OK so — I just migrated my personal website to use IPv6 only. It runs on AWS EC2, and my motivation was purely to save on paying the IPv4 fee that AWS is introducing next week. I put it behind Cloudflare which can provide an IPv4 proxy address for site visitors.
But the thing is, even though IPv6 is such well established tech, it was not a great migration experience.
I'm not a network engineer, and you have to figure out how to update a bunch of networking configuration to make this switch on an existing instance, with lots of potential footguns. Even after I got the IPv6 address provisioned and the virtual networking correctly configured, the connectivity was still broken until I found an obscure security group setting that was still set to allow only IPv4 traffic. A lot of basic debugging tools like curl are designed to use IPv4 by default. You have to figure out how to get your webserver (nginx in my case) to listen on the IPv6 interface, which is fiddly. And it's easy to inadvertently break ssh connectivity, which turns out to also be set up to expect IPv4 traffic only...
In the end, it took about 90 minutes of fiddling, including migrating to Cloudflare, fixing DNS, etc. I mean, it's fine. I learned some things.
But if we're all going to switch to an IPv6 world, it would really be nice if the systems and tooling made it slightly easier, somehow.
The thing is, with my mediocre $5 VPS, all I needed to do was copy four lines of config files (as documented by the VPS provider) and open a port in the firewall on the server itself, just like on IPv4.
Amazon is horribly behind on a lot of things (just look how long it took them to get DNSSEC working, and it took them a couple of tries to not break entire domains for people using it!). They're ahead of Azure, but that's about the best you can say about that.
I suppose it makes sense, IPv4 addressing is now an additional method to make money for Amazon, so why make it easy for customers to migrate?
Also their sizeable ipv4 stockpile is kind of a moat and competitive advantage; it's pretty much guaranteed that no other cloud provider can reach their scale while ipv4 remains dominant. So they have some interest in delaying ipv6. It is quite perverse considering that ipv6 really should be quite ideal for hyperscale cloud.
> If AT&T and AWS went IPv6 by default, most of the US would convert over quickly.
Comcast and the mobile carriers went ipv6 years ago, that's already something like over half the US endpoints? It hasn't sped adoption (Github STILL isn't ipv6 for git).
Another example, I've been trying to get Georgia Tech to fix their ipv6 linux mirrors for over half a year, they advertise they support ipv6 and publish AAAA records that don't work. http://rsync.gtlib.gatech.edu/ < check it out.
So yeah, even when it's deployed nobody checks to see if it's still working when ipv4 is fine.
> Thank you for contacting PACE. We appreciate your patience, as we are experiencing a larger volume of incidents and work-related activity. Please be mindful that we will begin our Maintenance Period starting at 6:00 AM on Tuesday, 01/23/2024, and tentatively plan to conclude by 11:59 PM on Friday, 01/26/2024.
I'll continue to follow up here, but it seems like an actual human has read the message this time.
> I'll continue to follow up here, but it seems like an actual human has read the message this time.
Any word? Why not look up email for one of the staff here https://www.pace.gatech.edu/staff seems like they unfortunately don't check any of the primary emails for the mirror as we've not heard from them in a year or two.
Again, we get it if they have upstream issues not being able to support ipv6, but drop the AAAA records and stop advertising it if that's the case, that's not a big request.
If they wanted people to migrate, they could first put a bit of effort into making their tools suck just a bit less on IPv6. It's not even "second class citizen" status, it's more "bastard stepchild of my least-favorite in-law" right now.
Contabo. They've supported IPv6 for a decade now based on the date on their instructions (https://contabo.com/blog/adding-ipv6-connectivity-to-your-se...). Enabling IPv6 comes down to copying "gateway6: fe80::1" to your netplan file, adding the /64 listed in the control panel, and optionally adding an IPv6 DNS server. After a reboot (or sudo netplan apply) you'll have full IPv6 connectivity.
Well, their default images come with a script that'll allow you to `sudo -H enable_ipv6`, but I removed their customisations so I had to do it manually.
They have raised their prices since I last ordered a server there, it looks like €5,45 is the cheapest server you can get these days (includes VAT of course).
In my book, 90 minutes of fiddling in a case like this is pretty fast.'
Ideally it'd be 5 minutes (1 minute to locate and click a checkbox, 4 minutes to test all services from a few locations), but this is still fast. It includes zero tech support tickets, for instance.
For some AWS services, such as Elastic Beanstalk, there appears to be no way to avoid consuming a public IPv4 address on the EC2 instances, except by introducing a NAT gateway.
(And "NAT gateways are an extremely cost prohibitive device in AWS, costing at least as much per day as medium sized EC2 instances!")
I have to appreciate the Brazilian effort for promoting IPv6. I attended a talk on a university about 5 years ago where members of the Brazilian Internet Steering Committee (CGI.br) talked about IPv6 and why it's the future.
It was very informative, and I also found out they offer free courses about IPv6 networking, with certificates included.
I think CZ.NIC offers something similar, but they should be promoted more often so sysadmins can prepare themselves for the eventual shutdown of public IPv4 addresses.
At roughly the same time, Android added 'clatd' so existing apps would just work in an IPv6-only environment via NAT64.
Apple refused to implement clatd, instead forcing app developers to fix their own code. More work upfront, but now iOS apps should have an easier time transitioning their server-side components to IPv6, compared to Android apps.
I mean, I used to rent the $5/month VPS, and it worked well. In fact, it had much nicer developer experience than EC2 for many reasons. But my provider (digitalocean) raised the price, and I don't really need a lot of CPU resources to serve mostly static files plus a couple of tiny server processes that get very very low traffic. So I downsized to a tiny EC2 instance.
I would go back to the 5/mo VPS if it became clearly better than the alternative. I don't really need an IPv4 for what I use it for, though, as long as someone else wants to provide an inexpensive (or free tier) proxy service.
June 6, 2012 is a better date; that was the "World IPv6 Launch Day".
But even that was negligible since nobody actually had IPv6 connectivity. Even now I still don't have a home wifi router that supports it, though at least my ISP does since last year.
The real driver of IPv6 was the rise of smartphones.
It's a tp-link Archer, and since it supports Wi-Fi 6 it must have been from 2019 or later.
Hmm, I just went deep into the settings and there's an IPv6 toggle (disabled by default, and requires playing with menus to make it actually work) now. I don't remember seeing that (and I explicitly checked) when we switched the ISP-side last April. But the firmware is dated after that, so I choose to trust my memory.
Actually trying to connect to ipv6 stuff besides the router itself (in fd00::/8, that's good) just gives "Destination unreachable: Beyond scope of source address" though (probably because I only have an fe80 link-local address though?). If I play with the settings some more I get a ::/64 address, but that just gives me a black hole ... wait, is that even a legitimate address? Do I need to fill in the prefix manually or something?
I'll play with this some more in the morning I guess. But I certainly wouldn't expect a normal user to get IPv6 working under these circumstances if I haven't figured it out yet ...
That's a leftover from back when IPv6 was very new (yes these utilities are that old), and the networking utilities (ping, traceroute, etc) understood only IPv4. It's no longer necessary, all relevant networking utilities have since been upgraded to work with both IPv4 and IPv6; you can use just "ping" with a IPv6 address and it should work.
> You can use just "ping" with a IPv6 address and it should work
Not on BSD-derived operating systems (macOS included). You must use ping6 to ping an IPv6 address (including a hostname that only publishes AAAA records.)
From `man ping6` on macOS Sonoma:
> There have been many discussions on why we separate ping6 and ping(8). Some people argued that it would be more convenient to uniform the ping command for both IPv4 and IPv6.
> The following are an answer to the request:
> From a developer's point of view: since the underling raw sockets API is totally different between IPv4 and IPv6, we would end up having two types of code base. There would actually be less benefit to uniform the two commands into a single command from the developer's standpoint.
> From an operator's point of view: unlike ordinary network applications like remote login tools, we are usually aware of address family when using network management tools. We do not just want to know the reachability to the host, but want to know the reachability to the host via a particular network protocol such as IPv6. Thus, even if we had a unified ping(8) command for both IPv4 and IPv6, we would usually type a -6 or -4 option (or something like those) to specify the particular address family. This essentially means that we have two different commands.
Interesting. I’ve tried macOS and OpenBSD and they both require using ping6 to ping IPv6 addresses. I wonder if FreeBSD changed this recently or if it was always that way. Regardless, macOS is the elephant in the room here as it’s a lot more popular than any of the (other) BSD’s.
I often use ping to check if a machine is alive or is reachable at large. Then it might be more informative if ping tried all addresses the name resolves to. You wouldn't need to specify the protocol version.
ping6 and ping4 are symlinks to ping on my system, and are equivalent to passing -4 or -6 to force a specific version. The default behavior negotiates either fine.
I'm testing with `ping ipv6.google.com` as well as the router IPs. Between each change, I disconnect from wifi.
The router itself has a ping tool and can ping ipv6.google.com just fine. So I assume the upstream options are correct.
For the LAN, I have 4 options:
* ND Proxy gives me an fd/8 address. I can ping the router via its fd/8 or fe80 address, google blackholes.
