People still working in IT, thoughts on IPv6?
People still working in IT, thoughts on IPv6?
Now currently I'm not in the workforce, but in the past from my work experience, apprenticeship and temp roles, I've always seen ipv4 and not ipv6!
Hell, my ISP seems to exclusively use ipv4 (unless behind nats they're using ipv6)
Do you think a lot of people stick with the earlier iteration because they have been so familiar with it for a long time?
When you look at a ipv6, it looks menacing with a long string of letters and numbers compared to the more simpler often.
I am aware the IP bucket has gone dry and they gotta bring in a new IP cow with a even bigger bucket, but what do you think? Do you yourself or your firm use ipv4 or 6?
Mostly I’m scared I’ll write a firewall rule incorrectly and suddenly expose a bunch of internal infrastructure I thought wasn’t exposed.
Cloud infra engineer here.
Answer: I don’t think about it. Nothing fully supports it, so we pretend it doesn’t exist.
That's exactly my experience with it.
Some certificates are even annoyed by IPv6 and they won't install until i remove any trace of it from the DNS. This should also pretty much be the only occasion I'm forced to deal with IPv6, instead of glancing over it while working on the server configs.
Which is why "nothing" supports it
Well if you want to be the one who retrofits google cloud to support it more widely, go to town. But I’m sure as hell not going to bother, I have other work to do. And also I don’t work at google.
People still use IPv4 because companies are slow to adopt new technologies. They see it as a huge money drain and if there is not a visible or tangible benefit to it then they won't invest in it. IPv6 is definitely a growing technology, it's just taking it's sweet time. For reference, currently the IPv4 has just under a million routes in the global routing table while IPv6 has ~216K routes. About 5 years ago it was something like 100K for IPv6 and not much has changed for IPv4.
I personally do not like the addressing of IPv6. It's not just the length, but now you have to use colons instead of period to separate the octets which leads to extra key strokes since I have to hold shift to type in a colon. It's a minor thing, but when networking is your bread and butter it adds up.
There are also some other concerns with IPv6. Since IPv6 tries to simplify routing by doing things like getting rid of NATing it also opens us up to more remote attacks. It used to be harder to target a specific user or PC that's behind a NATed IP but now everything is out in the open. I'm sure things will get better as more and more people use it and there will be changes made to the protocol however. It's just the natural evolution of technology.
I am very surprised to hear your ISP is not using IPv6. Seems like they're a little behind the times. Unless they just don't offer it to residential customers, which is still a bit behind the times too I guess.
Iv6 doesn't try to simplify routing and remove nat. that's just how things work. Nat is a workaround for ipv4.
Ipv6 is around since 1998. that's not slow to adopt, at that point it is just plain refusal from some because of the costs you mentionend
Ipv6 does simplify routing. It has less headers and therefore less overheard. IPv6 addressed the necessity of NAT by adding an obscene amount of possible IPs. Removing the necessity of NAT also simplifies routing as it's less that the router has to do.
Ipv6 as a concept was drafted in the 90s. It didn't start actually being seriously used until ~2006/7ish.
Time isn't the only factor for adoption. Between the adoption of IPv4 and IPv6, the networking stack shifted away from network companies like Novell to the OSes like Windows, which delayed IPv6 support until Vista.
When IPv4 was adopted, the networking industry was a competitive space. When IPv6 came around, it was becoming stagnant, much like Internet Explorer. It wasn't until Windows Vista that IPv6 became an option, Windows 7 for professionals to consider it, and another few years later for it to actually deployable in a secure manner (and that's still questionable).
Most IT support and developers can even play with IPv6 during the early 2000s because our operating systems and network stacks didn't support it. Meanwhile, there was a boom of Internet connected devices that only supported IPv4. There are a few other things that affected adoption, but it really was a pretty bad time for IPv6 migration. It's a little better now, but "better" still isn't very good.
IPv6 has a policy of throwing more address space at stuff to make routing simpler, though.
IPv4 will individually route tiny slices of address space all over the world, IPv6 just assigns a massive chunk of space in the first place and calls it a day.
Repeat after me kids:
NAT 👏 is 👏 not 👏 a 👏 security 👏 feature
I think djb was right, over twenty years ago: The IPv6 mess
The IPv6 designers made a fundamental conceptual mistake: they designed the IPv6 address space as an alternative to the IPv4 address space, rather than an extension to the IPv4 address space.
