
A confusing aspect of IPv6 is that it's actually a much simpler protocol than IPv4; you often end up assuming you need to configure a bunch of stuff that you really don't have to.

The most common example would be NAT. Despite the complexity it adds to IPv4, people often get comfortable with the idea of setting up complex subnet hierarchies and feel lost when that all just disappears with IPv6.

The key things to remember when working with IPv6 are:

- IPv6 is very unidirectional, it's not a giant one way waterfall like IPv4/NAT

- Routers don't assign addresses, they advertise "prefixes", usually multiple

- Routers will usually have a prefix for: Internet, WAN, Link-Local (last one being advertised only to nodes directly connected to it)

- Nodes use prefixes to auto-generate an address

- Auto generated addresses are usually in the form of "prefix - device_id" so even if a node has a lot of addresses, they are all mostly the same

- Usually nodes can easily communicate back and forth across multiple local routers with little configuration or hierarchy

- Internet/non-local IPv6 addresses break the rules a bit and don't use a device_id in their addresses in order to protect user privacy

- Even if every node has an external address now, you can still configure your firewall to ensure they are isolated from external connections (which is usually the default anyway). You don't need NAT to securely isolate things.

- Once you get the hang of it you will realize how easy it makes everything and despair that support for it sucks and everyone makes it harder than they need to

Finally, for learning resources, I honestly recommend just reading the RFCs. I personally learned this way and believe they provide the most direct understanding of the rationale behind everything.




I have the technical ability to set up a well structured VPC in AWS with private/public subnets, but I wouldn't know where to start if asked to set up an ipv6-only network.

Is the general model of public/private subnet still valid? Or are you saying in a ipv6-only world, there's no need for separate subnets?

There's something about a server not being assigned an IP address at all that makes me sleep easy at night (in ipv4 world, you know that server is truly unreachable via public internet)


>Is the general model of public/private subnet still valid? Or are you saying in a ipv6-only world, there's no need for separate subnets?

Define "public/private". Your server has an IPv6 address that is globally identifiable. Your gateway may not necessarily route traffic to it.

>(in ipv4 world, you know that server is truly unreachable via public internet)

You don't know that, because a port forward rule on the gateway would route traffic to it after doing NAT. And if you made the effort to know that your gateway doesn't have such a rule, then you can equally make the effort to know that your gateway doesn't have a rule to forward traffic to the server's subnet.


> Is the general model of public/private subnet still valid? Or are you saying in a ipv6-only world, there's no need for separate subnets?

This is one thing that's actually been vastly improved in IPv6 (IMO), though I guess it is somewhat more complicated, it is standardized.

In the IPv4 model, your hosts get 'internal' addresses and some gateway device translates these addresses to/from the associated 'public' addresses as necessary. Behaviour when multiple addresses are assigned is undefined, and there are plenty of weird corner cases with internal hosts trying to hit the public addresses of forwarded services and such.

In the typical IPv6 model, your hosts (if they need to talk to the Internet) get a (or several) Globally Unique Address (GUA), which is routeable on the Internet. Optionally, hosts can also have a Unique Local Address (ULA) which is analogous to an RFC1918 address in IPv4. Because it's codified in the standard, hosts will choose the correct source address depending on the destination they want to talk to; a ULA address if the server is also ULA, and a GUA source will be chosen for talking to GUA addresses.

In a typical corporate network, you'd give hosts both classes of address, and your internal services run on ULA addressing. But in most residential or hosting environments, you'd just use GUA as there is no benefit to segregating things this way.
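The source-address rule described above (ULA source for ULA destinations, GUA source for GUA destinations) is what RFC 6724 standardizes. The following is an added example, not code from the thread, implementing a simplified version of that selection; the addresses are constructed documentation values (2001:db8::/32 and fd00::/8).

```python
"""Simplified IPv6 source-address selection in the spirit of RFC 6724.

Only three of the RFC's rules are modelled: a link-local source is only
usable for a link-local destination (rule 2, scope), a source of the same
class as the destination (ULA vs GUA, the RFC's label rule 6) is preferred,
and ties are broken by longest common prefix (rule 8). Added example code,
not from the original discussion.
"""
from ipaddress import IPv6Address, IPv6Network

LINK_LOCAL = IPv6Network("fe80::/10")
ULA = IPv6Network("fc00::/7")         # Unique Local Addresses, like RFC 1918
GLOBAL_UNICAST = IPv6Network("2000::/3")  # GUA, routable on the Internet


def address_class(addr):
    """Collapse RFC 6724 scope and label into one coarse class."""
    addr = IPv6Address(addr)
    if addr in LINK_LOCAL:
        return "link-local"
    if addr in ULA:
        return "ula"
    if addr in GLOBAL_UNICAST:
        return "gua"
    return "other"


def common_prefix_len(a, b):
    """Number of leading bits shared by two IPv6 addresses (0..128)."""
    return 128 - (int(IPv6Address(a)) ^ int(IPv6Address(b))).bit_length()


def select_source(candidates, destination):
    """Pick the source address a host would use for `destination`."""
    dest = IPv6Address(destination)
    dest_class = address_class(dest)

    def rank(src):
        src = IPv6Address(src)
        cls = address_class(src)
        # A link-local source cannot reach anything beyond the link.
        usable = not (cls == "link-local" and dest_class != "link-local")
        same_class = cls == dest_class
        return (usable, same_class, common_prefix_len(src, dest))

    # Highest rank wins: usable first, then matching class, then longest match.
    return str(max((IPv6Address(c) for c in candidates), key=rank))


if __name__ == "__main__":
    # Constructed host with the three usual addresses: link-local, ULA, GUA.
    host = ["fe80::1", "fd12:3456:789a::10", "2001:db8:1::10"]
    for dst in ("fd12:3456:789a:1::20", "2001:db8:ffff::1", "fe80::2"):
        print(dst, "->", select_source(host, dst))
```

Running the block shows the ULA source chosen for the ULA destination and the GUA source for the GUA destination, without any NAT or routing-table trickery on the host.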


It's pretty much the same.

The reason why NAT with IPv4 works is because routers by default do not forward any incoming traffic from outside to an inside host unless there is an entry in the lookup table based on ports or based on port forwarding rules. The important thing to realize is that the local IP addresses (192.x, 10.x, etc.) don't actually matter - they can be replaced with any schema as far as the router is concerned, and made public. And this is because the core routing logic of the entry table based on port doesn't change.

The IPv6 implementation doesn't really differ in this. With IPv6, routers can deny incoming traffic to a particular machine without a previous outgoing request connection, just like in the IPv4 NAT implementation. The receiving end knowing the full IP address of the machine (and even then, with privacy extensions, that IP address will no longer be valid in a day) doesn't really do anything against you security-wise.

However, unlike IPv4, if you actually want to set up connectivity across networks and in fact enable routers to forward traffic based on the IP address, you don't have to deal with NAT translation, UDP hole punching, etc.

And furthermore, forcing harder endpoint security is a good thing. Routers are notoriously easy to exploit in a lot of cases, and once an attacker is on a router, NAT is worthless. Likewise, IoT devices that can be exploited through HTTP-based attacks against central servers also give you the same access.


I generally see IPv6 being a better reflection of reality vs the illusion presented by IPv4/NAT. To put it another way, even if your server has no public IP address, if someone punches through your firewall it's not like that matters anymore right? If they have the keys to the kingdom they can change your network to be however they like.

If your network is a house, and your firewall is the front door, then all NAT does is force you to have a weird fractal room layout where rooms are inside rooms, inside rooms. But if a dude breaks in through your front door, it doesn't matter how many rooms you have, he will find what he wants.

IPv6 lets you have as many rooms as you want and lets you optionally send mail to specific ones. If someone breaks in they still have access to everything, but instead of having to navigate a fractal house, they have to navigate a house with a nicer layout and a trillion doors.

The metaphor is falling apart a bit here, but my point is that if your server has some form of physical network connection that eventually leads to the internet, its address scheme isn't going to help you much, even if it makes you sleep better.


> Is the general model of public/private subnet still valid?

You're getting replies that are tiptoeing around the truth, saying that the answer to this is basically 'yes' when it sure looks like the answer is firmly 'no.' My home IPv4 network isn't routable, it is a private network. If my IPv6 address is globally unique and addressable by someone across the world, my network is not private in the way that most people have come to understand the term. I'm just part of the public network but with a firewall to stop unwanted packets from reaching my local nodes.


> My home IPv4 network isn't routable, it is a private network.

An IPv6 network with a firewall configured to disallow incoming traffic isn't routable; it is a private network.

> If my IPv6 address is globally unique and addressable by someone across the world, my network is not private in the way that most people have come to understand the term.

In what way? All NAT does is funnel traffic over one address (or more), that address is still exposed to the internet and it's your firewall that prevents that incoming traffic. If your firewall is compromised, then NAT isn't protecting you from anything, your network will absolutely be routable despite what you are suggesting. The assumptions you are making are part of the reason why NAT can be dangerous.

> I'm just part of the public network but with a firewall to stop unwanted packets from reaching my local nodes.

This is an oxymoron, you are either a part of the public network or you are not. The only thing that has changed is the semantics.
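The argument above is that the firewall, not NAT, is what keeps hosts unreachable. As an added example (not from any commenter), this is a minimal nftables ruleset for a Linux router that makes GUA-addressed LAN hosts unreachable from the WAN while still letting the link function; it assumes the interfaces are named wan0 and lan0.

```nftables
# Added example ruleset, not from the thread. Assumes wan0 (ISP side) and
# lan0 (hosts with global addresses). Policy drop means anything not listed
# is discarded, which is the IPv6 equivalent of "no port forward exists".
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # ICMPv6 is not optional: neighbor discovery, router advertisements
        # and path MTU discovery all break if it is blocked (RFC 4890).
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request,
                      nd-router-solicit, nd-router-advert,
                      nd-neighbor-solicit, nd-neighbor-advert } accept
        # Anything originating on the LAN may talk to the router itself.
        iifname "lan0" accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        # Replies to connections the LAN opened are allowed back in.
        ct state established,related accept
        ct state invalid drop
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem, echo-request } accept
        # LAN hosts may initiate anything outbound; nothing else is forwarded,
        # so an unsolicited WAN packet to a LAN GUA hits the drop policy.
        iifname "lan0" oifname "wan0" accept
    }
}
```

Load it with `nft -f` and check with `nft list ruleset`; a WAN-side connection attempt to a LAN address should produce a conntrack entry only after a LAN host has initiated one.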


Thanks, that helps a lot.

This got me reading about IPv6 again. I'm trying to figure out how we'd set up an IPv6 network in the case where we have 1) two upstream ISPs, mostly for failover, but could be load-balanced too, and 2) internal servers with assigned DNS.

My initial thoughts were that for each of the two ISPs, each host (e.g. personal desktop or laptop) would use the IPv6 prefix and end up with two addresses. But in the interest of having an internal address for internal servers, we'd need yet another IPv6 prefix for internal use. That makes 3 IPv6 addresses per host.

Does that make sense? I read about getting Provider Independent (PI) address prefixes, which would allow us to consolidate to a single IPv6 prefix, but from what I read, that costs money and should generally be used for large organizations. Ugh.


You don't have to be a large corporation to have your own IP space. Getting your own IP space assigned by an authority like ARIN and getting a BGP AS number is the way to go here. I think ARIN allocates IPv6 space for free or at low cost. There are yearly maintenance fees involved but it should still be affordable for a small business. If this is for home use, then yeah, that would be overkill.


If you want failover-independent IPs you can keep using NAT, i.e. NPTv6, at the gateway level and not bother with giving public IPs to your LAN machines.


Have you implemented NPTv6 before? What routing product(s) have you implemented this with? Do you happen to have some documentation links handy?

In my experience, this capability is missing from most off-the-shelf solutions, and in the cases where it is available, the documentation of this feature is missing or incomplete.


That's possible, but my understanding is that NPTv6 is strongly discouraged. Part of the point of IPv6 is to do away with NAT and the problems caused by it.

I was hoping there was a better way.


Use the GUA prefix from the main ISP. During failover, retract it and switch to the GUA prefix from the second ISP. Prefix translate any stragglers that don't switch to the new prefix for whatever reason.

For active/active you can distribute both prefixes, but you don't get much control over which network clients pick. You can do the same thing here though: NAT only the outbound connections that you specifically want to steer onto the other ISP.

This way you avoid most of the problems of NAT.


NPTv6 is different from IPv4 NAT and doesn't really have the same issues.

A different solution I've seen proposed for networks with multiple ISPs is to advertise both public prefixes to the network and let each client endpoint figure out which egress to use. This seems like a worse idea though.

The most official approach is to get your own public IPv6 prefix and work with your ISPs to BGP route that to you on both links. However, home and small business ISPs generally don't offer this.


Yes, that is correct. But not having NAT is the same as having addresses that depend on the subnet prefix.


OK, I'll bite.

> Auto generated addresses are usually in the form of "prefix - device_id" so even if a node has a lot of addresses, they are all mostly the same

> Internet/non-local IPv6 addresses break the rules a bit and don't use a device_id in their addresses in order to protect user privacy

So a device needs to have both an internal address and an "Internet/non-local" address in IPv6?

Plus one for WAN and Link-Local?

4-5 addresses per device?


It is very normal for devices to have multiple IPv6 addresses. Pretty much every device will have at least two: a link-local address and a public address. When autoconfigured, some devices generate both a long-term and a temporary public address.


Actually there can be an arbitrary number of addresses per device, thanks to the privacy extensions. Since your "device id" is a simple derivation of your MAC address, technically you could be tracked across IPv6 networks through that.

Therefore most modern OSes will create a time-limited random address (within the prefix) to use. When the connections using that address have died, the address is retired. New addresses are generated on a periodic basis. So if you have long-lived connections you could have several active privacy addresses at the same time.
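The two comments above describe the MAC-derived (EUI-64) interface ID and the random temporary IDs that replace it. This added example, not code from the thread, derives an EUI-64 address, shows that the same MAC is recoverable from addresses under two different prefixes (the tracking problem), and generates an RFC 4941-style temporary ID; the MAC and prefixes are constructed sample values.

```python
"""EUI-64 interface IDs versus random temporary IDs (RFC 4941).

Added example, not from the original discussion. Shows why a MAC-derived
address follows a host across prefixes, and gives a defender a check for
spotting such addresses in logs. All addresses here are constructed.
"""
import secrets
from ipaddress import IPv6Address, IPv6Network

IID_MASK = (1 << 64) - 1
UL_BIT = 1 << 57  # universal/local bit: bit 0x02 of the IID's first octet


def eui64_iid(mac):
    """Modified EUI-64: flip the u/l bit, insert ff:fe in the middle."""
    octets = bytes(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC like 00:11:22:33:44:55")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(iid, "big")


def mac_from_eui64(addr):
    """Return the MAC embedded in an address, or None if it is not EUI-64."""
    b = (int(IPv6Address(addr)) & IID_MASK).to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None  # no ff:fe marker: temporary/random or manual IID
    octets = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:]
    return ":".join(f"{o:02x}" for o in octets)


def slaac_address(prefix, iid):
    """Combine an advertised /64 prefix with a 64-bit interface ID."""
    net = IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a /64 prefix")
    return str(IPv6Address(int(net.network_address) | (iid & IID_MASK)))


def temporary_iid():
    """Random 64-bit IID with the u/l bit cleared, as privacy extensions do."""
    return secrets.randbits(64) & ~UL_BIT


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"  # constructed sample MAC
    stable = eui64_iid(mac)
    for prefix in ("2001:db8:1::/64", "2001:db8:2::/64"):
        a = slaac_address(prefix, stable)
        print(a, "embeds MAC", mac_from_eui64(a))  # same MAC under both prefixes
    print(slaac_address("2001:db8:1::/64", temporary_iid()), "embeds MAC",
          mac_from_eui64(slaac_address("2001:db8:1::/64", temporary_iid())))
```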


The internal address is optional; it's only useful if you want to have a known address if your uplink is down so you can do maintenance.

You only need two addresses:

- a global address

- a link-local address


Not clear. How do I reach a device in my local network? Via the optional internal address if my uplink is down and via my link-local address if my uplink is up?

Is the link-local address any good if I'm on wifi but want to ssh into a wired host in my home?

Are you getting my point yet?

Edit: actually I won't wait. The point is it's needlessly overcomplicated. It was done by a committee that didn't even consider people could try to set up their home network. It's good enough for the enterprise (except cloud sellers it seems) and the plebs should just buy a router.

They also didn't consider someone would try to use the command line, since those addresses are not typable.


I think you are a bit confused.

A global address is an address that is routable over the internet. You can reach it from anywhere as long as your firewall permits so.

A link-local address is never routed. It is only valid on a single network segment. You can use it if your uplink is down and you don't have multiple networks at home. It is usually derived from the MAC address of your NIC.

There are some special link-local multicast groups, ff02::1 is the 'all nodes' address. If you send something there it will be received by all hosts on the link.

ff02::2 is 'all routers' - this will be received by all routers on the link. There are more [0].

If you have multiple internal networks and want to reach hosts without an uplink, you can use the unique local address range fc00::/7.

This functions just like 10.0.0.0/8 on IPv4 and is only routed within your site.

[0] https://www.iana.org/assignments/ipv6-multicast-addresses/ip...


> Is the link-local address any good if i'm on wifi but want to ssh into a wired host in my home?

Let's breathe and think about this for a second: you want to know how to reach a device on your local network, and your host has a "link-local" address. Could there be a connection here?

The answer is yes because it's in the name. It's literally in the name, why are you confused? What is overcomplicated about this?

Back when I was in college I did IPv6 compliance testing as a part-time job. Other random freshman computer science and IT students and I were able to pick this up after a day or two of training (aka reading RFCs) with next to zero network experience. I really can't help but see your complaints about complexity as nothing but the whining of a child. (We also exclusively used the command line.)


> your host has a "link-local" address. Could there be a connection here?

Maybe. Or maybe not. It could apply only to hosts connected via the same switch? Or same AP? That's how I read link-local. It's obvious to you because you already know.

> see your complaints about complexity as nothing but the whining of a child

So point me to an overview of IPv6, enough to manually configure a small network, that is clear and complete. Not the RFCs please, I don't want to learn to configure an enterprise (or university) network.

Last time I searched for one there wasn't one.


Yes link-local is only local to the link (same broadcast domain).

But most home networks are bridged on layer 2 anyway.

IPv6 allows for a design where you don't have everything on the same broadcast domain but actually use subnets for e.g. the WiFi network. But since you still want to retain IPv4 compatibility, this is usually not an option in home networks.

> So point me to an overview of ipv6, enough to manually configure a small network

Just enable router advertisements on your router (likely already the case) to announce a /64 prefix that was derived from the prefix you got from your ISP. You also want to enable RDNSS so DNS server information is included with the router advertisement. (also usually the default)

Then enable SLAAC on your hosts (already the default) to automatically select an address based on the prefix from the router advertisement. A /64 is big enough that the router doesn't have to individually assign addresses. Hosts can just pick one and if they are polite, ask if it's already used by someone else (duplicate address detection).

Presto! You now have IPv6 connectivity.


> Just enable router advertisements on your router

That's not "manually". That's clicking in the router's UI. My idea of manually is roll your own Linux.

Worked just fine for IPv4, looks like a full-time job for IPv6.


Then install radvd to enable router advertisements.
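For the "roll your own Linux" case, the steps given a few comments up (announce a /64 derived from the ISP prefix, include RDNSS, let hosts SLAAC) translate into a short radvd configuration. This is an added example, not from the thread; the prefix and DNS address are documentation placeholders and the LAN interface is assumed to be lan0.

```conf
# /etc/radvd.conf -- added example, not from the discussion.
# Assumes the ISP delegated 2001:db8:abcd::/48 (placeholder) and that
# 2001:db8:abcd:1::/64 is the LAN segment behind interface lan0.
# Remember to enable forwarding: sysctl -w net.ipv6.conf.all.forwarding=1
interface lan0
{
    AdvSendAdvert on;          # actually send router advertisements
    MinRtrAdvInterval 30;
    MaxRtrAdvInterval 90;
    AdvManagedFlag off;        # no stateful DHCPv6 for addresses
    AdvOtherConfigFlag off;    # no DHCPv6 for other options either

    prefix 2001:db8:abcd:1::/64
    {
        AdvOnLink on;          # hosts on this link share the prefix
        AdvAutonomous on;      # hosts may SLAAC an address from it
        AdvValidLifetime 3600;
        AdvPreferredLifetime 1800;
    };

    RDNSS 2001:db8:abcd:1::1   # resolver address carried in the RA
    {
        AdvRDNSSLifetime 600;
    };
};
```

Hosts with SLAAC enabled (the default) will pick an address in the /64, run duplicate address detection, and learn the resolver from the RDNSS option without any per-host configuration.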


One thing I wish they had done with the much larger address space is make it easy for an individual to get their own block of IPv6 addresses. Letting enthusiasts experiment with their own address space seems like it would help with knowledge / adoption.


I'm a network engineer by trade and think that would be cool, but I don't think it's a great idea to have a bunch of amateurs all of a sudden participating in BGP for numerous reasons. It's certainly possible for an individual to set up an LLC, get an allocation from ARIN + AS number, order a business ISP connection w/ BGP and get an adequate router. It's a high barrier of entry and won't be cheap. Making that easier will likely lead to more widespread BGP issues (intentional or unintentional), filling up router TCAMs with even more prefixes, etc.

There are already communities out there for hobbyists to play with/learn BGP on private networks over VPN tunnels if you really want to.


Big evil Comcast gives out a /60 to residential customers if you ask for it (via setting a DHCP option). That allows for 16 networks to work with.


DHCPv6 Prefix Delegation. If you're a business customer, you get a larger allocation seemingly depending on the size of your IPv4 static block. I've been given /56 and /54 from their business service. It's quite nice.


Thanks for the insightful primer!