* DHCPv6 gives me an ::/64 address. I can ping the router via its fd/8 or ::/64 addresses, google blackholes
* SLAAC + Stateless DHCP does not give me any address (I still have the default fe80 address). I can ping the router via its fd/8 or ::/64 addresses, google gives Destination unreachable: Beyond scope of source address
* SLAAC + RDNSS does not give me any address (I still have the default fe80 address). I can ping the router via its fd/8 or ::/64 addresses, google gives Destination unreachable: Beyond scope of source address
In all cases, the IPv6 addresses the router says are its DNS servers blackhole. I do have working DNS returning IPv6 address for google though; presumably because the ipv4 DNS server it advertises (which is the router itself) still works.
If I bypass the wifi router, the ISP router gives me both an address in both fd/8 (in the same /64 as the wifi router gets assigned, which makes sense) and in 2607/16, besides the usual fe80. The ISP router is really bad, all it has is an "it's connected" indicator and a bunch of phone numbers and URLs for support.
Still bypassing, pinging `ip6-allnodes` gives me 3 responses, all with fe80::/64 addresses: my computer, an unknown, and the wifi router; I can ping those addresses, as well as the wifi router's fd/8 address.
Maybe I should play with the router's upstream settings ... "Get IPv6 address" has auto, slaac, dhcpv6, non-address ... since I can ping it from outside that has to be right. If I disable "Prefix delegation" the ::/64 box is editable but it complains about literally anything entered. And I don't have anything meaningful to manually enter a DNS address.
Hm, I just noticed that the last bit of the router's address varies between some of its addresses ...
fd::/8 addresses (really fc00::/7) are ULA addresses [0], defined as non-routable local addresses, so it’s expected that you can’t get out to the internet through just that address.
Do you have any smart home devices? Protocols like Thread and HomeKit establish their own randomly-generated ULA prefixes and advertise them through RA’s (router advertisements) and correctly-configured devices in your LAN will observe the RA for that network and generate a local address for it (including your router.) So just seeing a fd/8 address doesn’t mean your actual router gave you it, it just means that something on your network is using a ULA prefix.
Basically, it’s possible the real problem is that you’re not actually seeing an RA from a “real” (routable) IPv6 subnet when behind your router.
> If I bypass the wifi router, the ISP router gives me both an address in both fd/8 (in the same /64 as the wifi router gets assigned, which makes sense) and in 2607/16, besides the usual fe80
When you do this, can you ping out? (`ping6 2607:f8b0:4004:c17::65` or something to rule out DNS issues.)
> Maybe I should play with the router's upstream settings ... "Get IPv6 address" has auto, slaac, dhcpv6, non-address ... since I can ping it from outside that has to be right. If I disable "Prefix delegation" the ::/64 box is editable but it complains about literally anything entered. And I don't have anything meaningful to manually enter a DNS address
What you want here is dhcpv6 and prefix delegation. This will make your router ask the ISP for a real IPv6 network to use, and upon receiving this from your ISP, will send RA’s out to your local network for a “real” (2607/16 or whatever) network. A prefix length of 64 should do it, unless you need multiple subnets inside your router. (People say dhcpv6 is obsolete by SLAAC, but prefix delegation is a different thing… if you want to have your own router obtain a network prefix from an ISP, DHCPv6+PD is the only way to do this.)
in december 01995 zero nsps and zero isps supported ipv6. you had to be on the 6bone, which didn't even exist until march 01996. also you probably had to write your own protocol stack because there wasn't an off-the-shelf one for your platform. in december 01995 what you had was a paper spec
As a fun aside, global smartphone sales in 2021 were 1.4Bn units. That alone is enough internet devices to exhaust the entire IPv4 address space every three years. I wonder if anyone was imagining that 43 years ago.
And? IPv6 is still under rather heavy development with significant changes still being made. As a user, I wouldn't call it well established because it's shifting too much still.
It's fine. The only breakages I've had are when the ISP's v4 DHCP goes down (v6 websites keep working) or when IPv6 delegation fails somehow and my machines lose v6 (v6 only stuff breaks).
Your mobile phone probably already uses IPv6 (especially if you use VoLTE) and it's fine, too.
What made me disable it was some issue in Linux network stack, with ipv6 broadcast, on by default, exploitable to root execution.
For me it is yet another complex service that I do not need, and that should not be exposed to network. Ipv4 network stack code is far smaller, simpler and way more tested over decades!
Conversion to IPv6 is an item in the 14th Five Year Plan (2021-2025) of the People's Republic of China.[1]
"We will accelerate the large-scale deployment of 5G networks, increase the user
penetration rate to 56%, and promote the upgrade of gigabit optical fiber networks.
We will build up technology reserves for the future deployment of 6G network
technology. We will expand backbone network interconnection nodes, set up a number
of new international communication gateways, and comprehensively promote the
commercial deployment of Internet Protocol Version 6 (IPv6)."
There is a migration schedule.[2][3] As of this month, there are supposed to be no new IPv4 services.
The goal is IPv6 only by 2030. Actual adoption in China is reportedly only 25-30%, though.
It is visible in the APNIC Labs measurement at 30% and within different AS of China Mobile at 65% or better, it depends province by provice, and provider by provider.
I don't call this abysmal at all. It very possibly is higher, there are reasons why APNIC may undercount, but noting that APNIC and Akamai tend to agree on their numbers.
Google's own numbers for China are far lower for reasons which do not affect the APNIC or Akamai data.
1. Most Chinese websites or apps don't work properly or at all in a pure IPv6 setting. They claim to be IPv6 compatible, but have a lot of problems (e.g. images not loading).
2. Most Wi-Fi networks (be it home WiFi, restaurant WiFi, hotel WiFi, school WiFi, etc.) have no IPv6 addresses. Half of the IPv6 enabled WiFi networks I've ever seen are set up by myself.
A lot of people, including young people, throughout Asia don't have computers. A large number of working adults our age (however old you may be) don't touch desktop or laptop computers at all on their day to day. A huge number of people only have phones in their home and only use phones for their work. Plenty of companies also use tablets with specialized apps in places where a western company would use a PC. Finding 20-30 somethings in Asia who are educated and employed who don't know how to use a mouse isn't uncommon. I've encountered it loads of times with new employees in various offices.
Virtually all of India is phones and tablets. It's the highest ipv6 economy. If your criterion is "not handheld devices" then I ask, what makes desktop computers so special?
I believe 80% or more of the planets internet is handhelds.
You think the US home users on comcast are all PC's?
More on the technical side. Most of mobile devices and their modems need (or even allow) zero to no manual configuration, so adopting ipv6 with these hardwares are easy -- the ISP just need to deal with their side.
This is in contrast to "fixed-line" internet devices like computers and their routers.
Something that isn't talked much about IPv6 and I believe has subtle and indirect influence on it's adoption is that it is far far far less human-readable than IPv4.
You can't find me a single sysadmin or casual user who would look at an IPv6 and say, nice, I prefer that one over an IPv4 or find it easier to type or communicate.
You can argue about merits of IPv6 and very reasonably so all day long, but this fact remains.
I don't think governments or other institutions can strong-arm IPv4 out of existence. I don't know what the long term solution would look like, but I strongly doubt it will be IPv6-only. Ever.
I'm a sysadmin and find IPv6 easier to use. You can easily make short ipv6 address just by having a larger prefix and then omitting zeroes (with `::`) in your host-part that you don't need.
Take `2001:db8::1`. Here `2001:db:8` would be your network address and `1` your host-id. For example, a router. `2001:db8:2` could be a server and so on.
The prefix I get from my ISP is a complete 56 bits, more or less. Thus even if I use ::1 on the inside, it's very long and tedious to type. ULAs are better but are still supposed to be 48 bits[1].
"IPv6 addresses are ugly" is only an argument for as long as ipv4 addresses don't cost anything. as soon as they put a price on it, nobody's going to care.
Arguing that "we can price IPv4 out" only reinforces my point; of course, ignoring the fact that it is a pipe-dream. But the fact remains, no one really prefers IPv6 over IPv4.
I started to prefer it after I foundout that with IPv6 every Docker container can have its own IP address and this can be used to solve the hairpin NAT problem.
There is over 1 billion users with less than 5% on IPv6 in China alone.
Some 200 million users in Indonesia with less than 15% on IPv6.
Hundreds of million of users in Africa that are growing at a very fast pace, still on IPv4.
In Europe outside Germany and Belgium, the IPv6 usage is between 5-20% max. Millions of people.
There is also millions of industrial systems, ATMs (heck, some of them still run XP!), and whatnot that will not get IPv6 short of complete replacement.
You can't price IPv4 out with that kind of numbers combined with the fact that it is an extremely open market.
IPv6 adoption is low now, but the answer isn't to just give up and stick with IPv4 forever.
As the extra cost of IPv4 keeps rising it will sooner or later outprice the cost of moving to IPv6.
Similar as with fossil fuel cars -- super convenient, there are petrol stations everywhere. But as the price started rising (assisted by very harsh taxation) suddenly the idea of switching to electric didn't seem so bad.