There was an alternative proposal that was backward-compatible with IPv4, but I’ve forgotten the name now.
Oh man, that would have been so great. Think of all the networking stacks that could have just been silently upgraded. Just some letters/numbers appended to the front or back. If you only get x bytes then prepend with zeroes. Adoption would have been mostly transparent.
Yup. For those that don't know, that's essentially how utf-8 works -
We turn it off in our office. It doesn’t benefit us.
You could also make the argument that ipv4 through NAT is better for privacy since it obfuscate what, and how many devices are connected to where.
When I was first looking into IPv6, people were talking about how you can self-assign an address by simply wrapping an IPv6 address around your MAC address. But that practice seems to have fallen out of favour, and I'm guessing the reason is, as you say, the whole privacy thing? There's a lot of pushback these days against any tech that makes it easier to fingerprint your connection.
With modern IPv6 (say, Windows 7 or later?) IPv6 privacy extensions solve this problem. Basically, you get a whole bunch of addresses. One based on your MAC address so you can port forward/allow incoming connections in the firewall, and then a bunch of rotating random addresses used for outgoing connections. People that know your prefix and MAC address can find your listening PC, but websites won't get your MAC address.
As for fingerprinting, thanks to NAT slipstreaming you can choose between "video calling software breaks" and "every malicious ad can access any port on your device" or in some extreme cases "every malicious ad can access any device in your network". Some websites have also been caught scanning IPv4 networks to figure out where your router lives using standard Javascript, so your IPv4 network isn't any better protected. At least with IPv6 a website can't take ten seconds to scan 255 addresses and figure out how many devices are on your network!
IPv6 has privacy addresses, though. Stuff on my network generates a new random address every day and uses that address for outgoing connections, so you can't really track individual devices inside my network.
Just annoyed when I need to specify port when using IPv6. Needs to add square bracket to workaround ambiguity of colon is kinda bad. How can they decide to use colon instead of another special character??
Company currently uses IPv6! For awhile firewall rules kept biting us as we’d realize something worked in ipv4 but not IPv6 but now I forget it’s even a thing really.
I once paid for a vpc host that was exclusively IPv6 and was shocked how many things broke. I was using it for a discord bot and the discord api didn’t even properly support IPv6 …
I have IPv6 at home, at work, on my phone, and my hotspot. I have them on my websites and servers. IPv6 is everywhere for me. I use it all the time. Most people do and don't even realize it.
IPv4 still reigns supreme on a LAN, because you're never going to run out of addresses, even if you're running an enterprise company. IPv6 subnets are usually handed out to routers, so DHCPv6 can manage that address space and you don't need to know anything unless you're forwarding ports on IPv6.
For the Internet, just use hostnames. There's literally zero reason to memorize a WAN address when it could be an A/AAAA record.
a teammate implemented it because he thought it would be a good resume project. it added more maintenance work to a lot of pieces, forever. there is no measurable benefit to the business
Both my employer and my home ISP use IPv6 since many years now and so does all my own stuff, it's wonderfully convenient to have a globally unique address for everything that I connect to the network.
IPv6 was "just around the corner" when I was studying 20+ years ago. I kept a tunnel up until the brokers shut down.
I've been hosting some big (partly proprietary) services for work, and we've been IPv6 compatible for a decade.
My ISP finally gave me native IPv6 earlier this year, which gave me the push to make sure my personal hosting does IPv6 as well. Seems like most big players services support it today. It's nice to not have the overhead that CGNAT brings.
IPv6 got a bit of a bad reputation when operating systems defaulted to 6to4 translation but never actually managed to work.
A lot of networks were designed with ipv4 and NAT in mind. There really isn’t a cost benefit to migrate all your DHCP scopes, VLANs, Subnets, and firewall rules to IPv6 and then also migrate 1000’s of endpoints to it.
Much cheaper to just disable ipv6 entirely on the internal network (to prevent attacks using a rogue dhcpv6 server etc) and only use ipv6 on your WAN connections if you have to use it.
With NAT existing, I'm not sure there's a significant reason to switch anymore.
Plus the "surprise" privacy and security benefits of just... not having every network connected device directly addressable by anyone else on the global network. The face of the internet and networking in general, plus the security and safety concerns around it, have changed dramatically since v6 was first created.
