this means you get 16 + 1 /64's to use.
On top of that I pull a single /128 for the external interface of my router.
Is there a problem with handing out /60s like candy? A /48 isn't even unreasonable as a baseline, and personally I'd say home users should always get at least /56 if they want it.
Comcast used to provide /56's but they tightened that down to just a /60.
I personally don't think there is an issue with handing out /60's like candy, but I am not Comcast and can't speak for their network engineering team which made the decisions they made for their millions of customers.
To my knowledge, actually, by default, Comcast solely provides IPv6 by default... but then if you plug in a device that requires (or is configured to require) IPv4, it'll give you an IPv4 address. During the transition, I'd occasionally find weird things would spontaneously break on consumer PCs, like old Office Click-to-Run versions which didn't support IPv6, and then discover the user no longer had an IPv4 address.
Usually happens if the customer's computers connect to the Comcast gateway directly. If they have their own router, it usually gets an IPv4 address.
Comcast is dual stack, and will hand out IPv6 and IPv4. There are times when their IPv4 DHCP server is slow or seems to be out to lunch though, and during that time you might get IPv6 only.
That is probably just a side benefit. Your two largest ISPs pushing IPv6 are Verizon and Comcast, because they're also (including wireline and mobile) the largest ISPs. The number of IPv4 addresses they'd need to meet their customers needs would be astronomical if they didn't find any excuse to go IPv6 only where possible.
People like to shit on Telefonica/o2, and after half a year of trying to get my bills corrected I can see why. But I've had dual stack on my DSL for several years now without issue (caused by them).
Giving you a dual stack IPv4/6 address (with IPv4 often NATed) is one of the things the German ISPs do well.
But for many other things there are too often too many problems, including bad availability of speeds above 50Mb/10Mb, and they're still selling you faster speeds which technically can't be delivered.
And for many areas of Germany it boils down to:
- If you live in a city and only go for 50Mb it's often ok (but even in cities there tend to be areas with faulty installations causing problems for the citizens in that area for years, e.g. my sister and a co-worker of mine had/have that problem).
- If you live in the metro area but not in the city it's spotty; sometimes going with LTE is better, sometimes it's not, sometimes you should buy both to make sure at least one of them works (my former co-worker had that problem).
- If you live outside the metro area it's random: either you get reliable, reasonably fast internet if you buy from the right provider or you get less than 1Mb no matter what provider you choose (multiple of my friends had/have that problem).
I also remember having IPv6 in Germany for years now, but it came with lots of problems: routers cannot forward things properly, thus self-hosting at home becomes tricky, or playing games with friends without dedicated servers (yes, they still exist, no, not all support IPv6). It gets even worse with "DS-Lite", where multiple customers share the same external IPv4 address, to enable support for all the webservices not supporting IPv6 yet.
All in all, I had so many troubles with setting up anything behind IPv6 or DS-lite, that I asked my ISP to give me an additional IPv4 address, so that I don't have troubles. While they usually provide bad service, this came for free -- but other ISPs, for example my parents' ISP, want you to pay 50 or more euros per month for an "enterprise contract" to get a dedicated IPv4. I still haven't found a way for my dad to setup his old webcam server at home such that others can reach it from the outside world, and I tried every couple months over the last 6 years or so.
Besides providers sometimes having strange port rules, it's not uncommon for them to forcefully change your IP from time to time, even if there is an open connection. It tends to happen at night and it tends to be a forceful disconnect from your router to the outside world for <5min.
At least I ran into this frequently (multiple times a week, I really need to fix my sleep cycle).
I considered such options before but if I remember correctly, the webhost does not allow SSH. However, I haven't checked for some time and I will definitely look into this, thank you!
Have you tried Tailscale? It is a quite simple way to create a private subnet to easily access servers behind a nat. Install a raspberry somewhere in your parents house and you can share the whole subnet with all the devices connected to the same account.
I have a Vodafone cable in Berlin and it gives you one ipv6 address in NAT mode. Not really helping if using your own router and needing more than one ipv6 address (that is typically the case).
I do VPN from the router, giving me a proper /64 block...
I've been on FiOS for almost 10 years. Every few months, I check to see if I or any other FiOS customer has IPv6. It's been on in one testing market (or two) for years, but nothing else outside that.
I first discovered this when I started presenting a terraform demo from home, and it broke because at least one of the AWS modules didn’t support IPv6. When developing I only used my Xfinity connection, which gives an IPv4 address. Apparently my laptop had switched to my other wifi Network right before the presentation. Luckily the interviewer was understanding, and we used the experience as a troubleshooting exercise.
I've been using ipv4 because I use LTE with ATT or TMobile links for the past 7 years (RV full time) and I can't wait for a modern internet connection that doesn't suck.
I have AT&T Fiber along with my sister and parents. They live 20 and 30 miles west of me. Both of them have IPv6 but I don't and I live in a bigger city in the area. I don't understand.
Are you using the AT&T provided router equipment? On my connection I'm using a MikroTik and I had to actually "request" a dhcpv6 and all of a sudden it started getting IPv6.
Just got an Orbi WiFi setup. Great hardware but v6 was disabled by default and enabling it is under “advanced.” This is a fairly new product in 2021. ISP supplies it no problem.
I loathe this normally, but this is one case where we really need the government to set standards. Everybody is better off on IPv6:
1. Mandate that all ISPs have a fully functional IPv6 assigned for each IPv4 given to customers. It must route just as their IPv4 does. If a customer doesn't have an IPv4 number, they must assign as many IPv6 as if the customer had one IPv4.
2. Mandate that all servers and all services accessible over IPv4 be accessible over IPv6
3. Institute sufficient fines for businesses that don't follow these requirements.
I'm still waiting for Hetzner to support servers (physical and virtual) without public IPv4 addresses. I could easily free up the ~50 public addresses I'm using. One public IP will do, I can reverse proxy everything else.
But there's no support for that. So every time I spin up a 1 vCPU tiny VM, which will never connect to the public internet, I'm wasting an expensive resource. Sorry.
If you are willing to go ipv6-only on Vultr.com it brings the price of their smallest virtual-server option down to $2.50/month (the same server offering with an ipv4 address costs $3.50/month). It's nice to see them offering that kind of discount, but I have no idea whether or not there's anything similar for their more powerful offerings.
The only downside is you cannot do BGP on those IPv6-only hosts, as their BGP speaker is IPv4-only, so you cannot BYOIPv4 to those hosts, unless you route via their private network to another IPv4 enabled host first.
Oh, I wasn't even aware that was a thing. How does that work? Don't you have to buy blocks of IPv4 (which would be rather expensive) and then route them all to the host? What advantage would bringing your own IP have anyway?
> If you want some serious redundancy nothing beats running services anycast with BGP across multiple cloud providers.
Unless they're TCP services. Or stateful UDP services. Then you're in for a world of pain if you try to anycast them.
The list of sensibly anycast services is surprisingly low. Stateless UDP services, essentially, which isn't a big list. Especially if you're the kind of person who's using Vultr's cloud, and not a megacorp.
If you have the resources to develop backend state sync, you're probably still better serviced with a (set of) load balancer(s).
No way. Stateful TCP over anycast works fine reliably to many nines.
I run a CDN with anycast BGP, this obviously uses TCP. Works great. I've also done it with a global network of physical datacenters and our own transit/peering network but eventually migrated to the cloud for reasons.
This is absolutely awesome. I'm not sure if you're a maintainer of this list, but, this is VERY useful. You just found me a provider who is scratching an itch for a specific niche location which I've had for years. I owe you a beer or three.
Huh, I just deployed one yesterday. And I'm looking at the Vultr "deploy instance" page right now and it's showing both the $2.50/mo and $3.50/mo options, at least in the "New York (NJ)" location.
This! I don't see any reason for _internal infra_ to use IPv4, if it's under your control. At least AWS lets you have "private" IPv4's only. (Dunno about the situation with GCP or Azure, happy to learn about that.) But I'd gladly set up my stuff in IPv6 and expose only the endpoints in IPv4.
Unfortunately the mantra of "ain't broke, don't fix" is law at some companies. Pushing IPv6 will be met with immediate resistance because it brings no benefits but does add the risk of something not supporting it yet.
Been pretty happy with them over the years. Pricing is good. They have a presence in Germany and in Finland, so uptime is usually excellent. The physical hardware has been an excellent experience, we've had two (!) broken drives in ~8 years. Both times the drive was replaced within half an hour. We replace most physical machines after 3 years just to be on the safe side.
We've experienced some networking issues, usually not on the Hetzner network, but there have been some peering issues with some ISPs over the years. Generally nothing too bad.
Their Cloud API is a joy to work with. It obviously isn't anywhere near as feature rich as AWS, but it's got everything we need, and we can spin up VMs with a couple of simple HTTP requests.
With my previous employer, we deployed several thousand VMs at Hetzner (incidentally, we were one of their biggest customers in Germany). Really can recommend, billing was fair, support was quick and their Infrastructure worked without a hiccup for multiple years.
I'm just waiting for them to offer a k8s environment…
Hetzner is great: professional, high quality, and cheap, cheap, cheap.
Their margins are low, however, so I understand it is possible to get fired as a customer if your support burden is too high and your ROI goes negative, so be on your best behavior to keep access to those prices.
> I understand it is possible to get fired as a customer if your support burden is too high and your ROI goes negative, so be on your best behavior to keep access to those prices.
That's not a nice statement.
It sounds like Hetzner will cancel your contract as soon as you submit a support request, which is not true (I personally opened in ~May 5-10 tickets within a few days when trying to boot from UEFI).
I really do not think that they track single customers in relation to their single ROIs.
We have IIRC ~1k VMs there. It's rather unreliable - VMs are migrated often, so you have to expect failure. But as you have to factor failure in in any case, our company's position has been that constant failure avoids complacent design, and so we are very happy with them (and they keep our mitigation systems well fit).
Working with them is nice, the APIs are a breeze, and are really dirt cheap. And they take security very seriously.
Currently have 2 root servers in Germany and 1 in Finland.
If I remember correctly I had within 8-10 years at least once a full unexpected shutdown of a server (don't honestly remember how long in took until it was back online, it was a few years ago).
A few weeks ago I could not reach for ~4 hours my (new!) server in Finland from my own Internet provider at home (it was super weird - I could ping any other server in Finland/world but not the Hetzner stuff) but at the same time it was absolutely reachable from my mobile phone and from other ping-test-sites in CH and D => interesting, probably something to do with my ISP but I'm wondering why exactly my Hetzner server was involved, mmmhhhh... .
Maintenance downtimes (few) are scheduled and communicated by email.
Throughput is good - currently writing a web crawler and I can go up from time to time to at least 50MiB/s download if I want to (BUT I try to be "nice" to not get banned :) and anyway my processing queue cannot currently keep up with that rate).
Support is good - servers in Germany want tickets to be written in German, servers in Finland want tickets to be written in English. Both are fast (e.g. initial reaction time usually max ~1h to pick up a ticket, answers to replies usually within minutes), German support can be verbose, Finnish support wasn't at all in my case (e.g. if you ask "I have problem X because blahblah so I was wondering if maybe boot on disk #2 is disabled in the BIOS?" they might just reply with "boot activated").
About HW replacement: I had so far only 1 HDD failure (some years ago, in a classic mdraid5 array) => I opened a ticket and pasted the proof of the drive failing together with the output of "smartctl" to identify the drive => got a reply asking for a downtime => agreed to the downtime and shut down the server at that time => drive was replaced and the server was booted => I then resync'ed the mdraid and that was it.
About HW upgrades: opened a ticket asking details about feasibility & pricing => got back a statement 1-4 hours later => sent back a reply agreeing to it => I was asked a few minutes later by the tech team "when" to perform the upgrade => I replied "now" and shut down the server => a few minutes later the server was up and running with the extra 32GB RAM.
So, all in all, as you probably understood, I'm currently happy with them. The costs are ok for me (especially for the servers that have >=10 HDDs - is there a better offer anywhere, honestly asking?), the reliability of the infrastructure is good, the support is good.
I was before (many many years ago) at OVH (good support + reliable, at that time) but it then became very expensive therefore I left them. Nowadays they have a more differentiated offering, but it looks messy to me, and bigger servers like the ones that Hetzner offers (e.g. 8+ CPUs with 3+ HDDs and 1 NVMe/SSD) seem to be extremely expensive to me.
Yeah, me too. Was confused why they needed to have an IP at the beginning, coming from AWS, since they have internal networking now. The public IP doesn't serve any purpose for me, and would perhaps also improve security.
Vultr has v6 only servers which come at a slight discount. I think it will become more common and they can be useful for some tasks like running chat bots and stuff for APIs with v6 support.
Yeah, and many other tech sites. It is kind of sad when even sites that are run by supposedly more knowledgeable people are standing in the way of adoption.
As a user, I have IPv6 disabled at my router. It is just easier for me to see xxx.xxx.xxx.xxx style IPs everywhere and avoid the cognitive load of IPv6.
As a tech entrepreneur, I run multiple popular websites that have hundreds of thousands of users. I get emails from users daily. With congratulations, feature requests etc. So far, nobody ever requested IPv6 support.
I have no idea what would happen if I enable IPv6 on my servers. Probably some disaster would strike because some of the code expects xxx.xxx.xxx.xxx style IPs.
What would be the steps to test this? Run the application locally in a Docker container and somehow make the requests to the container go over IPv6?
If you enable IPv6, and test it yourself (you can use an IPv6 tunnel if your ISP does not support it), then you should be able to quickly go over the main features of your site and see if you have any issues (IP logging, for example).
It would be rather unusual to run a web stack that assumes strictly IPv4. Maybe if you have an SQL field that logs IPs, and a developer was very clever and optimized for IPv4, but that's pretty rare.
I am a strong advocate of IPv6 and early adopter, but would never bother emailing a website about it. Even GitHub. For a long time, AWS didn't have any IPv6 support (I'm sure it's part of their business plan too, to charge extra for IPv4 eventually).
As a hosting provider, the main benefit of IPv6 is that I can have unique IP addresses for my users. Nowadays, most people on mobile and more and more ISPs use a very small IP pool (CG-NAT), not to mention offices behind NAT (ignoring very large offices who use proxies).
I assume your scenario is that you don't currently use IPv6, so you probably can't assign a subnet of your /48 block of IPv6 range to be routed to your docker host. You can probably use a subnet from a reserved range in that case, for example from:
https://en.wikipedia.org/wiki/Unique_local_address
With that new subnet set up, you would at least be able to test the services running inside containers from that host itself.
In my own experience I never encountered services that don't work with IPv6 at all, but as others mentioned the most common issues are with truncated addresses in a db column designed for IPv4 or log parsers that refuse to match on IPv6. Worst case I found was a log based rate limiter that ignored IPv6 addresses and therefore let all requests using that stack pass.
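A worked illustration of the rate-limiter failure mode mentioned in the comment above (added here as an example, not code from the commenter): a log parser that only matches dotted-quad IPv4 silently drops every IPv6 client, so those clients are never counted and never blocked, next to a version that validates the client field with Python's `ipaddress` module. The hardened version goes one step beyond the comment and keys IPv6 clients by their /64 prefix, since hosts rotate addresses inside that prefix. The log lines, addresses, and the `401`-based "failed login" rule are all constructed for the example.

```python
"""Log-based rate limiter: IPv4-only parsing lets IPv6 clients bypass the limit."""
import ipaddress
import re
from collections import Counter

# Constructed sample access log: "<client> - - [time] "request" status".
# 203.0.113.0/24 and 2001:db8::/32 are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2021:00:00:01 +0000] "POST /login HTTP/1.1" 401
203.0.113.7 - - [01/Jan/2021:00:00:02 +0000] "POST /login HTTP/1.1" 401
203.0.113.7 - - [01/Jan/2021:00:00:03 +0000] "POST /login HTTP/1.1" 401
2001:db8:1:2:aaaa:bbbb:cccc:1 - - [01/Jan/2021:00:00:04 +0000] "POST /login HTTP/1.1" 401
2001:db8:1:2:aaaa:bbbb:cccc:2 - - [01/Jan/2021:00:00:05 +0000] "POST /login HTTP/1.1" 401
2001:db8:1:2:dddd:eeee:ffff:3 - - [01/Jan/2021:00:00:06 +0000] "POST /login HTTP/1.1" 401
2001:db8:9:9::1 - - [01/Jan/2021:00:00:07 +0000] "POST /login HTTP/1.1" 401
"""

LIMIT = 3  # failed logins per client key before the client is blocked

# Naive parser: only a dotted-quad at the start of the line counts as a client.
IPV4_ONLY = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}) ")


def naive_failed_logins(log_text):
    """Count 401 responses per client, but only for IPv4 clients.

    Any line whose first field is an IPv6 address fails the regex and is
    skipped, so IPv6 clients accumulate no count and are never blocked.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = IPV4_ONLY.match(line)
        if m and line.rstrip().endswith(" 401"):
            counts[m.group(1)] += 1
    return counts


def client_key(raw):
    """Normalise a client address into a rate-limit key.

    IPv4 clients are keyed by exact address. IPv6 clients are keyed by their
    /64, because a single host typically rotates through many addresses in
    one /64 (privacy extensions). Raises ValueError for non-IP input.
    """
    addr = ipaddress.ip_address(raw)
    if addr.version == 6:
        return str(ipaddress.ip_network(f"{addr}/64", strict=False))
    return str(addr)


def hardened_failed_logins(log_text):
    """Count 401 responses per client key for both address families."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            key = client_key(fields[0])
        except ValueError:
            # Malformed client field: skip the line instead of crashing the
            # limiter (a crash would be its own bypass).
            continue
        if fields[-1] == "401":
            counts[key] += 1
    return counts


def blocked_clients(counts, limit=LIMIT):
    """Return the sorted client keys that reached the failure limit."""
    return sorted(k for k, n in counts.items() if n >= limit)


if __name__ == "__main__":
    print("naive    :", blocked_clients(naive_failed_logins(SAMPLE_LOG)))
    print("hardened :", blocked_clients(hardened_failed_logins(SAMPLE_LOG)))
```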
That is correct - please first enable ipv6 and assign it a subnet in your /etc/docker/daemon.json, then restart the service. Details at:
https://docs.docker.com/config/daemon/ipv6/
Abuse rate limiting often relies on the scarcity of IPv4 addresses.
If, for example, you limit a user to one concurrently used account per IP (which some gaming sites do to discourage cheating/griefing by one person playing multiple players at the same time), this breaks.
This can also be revenue relevant if e.g. the ability to have multiple accounts per IP is a paid feature.
Out of curiosity - did you get any users feature-requesting HTTP/2 or HTTP/3? SameSite cookie attributes? jquery library version upgrade? Anything low-level like that...
They would "request" low level things if something breaks because of those. That certainly happened in the past. But it is very rare. So rare that no example comes to mind right now.
You don't have to enable v6 internally, you can just put v6 addresses on your public endpoints. Create a little testing environment and access it exclusively via v6 to test for bugs.
> So far, nobody ever requested IPv6 support
I have actually put in feature requests for v6 support before (probably not your stuff, since I have no idea what you work on).
You don't have to use really long IPv6 addresses. If you get a /48, you can leave all the rest of the bits zeroed out, and they'll be shown as "::" in the notation; then your whole address is just a triplet like X:Y:Z::, where each individual X might be between 1 and 4 characters long.
If you run your own ASN, you'll probably get a /32 IPv6, then the shortest possible address is even shorter than with a /24 IPv4:
xxxx:xxxx::
is shorter than
xxx.xxx.xxx.x
Of course, for privacy, you're supposed to get a randomly-generated 64 bits, but you can disable that setting in your favourite address, and use static addressing.
That's the same reason I gave up and disabled IPv6… I think I might be too old to wrap my head around it. IPv6 seems really complicated to set up compared to IPv4.
It is not complicated. It is using different conventions.
You can say that ZFS/BTRFS are more complicated than XFS/EXT4 + device mapper, but while it may be slightly more complicated, the more important thing is that they are different.
It took me a while for IPv6 to "click". I still don't like a couple of RA/NDP related settings, but it works and is much much easier not to deal with NAT.
Personally I find it a lot more complicated, and not just because it is different. Part of it is inherent complexity, part of it is that it's still evolving as a specification, part of it is ISPs not following best practices, part of it is lacking software support.
I'm trying to keep IPv6 enabled. But every few months I hit some issue where IPv6 is the reason stuff stops working or I can't get something to work, and it's just oh-so-tempting to switch off IPv6.
"You will find that on the LAN host, their default route and gateway point to the Link-Local address of the machine acting as the IPv6 gateway/router. This is entirely normal and expected."
Germany's largest mobile network (45m customers) has been phasing in IPv6 over the past couple of weeks. Wondering if that already made an impact in this chart.
At this point I was wondering if it would be reasonable to use ipv6 exclusively. I figured ipv6 addressing is reachable by most by now. That's until I tried to reach ipv6.google.com and it failed. So I answered my own question.
At the current rate (approximately linear over the last 10 years), in just 30 more years we'll have 100% adoption.
Realistically adoption will slow down if nothing changes, everyone willing to put the effort in for zero immediate reward has already done so, and some will allow their support to degrade due to low usage.
At some point I guess ipv4 availability will really start to collapse and adoption will speed up again.
Not sure which will come first to be honest, but better if adoption is relatively high when the shit eventually hits the fan, to avoid the temptation of insane NAT solutions.
I bet that at some point we'll have another inflection point, as the IPv4 prices soar and the IPv6 becomes commonplace enough for some (free/hobbyist-run?) services to say: "sorry, IPv6 only".
An inflexion point can go either way, the question is have we already passed that point with v6 or is this the start of a decline that ends with it failing to replace v4? (Stealing this from Geoff Huston, see page 41 of his presentation [0])
Or someone less tech savvy but legally savvy figures out that IPv4s are scarce resources, just like, for example, housing, and finds a way to impose their use through regulation in some contexts and to ban their use in other contexts.
Markets generally are good for determining allocation of scarce resources. They push people with the ability to substitute to do that, in this case, use IPv6. Pay for IPv4 so nobody takes more than he needs. Imperfect but probably the least bad option, just waiting to get IPv6 over time hasn't worked so maybe scarcity and high prices do it.
> At some point I guess ipv4 availability will really start to collapse and adoption will speed up again.
I think this will be more like a linear function. As the IPv4 prices increase, the IPv6 adoption increases until it reaches 100%. I don't think that there will be a collapse.
IPv6 adoption figures are artificially inflated by LTE and 5G smartphone connections (which are invariably IPv6) whereas landline/DSL/DOCSIS connections are still IPv4 on so many ISPs.
I'll say one thing about Comcast in the US: they have atrocious customer service, scummy upselling, and that horrid wi-fi network sharing... but they do 2 things that mean I'll forever give them a free-pass:
1. They have CBC channels in the US so I can watch the Olympics without watching NBC's horribly dumbed-down, artificially time-shifted, and condescending feed.
2. They have a rock solid IPv6 network for everyone.
My ISP had some sort of v4 outage where only v6 worked fine. That was really nice except that even services or games that supposedly work over v6 rely on v4 and are borderline unusable without it.
Yeah I had some issue where my home router's NAT died so IPv4 broke, but IPv6 kept working. My wife said that Google, YouTube, Facebook etc work but nothing else does. It didn't take me long to realize what was happening.
You should still get an IPv4 address with the VM for free. But you can make sure you support IPv6 anyway for the day, when even the very first IPv4 will cost extra.
I imagine that we're going to see more articles like this where IPv4 is getting more and more expensive until it becomes absurd. Once it gets too expensive, then providers will have a reason to supply IPv6 - cost. It's the only way I can see an ISP making this move.
20 years ago I was a student, testing IPv6 at the UNH-IOL and we also thought it was right around the corner.
NAT has been so successful, that IPv6 is shocking to users who cannot even fathom why public traffic is being introduced to what was 'supposed' to be a private network.
Heh. A lot of folks don't remember the days before NAT, when people had public IPv4 on their desktop. I worked at a couple of ISPs and one early startup that was set up that way. No firewalls, either!
Here at several Dutch universities, the WiFi still hands out public IP addresses, sometimes with a firewall, often without. At the particular university I'm at right now, every device has a publicly reachable IPv4 address just as the system was originally intended.
This leads to some very peculiar traffic being routed around. For example, some kind of Logitech gaming driver is broadcasting a constant stream of packets with someone's PC stats to my publicly reachable desktop/server/laptop, because the software thinks it runs behind a trusted NAT. There's also a HUGE amount of devices you can connect to if you open the Windows network overview because everyone clicked "home network" when Windows asked them what kind of network eduroam is supposed to be.
It's funny how scared people are when they realise they're not behind any strict firewall. They all know they shouldn't be disabling the firewall on their devices anyway, or so they claim, but this method of networking still instills fear into people as if NAT is a security measure (NAT slipstreaming works, NAT is not a firewall!)
Are there any security risks with using a public IP address though? I also use EduRoam at a Dutch university, should I treat it as sceptically as a coffee-shop WiFi? (Assuming it’s marked as a public network). Also, shouldn’t your university’s firewall stop such a Logitech driver sending data (if it’s an uncommon port)?
After reading up about public IP addresses I realised that my (Dutch) ISP has also provided me a public IP... and that the Netherlands has a lot more IP addresses per capita than most European countries.[1]
Most ISPs in Western companies will hand out public IPs because they were bought when they were cheap.
The danger associated with public IPs is not that high as long as you use software that binds to localhost instead of 0.0.0.0 for network services or use a firewall on your PC. The problem is that many software developers don't expect end user devices to be reachable from the internet so security practices are sometimes lax.
When I was at university in Cape Town, the IT department started rolling something like this out for main campus network, but didn't necessarily tell everyone. I remember one day getting spammed emails from a compute cluster I managed because of failed root ssh logins and was totally confused how IPs from China were able to connect to a network I thought was internal/private to the university.
NAT (standard one to many SNAT) is absolutely a firewall. You can't connect to the machines behind it from outside, which serves the exact same purpose as a default deny inbound firewall.
This is a false meme right up there with "docker is not a security boundary".
That is not true. It is problematic in general but in some limited cases it is possible. For example, neighbors on WAN network could just send packets with dst address from your private LAN range directly to the WAN port of your router.
If the router is configured as both NAT (SNAT) and firewall, it will drop such packet as not associated with any existing flow, but if it is just configured as SNAT, then such packet would be just forwarded inside unmodified.
You can't easily connect to devices behind NAT but that's more of a restriction than a security measure. Once you can trick a device into making an outgoing connection, you can bypass a lot of security in most NAT implementations [0], allowing an attacker access to any port of the victim computer. A variant was also discovered and later hot-patched [1] that could even expose other devices in the internal network.
NAT was never designed to be a security boundary and should not be considered one. It's only a matter of time until the next NAT slipstreaming attack is discovered. That doesn't mean your computer is in some kind of immediate danger or that you should cut your internet cable right now, of course. It's just good to know what does and what doesn't work when it comes to your network security and why IPv6 changes very little.
In fact, I'd argue that most IPv6 routers are actually more secure than IPv4 NAT because incoming traffic will never be translated as if it came from your router like some NAT implementations do, and incoming traffic is usually always blocked. The lack of a need for parsing and interpreting network packets makes your firewall a lot easier to reason about.
Docker is not designed as a security boundary, but it does provide some security functionality if used correctly that would otherwise be a pain. Sticking something in a docker container and just running it as root is dangerous, but Docker makes it easy to apply strict, complex security measures, which its security bonus comes from.
NAT is the opposite, it's supposed to work like magic. That's why network protocols like UPnP were invented, not to automate firewall management, but to make application use transparent to the user.
I remember these days, and they were pretty ridiculous. One time I was playing Quake in middle school, talking some smack. Someone didn't like it and threatened to crash my computer. I didn't believe it. "Oh yeah, do it!" And they did. Got my IP from the server (the server listed users and their IPs) and bada-bing: BSOD! I was floored. I don't remember the exact Windows 95 exploit, but it was a staple for a while. It was nice when firewalls came out and you could at least have something between you and the Internet.
Just had a memory trip to the early 00s. Anyone remember the Windows Messenger Service alerts that would randomly pop up? It was such a common thing, and the only fix was to turn off the service altogether in Windows XP.
When I went to college in the mid 90's, we had a similar setup. All public IP, no firewalls, 10 megabit ethernet jacks in each dorm room. The entire school was on a single T1, however.
Did you return it voluntarily, or what happened to it? I know several folks (myself included) with our own personal /24's from the 90's. Mine is routed to my home lab.
I gave it up voluntarily. I had no need for it for a time and so I just returned it.
I don't understand the idea of having an arbitrarily limited amount of numbers and selling them. A lot of companies just got them for free and are now selling them for huge bucks because rather than do what I did -- return a public good you are not using -- they decided to hog it until such time as it becomes a scarce good.
I have invested in cryptos, stock markets, startups… and probably the most profitable assets ever were several ripe ipv4 prefixes that we owned for years. Insane.
How did you get them? I checked a few years ago to see if I could buy a /29 or something small and remember thinking I couldn’t do it as an individual.
We obtained them in late ‘00 for our tech company. We used them for several years, but the cloud was gaining momentum and we gave up using our own colo platform. We sold them in 2017, redistributing the benefits to the partners of the company as dividends. Fully compliant with the tax laws of my country, of course.
Ah, thanks. That’s kind of the impression I got. 20 years ago you could get them by asking, but now it’s much more difficult and you have to get them routed somewhere / use them right away.
The smallest routable network on the Internet is a /24, so you won't be able to buy/own anything smaller than that, you would usually rent from your service provider.
At the same time IPv6 adoption basically stopped except in a few countries like US, China, Japan, India, Canada, Brazil, and most of Europe (sorry if I missed someone). The rest of the world looks like it simply doesn't care.
> US, China, Japan, India, Canada, Brazil, and most of Europe
That's about half of the world's population (and I bet more than half of the internet-connected population). If those countries start going exclusively IPv6, the rest of the world cannot afford not to care much longer.
It's insane to think that just the 6 countries mentioned are ~44.4% of the world's population - but the whole of Europe (~52 countries) are only 9.45%.
I live in Norway, we have some of the best mobile internet speeds in the world, meaning that mobile internet infrastructure in this country is pretty good.
And yet here we are in 2021 and my carrier is only giving me IPv4 access by default. No IPv6. This is with 4G connection and 70GB data per month by the way, for which I pay about $50 per month for the subscription.
They'd care if they suddenly lost access to a bunch of services because they don't have an IPv6 address. The problem is that basically no one is going to cut off people from accessing their website just because their ISP is too cheap.
I asked my mobile service provider when they might start supporting IPv6, and got the answer that they have enough IPv4 addresses, so no plans to implement IPv6. The mind boggles.
This is odd/amusing, because in US as far as I know there are no carriers doing IPv4 anymore - it's all IPv6 with 464xlat or equivalent translation proxies.
And these are companies with more IPv4 than your carrier most likely.
The sheer size of the US and thus the US market drives this in part.
Suppose you're a "big" ISP in Norway. Maybe you have almost half a million customers, and your corporate growth plan says you want a million customers by 2030.
Your engineers need a way to address all the backend infrastructure on your network. So, they give it all 10/8 addresses. No problem. "Do you need IPv6? Our customers are saying they want it?" "Not really, put it on the nice-to-have list and we'll get to it when we get to it".
In contrast your American equivalent has 20 million customers and hopes to expand to 40 million customers by 2030. Their engineers ran out of addresses in 10/8 for infrastructure years ago. So there are awful, miserable hacks they can do, but just going to IPv6 solves the problem. And hey, since your backend network is IPv6 anyway, you can just as well give it to your customers.
Once you bite the bullet, IPv6 first is actually cheaper. But most organisations aren't set up to think that way. The big changes resulting from the pandemic illustrate that. Can some (many? almost all?) of your office workers be more effective if they don't spend an hour every day commuting and then sit in a small cubicle most days of the week? The answer to that question didn't change from May 2019 to May 2020 but whether your employer knew the answer changed.
Meanwhile, American datacenters are still handing out IPv4 addresses like candy.
I know a few people who got 5 "usable" addresses with each dedicated server from a provider that shall go unnamed. That actually eats up an entire /29 per server. None of those people ever use more than 1 IP. The datacenter doesn't even bother to configure the remaining IPs on a default install.
On a side note, I've had a terrible experience trying to use Hetzner in the past. I had some machines at Scaleway at the time and I decided to try Hetzner as well. I filled some sign up form and received a reply email that basically said:
"We've evaluated your sign up data and we've decided to not do business with you. Your account was rejected and we won't review it again for the next six months."
There was nothing shady in my sign up data. It took me a moment to realize that the reply e-mail was real. Crazy stuff.
They have a reputation of doing this kind of opaque "verification" asking for ID and nonsense like that. Meanwhile there are still a lot of botnets being hosted there: https://www.spamhaus.org/news/article/813/spamhaus-botnet-th... . Even DigitalOcean is doing better.
No. I got a reply from an automated system with no reason whatsoever. They also state that they wouldn't read any replies, since they don't have the manpower to double check each and every account rejection.
I am sorry for your experience, but Hetzner is a European hoster in Germany and mostly does business with German and European companies. Rejecting a customer because he is on another continent is a valid reason for me.
The sole overhead of doing the accounting and even abuse handling for other continents is probably not worth the money.
Maybe it isn't clear from their page and they should be more open about which markets they serve.
Just as another data point, I am from Europe and my application was accepted very quickly. I'm currently using Hetzner for most of my personal cloud stuff and have been very happy with their services thus far.
Yep. A “dedicated root server”, though, is dedicated hardware. They start at about 30-40 €/mo. TFA does not mention cloud servers (virtual machines) at all.
Virtual machines from Hetzner, however, always come with an IPv4 address. For security reasons, I’d much prefer to get them without one (I disable the interface and firewall it 100% anyway), but it’s not an option to get a virtual machine without the public IPv4 address. One would think they’d provide that option if they are already hitting commercial limits with the IPv4 address space.
> For security reasons, I’d much prefer to get them without one (I disable the interface and firewall it 100% anyway), but it’s not an option to get a virtual machine without the public IPv4 address.
I agree, and hopefully without leaking anything: this is also a request within their customer forum [1].
You don't leak anything as the link doesn't seem to be accessible publicly (at least for me).
But it also feels kind of strange to me that they complain about IPv4 shortage while still handing them out with each VPS instance, even though a lot of users actually don't need or even don't want to have them. There should be an option, or even a small fee for a public IPv4 on cloud servers.
> You don't leak anything as the link doesn't seem to be accessible publicly (at least for me).
Yes, the forum requires registration and is open for customers only. That's why I said that I hope I don't leak anything (by saying that this topic was discussed in their (private) forum).
This (firewalling the IPv4) is actually a great idea, I never considered it before because I use their basic downtime metrics / alerts - but that could easily be pushed to IPv6 (or just another external service entirely).
Hetzner has always been one of the cheapest providers when it comes to pricing for additional IP addresses. I'm surprised it took this long for them to be forced to raise the prices. This affects me, but I understand why they have to do it.
Just this week I tried to turn on IPv6 for my sister’s home network and guess what…even with FTTH it’s IPv4 only. Two decades later and we still don’t have a basic feature that we knew we needed three decades ago.
IPv6 adoption is sadly a chicken or egg problem. Most residential ISPs near me provide IPv6 along with IPv4. But since so much of the internet still doesn't work with IPv6, and because ISPs have run out of IPv4 addresses to assign, they have started using CGNAT to assign a single public IPv4 to multiple customers. This means you can't self host servers of any kind, which sucks. Some ISPs don't use CGNAT, and have therefore become popular with gamers, tech people, and so on. But I imagine this will change eventually. Hopefully if enough tech people start hating CGNAT and wish that the internet just worked with IPv6, they will push adoption elsewhere (as most people just won't care).
Well, I remember reading a blog post from someone who analysed IPv4 address pricing and concluded it was increasing quadratically (ah, here it is: https://www.retevia.net/address-pricing-2019-and-beyond/). The noise is so high that such certainty seems a little out of place, but clearly it is going up, and its growth rate is at least linear and much bigger than inflation.
Given that's true, what happens next is not so hard to predict. The price will continue to go up for a while, but then it will hit an inflection point. It's an inflection point because what makes IPv4 attractive is better connectivity. Network effects in other words. But once the real migration starts, connectivity will swing in towards IPv6, so an IPv4 address will be worth less than an IPv6 address. Which is to say it will be worth nothing.
That translates into a rapid rise in price presumably artificially inflated by speculation, then the bubble will pop, the bull will turn into a bear, and the price will drop off a cliff.
In other words, you will know the transition to IPv6 has happened when you see that price crash.
Yeah, my ISP does an IPv4 (static is an extra cost) and a full IPv6 /56 assignment.
Beyond that, though, I think a lot of the fundamentalism around "IPv6 should mean everything is always available, if you don't like that get gud at network security" has been incredibly counter-productive. IPv4 NAT has given a certain level of network security to consumers, and IPv6 defaulting to always-on, all-the-time is not a comforting story.
But the same class of device that currently provides NAT to the end user could just as easily provide a default-deny firewall. It's not as though it's easier for Netgear to implement NAT than a basic firewall.
There is no reason why you can't host something behind CGNAT: you just have to use NAT-PMP or PCP to allocate a public exterior port. The issue is then whether anyone on either side supports that... but it isn't really NAT's issue.
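The NAT-PMP/PCP mechanism mentioned above is a small UDP protocol (PCP is RFC 6887) that a host behind CGNAT speaks to its gateway to request a public port. The following is an added example, not code from the comment author or from any PCP implementation: it builds a PCP MAP request, parses a MAP response, and, the part that matters for security, discards any response whose nonce does not match the request, so an off-path host cannot hand the client a fake mapping. The gateway address, ports and the "server reply" are constructed for the demonstration; whether a given CGNAT actually runs a PCP server is exactly the "whether anyone on either side supports that" caveat from the comment.

```python
"""PCP (RFC 6887) MAP request/response handling, as a client behind CGNAT would use it.

Added example; all addresses, ports and the sample server reply are constructed.
"""
import os
import socket
import struct
from dataclasses import dataclass

PCP_VERSION = 2
PCP_SERVER_PORT = 5351          # PCP server port from RFC 6887
OPCODE_MAP = 1
RESULT_SUCCESS = 0
PROTO_TCP = 6

HEADER_FMT = "!BBHI16s"         # version, R|opcode, reserved, lifetime, client IP          (24 bytes)
RESP_HEADER_FMT = "!BBBBII12s"  # version, R|opcode, reserved, result, lifetime, epoch, rsvd (24 bytes)
MAP_FMT = "!12sB3sHH16s"        # nonce, protocol, reserved, internal port, ext port, ext IP (36 bytes)


def ip_to_pcp(addr: str) -> bytes:
    """PCP always carries 128-bit addresses; IPv4 is sent as an IPv4-mapped IPv6 address."""
    try:
        return socket.inet_pton(socket.AF_INET6, addr)
    except OSError:
        return b"\x00" * 10 + b"\xff\xff" + socket.inet_pton(socket.AF_INET, addr)


def pcp_to_ip(raw: bytes) -> str:
    if raw[:12] == b"\x00" * 10 + b"\xff\xff":
        return socket.inet_ntop(socket.AF_INET, raw[12:])
    return socket.inet_ntop(socket.AF_INET6, raw)


def build_map_request(client_ip, internal_port, protocol=PROTO_TCP, lifetime=3600,
                      suggested_port=0, nonce=None):
    """Build a MAP request. The 96-bit nonce ties the reply to this request; keep it per mapping."""
    nonce = nonce if nonce is not None else os.urandom(12)
    header = struct.pack(HEADER_FMT, PCP_VERSION, OPCODE_MAP, 0, lifetime, ip_to_pcp(client_ip))
    body = struct.pack(MAP_FMT, nonce, protocol, b"\x00" * 3, internal_port, suggested_port, b"\x00" * 16)
    return header + body, nonce


@dataclass
class MapResult:
    result_code: int
    lifetime: int
    epoch: int
    protocol: int
    internal_port: int
    external_port: int
    external_ip: str


def parse_map_response(data: bytes, expected_nonce: bytes) -> MapResult:
    """Parse and validate a MAP response; anything not matching our request is rejected."""
    if len(data) < 60:
        raise ValueError("short PCP response")
    version, r_opcode, _, result, lifetime, epoch, _ = struct.unpack(RESP_HEADER_FMT, data[:24])
    if version != PCP_VERSION:
        raise ValueError(f"unsupported PCP version {version}")
    if not (r_opcode & 0x80) or (r_opcode & 0x7F) != OPCODE_MAP:
        raise ValueError("not a MAP response")
    nonce, protocol, _, int_port, ext_port, ext_ip = struct.unpack(MAP_FMT, data[24:60])
    if nonce != expected_nonce:
        raise ValueError("nonce mismatch: response does not belong to our request")
    return MapResult(result, lifetime, epoch, protocol, int_port, ext_port, pcp_to_ip(ext_ip))


def response_is_ours(data: bytes, nonce: bytes) -> bool:
    """True only if the reply parses and carries our nonce (what the caller should gate on)."""
    try:
        parse_map_response(data, nonce)
        return True
    except ValueError:
        return False


def request_mapping(gateway_ip, client_ip, internal_port, timeout=2.0):
    """Send the request to the PCP server (the default gateway when behind CGNAT) and wait.
    Real network call; the offline demonstration below does not use it."""
    req, nonce = build_map_request(client_ip, internal_port)
    family = socket.AF_INET6 if ":" in gateway_ip else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(req, (gateway_ip, PCP_SERVER_PORT))
        data, _ = sock.recvfrom(1100)
    return parse_map_response(data, nonce)


def constructed_success_response(nonce, internal_port, external_port, external_ip, lifetime=3600):
    """A server reply fabricated for the demo: what a cooperative CGNAT would send back."""
    header = struct.pack(RESP_HEADER_FMT, PCP_VERSION, 0x80 | OPCODE_MAP, 0, RESULT_SUCCESS,
                         lifetime, 123456, b"\x00" * 12)
    body = struct.pack(MAP_FMT, nonce, PROTO_TCP, b"\x00" * 3, internal_port, external_port,
                       ip_to_pcp(external_ip))
    return header + body


if __name__ == "__main__":
    req, nonce = build_map_request("100.64.0.23", 22)   # 100.64.0.0/10 is the CGNAT range
    reply = constructed_success_response(nonce, 22, 40022, "198.51.100.7")
    print(parse_map_response(reply, nonce))
```

Two practical notes: the PCP server checks that the client address in the header equals the packet's source address (otherwise it answers with a THIRD_PARTY error), so the client must fill in the address it actually sends from, and a mapping expires after `lifetime` seconds, so a self-hosted service has to renew it.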
Still waiting for my ISP to actually implement IPv6 addresses for fixed connections. It's only been about 7 years since the Transport and Communications Agency issued a recommendation to issue IPv6 addresses with consumer connections.
The monthly fee I can understand (but also feel there is a bit of mark-up on it to nudge customers towards IPv6).
I guess since it's their service, they have an absolute right to charge what they like (and let the competition decide), but the setup fees are just not going at market rates.
Point I'm trying to make is - charging € 435.20 per month for a /24 is expensive but sort of ok ... but the € 4864.00 set-up fee?
Seriously? It costs € 152.00 for a /29 subnet but it costs 32x MORE to set up a /24 subnet? Is it really 32 times more work to set up?
Hetzner is a host living at a price and popularity point where they always have to consider massive scale abuse.
I'd imagine this is a major incentive for long-term ownership of their freshly acquired IP space instead of churning them through customers to end up on every blacklist for every conceivable type of service.
I've done no work to diagnose where the failure is, but I have Google Fiber, with the supplied Google Wifi device, am on my Google Pixelbook running Google's Chrome OS, and I cannot access Google via IPv6. I don't think I could have a more streamlined setup where Google has full control from end to end to make IPv6 a reality. I can find blog posts by Google talking about the importance of IPv6 adoption, and yet I can't access ipv6.google.com.
Great, so now there is a marketplace for IPs, meaning that there are people solely making money buying and selling IPs, pushing the price up regardless of usage.
Yeah, and I really want this to happen. I want it to get expensive enough to the point where cloud providers realize they are literally throwing away money by participating in these markets rather than just adopting IPv6 and solving the challenges that come with it. That's how we move forward. They aren't going to do anything until there's $$s on the table.
Speculation might make it harder to get fixed IPv4 addresses for hobby projects, but in the long run it means there are IPv4 addresses available on the market for situations that actually need them rather than having them all tied up in lower-value services or ones which could have been done just as well over IPv6.
I am curious, as there's a lot of mature software out there that will never be updated to make the jump to IPv6; is there a way to emulate IPv4 traffic over IPv6 to support old software?
I mean, I guess there is with 4in6 and Tunnel Setup Protocol? But I've not seen it done yet in the real world.
I think maybe if some quirky software developer wrote something popular that only worked over IPv6, maybe we'd see a slight uptick.
This is the inevitable and foreseeable result of the scarcity of IPv4 addresses, and it perversely discourages IPv6 adoption. Once something has a cost, it has the potential to become revenue generating, and once that happens the incentive for companies changes to preserving the revenue stream. At that point, why would they make the effort to provide a free alternative?
I think this is good news for IPv6 deployment. As ISPs start charging more for IPv4, companies will finally have a financial reason to seek the alternative.
It's sort of like taxing carbon to make non-carbon energy more competitive.
It won't generate revenue, but investment into IPv4 can be used to build a moat around your cloud business. Anyone who wants to compete with the big cloud vendors now needs not just a global network of data centers and good uplinks, but also a large pool of IPv4 addresses.
It would be very rare that any company passes the wholesale cost directly to the customer. There’s almost always some kind of markup, even for things like “administrative overhead”. Maybe that’s not widespread now, but the clear trend is reduced supply and increasing demand, so the costs will definitely go up.
I was just thinking this when reading the email Hetzner sent me. Would it be a good investment to buy 1000 IPv4 addresses now and sell them in a few years?
The thing that's saleable is routable IPv4 address space. That is, blocks of addresses which can just be announced somewhere by a new owner. I can't meaningfully sell say 81.2.89.126 even though that address is "mine".
The RIRs still manage this namespace. Their rules only allow transfers of space to LIRs that have a justified need for the addresses, the "sale" just allows you to bump their request to the top of the queue matched against your return of those addresses. At exhaustion (where most regions are now), the queue won't move unless either some kind soul gives back some addresses or, more likely they sell those addresses to somebody not at the front of the queue.
So, you can't really just buy 1000 IPv4 addresses. You would need to create an entity that needs 1000 addresses, that could buy them, and then it could use them, but then that's not really an "investment in IPv4 addresses" it's a company (ISP? Cloud provider maybe?) that you founded and provided some capital to in the form of the address space it needed.
Seems like a bad long term investment, since there's a plan for them to be worthless eventually. Economically speaking, if the market is rational, the price should tend down over time.
Of course the market may not be rational (it's obviously not super liquid, either), and it's very plausible the price creeps up over time before eventually crashing, or that we never get to widespread IPv6 adoption after all. Maybe you have some insight that they are underpriced at the moment and IPv6 adoption is further away than the market thinks. But I wouldn't contemplate this as an investment unless I had some plan to collect rent for the assets to make up for the expected eventual depreciation.
This whole problem could have been avoided if IPv6 were easier to memorize. I feel like especially when setting up networks, the v6 part is not as natural as v4. It is simply additional overhead and causes a lot of "scratching my head" moments.
Otherwise there would be no reason to not leave v4 behind and just move on.
> This whole problem could have been avoided if IPv6 were easier to memorize.
Thankfully, we have DNS. A lot of ISP issued consumer CPEs now automatically create lan-local DNS entries for clients based on hostname provided by the client at dhcp time, a lot of clients also natively support mDNS, and there are plentiful free DNS providers if none of the above applies to you, and you can't host your own.
Remembering IPs isn't something that people should need to do at this point in our networks' maturity.
Agreed. If, in 1997/98, the IPv6 spec had been "prefix 2 more 8 bit values at the beginning" - and all existing addresses moved in to 0.0.a.b.c.d - we could have had a much easier path for migration (imo). And yes, it wouldn't have been "128 bit!" but we still would have had 255 more address spaces of 4 billion each, which would have bought us some more time. I think we'd have been further along that migration path than where we are now, after 23 years.
I mean we've managed to stretch v4 for 20 years longer than anyone thought possible. Adding one more bit to the address would have doubled the size of the v4 space, so another 8 bits would have been plenty.
Yep. But... "now every star in our galaxy can have their own /16 block!". That's a paraphrased recollection I have from some networking colleague in '98 when this all was coming down. It seemed a strange goal, and I'm presuming he was just trying to illustrate how 'vast' IPv6 was.
IPv6 addresses theoretically should be easier to memorize & work with than IPv4 thanks to the double colon shorthand acting as a wildcard for zeros and due to it being hex grouped rather than octet grouped.
As an example 2001:0db8:0000:0000:0000:0000:0370:7334 could be written as 2001:db8::370:7334 instead (notice that leading zeros were also culled). This paired with the fact that hexadecimal tends to be easier to memorize and doesn't have the strange subnet masking logic like IPv4, gives it a lot of advantages over IPv4's address notation.
The problem is that it's almost like router firmware and ISPs go out of their way to make their addresses harder to work with by filling out all 8 hex groups in the addresses they grant. Considering the sheer amount of available IPv6 addresses, it is, from my understanding, completely unnecessary, and I'm really curious if they have any kind of justification or technical reasoning for doing this.
1. Easier routing tables if you can add meanings to specific bit ranges of your IPv6 address. In the tightly assigned IPv4 networks we have arrived at, this is a bit annoying.
2. If the IPv6 conventions were that you set, say, the highest 5 hex groups to 0 and use the lowest 3 hex groups for addresses, it would still be 65536 times as large as the IPv4 space and would suit most needs for the mid-term future. You could even write IPv6 addresses nicely using e.g. ::ef13:2.1.7.100. This is a valid IPv6 notation! If this space ever got too tight, one could open another one of the available hex groups and use two-hex-group prefixes. But I think when this happens, a lot of configurations would break because they'd assume that only 48 bits are used of the total 128. To prevent router, switch, firewall, etc. vendors from putting any such assumptions into their devices, using the full 128 bits from the start is a good option.
I understand that, but right now people are able to get by with IPv4 only, and aren’t going to switch until they have to. The long term reality isn’t going to make someone voluntarily switch.
It's impossible to make an addressing scheme that's both memorizable, and abundant enough for the foreseeable future of the Internet. The human brain just isn't capable of dealing with numbers on that scale, which is why we invented computers in the first place.
> It's impossible to make an addressing scheme that's both memorizable, and abundant
Not really. In fact, pretty much anything would have been easier to memorize than this colon-separated nonsense, which makes URL parsing more difficult, and which is so stupidly complex that it has a special syntax to ignore repeating zeros.
An IP address is fundamentally a 32-bit or 128-bit binary number, and hexadecimal is the most human-friendly base to represent those. Decimal gets pretty hairy once you introduce CIDR prefixes that aren't 8-bit aligned.
The [IPv6]:port syntax is unfortunate, but I'm not sure what they'd have done instead. Dotted hexadecimal would be ambiguous, because "1.2.3.4.5.6.beef.de" looks like a DNS hostname.
Zero compression exists because it's more convenient than writing all those zeroes, especially with CIDR prefixes like "2000::/3".
I think browsers are advanced enough to parse [IPv6]:port.
Note that they can even distinguish octal and decimal IPs, for example this is working in Chrome, Firefox and the Windows ping utility:
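The octal and hexadecimal spellings that comment refers to follow the classic BSD inet_aton() grammar, which the WHATWG URL host parser used by browsers also implements: a part with a leading 0 is octal, a part with 0x is hex, and fewer than four parts are allowed. The following is an added example, not from the commenter: a parser that reproduces that grammar next to a strict dotted-quad check, because the security-relevant consequence is that an allow/deny list comparing address strings will not recognise 0177.0.0.1, 0x7f.1 or 2130706433 as 127.0.0.1, while the resolver or URL library that opens the connection will. All inputs are constructed; the CGNAT range check is an assumption about what a given filter wants to block.

```python
"""Loose (inet_aton-style) versus strict IPv4 text parsing.

Added example. The alternate spellings used below are constructed inputs.
"""
import ipaddress
import re
from typing import Tuple

STRICT_DOTTED_QUAD = re.compile(
    r"(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
)
CGNAT_SPACE = ipaddress.ip_network("100.64.0.0/10")   # assumption: treat shared space as internal


def _c_number(tok: str) -> int:
    """strtoul(base 0) rules used by inet_aton: 0x.. is hex, a leading 0 is octal, else decimal."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", tok):
        return int(tok[2:], 16)
    if re.fullmatch(r"0[0-7]*", tok):          # a lone "0" is just zero; "08" is rejected
        return int(tok, 8)
    if re.fullmatch(r"[1-9][0-9]*", tok):
        return int(tok, 10)
    raise ValueError(f"not a C numeric literal: {tok!r}")


def inet_aton_loose(text: str) -> str:
    """Accept what inet_aton() and browsers accept; return the canonical dotted quad.

    One to four parts; all but the last are single bytes, the last part fills the
    remaining bytes ("127.1" -> 127.0.0.1, "2130706433" -> 127.0.0.1).
    """
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError("one to four parts required")
    *head, last = [_c_number(p) for p in parts]
    if any(n > 0xFF for n in head):
        raise ValueError("octet out of range")
    last_bytes = 4 - len(head)
    if last >= 1 << (8 * last_bytes):
        raise ValueError("final part out of range")
    value = 0
    for n in head:
        value = (value << 8) | n
    value = (value << (8 * last_bytes)) | last
    return str(ipaddress.IPv4Address(value))


def parses(text: str) -> bool:
    try:
        inet_aton_loose(text)
        return True
    except ValueError:
        return False


def is_canonical(text: str) -> bool:
    """Strict check: four decimal octets, no leading zeros, no hex, no shorthand."""
    return STRICT_DOTTED_QUAD.fullmatch(text) is not None


def classify_target(host: str) -> Tuple[str, bool]:
    """What an egress/SSRF filter should do: canonicalise first, then decide on the real address.

    Returns (canonical address, allowed). Loopback, private, link-local and CGNAT space
    are refused no matter how they were spelled.
    """
    canonical = inet_aton_loose(host)
    ip = ipaddress.IPv4Address(canonical)
    internal = ip.is_loopback or ip.is_private or ip.is_link_local or ip in CGNAT_SPACE
    return canonical, not internal


if __name__ == "__main__":
    for spelling in ("127.0.0.1", "0177.0.0.1", "0x7f.1", "127.1", "2130706433"):
        print(f"{spelling:>12} -> {inet_aton_loose(spelling)}  canonical={is_canonical(spelling)}")
```

The safe pattern is the one `classify_target` uses: normalise with the same grammar the connecting library uses, then apply policy to the resulting address object, or reject anything that is not already canonical before it reaches a resolver.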
I mean, when you start a new VM on Hetzner (or AWS/GCP/Azure/DO/whatever) you don't memorize that address.
But cloud or not, if you set up a private network with v6 you can get a nice /48 prefix, and you give out /64 prefixes to VMs, so you'll have 48 unchanging bits to memorize (or put it into a .txt to have it near). And most of that will probably be zero anyway.
For example 2a00:1450:4001 is a /48, and 2a00:1450:4001:082b /64. Only change is "082b".
I know, it's not the same as just remembering 1.1.1.1, but most of the people working with v4 never had so simple addresses to work with. (And if we're talking about 10.0.0.0/8 and other private addresses, well, folks can continue to use them, if they want to endlessly debug NAT and static routing hacks.)
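The notation rules discussed above (leading-zero suppression and "::" in the 2001:db8::370:7334 comment, the ::ef13:2.1.7.100 embedded-IPv4 form, and the /48 versus /64 split where only the 082b group changes) are mechanical enough to write out. This is an added example, not code from any of the commenters: it implements the RFC 5952 compression rules by hand, parses the embedded-IPv4 spelling, and does the prefix arithmetic, using Python's ipaddress module only as a cross-check. The addresses are the 2001:db8::/32 documentation prefix and the prefixes quoted in the thread.

```python
"""IPv6 text forms and prefix arithmetic, written out rather than delegated to a library.

Added example, not from the thread. ipaddress is used only to parse the IPv4 tail.
"""
import ipaddress
import re
from typing import List

GROUP_RE = re.compile(r"[0-9a-fA-F]{1,4}")


def parse_groups(text: str) -> List[int]:
    """Turn any textual IPv6 address into eight 16-bit groups.

    Handles leading-zero suppression, a single '::' zero run and a trailing dotted quad
    ('::ef13:2.1.7.100' is '::ef13:201:764' spelled differently).
    """
    if ":" not in text:
        raise ValueError("not an IPv6 address")
    if "." in text.rsplit(":", 1)[-1]:
        head, quad = text.rsplit(":", 1)
        v4 = int(ipaddress.IPv4Address(quad))          # strict dotted-quad parse of the tail
        text = f"{head}:{v4 >> 16:x}:{v4 & 0xFFFF:x}"
    if text.count("::") > 1:
        raise ValueError("at most one '::'")
    if "::" in text:
        left, right = text.split("::")
        lgroups = left.split(":") if left else []
        rgroups = right.split(":") if right else []
        if "" in lgroups or "" in rgroups:
            raise ValueError("stray ':' next to '::'")
        missing = 8 - len(lgroups) - len(rgroups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one group")
        groups = lgroups + ["0"] * missing + rgroups
    else:
        groups = text.split(":")
    if len(groups) != 8 or not all(GROUP_RE.fullmatch(g) for g in groups):
        raise ValueError(f"malformed IPv6 address: {text!r}")
    return [int(g, 16) for g in groups]


def is_valid(text: str) -> bool:
    try:
        parse_groups(text)
        return True
    except ValueError:
        return False


def compress_groups(groups: List[int]) -> str:
    """RFC 5952 section 4: drop leading zeros, collapse the longest all-zero run of at least
    two groups into '::' (leftmost wins a tie). A single zero group is never collapsed."""
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i >= 2 and j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    hexs = [f"{g:x}" for g in groups]
    if best_len == 0:
        return ":".join(hexs)
    return ":".join(hexs[:best_start]) + "::" + ":".join(hexs[best_start + best_len:])


def compress(text: str) -> str:
    return compress_groups(parse_groups(text))


def expand(text: str) -> str:
    """Eight four-digit groups, the form some router UIs and ISPs insist on printing."""
    return ":".join(f"{g:04x}" for g in parse_groups(text))


def to_int(groups: List[int]) -> int:
    val = 0
    for g in groups:
        val = (val << 16) | g
    return val


def from_int(val: int) -> List[int]:
    return [(val >> (16 * (7 - i))) & 0xFFFF for i in range(8)]


def enclosing_prefix(text: str, plen: int) -> str:
    """Mask an address down to its /plen network, e.g. the /48 or /64 a VM address sits in."""
    if not 0 <= plen <= 128:
        raise ValueError("prefix length out of range")
    host_bits = 128 - plen
    net = (to_int(parse_groups(text)) >> host_bits) << host_bits
    return f"{compress_groups(from_int(net))}/{plen}"


def nth_64(prefix48: str, n: int) -> str:
    """The n-th /64 inside a /48 delegation: the 48 prefix bits stay, bits 48..63 carry n."""
    net_text, plen = prefix48.split("/")
    if int(plen) != 48:
        raise ValueError("expects a /48")
    if not 0 <= n < 1 << 16:
        raise ValueError("a /48 holds exactly 65536 /64s")
    base = to_int(parse_groups(net_text))
    return f"{compress_groups(from_int(base | (n << 64)))}/64"


if __name__ == "__main__":
    print(compress("2001:0db8:0000:0000:0000:0000:0370:7334"))
    print(expand("2001:db8::370:7334"))
    print(compress("::ef13:2.1.7.100"))
    print(enclosing_prefix("2a00:1450:4001:082b::1", 48), enclosing_prefix("2a00:1450:4001:082b::1", 64))
    print(nth_64("2001:db8:1::/48", 0x82b))
```

The tie-breaking and "never collapse a single zero group" rules are where hand-written comparisons of IPv6 strings go wrong; comparing addresses as integers (or as the canonical form produced here) is what any allow list or log correlation should do.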
Not necessarily remembering cloud addresses, but it is fairly easy to design v4 networks. Subnet masks, for example, are short and understood with a brief glance at them.
If v6 were simpler, it would also be the first choice for more local networks, hence more widespread.
Plenty. If you expect to access it from IPv4-only networks, you'll have to provide a gateway. Additionally, things like Docker interoperate very poorly with IPv6.
The issue would be more or less the same. You'd have to buy new hardware and check all software anyway but would drop many of the benefits of the IPv6 we have. E.g. in enterprise networks, it is very nice you don't have to think about the size of a subnet for a VLAN anymore, you just give every VLAN /64 and it will suffice. The extra address space is also nice for autoconfiguration and much more we don't even think about yet. I think, IPv6 is ok as it is. A practical protocol is never perfect and will not please everybody but IPv6 stood the test of time, there is considerable traffic over IPv6 and we are slowly, but surely getting there.
Adding IPv6 support has never really been the issue. It's in every single piece of hardware or software I have. The problem is that people don't want to use it, as evidenced by the fact that people avoid it on overlay or virtual networks and use IPv4 if possible.
The very slight convenience you mention is far outweighed by 32+ digit IP addresses.
Also please don't bring up DNS. Anyone arguing that DNS is a solution to this problem has never done devops or IT.
Actually, IPv6 addresses cannot be longer than 32 digits. Some practical ones can be rather short, usually just slightly longer than a comparable IPv4 address. Such addresses would be used where remembering/recognizing the exact IPv4 or IPv6 is relevant, such as the DNS servers or the network hand-off IP/floating IP on a firewall cluster, or something like that which is used for the bring-up of other services. I have done my fair share of devops/IT/administration and engineering of largish enterprise and campus networks.
You would be surprised how much hardware and software doesn't support IPv6 properly. Sometimes it is the basic things, sometimes the more advanced stuff, but that just means it takes a second or multiple days to find out. The problem is, it just is a similar but different protocol, so you have to be quite diligent and check everything you need for the device/service to work.
People do all kinds of stuff on underlay and overlay networks. E.g. some Dell VxRail hyper-converged appliances use IPv6 for the management network https://i.dell.com/sites/csdocuments/Shared-Content_data-She.... This is basically just link-local addresses for L2 reachability if I remember correctly but they could've gone with IPv4 there as well. It certainly would be more common for enterprise appliances to not rely on IPv6 for anything even when it shouldn't make a difference whether you do.
I wonder if part of this pricing scheme is to counter (or at least to short-term profit from and eventually change the behavior of) the provider being abused by spammers/scammers who could previously scoop up benign reputation IPv4 addresses from the far corners of the world and pull them over to Hetzner for very little $.
ARIN has been constantly raising prices on both IPv4 AND IPv6 registrations and fees. It's really annoying because you'd think you'd get a break for adopting IPv6 but nope.
I've expressed my disagreement on the public mailing list but it seems like it is happening anyway.
There's a cost to switching to IPv6 and a cost to buying IPv4 addresses. When the cost to buying IPv4 addresses exceeds the cost of switching, people will switch. In my humble opinion, there is no problem - we just underestimate how much change costs.
* AWS in July 2021: 0.005 USD/hour = 3.65 USD/month.
* Hetzner in July 2021: 0.84 EUR/month = 1.00 USD/month.
* Hetzner from January 2022: 1.70 EUR/month = 2.02 USD/month.
With a 19 EUR = 22.58 USD setup fee at Hetzner since August 2021:
x * 1.00 + 22.58 = x * 3.65;
22.58 = x * (3.65 - 1.00)
x = 22.58 / (3.65 - 1.00) = 22.58 / 2.65 = 8.52 months to recoup the setup fee compared to AWS.
With the Jan 2022 monthly price increase:
x * 2.02 + 22.58 = x * 3.65;
22.58 = x * (3.65 - 2.02)
x = 22.58 / (3.65 - 2.02) = 22.58 / 1.63 = 13.85 months to recoup the setup fee compared to AWS.
It's interesting that the 19 EUR per IPv4 setup fee applies to both single IP addresses, as well as full subnets -- /24 now has a whopping 4864 EUR setup fee! (19*256=4864) Ouch!
iCloud Private Relay, coming in iOS 15, does appear to be native IPv6. I wonder if this will have a noticeable effect on IPv6 adoption stats when it's released to the public[1]?
The problem I have is that IPv6 is unusable right now.
Most server software cannot properly handle blocking of increasing IPv6 subnets.
And not only that, but my ISP assigns the same /64 subnet to me for months.
Who needs cookies anymore if you can just track the /64?
Even unplugging the router for a day won't assign a different prefix for me.
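The two points in that post, that a /64 is the practical unit of identity and that server software needs to block at growing prefix sizes rather than per address, map onto a small piece of detection logic. The following is an added example, not the commenter's software or any existing tool: failures are keyed on the /64 for IPv6 (so privacy-extension address rotation inside the prefix does not evade the counter) and on the single address for IPv4, and once several /64s under one /48 have been blocked the whole /48 is blocked. The thresholds, the choice of /48 as the escalation level, and the log lines are all constructed for the demonstration; real ISPs delegate /56s and /48s, so the escalation boundary is a policy choice.

```python
"""Abuse tracking keyed by IPv6 prefix instead of individual address.

Added example (not the commenter's software). Thresholds and log lines are constructed.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, Optional, Set

V6_HOST_PREFIX = 64     # one end user / LAN; addresses inside it rotate (privacy extensions)
V6_SITE_PREFIX = 48     # escalation level: a customer-sized delegation (assumption)
FAILS_PER_KEY = 5       # failures before a /64 (or an IPv4 /32) is blocked
BAD_64S_PER_48 = 3      # blocked /64s before the enclosing /48 is blocked


def _normalise(addr: str):
    """IPv4-mapped IPv6 (::ffff:a.b.c.d, what dual-stack sockets report) is treated as IPv4."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def reputation_key(addr: str) -> str:
    """IPv4 keys on the single address; IPv6 keys on its /64."""
    ip = _normalise(addr)
    if ip.version == 4:
        return f"{ip}/32"
    return str(ipaddress.IPv6Network((ip, V6_HOST_PREFIX), strict=False))


def site_key(addr: str) -> Optional[str]:
    ip = _normalise(addr)
    if ip.version != 6:
        return None
    return str(ipaddress.IPv6Network((ip, V6_SITE_PREFIX), strict=False))


class SubnetBlocker:
    def __init__(self) -> None:
        self.failures: Dict[str, int] = defaultdict(int)
        self.blocked: Set[str] = set()
        self.bad_64s: Dict[str, Set[str]] = defaultdict(set)

    def record_failure(self, addr: str) -> None:
        key = reputation_key(addr)
        self.failures[key] += 1
        if self.failures[key] >= FAILS_PER_KEY and key not in self.blocked:
            self.blocked.add(key)
            site = site_key(addr)
            if site is not None:
                self.bad_64s[site].add(key)
                if len(self.bad_64s[site]) >= BAD_64S_PER_48:
                    self.blocked.add(site)          # escalate: the whole /48 is now blocked

    def is_blocked(self, addr: str) -> bool:
        ip = _normalise(addr)
        # Linear scan for clarity; a production filter would use a radix tree or nftables sets.
        return any(ip in ipaddress.ip_network(net) for net in self.blocked)


def feed_log(blocker: SubnetBlocker, text: str) -> int:
    """Ingest 'timestamp service auth-fail <addr>' lines; returns the number of failures seen."""
    seen = 0
    for line in text.splitlines():
        if " auth-fail " in line:
            blocker.record_failure(line.rsplit(" ", 1)[-1])
            seen += 1
    return seen


def constructed_log() -> str:
    """Constructed sshd-style lines: three busy /64s under one /48, one quiet /64 in
    another /48, and one IPv4 host reported through an IPv4-mapped address."""
    lines = []
    for sub in ("a", "b", "c"):
        lines += [f"2021-08-01T10:00:0{i}Z sshd auth-fail 2001:db8:1:{sub}::{i:x}" for i in range(1, 6)]
    lines.append("2021-08-01T10:01:00Z sshd auth-fail 2001:db8:2:a::1")
    lines += [f"2021-08-01T10:02:0{i}Z sshd auth-fail ::ffff:203.0.113.9" for i in range(5)]
    return "\n".join(lines)


if __name__ == "__main__":
    blocker = SubnetBlocker()
    feed_log(blocker, constructed_log())
    for probe in ("2001:db8:1:a:ffff::1", "2001:db8:1:ffff::1", "2001:db8:2:a::1", "203.0.113.9"):
        print(f"{probe:>22} blocked={blocker.is_blocked(probe)}")
    print(sorted(blocker.blocked))
```

The flip side of the post's observation applies here too: keying on the /64 means one abusive device on a shared prefix locks out everyone behind it, which is the same trade-off IPv4 CGNAT imposes on a shared public address.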
Cookies are used because people want to track users across networks. They might be on their mobile phone on home wifi, then on 4G, then at their office, etc.
On IPv6, your OS should also enable the privacy extensions, so that your device has two IPs: a stable one for incoming, and a randomly changing IP for web browsing. Sure, it's the same subnet, but it would be silly to rely on this considering the many other ways we can track users.
My ISP gives me a /56, and many provide a /48. That's huge. We are 4 people, each with 2-3 devices, and frequent guests on our wifi. Pretty sure such a database would be highly unreliable. And some ISPs rotate the allocated subnet, some make it static. You would probably have the same level of reliability with an IPv4 database currently ("IP visitor from a niche US-based ISP" is probably the same user, and you could dedupe by browser and other data).
And then jurisdictions such as the EU, Canada and California would consider the IP address to be PII, and it would be illegal to contribute to such a database.
Again, there are much easier ways to track people on the Internet.
No, it doesn't. Your ISP is the one who can take that decision away from you. I have Google Fiber, and my public IPv4 address has not changed in around six months, while my IPv6 block has changed twice in that same time. This is despite replacing my router and several multi-hour power outages. I believe the only reliable way to get a new IPv4 address is to call support.
I'm still waiting for VPCs in Hetzner. In theory, within a VPC you assign IPs in the internal range, so there's no need for a public IPv4. I know this is not a solution for everyone, but at least for me it would mean:
- 1 public IP for my nginx server
- N private IPs for my application/db/monitoring servers within the VPC
VPCs exist in Hetzner and you can set up networks in Hetzner Cloud now and also even link with Robot -- they're called vSwitches and they can connect to Hetzner Private networks:
SRV records or a similar tech would end the artificial IPv4 shortage. Services run on ports, there are plenty of open ports.
I get why Google and Facebook and the like are pushing the technology hard; it enables casual tracking of individual devices by third parties which are normally blinded.
It presents a 48-bit address space for services, which is ultimately what everyone cares about. Having the "service location" protocol be part of the transport OSI layer in TCP was a design flaw IMO. That should have been handled higher in the stack.
If I wanted to buy a block for speculation (thus helping accelerate ipv6), would it need to be crazy large to even be worth it? I imagine the buyers are less interested in 4000 ips here, 200 ips there, right? Like they’ll want /16, /8, etc?
> If I wanted to buy a block for speculation (thus helping accelerate ipv6)
IPv4 sells for ~$40/IP right now.
The smallest block you can buy that is Internet routable is a /24.
If you're buying, you're likely buying from another speculator, so you're not helping accelerate anything, you're simply a(nother) middle man in a (series of) sale(s) of a commodity, looking to profit until the block eventually gets sold to a user.
None of that is said with any judgement, mind, as I've traded a /22 of IPv4 space for quite a handsome profit over the last few years. Just don't pretend there's any altruism or benefit to anyone else from your speculative activities.
Is the speculation actually possible? I keep reading conflicting opinions. Some say anyone can buy a block via auction, but some say even then you need to be vetted as a "valid" owner by the registry itself. What was your experience?
Any other purchase reason is likely to result in ARIN pulling your "ownership" entirely when they discover it.
From what I understand, most of what's being sold off right now on IPv4 auctions is from companies who had too much IPv4 that they no longer need, or companies that were liquidated.
Well, don't let whatever application you run access arbitrary networking of any kind.
Like, literally hide the LAN adapter from it.
Then add a virtual adapter for/from the VPN software.
This worked from the beginning on for IPv4 and IPv6 (probably also more exotic networking protocols) on Linux, though I don't know how hacky the Windows equivalent to this is.
There aren't enough IPv4 addresses. It's not difficult arithmetic. It is possible for someone to be hoarding and someone to be wasteful and there not to be enough of something to go around. Those aren't distinct ideas only one of which can be true for a namespace.
Let's try a little thought experiment. Abe, Carol, Emma, Gerald, Isobel, Kate and Mark are at the place. Everybody is hungry. Three pizzas are delivered. Each person will be able to eat about half a pizza, or else they'll still be hungry.
Carol and Isobel announce that as vegetarians they ought to have the two veggie pizzas. Carol eats half of hers and says she's keeping the other half "to eat later". Isobel realises her pizza has red pepper on it; she doesn't like red pepper and so she throws about half the pizza away as "contaminated". All five other people are left to share the pepperoni pizza; they all still feel hungry after dividing it equally.
Was there hoarding? Yes Carol hoarded half a pizza. Was there waste? Yes Isobel wasted half a pizza. Was there not enough pizza? Yes, three pizzas is enough to properly feed six people and there were seven people eating even before Carol and Isobel announced they were keeping the veggie pizzas to themselves.
Whenever I see articles like this (and there have been tons over the past decade), I can never stop thinking about how poorly designed IPv6 was for adoption. Tons of other people have commented on this, but if we simply extended the IPv4 address space, instead of having a parallel space with IPv6, the transition would have gone much more smoothly IMO.
How would that even work? The IPv4 address fields are 32-bits. If you extend them, you have a new protocol, just like IPv6. There could've been some parallel efforts (like opening up the 240/4 former class-E space for assignment), but that would just be a short term patch.
IPv6 has been available for over 20 years. This is way longer than IPv4 was available when the Internet went "mainstream" in the mid-90's. ISPs need to get their ass in gear.
This post is an "oldie but goodie", I think it's been around probably at least 20 years, and the section titled "The IPv6 mess, part one: incompatibility" explains what I'm talking about.
I agree that IPv6 roll-out strategy has been broken from the beginning but how does "extending the space" help here? You still need to add support to the new space in all relevant layers. What does the extension strategy change here?
This pricing is highway robbery. How is the incremental setup of an IP in a /29 (only 6 usable addresses out of 2^3=8), when setting up 8 (at $19/IP), a total of $152? I can see how the monthly rate would change, but an upfront setup fee that high? I guess I won't be using Hetzner going forward..
> I can see how the monthly rate would change, but upfront setup that high?
Presumably this is to make it untenable for spammers to churn through multiple blocks of /24s at little to no cost.
Also, a /24 is going for around $10k to buy or sell on the IPv4 market now, or approx 50% of their setup fee, making it much more economical to buy your own space, which is probably what they'd rather you did, since giving you 256 IPs means that's 256 more servers that they can't sell.
EDIT: and before the response of "but I only want a /29", if there's no incremental setup cost to get a larger block, that approach will get abused by nefarious users. This is why we can't have nice things.
EDIT2: ..and a /29 still means 8 more servers that can't be sold. There's opportunity costs involved in leasing IP space that could be better used elsewhere. As the cost of acquisition of IPv4 space goes up, so does the cost to the end user.
>Presumably this is to make it untenable for spammers to churn through multiple blocks of /24s at little to no cost.
This is exactly what it does. Hetzner Cloud will also, to the dismay of my ssh known hosts, keep assigning you the same IPv4 addresses until it becomes the LRU in their pool for a new customer so you can't do this.
Did you even read the reasoning? IPv4 prices have been rising for the last 5 years (or even more); a price increase is nothing new (my ISP charges 7 euro per month for IPv4; a few years ago it was 2 euro).
They want to encourage people to buy individual addresses if that works for them. Because that way they can offer them individual bits and pieces rather than having to find contiguous chunks.
Yes, but what's also interesting is other large IPv4 block holders who aren't governments. Will large public companies start selling off their address space to pad profits in order to appease/please shareholders?
How are you going to "force" legacy address holders to give up their space? Especially government agencies, which helped to build the early internet? Early registrations, pre-dating ARIN and the other registries, are basically property. You don't even get charged for them unless you sign a "legacy registration agreement."
DOD-NET essentially uses their space as RFC 1918 space, they have never announced it.
Property, in many cases, this one included, should be bound to making actual use of it.
Some nets (25/8, the CGNAT space) are essentially so established as private-equivalent that they should just be officially declared private. Connectivity to these will forever be spotty now that they have made their way into corporate networks.
That’s a good way to suddenly get those organizations to magically start using those IPs suddenly - if you threaten to take unused IP blocks away, I’m sure those orgs will somehow find a way to “use” them.
We used up 256 /8 blocks in roughly three decades. That's roughly 9 per year. Even if we are more conservative now, freeing up a /8 here or there will not significantly change the situation. 32 bits are woefully inadequate no matter how you slice them.
They're using them, just not very efficiently. There are already rules forcing you to give up unused blocks (although they do not apply to some very old ones).
Looks like they are also raising pricing for the cheapest cloud instances, and additional Floating IPv4 addresses.
CX11 is up +40%, CPX11 is up +14% and Floating IPv4 addresses are up +200%.
Existing instances/floating IPs will stay at the old prices, unless rescaled.
Per email, no announcement link that I can find yet:
---
Important customer information: Price adjustment for new CX11 and CPX11 and Floating IPv4 addresses
Dear Client
From the moment we launched Hetzner Cloud in 2018 we have continuously been working on expanding our platform and offering you an excellent price/performance ratio in cloud computing. Unfortunately, the prices to acquire IPv4 addresses have since increased dramatically and we have no choice but to respond. For a long time now, the pool of available IPv4 addresses has been almost empty at RIPE, the European IP address management agency. That's why RIPE stopped assigning IPv4 nets. Because of this situation, there is now a fast-growing market in IPv4 address trading with many active brokers, such as on https://ipv4.global/reports/. Supply and demand determine the price at IPv4 brokers, so the prices have skyrocketed.
We have tried hard to avoid passing on these higher prices to our customers, and have accepted the economic loss until now. However, the prices have increased so dramatically that we can no longer do this. We unfortunately must increase our prices.
Starting on 1 August 2021, the price for newly created Floating IPs (IPv4) will be increased as stated below.
Starting on 1 September 2021, the price for newly created Cloud Servers (CX11 and CPX11) will be increased as stated below.
Product Price per month / hour up until now Price per month / hour, effective 1 Sept 2021
Cloud Servers:
CX11 3.088€ / 0.00496€ 4.328€ / 0.00682€
CPX11 4.328€ / 0.00744€ 4.948€ / 0.00806€
Existing Cloud Servers are not affected by this price adjustment. Please note that these prices also apply to rescaling, effective September 1, 2021.
Product Price per month up until now Price per month, effective 1 Aug 2021
Floating IP:
IPv4 1.24€ 3.72€
Existing Floating IPs are not affected by this price adjustment.
All prices incl. 24% VAT.
Demand for IPv4 addresses will likely remain very high. And we will need to continue to purchase nets. We assume that the prices for IPv4 addresses will continue to rise, and that we will also need to increase our prices again in the future. Prices for IPv4 will likely remain high until after IPv6 has become much more popular.
We are confident that this is still a good price/performance ratio and hope for your understanding.
If you have any questions, we are happy to help. To open a support request, please go to the menu item Settings on your Cloud Console. We hope that you continue to place your trust in us as we are constantly working to expand our services and you can look forward to several new features that are already on our roadmap.
With the +1€/month (+VAT) price increase for the CX11 instances, I'd happily drop the public IPv4 address from most of my instances for a 1€/month discount.
Hetzner is a spammer / scammer hell hole. I didn't even realize they had clean IP addresses. Anyone spin up an instance recently and test deliverability?
Good feedback - maybe I'm getting them confused with another of the AWS lite folks (Linode or ...). I had a miserable time on one of these with just trashed IP address rep (but unlimited bandwidth supposedly).
DigitalOcean used to offer unlimited bandwidth (not anymore). They are completely trashed, half on DNSBLs, and most people I know drop traffic from them due to relentless bruteforcing and abuse.
I remembered one of these players and just being totally shocked at how bad they were in this area - like no care - despite trying to compete with AWS. I don't remember if there was also internal-to-their-network scan / attack stuff going unaddressed in addition to just issues with deliverability out (non-marketing), but I honestly felt like I was working with kids vs adults a bit (this is some time ago though).
I'd been told I was an idiot for paying for AWS and that there was lots to be saved on their unlimited bandwidth etc. - but it ended up being absolutely not worth it. AWS support is really good. They seem to take abuse issues quasi-seriously etc.
Yeah, I don't know what is up with DigitalOcean. I can think of several things, like free EDU credit (abused relentlessly, seemingly mostly by CN/IN with fake edu emails or stolen-identity ones) and $5 to $10 free trials, though this has been reduced a bit via card requirements.
They do have very long-term customers that are abusive as fuck, spraying high-PPS port scans and bruteforces out under the false guise of security research (with no IRB, no studies, no affiliation or notice of who they are), pretty much floods that abuse has ignored.
Stuff like this really hinders adoption.