The original idea was that configuration would be so automatic that humans would never see the addresses. Instead of an admin assigning a name and IP address to each host, the admin would only assign the name. The host would figure out its local topography from Neighbor Discovery then tell the dns where it's connected. I'm not sure how well that worked out in practice.
It didn't work in practice. In many situations names don't work. One example would be games with local lan support, and you use IP addresses to make sure you are connecting to the right server. Other would be tiny embedded devices, that are not powerful enough to scan the network and need a hard-coded or user configurable IP address to connect to the right place.
how would configuring DNS even work without having to see the addresses, and how would SSH'ing to a device on the LAN work without seeing the addresses
NetBIOS/WINS protocol could discover names -> IPs by broadcast, more modernly Zeroconf/Bonjour can do it, and if there's some organization then DHCP servers can register hostnames in DNS when handing out addresses.
ipv6 is so design by commitee that it's ... not worth the trouble ... as a hobbyist. You just described a scenario where you need 3 services for the machines in the same local network to talk to each other.
I'm not willing to spend the time to set it up on my internal network until I start to lose connectivity to some places, sorry.
To be clear, I'm not defending it, just describing it. I was at the IETF meetings where all this was being discussed and remember thinking it would never work.
When people tell me ipv6 is already widely used, I ask them what name I should use when I want to ssh to their ipv6 device, their phone for example. People don't notice ipv6 isn't working because the Internet has evolved into a world of two classes of people, the rich and powerful like Amazon with addressable IP endpoints, and the second class citizens like you and me who can only connect to the rich and powerful, not to each other.
Technically I have a business connection going into my home with a public fixed ipv4 and probably a fixed ipv6, if only i could be bothered to configure pppd and whatever 5 other daemons i need to install.
Problem is, that's not my only fiber. I have two from different ISPs (Romania, so they're cheap). With ipv4 i only need to change the default route to the other router to choose which ISP i use. With ipv6 where my internal machines get an address from the ISP, i don't know where to start.
And I definitely don't want to spend a couple thousand on an "enterprise" multi home router that will do it for me...
> Something that isn't talked much about IPv6 and I believe has subtle and indirect influence on it's adoption is that it is far far far less human-readable than IPv4.
No shit Sherlock: an IPv4 is 4 bytes. An IPv6 requires 16. This is four times as much data, it has to be less readable, that’s just the price of a bigger address space.
Now one could have argued that 8 bytes, heck, even 6 bytes, would have been enough. I guess it would have, but having a /48, or even a /64 range, per user, is quite convenient: we can ditch the NAT (we probably won’t, but we can).
But even then, 8, or even 6 bytes, remain harder to read than 4.
The number of bytes isn't what makes it hard, "habanero eardrum" is 16 bytes and much easier to remember, there probably is a way to make ipv6 addresses easier to use, but hard to do now.
"habanero eardrum" is actually less than 4 bytes -- let's say 12 bits for a common word (eardrum) + 16 bits for an uncommon word (habanero).
If it were 16 bytes, the other options from the same 16-bytes space would be, for example, "\xa3\x80W%\xa3\x82\xa1\xea\x10\xf9\x8b\x07'\xf93J" or "\xf0\xef\x9b\x8f[0\xe5\xb9,\x0b\xd4^\xb00\xed\x00" (chosen by a fair /dev/urandom roll).
If you want to convey 16 bytes using similar encoding, you need to use about 10 to 12 human words -- see for example Bitcoin wallet 12-word seed phrases or https://xkcd.com/936/ (xkcd correct horse battery staple).
For IPv6, if your addresses are not SLAAC, but DHCP or manually assigned, you can go with half of it - the "random" part is the 64bit network prefix.
We just need to agree on a 2^16 word dictionary, each 16-bit segment gets it's own word. Then we can write addresses such as correct:horse:battery:staple::one .
As a private user, as long as I remember the prefix assigned to my connection I much prefer having a stable [prefix]::dead:beef or ::f007:1 and ::f007:2 etc compared to the ever-changing 85.nnn.nnn.nnn v4 address.
Or simply just /think/ of it as a /112 subnet with [prefix]::0001-ffff available - still room for 65535 addresses in that one, more than I'll ever need.
No need to rely on long autogenerated SLAAC addressses if you don't want to, you can have whatever you want after your prefix and you don't have to pad it out with garbage random-ish values. A sysadmin can get creative :)
Of course your ISP will need to have proper v6 support.
How often are you communicating IP addresses? Is that not the point of domains, because humans are rather terrible at remembering sequences of numbers?
> Something that isn't talked much about IPv6 and I believe has subtle and indirect influence on it's adoption is that it is far far far less human-readable than IPv4
What? This comes up in like 95% of ipv6 threads on HN (see also: ‘they should have just added an extra quad to v4 addresses’)
My grand father used the dots in the address!
My father used the dots in the address!
I used the dots in the address!
Henceforth every human being should use the dots in the address till heat death of the universe!
I don’t understand… why do you consider the way longer one to be more readable than the shorter one? I find the colon string a lot easier to read, a lot easier to compare at a glance, and a lot easier to memorize.
We don't know exactly how many address bits we're ultimately going to end up needing. Our only options are to go for "too big" or "too small". Giving how much effort it takes to deploy a new IP protocol, we should err on the side of having too many addresses rather than too few.
On 17 January 2024, the Government of the Czech Republic approved the material "Restarting the implementation of DNSSEC and IPv6 technologies in the state administration". On the basis of this decision, the Czech state administration will stop providing its services over IPv4 on 6 June 2032. Thus, the Czech Republic knows its IPv4 shutdown
In the U.S. I run into issues most commonly with businesses. Consumer ISPs and mobile operators all seem to have IPv6. Hosting providers (and recently cloud providers...) all have dual stack or v6 only. However I don't think I've ever worked anywhere that actually had an IPv6 network (at least on the office side)
In general, no. All operating systems default to using random host bits in SLAAC addresses, each bootup (or change of network interface) will instantiate a new address.
More than that though, IP addresses in both v4 and v6 varieties are unreliable sources for tracking and basically no actor you'd want to guard against depends on them anyway. With mobile phones being common, your public addresses are changing all the time anyway. On IPv4, CGNAT is becoming increasingly more common so that you might share a public IPv4 address with thousands of other people at the same time.
A counterpoint is that by cycling through IPv6 addresses no one can ever tell who is who by addresses alone. Okay, they could probably tell from the IPv6 prefix because the entire company/household shares it, but people used to ("use to" if you live in a Western country, probably) share the same public IPv4 address too so I find that point rather moot.
Another very strong counterpoint to this is that, you can't really build a truly-P2P network nor self-host a service on Internet, when everyone is behind CGNAT. At some point, as IPv4 resources get scarcer, only corporates will have the ability to host services on the Internet, and I don't think it is in their interests to host Tor nodes, for example...
> Which is an advantage from an anti-tracking perspective
Depends. It makes it harder for someone outside your ISP to track you, but it makes it easier for your ISP to track you, and harder for them to justify not keeping logs of where you've connected to (since that data is necessary for their CGNAT system to work).
You get a new IPv6 address very quickly (mostly every day or every week). That makes tracking difficult too. While the prefix is mostly stable, that is akin to the public CGNAT address.
I mean people are just going to log into their gmail account in their chrome browser and it doesn’t matter if you change IP’s every single minute, that identity isn’t changing as often and the relevant information Google wants will be tracked.
SLACC dynamic address are basically the same as IPv4 NAT from this perspective. Everyone who cares has tables of the prefix size assigned to customers in various providers' IP space.
> All operating systems default to using random host bits in SLAAC addresses, each bootup (or change of network interface) will instantiate a new address.
Great, so I can't connect my laptop to my desktop across reboots without setting up some internal dns?
On Windows, you will see a "temporary IPv6 address" and "IPv6 address" on your network configuration screen. On Linux, you will see an IPv6 address without a temporary tag, and an IPv6 address with one, when you run the command `ip address`:
inet6 2406:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:62c9/64 scope global temporary dynamic
inet6 2406:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:a31c/64 scope global dynamic mngtmpaddr noprefixroute
Temporary IPv6 address changes every now and then, but your stable IPv6 address will never change unless your ISP changes your prefix, you change your network, or your network card entirely.
When you are browsing the internet, the OS will use the temporary address for outgoing connections (unless the application forces stable addressing). But when you are hosting a service, you give your users (in this case, your laptop) the stable address.
No, IPv6 devices are typically assigned both a permanent IPv6 address and a temporary one. When using the internet, it uses the temporary address for privacy reasons.
If you want to hand configure your network, set up DHCP and disable SLACC. I wouldn't recommend it, because it just makes life harder, but you can do it.
Even better though, hostname resolution works just fine on link local addresses (fe80::/16), you needn't care about public addresses to communicate on a LAN. Or hell, you're on a LAN, keep configuring IPv4 they way you always have.
With limited IPv4, many places have dynamic IPv4 in a way or another, or have IPv4 behind some sort of NAT, so the actual IP of the accessing device may be hidden, or are private addresses. Anyway, that doesn't mean that i.e. your ISP couldn't be asked what person was using certain dynamic IP at some time.