NAT is just security by obscurity and actually not really security at all. What's protecting you from incoming scans, etc is your network firewall. That firewall works just the same for IPv6. Blocking incoming traffic for your home network is usually the default setting in your ISP issued router anyway.
Working as a network engineer, NAT in a large scale customer environment can quickly devolve into a clusterfuck. Many times we had week long reachability issues due to intermediate ISPs NATing unexpectedly.
My nemesis is GCNAT, which adds another layer of NAT because some ISPs don't have enough public IP space for all their customers to go around.
I have a customer where their ISP just assigned one of their locations public IPv4 addresses. Neither the customer, nor the ISP owned that address space. Their logic was that this address space is registered on a different continent, so it's basically fair game to use it themselves. Granted, they only route it internally for a MPLS network, but still...
What I'm getting at is that NAT increases complexity and breaks properly routed end to end connections. Everyone kinda fucks up with NAT, especially ISPs (in my opinion anyway).
I can really recommend the IPv6 study material from the major internet registries (took the v6 courses from RIPE NCC myself).
IPv6 is so much simpler for subnetting, writing firewall rules,... IMO the addresses just look kinda clunky.
NAT is just security by obscurity and actually not really security at all.
“Security” was not the purpose of NAT. That was just a side effect that became overly relied on out of convenience.
NAT is just security by obscurity and actually not really security at all. What's protecting you from incoming scans, etc is your network firewall. That firewall works just the same for IPv6. Blocking incoming traffic for your home network is usually the default setting in your ISP issued router anyway.
Working as a network engineer, NAT in a large scale customer environment can quickly devolve into a clusterfuck. Many times we had week long reachability issues due to intermediate ISPs NATing unexpectedly.
My nemesis is GCNAT, which adds another layer of NAT because some ISPs don't have enough public IP space for all their customers to go around.
I have a customer where their ISP just assigned one of their locations public IPv4 addresses. Neither the customer, nor the ISP owned that address space. Their logic was that this address space is registered on a different continent, so it's basically fair game to use it themselves. Granted, they only route it internally for a MPLS network, but still...
What I'm getting at is that NAT increases complexity and breaks properly routed end to end connections. Everyone kinda fucks up with NAT, especially ISPs (in my opinion anyway).
I can really recommend the IPv6 study material from the major internet registries (took the v6 courses from RIPE NCC myself).
IPv6 is so much simpler for subnetting, writing firewall rules,... IMO the addresses just look kinda clunky.
I've used IPv6 at home for over 20 years now. Initially via tunnels by hurricane electric and sixxs. But, around 10 years ago, my ISP enabled IPv6 and I've had it running alongside IPv4 since then.
As soon as server providers offered IPv6 I've operated it (including DNS servers, serving the domains over IPv6).
I run 3 NTP servers (one is stratum 1) in ntppool.org, and all three are also on ipv6.
I don't know what's going on elsewhere in the world where they're apparently making it very hard to gain accesss to ipv6.
I try to force everything to use IPv6. It's a huge pain to support IPv4 as a selfhoster. I never had to specify an IP manually, DNS exists for a reason.
I want to love IPv6 but it's unfortunately still basically impossible to get good proper IPv6 in the first place.
At home I'm stuck with fairly broken 6rd that can't be hardware accelerated by my router and the MTU is like 1200 which is like 20% bandwidth overhead just for headers on the packets.
On the server side, OVH does have IPv6 but it's not routed, so the host have to pretend to have all the IPv6 addresses and the OVH routers will only accept like 8 of them in use before its NDP table is full, so assigning an IPv6 to every Docker container fails miserably.
IPv6's main problem is ISPs are so invested in NAT and IPv4 infrastructure they just won't support IPv6. Microsoft, Google and Apple need to team together and start requiring functional IPv6 to create user demand, because otherwise most users don't know about CGNAT and don't care. Everything needs to complain about bad IPv6 connectivity so users complain to ISPs and pressure them into fixing it.
We were offered a /32(?) for like 1000$/yr… sounds like a good deal tbh
IPv6 or IPv4?
A /3 of IPv4 for that price is impossible, that'd be 10% of the entire IPv4 space. A /29 (32-3) would be more reasonable but 1k for a block of 8 IPs would be a massive ripoff.