With IPv6 it depends on implementation. Your device may have a public IPv6 address, persistent or not, and you don't need to be behind some sort of NAT (unless it is something to access ipv4 addresses), so if a lot of those conditions apply you might be tracked.
But there is a lot of conditionals in both sides, and the elephant in the room is that you are tracked for more things than just your IP address.
It can in the near term, as each endpoint has a unique public identifier instead of being mixed with multiple endpoints behind a NAT gateway, but less so over the long term, as privacy addresses are typically rotated at least daily.
Of course, all of this needs to be included in a broader discussion around myriad vectors of tracking and fingerprinting to arrive at a meaningful conclusion.
You can be tracked with either, but IPv6 is not functionally worse than IPv4 in that regard. You could argue that IPv6 is less anonymous than CGNAT, but CGNATs usually have to keep detailed logs, so that balances out.
All the tricks for anonymizing IPv4 (VPN, NAT, Tor, etc.) are equally feasible on IPv6.
Tangentially, I thought Czechia is the modern and practical name for the country. "Czech republic" was used for many years, for reasons which I never understood, even though nobody says "Italian republic" or "German federal republic". If you insist on using an old name, you might as well chose "Bohemia".
Bohemia is one of three historical states comprising the Czech Republic, the other two being Moravia and Silesia. I can't speak for all Czech people, but I can tell you there is a sizable group who don't like the name Czechia because its Czech equivalent "Cesko" while nowadays officially recognized as a short version of the country's name was originally only a conversational short name and it feels far from proper and official both as the Czech version, "Cesko", and in the English translation, "Czechia". I would be interested in a poll of the Czech public quantifying people's preferences towards which name they prefer to see how small a hill I am choosing to die on actually.
BTW the full name includes the definite article, so it is "the Czech Republic".
The reason is very similar to why people from United Kingdom get upset when you call it England. Czechia is at same time name of the main region and (now) the country as a whole.
Funnily enough the distinction between regions exists in english language - Bohemia being the name of the region. So Czechia as name for country could work. But in czech language word for Bohemia region is "Czechia" (there is no Bohemia).
So thats why for years you had people insisting on the Czech Republic. Because you don't want to overlook the other two regions Moravia and Silesia.
> But in czech language word for Bohemia region is "Czechia" (there is no Bohemia).
No. Bohemia is Čechy, Czechia is Česko.
Yes, they are sometimes confused, and maybe people are unhappy with Česko because it's just too similar to Čechy. People from Moravia and Silesia feel underrepresented when someone mistakenly uses "Čechy" (Bohemia) for the entire Česko (Czechia; Bohemia+Moravia+Silesia).
Adoption of IPv6 by large organizations for their services doesn't make IPv4 go away.
And even if ISPs stopped issuing IPv4 addresses to end users, there's nothing stopping anyone from setting up a public VPN into an IPv4-based virtual LAN -- if there was demand for it, it could easily be offered by the same services you're currently using to find "strangers over the internet" right now.
On local networks is where IPv6 is the most advantageous to me right now.
For the Internet use, it's mostly just more addresses to me, but on LANs, there are so many more useful features. Unique link local addresses, various multicast addresses...
I can drop 10 new devices into a VLAN, and ping ff02::1%iface to enumerate them all and start communicating with them right away without any kind of configuration, not even SLAAC or DHCPv6 needed.
Won't you always be able to use it for local networks? I like NAT and regardless of IPv6, I think I'll keep my home network as IPv4 in a NAT and completely block outgoing and incoming per-device-IPv6.
That won't work if you need to access IPv6-only services (as the Czech government will make theirs). In other cases it may "work" but perform worse than IPv6.
Why the desire for a NAT? It's technically possible on IPv6 too (NAT66), but SLAAC dynamic addresses + a non-NAT firewall + possibly ULA are generally a better way to get the combination of privacy + security + local addressing I think most people associate with NAT in IPv4.
> Won't you always be able to use it for local networks?
Well for me until Linux shall support IPv4 my machines shall be on IPv4 behind NAT. And yet I'm enjoying IPv6 with my ISP-provider router transparently doing the heavy lifting and using IPv6.
> and completely block outgoing and incoming per-device-IPv6.
Same. I do just that: it's disable by a kernel parameter, in sysctl and in the firewall, just in case I'd mess up and re-enable one or two of these.
You can pry IPv4 on my LAN from my cold dead hands.
In my case I run a double NAT. I don't consider the subnet which the ISP's router offers to me as something belonging to me, but something the ISP owns. In that subnet I have one honeypot (old Raspi) and a router which treats that subnet as the internet and offers me my own subnet which I call home.
I don't care what the ISP does with the router it provides to me. If it uses IPv6 or whatever. In my case their router will only see another device which is only capable of using IPv4, so it better deal with it.
You can use certainly v4 for however long you like, but you still need to use v6 as well, because you can't connect to v6 addresses using v4. (If you could, we wouldn't need v6 in the first place.)
If you want to avoid v6 altogether, you can use a proxy on the machine you're currently calling your router, and configure all of your programs to use the proxy. But... nobody wants to use proxies.
You know you can assign both IPv4 and IPv6 addresses to the same device? You can access things locally by IPv4 and have it talk to the internet via IPv6. Not sure why you'd want to but it's completely possible.
I'm talking about the LAN address. The globally routable address changes every time I reboot my router, so I don't use that for LAN. But my LAN IPv6 address isn't better. I don't know if it is stable, and it is too long. For example, my current link local address is [fe80::7713:e154:21d8:464]. Who's gonna remember or type that?
This really needs to be an EU-wide thing, and a lot sooner.
Two years till it becomes illegal to offer something on IPv4 for the general public and not offer it on IPv6, two more years and no ISP may route IPv4.
Also no ISP NAT bullshit. A default enabled firewall refusing incoming connections is fine, but the internet should be a network of machines that can talk to each other, and for that to happen it must be possible for owners to accept incoming connections, even if it is for nothing more than remote access to their PCs.
I agree completely, but bigger companies are going to lobby against that. They’ll even give reasonable sounding reasons, such as switching costs or user safety.
Their real reason though will probably be that the truly peer-to-peer networks enabled by a world free of NAT and symmetric bandwidth would undercut their precious market.
Finally, I’m not sure our governments would like the rise of Anarchist networks where speech is so free they can’t even control it. See all the attempts to criminalise or put limits to encryption. Such things would never happen under democracy, but the representative governments we live under are a little different. (Historically, representative government was conceived in explicit opposition to democracy, and democracy lost.)
> the internet should be a network of machines that can talk to each other, and for that to happen it must be possible for owners to accept incoming connections
The importance of this is quite obvious if you’re politicised enough. Stuff like Free Speech.
From the perspective of the US that makes sense. It's legal to say practically everything but hostings will kick you out if they don't like you.
But in the EU speech is restricted and hostings won't kick you out unless you say something illegal... and at that point you'll be in trouble hosting stuff using your home connection.
Its not just that - if we want to be competitive then it should be possible for a hacker to offer a new type of idea and let the world try it out - perhaps a decentralized web, or planet scale IPFS, or something that yet only exists in the head of some 17 year old nerd.
And while Europe is more restricted than the US, it is not like we are the Soviet union.
It's mostly African and Asian countries with (very) low adoptions, and this translates to "screw all the countries too poor to adopt IPv6, and let's reduce their chances in the global economy even more". I'm putting it rather sharp here and I have no doubt that's not what your intent is, but that's absolutely an effect of forbidding IPv4.
There is an actual market for buying IPv4s, meanwhile you can get millions of IPv6 addresses for free. This means that connecting the next billion will be much cheaper if they don't have to compete with companies with far more money.
In the Netherlands all government services must comply to the rules of internet.nl, which, among others, requires IPv6 connectivity.
But for some things you are dependent on others, for instance, the colo not having IPv6. (and in th case of Internet.nl: IPv6 for email is still opt-in on request with Office 365, DANE is not supported yet, etc)
Which is why this time US government for example is only allowing extensions to government agencies on case by case basis, but not to vendors.
AFAIK they allowed extensions for vendors in 1990 and that's why original EOL date for IPv4 continuously slipped until success by Network Translation and its PIX devices helped kill the attempt completely.
The "ancient" code probably already speaks IPv6 due to whatever method used to hook IP connectivity to its VTAM interfaces. Or due to its age it has multiprotocol support anyway.
It's the BSD Sockets using code that is a problem - the OSes has supported v6 for a long time now.
Actually routing IPv6 is usually possible with existing equipment, once you figure out all the settings (and potentially avoid the bugs). What usually ends up being the issue is some side piece of software that isn’t ready to log IPv6 addresses or assumptions made about how long they’ll be in some database somewhere, etc.
I’ve seen hacks around that, like hashing IPv6 addresses down to 4 bytes so you can store them as fake IPv4 addresses :O
Yeah, it's just that it took time to implement, especially since IPv4 ossification (at the time when it was explicitly in works to be removed!) happened partially through introduction of hardware-assisted switching.
But we have had fast path switching for IPv6 for I think 20 years now, and it's generally available. Hell, some big networks, the kind where having fast path switching, moved fully over to v6 and simply do not transit v4 (Deutsche Telekom, for example, whose skeleton network is now "flat" IPv6 network and any v4 traffic is encapsulated to 464xlated
I've heard that under 10 years is the optimal for a long term government project. Anything longer, and it's equal to "forever," and it's never done. This was the rationale for setting the goal of landing on the Moon to within the decade.
For governments maybe, but for banks? They're still desperately trying to transition to IBM databases that were deprecated slightly more recently than their current one.
US gov has been actively pushing for IPv6. You can question the efficacy of their efforts, but the intent is there. Of course I suspect there is lot more inertia of all sorts in US gov compared to CZ, just due size and history.
A bunch of IoT hardware and other microcontroller-based hardware has IPv6 support, but that support is often disabled to save a couple of kilobytes of flash memory. You can buy all kinds of hardware today that lacks IPv6 support.
Of course, if that hardware needs to access IPv6 services, they might as well disable IPv4+ICMP+DHCPv4 support and enable the IPv6 size in firmware, and probably get similar savings.
To be honest, I'm not sure why companies still ship ESP32-like hardware with that little storage given how cheap flash storage is, but these optimisations are more common than one might think or hope.
There are plenty of IPv4 addresses for server use, and IPv4 in client networks is easily accomplished using whatever form of NAT you prefer. DNS64+NAT64 will work fine for IoT crap (not like your thermostat is validating DNSSEC), and a whole bunch of ISPs rely on DS-Lite+CGNAT to allow IPv4 connectivity over their essentially IPv6-only backbone already.
Publicly reachable IPv4 on the consumer side is dying rapidly, but IPv4 LANs and servers can still work exactly because of the versatility IPv6 allows.
> A bunch of IoT hardware and other microcontroller-based hardware has IPv6 support, but that support is often disabled to save a couple of kilobytes of flash memory.
Wait a minute, kilobytes? That much? It’s not like one needs to duplicate the entire IP layer, it seems to me the only changing parts are parsing & generating the packets.
> Disabling CONFIG_LWIP_IPV6 can save about 39 KB for firmware size and 2 KB RAM when the system is powered up and 7 KB RAM when the TCP/IP stack is running. If there is no requirement for supporting IPV6, it can be disabled to save flash and RAM footprint.
> Disabling CONFIG_LWIP_IPV4 can save about 26 KB of firmware size and 600 B RAM on power up and 6 KB RAM when the TCP/IP stack is running. If the local network supports IPv6-only configuration, IPv4 can be disabled to save flash and RAM footprint.
IPv6 takes up more ROM than IPv4, and as far as I know ESP-IDF doesn't actually fully support IPv6 either.
At this point we're talking microcents of storage, but unfortunately the 13KB of size difference can make the difference between "the code fits" and "we need to spend a dollar more per unit".
My it really is kilobytes. Okay I guess my next project will be a TCP-IP stack on an 32-bit RISC-V micro-controller, we’ll see how much code this actually requires. My understanding of IP may be off, but I still feel those numbers are about an order of magnitude bigger than they actually need to be.
I mean, I can fit an entire cryptographic library¹ in 65Kib of RV32IC object code, and it’s not even particularly optimised for this use case. There’s no way the overhead of supporting IPv6 has to be that big.
I think the individual parts will not be that large, but ESP-IDF is a fully features RTOS, not a dedicated microcontroller library. It provides socket APIs that integrate with both WiFi and ethernet, for instance.
If you're optimising for size, I bet you can do a lot better, but that's not really what ESP-IDF is doing. It's providing a network stack for TCP+UDP+IP+DHCP+ICMP+NDP+ARP+DNS with (close to) standard C APIs.
Microcontroller developers can probably download and use smaller libraries if they wanted to, but ESP-IDF provides a rather comfortable development experience compared to stringing together a whole bunch of libraries and talking to the hardware directly.
Still, doing a lot of things is not an excuse for the individual components to be bigger. Not unless you can justify it with interaction between components, stuff like TCP and UDP being aware of what goes on in the IP stack below and having to special case v4 and v6 (made up example, I don’t know if that’s true).
And now I’m wondering how much it would take to implement a full network stack with a nice C API.
Those devices won't necessarily be made obsolete, there are solutions for proxying ipv4 -> ipv6 and I think we'll see many consumer routers enabling those features by default for devices that do not support ipv6.
IPv6 has been supported for ~20 years. Not many devices in any regular use these days with network support, lack IPv6. That pool of devices will be almost entirely gone in 8 years when this is due.
Then there's a veritable black hole of various crappy security cameras, IP phones, and WiFi printers. And they can live for a veeeeery long time.
And I don't think I've ever seen a hotel network with IPv6 support. And I've actually seen a hotel (in Palo Alto) that gives out real IPv4 addresses to clients.
Also, it is eight years in the future. What future devices won't support IPv6?
This is also about the Czech government sites removing IPv4 support. What devices that would be used to access site won't support IPv6? They all do today.
As an aside, I notice a lot of the recent commits to the ESP32 repo are for ipv6 fixes. It already works in the tasmota esp32 builds on devices at my place.
This said, by then, maybe the core OS will not be metal, but Linux on all these device and we'll get top ipv6 support.
More likely, in 2032, well have a bunch of crap, built from very old SOCs running Linux 2.4.
Nobody's sunsetting IPv4. It will fade into obscurity on its own as IPv6 adoption increases and IPv4 addresses become increasingly hard to get, as it should.
IPv4 will be around for a long time. Nobody will care if it is running on internal network. Or quadruple NATed. There are enough IPv4 addresses for sites to have them. But not enough for every user.
Sounds like IPv6-as-botnet-DDoS-prevention is a viable strategy! Can't get DDoS'd by the unmaintained crap if said crap doesn't even speak the required protocol!
One response to EU recycling mandates is to just pull out of those markets. Some website operators just block the EU as it's easier than complying with privacy regulations. When new regulations per the USA's Americans with Disabilities Act mandated captions, a few MOOCs just yanked their videos.
If it's open source I'll delete 90% of the manufacturer provided telemetry/tracking/anti-features and use 1/20th of that free space to add the feature I want.
I'm ignorant on these things, so please inform me - but given IPv6's awful adoption rate, and given how foreign it's numbering scheme is to many, why can't we introduce IPv7 and just extend the IPv4 scheme with additional octets?
Something like 0.0.0.0.0.0.0 and everything without the correct number of octets just gets filled with zeros. So 192.168.0.1 becomes 0.0.0.0.192.168.0.1. Then also don't give out /8's to universities and the like (repeating old mistakes).
This is probably naive, but it seems it would be easier for people to use vs. 2661:919a:023e:911a:44dc:f656:233e:8816
Because the problem is not the numeric representation. The problem is when you get a message from 1.0.0.0.1.1.1.1 to 0.0.0.0.192.168.0.1, and 192.168.0.1 is an IPv4 only device, what are you going to tell 192.168.0.1 about the source address? There's only a 32 bit field in the protocol.
Are you going to lie and tell it it's 1.1.1.1? Congrats, you've just reinvented NAT. Enjoy your stateful boundary system and all that complexity again.
Are you going to add some extension to IPv4 and try convince everyone to upgrade all their hardware, software and configurations? Then you have the exact same problem IPv6 adoption had, except IPv6 adoption is at like 45% globally and your new scheme is at 0%: https://www.google.com/intl/en/ipv6/statistics.html
If you have some other idea, make sure to check it against the list of IPv6 transition mechanisms before commenting - it probably exists for IPv6, and ultimately all of them have been displaced by dual stacking: https://en.wikipedia.org/wiki/IPv6_transition_mechanism
> link -> The graph shows the percentage of users that access Google over IPv6
How does this work in practice, does user equipment end up with dual IPv4 IPv6? if not how do they access IPv4 only sites (of which there are still plenty)?
It's just as you have described, this is called dual stacking and is currently the most common type of IPv6 deployment.
Alternatively, cellular ISPs may make use of NAT64+DNS64. In this case, the IPv4 addresses are combined with a NAT64 prefix (most likely 64:ff9b::/96), producing addresses such as `64:ff9b::198.51.100.1`. It is effectively the same as CGNAT, but pretty much everything is single stacked IPv6 up to the IPv4<->IPv6 border relay in the ISP network.
The way it's supposed to work is the ISP delegates a prefix to the user's router, the router will advertise for that subnet and client devices will use slaac to configure their ipv6 addresses. Meanwhile for IPv4 it operates as normal. For incumbent, mostly wired, Western ISPs that means a pool of IPv4 addresses and subscriber level NAT. For everyone else, that probably means CGNAT.
My ISP gives me both an IPv4 address and a heap of IPv6, most browsers will use what is called Happy Eyeballs to try both IPv4 and IPv6 at the same time and use the one that connects the fastest.
> Are you going to add some extension to IPv4 and try convince everyone to upgrade all their hardware, software and configurations? Then you have the exact same problem IPv6 adoption had
Yeah, so I'm going to say that's just not true. If IPv6 had been significantly simpler (e.g. by mainly focusing on increasing the address space) then adoption would be much higher today – probably universal. The problem is that IPv6 changes a lot, and that implementing it is a fair amount of work. The entire business with tunnel brokers and other compatibility schemes are complex and difficult to use.