Doesn't make sense for IPv6 either, as that'd be exactly the global unicast range (2::/3), but makes sense they'd give you like a huge block in there, maybe a /32 as that's what they assign to an ISP. As an end user you usually get a /48.
I enjoyed getting the IPv6 certification from Hurricane Electric. Everyone should learn about it! https://ipv6.he.net/
Off topic, but I love Hurricane Electric's website. Simple, but not ugly. Straight to the point. I find it quite charming in contrast to the hyper designed, but barely functional sites of other companies. (fuck you HPE)
I still have my IPv6 sage shirt somewhere.
Also don't forget that if you're stuck on an old network, as long as your router replies to pings you can get a tunnel for a /48 and a bunch of /64s for free. That's 65536 networks of 2^64 IP addresses to play around with. Make your own traceroute puns! Experiment with routers in virtual machines using real addresses! Make your IP address end in dead:beef:cafe!
And if you complete the quiz, they'll send you a free t-shirt. That's pretty cool.
Another thing that makes no sense is if my ISP provided prefix changes -which it will- this affects the IP addressing on my local network. Ain't noboby got time for that if you're managing a company or having anything other than a flat home network with every device equal.
IPv6 is just people shouting NAT BAD, but frankly having separate address ranges inside and outside a house is a feature. A really really useful feature. Having every device have a public IP6 address I'd an anti-featute.
if my ISP provided prefix changes... affects the IP addressing on my local network.
IPv6 is just people shouting NAT BAD... Having every device have a public IP6 address I'd an anti-featute.
If you're working in IT then you should find a new career.
Widespread IPv6 adoption is right there with the year of the Linux desktop. It's a good idea, it's always Coming Soon™ and it's probably never going to actually happen. People are stubborn and thanks to things like NAT and CGNAT, the main reason to switch is gone. Sure, address exhaustion may still happen. And not having to fiddle with things like NAT (and fuck CGNAT) would be nice. But, until the cost of keeping IPv4 far outweighs the cost of everything running IPv6 (despite nearly everything doing it now), IPv4 will just keep shambling on, like a zombie in a bad horror flick.
As an email guy, I would love IPv6, but it just isn’t gonna happen (for me).
Have been using it since late 90s, stopped using it with the shutdown of SixXs as there still were no viable native options in pretty all my infra locations. Recently started using it again as I finally have an ISP providing proper v6.
In next 10-20 years everyone will use IPv6
We mainly use ipv4, but recent laws that all public sector websites are to use IPv6, we have had to update our stack.
Now we can do IPv6 public endpoints with ipv4 backends.
We disable IPv6 often when troubleshooting a network issue. Nothing that I have seen requires IPv6, and turning it off solves more issues than we would expect even today. It’s not the first thing I’m going to try, but I’ll often do it if I have to reboot anyway.
I also uninstall Dell Optimizer and Dell Optimizer Service on sight regardless of the issue because that evil will cause problems eventually. Best to just eradicate it on sight.
You should rather find out why things break with IPv6. The best time to make IPv6 work is now.
You can pry my v4 addresses from my cold dead hands.
ipv6 isnt real.
We are going full v6 with SIIT-DC (rfc7755) with our next hardware refresh. Our mother site doesn’t but we don’t care what they do as that’s not our problem
IPv6 after so many years still is a victim of the chicken-egg-problem. People don't need it because services don't support it because people don't need it because ... and so on and so forth. I try to enable IPv6 wherever I can and I didn't have a propblem for ages. Dual stack is stable and there are actually a good amount of services that support it.
I think we should all push to implement IPv6 so that IPv4 can finally be laid to rest. Using IPv4 makes everything a bit more expensive because it is so damn expensive to get a stupid number. If someone is really scared that every computer has a publicly routable IP, and if you really think you can not configure a firewall, there is a private IPv6 space and you can use NAT with IPv6. It's not recomended but it's possible. I'd still say using a firewall is not harder and just as safe.
And there is the fact that you can make so many subnets which can make your internal network so much safer. You can controll better how packages are sent to groups because broadcast was dropped in favor of multicast. There is IPSec Support built in. Secure Neighbor Desicorvery to prevent attacks like ARP spoofing. There are a lot of reasons to implement IPv6 and even to switch to IPv6 only if possible.
Why should I use IP6 in my small home network?
Or in an SMB where there are less than 100 IP's used on a daily basis?
First I have to pay the cost of transition, along with the risk of things not working while I do this, and then the risk of something new being added and not working.