To completely change gears now would be silly and too late, but it's been almost 30 years and it baffles me how anyone does not consider the entire thing a spectacular failure. People use Python 3 as a warning about compatibility, but IPv6 is a much larger catastrofuck, and that's largely due to decisions IPv6 people made. Whether IPv6 is "better" or not doesn't even come in to play.
Are you going to lie and tell it it's 1.1.1.1? Congrats, you've just reinvented NAT. Enjoy your stateful boundary system and all that complexity again.
(Shrug) It works. What problem is being solved here, again?
Just look at your favourite game console provider's forum discussions on "NAT types" and you'll see that it really doesn't. Or try self host on CGNAT. Or realise the only direction for IPv4 prices at AWS etc. is up
IPv6 is 128 bits... so we already made a change. Why can IPv7 not be 128 bits as well, but vastly more readable/recognizable than IPv6. Hex is hard on the eyes, especially for those who don't stare at it all day.
If you'd like to figure out a nicer representation for IPv6 addresses, go for it. You needn't break any compatibility for it, just invent a new representation.
I'd argue that the most common format such as 2001:db8::f00f is already pretty darn readable, and not hard to copy+paste when you need bare addresses. Base85 is an alternative if you'd like something that's purely optimized for fewer characters, but it only really helps with exceptionally long addresses like 2001:db8:424b:b4ff:fcb5:b643:f721:b703 becoming 9R}vSk6QzV!G$<lwB;|~
I don't know, I just checked my linux box that takes ipv6 from one of my routers and it's the full 16 bytes, no zeros to skip.
I suppose example.com has a lot of consecutive zeros and is shorter to type...
> (another unlikely situation, to be honest)
Kid calls you when you're out and asks where in your local network the minecraft server is running. Or on which samba server the mod archives are. Real story.
The move to hex is to avoid people having to memorise all these offhands like "so a /27 is x.x.x.0-31". Instead every "4" in the subnet is another digit.
But also do you think 24414.64517.21200.44298.46574.49887.23623.7394 is really that much easier to type? Or 231.22.96.68.14.229.38.41.242.44.72.220.156.50.232.95 if you keep to 8 bit octets?
Maybe I'm weird, but I do in fact think that is easier. People memorize long numbers all the time, such as SSN, phone numbers, account numbers, credit card numbers, etc. People are not very good at memorizing lengthy alphanumeric sequences such as randomized passwords. I don't know why, but it "just is".
But -
> The move to hex is to avoid people having to memorise all these offhands
Point taken. It does seem in practice though people will still have a need to memorize/recognize addresses for various purposes, such as administration/dns/etc.
> People memorize long numbers all the time, such as SSN, phone numbers, account numbers, credit card numbers, etc. People are not very good at memorizing lengthy alphanumeric sequences such as randomized passwords.
It's easy. Long sequence of 10 possible tokens that we're always used to seeing together. Easier to memorize because you subconsciously use any patterns you notice, and with just 10 possibilities the patterns are there. And you've been reading sequences of digits since you were old enough to get given pocket money.
Vs long sequence of 16 possible tokens, of which 10 belong in one cognitive group and 6 in another. The extra 6 you've never memorized before in random order because they're for representing your language and that has other ingrained patterns.
Let's not forget they admitted ipv6 addresses are too long and allow you to skip parts of it so now you have to count the colons carefully...
You don't understand why a sequence of 39 digits might be harder to memorise than sequences of 10? 16 is longest of the examples that people actually memorise (no, people are not memorising their bitlocker keys), and even then they have 1 example that lasts at least 5 years to deal with, instead of however many IP addresses they have to deal with.
Also many of my account numbers and my nations equivalent of a SSN are alphanumeric so 36 vs 16 choices.
I could be wrong, but I do not think it's easier to remember 45465465464938259 then it is to remember the lyrics to a popular song. Now I assume there is some sort of brain difference playing here. But while looking it up most popular memorization strategies are either ram it into your head with repetition or converting it to songs, rhymes, poems, or other word phrases.
It's quite easy to remember things like "Mmm-mmm, went the little green frog one day".
At least the user networks are /64s, so, to some degree, CIDR notation isn't relevant for someone just trying to set up their system - netmask is now always 64 bits. And sure, ISP/Network Engineers still care about /56, /48, /32, etc... but that's their day, and takes about a week to have it ingrained in a way that you almost never could with IPv4.
> But also do you think is 24414.64517.21200.44298.46574.49887.23623.7394 is really that much easier to type? Or 231.22.96.68.14.229.38.41.242.44.72.220.156.50.232.95 if you keep to 8 bit octets?
I mean... yes, actually; I can type those blindly on a normal numpad. I'm sure somebody somewhere has made a hex number pad, but realistically on any normal keyboard entering hex means going back and forth between number and letter keys.
That would be really convenient if : weren't in the middle of the keyboard. Maybe hardcore IP typists need an alternate keyboard layout where * maps to :
You're more than welcome to represent an IPv6 address in some other format. That's just a implementation detail in the UI. You don't need a new wire protocol to do that.
(There's already at least 4 different ways you can write an IPv4 address, and your OS is happy to accept any of them.)
You gotta love how they decided to use colons as part of the notation! But, oops, that is also used for port number notations. Solution? Square brackets:
Yeah it's annoying, I've come across numerous address parsing bugs because of this.
I think the reason they needed to use a different delimiter is because IPv6 addresses can also omit entire portions of zeros as a convenience feature to shorten addresses, which means there are a subset of shortened addresses that look exactly like IPv4 if not for the delimiter.
I think two major problems that IPv6 failed to account for are the unreasonable ambiguity and "global registry" proposed by the Unique Local Address range, e.g. fc00::/7. This was even after having the opportunity to fix the previous mistakes in the fec0::/10 range.
It was entirely inappropriate for small scale personal networking and assumed an "administrative scope" that's too cumbersome and without purpose for most implementations.
I wonder if a dedicated "local" network prefix with a fixed /64 mask and an operating system recognized "alias" would have been a good mechanism to introduce. Something like fec0::/64 with an option to call it "local::". Then you might be able to more easily move from a world of 192.168.10.1, 192.168.10.2 to a world of local::1, local::2, that being translated to fec0::1 and fec0::2.
What do you mean by global registry? ULAs do have a local bit, by setting it to 1 (i.e., fd00::/8) you can have your own ULA range. I am using ULA in my own home network.
Right, and the local bit being 0 is currently undefined, but the original and lasting idea (apparently) is to create a central registry for it, so that in some future case where you have to merge corporate networks with their own ULAs there is zero chance that there would ever be a collision between the two.
Even in so far as the local bit being 1, there have been at least two attempts to create a "voluntary global registry" for your randomly generated prefix, mostly for the same "collision avoidance" stated above.
In either case, somewhat unintuitively, those are still _global_ addresses, and don't have the same level of "non local routing" restrictions that the RFC1918 address space explicitly gained.
It's been a mess, and at some point, the IETF just seems to have given up on it.
They are meant to be globally _unique_ (or effectively so, by utilizing RNG you ensure that it is very, very unlikely for two organizations to have the same ULA), but they are not globally routable.
> Even in so far as the local bit being 1, there have been at least two attempts to create a "voluntary global registry" for your randomly generated prefix, mostly for the same "collision avoidance" stated above.
Like most things people don't like about IPv6, you don't like this because you misunderstand how it's supposed to work.
There is no need for a ULA registry because you're supposed to pick a random prefix within the ULA space. The ULA space has 7 bits already defined, so you're picking a random prefix from a space 57 bits big. The chance that you will pick the same prefix as some other specific person is effectively zero.
(the birthday paradox does not apply because we don't care if your prefix matches anyone else on earth, just the one specific person/organization that you want to merge networks with).
> In either case, somewhat unintuitively, those are still _global_ addresses, and don't have the same level of "non local routing" restrictions that the RFC1918 address space explicitly gained.
Err, what? ULAs are routable and "global" addresses in exactly the same way that RFC1918 addresses are routable and global. They are valid addresses within the address space and the only thing that makes them "not globally routable" is that all routers have certain prefixes baked into the firmware as non-routable. If you don't trust your router not to route them for IPv6, why do you trust it for IPv4?
> Like most things people don't like about IPv6, you don't like this because you misunderstand how it's supposed to work.
Thanks for explaining my own motivations to me, while at the same time denying that any discussed changes are relevant to anyone.
> There is no need for a ULA registry
I was merely summarizing what the public opinion on the matter happens to currently be. Which suggests that the current recommendation to pick a random address and be happy with it is inadequate. The original posts dissatisfaction with being able to deploy IPv6 _conveniently_ also hints that improvements would be welcome by most people.
> ULAs are routable and "global" addresses in exactly the same way that RFC1918 addresses are routable and global.
RFC1918 explicitly defines it's addresses as local and not globally unique. RFC4193 specifies that these addresses are meant to be globally unique. RFC1918 requires a more specific level of filtering than RFC4193, and the definition of "site local" has always had some ambiguity to it.
So, within the very specific and nuanced points I was trying to make, no, they're different.
Agree with the parent that there is no need for a ULA registry for locally assigned addresses under RFC 4193 (which is every one I've ever seen). But there is that option for globally assigning addresses that I'd be intrigued to see if anyone does anything with...
Also important to note that while RFC1918 is roughly equal to RFC4193/ULA, that "site local" is another beast entirely (FECO ) that was, as you noted, ambiguous and was deprecated in rfc3879
Well -that's not entirely true. RFC4193/ULA has a Local Bit that, in my experience, is almost set to 1, so the prefix is FDxx.... At a prior company we rolled out about 25 million nodes all in RFC4193 space (non-routability was a design objective) - and, just to be within spec, we did indeed grab a random /48 for each customer instance we rolled out (and made very good use of the 65K networks we had available within that /48).
But - what if that Local bit is set to 0 - then:
Set to 1 if the prefix is locally assigned.
Set to 0 may be defined in the future.
Presumably there was some thought that there might be a Global Registry that the OP was referring to?
Concur with the rest- and, honestly, RFC 4193 is one of the simply written RFCs out there - understandable within 30 minute read - I'd encourage everyone to dig into it.
Every proposal like that requires changing all the routing hardware anyway, because we effectively ran out of bits in the IP packets to mark anything new. And once you need to change hardware, you may as well just go with a better designed protocol like ipv6.
> This is probably naive, but it seems it would be easier for people to use vs. ...
People don't use IP addresses anymore. DNS and local discovery covers this for anyone apart from geeks and IT people. If it doesn't, it's a bug at this point.
IPv6 was drafted in 1998, and ratified in 2017. 7 years after becoming "official" only 50% adoption rate world-wide is not what I would call stellar either.
It's kind of a misunderstanding to say that IPv6 became official in 2017.
The IETF has multiple standardization levels, with Proposed Standard being the first and Internet Standard being the last (there used to be Draft Standard in between but it was eliminated). Proposed Standards are deemed ready for deployment and lots of important protocols (e.g., TLS, QUIC, etc.) are at Proposed Standard. IPv6 went to PS in 1998, and people have been trying to deploy it ever since, so it's really more like 25+ years since it was official.
Honestly... 50% in 7 years is an impressive achievement, and far from being awful. People often compare IPv6 adoption to things such as HTTPS adoption, but upgrading to IPv6 requires hardware changes on both the ISP side and the customer side, and as we all know, hardware upgrades take forever. It's not unusual to see >10yo equipment running in the wild.
Also even for HTTPS adoption - it was introduced in 1994, and in 2010 even major websites like google and facebook were basically only bothering to secure their login page which is how Firesheep came to be. It was only really that illustration of the business need that caused anyone to start bothering, and despite that demonstration, adoption was below 50% as late as 2018
Industry doesn't adopt a thing until there is a need for it. In 1998, there really wasn't a need for it. Now there is. So now it gets adopted. News at 11.
Also, it's worth to keep in mind the delay on the hardware replacement. There were home routers which didn't support ipv6 even 7 years ago. And there many home routers deployed today which are over 7 years old.
Also, my provider fully supports IPv6 and so does my hardware, but I have to click a button in the control panel to activate it explicitly. That's practically around a million of people who could be on IPv6 right now if they just opted in.
I’ve noticed that the Ubiquiti UDM Pro router has IPv6 turned off by default; and I don’t really want to change the defaults, because idk, maybe something will subtly break, and in any case it works fine as-is…
It looks like it's going to be a few years until not enabling it will start subtly breaking things. ;) It's a trivial change to reverse, so if you're interested, give it a go.
Any change to IPv4 to extend the IP space (eg your example) would require a breaking change to the specification. So this would require changing every router on the planet to support it.
You're also focusing on how the IP address is written when that doesn't really matter. Changing the format isn't dragging out IP adoption.
If you're typing out IP addresses your doing it wrong. We've had DNS for checks watch 40 years.
IPv6 isn't THAT different from IPv4. It's a 128 bit number instead of a 32 bit number. When righting it out we use hex (because it's shorter).
We use multicast instead of broadcast so your Subnets can be bigger
The smallest subnet is /64 so vendors can do optimization hardware.
Routers announce the prefix they route (and a DNS server) and let endpoints autoconfigure(with built in IP conflict detection!). Instead of a stateful DHCP server(which is still an option).
And we let nodes have local and global addresses so issues with the router don't necessarily break local communication. (And they're easy to tell apart, if starts with an f it's a local adress, if it starts with 2 it's a global address)
That's pretty much all that's different. 80% of what's different is the address space.
Having done basic tech support, sometimes typing out addresses is necessary. You'd think mDNS would help computers find your modem when you're first setting up your internet connection, but the super "helpful" modern browsers all try to go to google.com/search?q=myrouter.localnet even if mDNS is providing various IP addresses to try first.
That's not IPv6's fault, but it is a pain. Especially considering that local networks differ from router to router, making it impossible to write a manual to access a router's settings for when the thing needs to be configured before it can connect to the internet.
Of course, in those cases there's nothing preventing manufacturers from providing some 192.168/16 IPv4 addresses for those specific use cases (and not route them to the internet). I've even seen one manufacturer listen on a bunch of 169.254/16 addresses for when DHCP fails somehow, and I think that'd solve the problem perfectly without even needing a DHCPv4 server.
Windows will try to auto configure with a 169.254 link local if DHCP is unavailable. Not sure if anyone is actually using them for LAN. They come up sometimes in point to point or for other shenanigans (commonly on cloud or virtualized networks for special services)
Afaik for Firefox and Chrome you can add a trailing / to prevent it from doing a web search and attempt to do a DNS lookup instead
I sure hope nobody is using 169.254 for LAN (though I suppose you could, just like you could use 100.100) but I discovered it as a pretty smart fallback for routers. I suppose you could hardcode http://[fe80::1]/ on the IPv6 side as well, but I've never seen a router actually do that.
The trailing slash trick sometimes worked, but not always. It took a couple of tries to get working every time I needed it to work. I bet it's some kind of problem on the mDNS layer, but regardless, the quickest way to fix it was to use an IP address.
Another annoyance I have (which isn't the protocol's fault) is that on my phone I can't even hand-type IPv6 addresses because Mozilla is using some kind of regex to detect if things are URLs and that regex doesn't support IPv6. It did for a short while, but the IPv6 regex was too complex and slowed things down, so that was reverted.
>Windows will try to auto configure with a 169.254 link local if DHCP is unavailable. Not sure if anyone is actually using them for LAN. They come up sometimes in point to point or for other shenanigans (commonly on cloud or virtualized networks for special services)
I've seen it done few times for niche devices and I've done it a few times when I needed a really quick network operational and didn't want to bother setting up any supporting infrastructure such as a DHCP server. Never for any production environment though.
I've toyed around with an IPv6 link local only environment but browsers don't support adding the zone identifier[1] for link local addresses. There's workarounds but in most cases for a fully isolated network it's about the same effort to setup a small DHCP server somewhere.
That said it's not a comprehensive solution, Android AFAIK still won't support DHCPv6. To get that to work AFAIK requires router advertisements and some more odd finagling if privacy extensions are enabled on the device.
It's sitting just shy of 45%, based on what Google sees, and growing at a steady pace. The main issue is not technical, it's need. Right now, everything is accessible over IPv4, and probably over IPv6. There's no negative consequences from not having IPv4, it really needs initiatives like this one, and the US federal government one to drive things forwards (US federal agencies have to be single-stack IPv6 within a couple of years, which is forcing every government dealing vendor to get their act together on IPv6)
A couple months ago I got a new router and some stuff didn’t work until I turned off ipv6 (I don’t recall what, exactly)
I tried that solution early because when I first got Google Fiber the Amazon store website didn’t load, on any machine in our house, until I turned off ipv6. If stuff tries to route over ipv6, it doesn’t work, has been my entire experience with the protocol on the open internet (private networks seem Ok)
If you get 10/10 here everything should work.
Most likely your issue was a firewall rule on the IPv6 part, or a misconfigured DNS server (only returning A records)
My home connection fails because it’s disabled (of course).
Kicked my phone over to my T-Mobile cell connection. Finds that I have an ipv6 address, but dies on one of the first tests.
It’s 2024 and I have two major US ISPs available and neither will let me reliably use IPv6 unless I’m on a vpn and the addresses are all private ones that don’t (logically) route to the Internet.
If you mostly dislike the long addresses, you can cut out the second half. You can make your device be 2661:919a:023e:9100::1.
If you want a near-exact equivalent of 192.168.0.1, then you can use fec0::1 or fd00::1. That's even shorter than IPv4! You kind of shouldn't, but it'll work fine for a tiny network.
But as other people have explained, the compatibility will be just as bad. And IPv6 does have address ranges like that. Nobody talks about them because not much can be done with them.