There's simply no value in these environments to switching, and a lot of risk.
Now let's look at Enterprise, where you have thousands of desktops, probably thousands of servers, extensive networking that already works (along with many, many devices that don't support IP6, like printers, scanners, access control devices, surveillance hardware, etc, etc). Are you going to pay the tens of millions to transition, and assume the risk?
IP6 is good for backbone right now. It will slowly transition into LAN for larger environments (think Enterprise when they setup new network segments, since they're buying new hardware anyway. But only after extensive testing.
But IP4 is just fine for small networks, and I don't see any reason for IP6, ever, for home and SMB LAN.
Why should I use IP6 in my small home network?
- No NAT. Especially in a home network NAT can be a hassle.
- A bit more anonymity through changing temporary adresses.
- Some people don't even have a real IPv4 address anymore in their home and only connect through CGNAT. That means that if you disable IPv6 on your computer you only use CGNAT.
- The fact that EVERYONE needs to transition to IPv6 or it doesn't make sense.
Or in an SMB where there are less than 100 IP’s used on a daily basis?
- No NAT. NAT is no firewall. If you can't set up a firewall you are honetly not qualified to be a network admin.
- Easier VPN S2S-VPN. I had a few instances where the internal IP ranges clashed.
- All the other advancements of IPv6
- The fact that EVERYONE needs to transition to IPv6 or it doesn't make sense.
First I have to pay the cost of transition, along with the risk of things not working while I do this, and then the risk of something new being added and not working.
You can transition step by step. Dual Stack is a thing.
IP6 is good for backbone right now. It will slowly transition into LAN for larger environments (think Enterprise when they setup new network segments, since they’re buying new hardware anyway. But only after extensive testing.
That makes no sense to me. Every network in itself doesn't need IPv6. The 10.0.0.0/8 range has 16 777 216 addresses. IPv6 only makes sense if everyone uses it. We bought ourselves time with NAT and CGNAT and splitting up older ranges but that won't last forever and is costly.
Everyone needs to transition otherwise services will need to keep their IPv4 forever. And if the services keep their IPv4 users don't have an incentive. Maybe we should transition BEFORE there is time pressure. Now is the time to slowly start setting everything up with enough time to plan and test firewall rules and appliances and everything else.
On my local network I want governance over my devices. I want specific firewall rules per device, so I can, for instance, block YouTube only on the kids devices. I want this to be centrally managed, so configured on my opnsense router. I want all devices to use IP6. Unfortunately none of this is possible.
To setup firewall rules I need DHCPv6, not SLAAC so my IPs on my local network that I manage are well known and fixed. Android devices don't support DHCPv6. And the designers of IP6 were daft enough to set the priority of IPv4 above that of their new protocol. So basically if you have any IPv4 addresses on a device, they'll be preferred by basically all operating systems - because that's what the spec says. So you can't run dual stack in a meaningful way.
TL;DR: IPv6 on a local network has not been thought through at all even though it's incredibly old, it's really immature.
Trash
Yes, the dumb ones will stick to IPv4 as they are unable to learn and change.
Bit rude, Whilst I understand tech changes and evolves, some are literally the Just Works meme and don't need to be rapidly changed.
"Rapidly“. IPv6 is 26 years old. And we are literally running out of IPv4 addresses.
Talk about dumb.
Are you going to assume the risk of this change, and pay the millions upon millions of dollars to make it happen, and for what benefit?
We have thousands of devices that simply don't support it (because they were designed before IP6 existed. You going to pay to replace them, and the labor to replace them, and the reprogramming to replace them, and the RISK you create while doing this?
Dumb is right. Hubris is another word that comes to mind.
If your devices are that fragile, they shouldn't be hooked up to the internet in the first place. What are you doing hooking NETBIOS token ring networks up to the web?
If you want to talk about risking breaking things, imagine the glorious lie that NAT introduced. Thanks to these old devices, your router at home/small business parses every FTP connection, every SIP message, every H.363 call, modifies its contents, and opens one or more ports in the firewall just to keep old stuff from breaking.
If your crap survived NAT, it'll survive IPv6. And if it can't use IPv6, that means you don't need to worry about it and you can just keep using IPv4 on these things like you always have!
IPv6 is 26 years old. If you are still running devices that are connected to the internet and are older than that then you have a problem.