And the reason it's recommended against is that you might later decide to join your local network to another one and then you'll have to renumber them. Which is exactly the same problem with IPv4 local addresses. Except unlike IPv4, there is a mechanism to prevent that ahead of time
40+% adoption rate since the World IPv6 Launch Day in 2012 is not what I would call awful [0].
>extend the IPv4 scheme with additional octets?
To clarify, IPv6 and IPv4 addresses are effectively just a number. On Linux, you can even do `ping 16843009` and see the tool actually pinging the address 1.1.1.1! The octets you see in typical IPv4 addresses, or the hextets in IPv6 ones, are just a way to represent those addresses.
If you think the address representation is the main thing holding IPv6 back, you are thinking it wrong. The most likely reason is actually software & hardware support, and the industry's general sentiment of "if it ain't broken, don't fix it" keeping NATs alive.
>seems it would be easier for people to use
The ship has already sailed. If IPv4 addresses are really that easy to remember, DNS would not have been invented.
Furthermore, when it comes to memorization of IPv6 addresses it's very helpful to split them into two halves. The second half can change rather arbitrarily (to maintain privacy by preventing address tracking), but the first half often won't because it is assigned to you by the ISP.
Oh, I don't use reddit, but AWS... mmmmh... and that makes me think about akamai.
It seems ipv6 is slowed down by big tech, the one with the bucks to move to ipv6, paradox, or they know IPv4 mechanically favor strongley centralized services? As it is toxic to clean and simple p2p protocols?
Because that would be starting from scratch the migration with all the warts and less of the benefits.
About the only part that would be easier is that more people use less broken APIs compared to BSD Sockets, with getaddrinfo and similar solutions ported from XTI/Plan9 finally becoming the norm.
So no more "you need to duplicate code to add support for new IP version".
But that's still worse than migrating to v6, which has widespread hardware support in switching equipment, considerable preference in mobile networks and not only (TL;Dr it's cheaper to use v6 to carry v4 traffic using 464 stateless translation rather than other forms of CGNAT), and some IOT systems (industrial, not home stuff) are v6-only if they have IP connectivity on the embedded side at all.
I cant imagine how much "fun" its going to be trying to lock down a governments systems when every single device on their network is potentially reachable directly from China...
> having a private ip = definately not publicly reachable.
> having a public ip = possibly reachable, depending on what other devices can be compromised on the network.
Lateral movement is hacking 101. Private IPs don't provide any security.
Got a webserver open to the internet and a database server on a private IP only accessible to the web server? Guess how you get to the database server?
You seem to be continually conflating something having a public IP address and it being open to the internet raw dogging it. This is not how things work.
good job all the networks cables are glued in and no one ever plugged a cable into the wrong port, or doing so might result in all the devices behind that firewall getting exposed directly to the internet and no one noticing because everything still works.
but Im done burning karma on this one, good luck have fun.
> good job all the networks cables are glued in and no one ever plugged a cable into the wrong port, or doing so might result in all the devices behind that firewall getting exposed directly to the internet and no one noticing because everything still works.
So just put your database server on an IPv6 ULA (which is not globally routable)? There are other benefits to that, too, you know? Like that you can have a completely static address for the server, which is agnostic to whatever IPv6 prefix gets assigned by your upstream provider.
did the unpaid intern do that before or after the insecure database server accidentally got given a public ip address?
did they also check and update that old office use only IIS server no one uses before the department all got public ips, or wasn't there a lunch budget for that.
Good job not even attempting to secure your office switch ports with whitelisted MACs or whatever, then.
And if you then argue that MACs can be spoofed easily, well, you'd have to get the MAC of the authorised system first. And by that time you've physically broken into the building - you have worse problems than a rogue device or two...
>having a private ip = definately not publicly reachable.
What component of your router prevents a packet with destination IP 192.168.1.2 arriving on the WAN interface from crossing over to the LAN interface and reaching a LAN machine with that IP? Hint: It's the same one that prevents IPv6 packets from making that same crossing.
nothing stops 192.168.1 crossing a wan interface, in fact I and most of the internet rely on being able to do exactly that, the router just needs an appropriate route in its routing table.
set router to an allowlist configuration... and you're done. it's your "NAT" security but without terribleness. some (consumer/smb) routers even come this way out of the box to prevent exactly what you mention
add a software router to the network that hands out public ips to all the devices on the network.
or better, just accidentally switch a cable over from the router to the routers switch, see if anyone notices their private ips all became public ones.
if we're branching in to 'what other devices can be compromised' then that's a concern for any network 'private' IP or not. for example, even on a NATted v4 network if you get the right device (say if it's 'port forwarded', or you get malware on it another way (social engineering) you can pivot that way to another point in the network.
you can supply all the ACLs and firewalling to your heart's content on either private or public, it's just that public addresses have a heck of a lot less shitfuckery when you actually want to do useful things across the internet
if by "heck of a lot less shitfuckery" you mean "makes it a lot easier to exfiltrate all the data on a network" I completely agree, that was pretty much my point.
You seem to fail to grasp that it is the statefulness of NAT that provides security, not the private/public IP distinction. The same statefulness can be obtained by using... surprise, surprise, a stateful firewall. :-D
It is helpful to imagine NAT as a stateful firewall with packet modifying capabilities. Because that's what it is.
If your ISP is doing CGNAT, try pinging random 100.64.0.0/10 addresses. Marvel at the number of pongs you can receive. Hell, we even have online threads talking about this, so it can't be just my ISP being incompetent [0].
My very publically available home server (static IPv6 address, AAAA record) is behind two firewalls. The first is the ISP-supplied router. That handles any attempted connection to any address on its /64 subnet.
The second is UFW on the server itself + fail2ban.
The open ports are 22 and 443.
It's basically as secure as it gets apart from not having it public at all. Public IP != open for all connections on all ports...
Better call up cloudflare and tell them no one wants their business now all the network engineers are as competent and equipped to deal with threats as they are.
Cloudflare's main business is being a CDN that can soak hundreds of gbps in bandwidth of DDoS traffic. Nothing to do with competence, though in your other comments you suggested that plugging things into different switch ports would give them new IPs and make things publicly routable so perhaps you're right to keep using Cloudflare.
and how do you enforce using that firewall rule on tens of thousands of devices, each now with several public and private ips and several thousand routes in and out of the network?
A stateful firewall is prerequisite for NAT implementations commonly deployed in most office and consumer settings due to the session tracking requirement. So you just stop doing the NAT part and the firewall continues to deny untracked ingress connections just like it did when NAT was running.
NAT is only needed if you want to transition from a private network to a public one.
ipv6 still needs nat configuring. nothing changes there.
The only thing that changes from a network administrator perspective is it becomes much harder to ensure devices that should only have a private ip address do not have a public one.
This feels like FUD. You can still assign a block of ipv6 as internal to your network and put it behind a bastion. Forcing ipv6 isn’t the same as going zero trust or something where now everything is publicly routable.
you do know single network devices can have more than one ip address?
afaics, the biggest issue with ipv6 is if its active all devices on a network can easily be coaxed to never route traffic anywhere near the router/firewall the network admistrator intended, simply by handing out extra routing info for alternate networks.
> afaics, the biggest issue with ipv6 is if its active all devices on a network can easily be coaxed to never route traffic anywhere near the router/firewall the network admistrator intended, simply by handing out extra routing info for alternate networks.
This is not unique to IPv6.
ARP spoofing is the v4 version of this attack. RA spoofing is the v6 version of the attack. In both cases, the solution is the same: lock down your L2 by enabling MAC / ARP / RA filtering on your switch.
I have 32 IPv4 addresses, how do I utilize them to hack Amazon?
It doesn't matter that you can get IPv6 addresses, you still need to be able to get onto the L2 network of your victim company to be able to mount RA attacks. You also will somehow need to force them to announce your IPv6 space to their peers.
with IPv4 you cant really, because getting traffic routed to those ips is a major undertaking.
with IPv6, every IPv6 capable device is potentially capable of handing out something like the entire IPv4 space of public ip addresses regardless of how a single firewall or router is configured.
"trying to configure connectivity and access resources using only IPv6 addresses is borderline insane"
what difference do you think it makes who controls the public ipv6 address.
with ipv6, they got one, all devices on the network are now by default accessible from the public internet instead of invisible to it . Thats the whole point of ipv6.
But the thing is, even though IPv6 is such well established tech, it was not a great migration experience.
I'm not a network engineer, and you have to figure out how to update a bunch of networking configuration to make this switch on an existing instance, with lots of potential footguns. Even after I got the IPv6 address provisioned and the virtual networking correctly configured, the connectivity was still broken until I found an obscure security group setting that was still set to allow only IPv4 traffic. A lot of basic debugging tools like curl are designed to use IPv4 by default. You have to figure out how to get your webserver (nginx in my case) to listen on the IPv6 interface, which is fiddly. And it's easy to inadvertently break ssh connectivity, which turns out to also be set up to expect IPv4 traffic only...
In the end, it took about 90 minutes of fiddling, including migrating to Cloudflare, fixing DNS, etc. I mean, it's fine. I learned some things.
But if we're all going to switch to an IPv6 world, it would really be nice if the systems and tooling made it slightly easier, somehow.