I know it's a joke, but the idea that NAT has any business existing makes me angry. It's a hack that causes real headaches for network admins and protocol design. The effects are mostly hidden from end users because those two groups have twisted things in knots to make sure end users don't notice too much. The Internet is more centralized and controlled because of it.
No, it is not a security feature. That's a laughable claim that shows you shouldn't be allowed near a firewall.
Right, not the only reason, but it's a sticking point.
You shouldn't need to connect to your smart thermostat by using the company's servers as an intermediary. That makes the whole thing slower, less reliable, and a point for the company to sell your personal data (that last one being the ultimate reason why it's done this way).
Everyone having a static IP is a privacy nightmare.
There's a reason the recommendation in the standard for ipv6 had to be amended (it whatever the mechanic was) so that generated local suffixes aren't static. Before that, we were essentially globally identifiable because just the second half of your v6 address was static.
publicly addressable does not mean publicly routable… your router would still not arbitrarily connect untrusted external devices to internal hosts
NAT has the property of a firewall only as an implementation detail. replacing NAT with an IPv6 firewall in the router is an upgrade in every conceivable way
My comment wasn't even ipv6 specific, quite the opposite. The comment I was replying to also wasn't, and the implication that things would be better if everyone had a fixed IP(v4) was actually the specific privacy nightmare scenario I wanted to emphasize. That is the literal worst case of all.
Things can be mitigated somewhat with IPv6, but also only to a degree. Here you'd (usually) have a static prefix and not IP. You then need to use the randomized suffix generation (on a host level, or in DHCPv6 if you're using that), and not all OS so this by default, but I think Windows does these days. Advertising data collectors, which means basically every web site, could just assume that your prefix is stable and the information they gain if they happen to be correct it's... uncomfortable.
Which is why IPv6 was created. Everything used to get a public routable IP. Large company’s such as ATT and IBM got a whole /8 to themselves. NAT made it so we did not run out of IP’s in the 2000’s
I worked with one of the inventors of IPv6 for a bit of time, and I think knowing Carl really gave me an insight into who IPv6 was invented for, and that's the big, big, big networks — peering groups that connect large swaths of the Internet with other nations' municipal or public infrastructure.
These groups are pushing petabytes of data every hour, and as a result, I think it makes their strategists think VERY big picture. From what I've seen, IPv6 addresses very real logistical problems you only see with IPv4 when you're already dealing with it on a galactic scale. So, I personally have no doubt that IPv6 is necessary and that the theory is sound.
However, this fuckin' half-in/half-out state has become the engine of a manifold of security issues, primarily bc nobody but nerds or industry specialists knows that much about it yet. That has led to rushed, busy, or just plain lazy devs and engineers to either keep IPv6 sockets listening, unguarded, or to just block them outright and redirect traffic to IPv4 anyway.
Imo there's not much to be done besides go forward with IPv6. It's there, it's tested, it's basically ready for primetime in terms of NIC chip support... I just wish it weren't so obtuse to learn. :/
However, this fuckin’ half-in/half-out state has become the engine of a manifold of security issues, primarily bc nobody but nerds or industry specialists knows that much about it yet. That has led to rushed, busy, or just plain lazy devs and engineers to either keep IPv6 sockets listening, unguarded, or to just block them outright and redirect traffic to IPv4 anyway.
Its kind of interesting to me how conservative the IT industry is with stuff like this.
The industry loves to say "move fast and break things" or "innovate and disrupt", but that generally only applies to things that can be shat out in a two week long Python project (or shat out in 2 weeks after publicly funded universities spent years figuring out the algorithm for you). For anything foundational, like CPU architecture, operating systems, or the basic assumptions about how UI should work, they're terrified of change.
There is something there, but mostly I think existing net admins try to map their existing IPv4 knowledge onto IPv6. That doesn't work very well. It needs to be treated as its own thing.
I couldn't figure it until I turned my brain off and just read the documentation. I was thinking in IPv4 logic, because everyone had told me it was just "bigger IPv4" - it's not. It's so much more, and better.
Funny how I never once criticized, or even mentioned, IPv6s complexity, yet that is the aspect you chose to so valiantly defend. Quite telling, isn’t it?
We use NAT all the time in industrial settings. Makes it so you can have select devices communicate with the plant level network, while keeping everything else common so that downtime is reduced when equipment inevitably fails.
no instead you yell the IP address and they spend 30min trying to debug why they can’t ping it or even get ICMP packets through and then you realise you yelled the private IP address and they were on the wrong side of the NAT
This is equipment that uses all statically addressed devices. And ignoring the fact that IPv6 is simply unsupported on most of them, there are duplicate machines that share programs. Regardless of IP version you need NAT anyway if you want to be able to reach each of the duplicates from the plant network.
yes.. that’s why every machine has its own IP address… so that they can both use the same port and you don’t have to connect to crazy bullshit like https://myhomerouter.example.com:8443/
My favorite thing to use IPv6 for is to use the privacy extension to get around IP blocks on YouTube when using alternative front ends. Blocked by Google on my laptop? No problem, let me just get another one of my 4,722,366,482,869,645,213,696 IP addresses.
I have a separate subnet which is IPv6 only and rotates through IP addresses every hour or so just for Indivious, Freetube and PipePipe.
TL;DR is that SLAAC used to use part of your device MAC to form it's IP, which would be trackable/fingerprintable. Now devices just pick the last 48-bits at complete random on the assumption that no other device is going to have that specific address out of the 4 quintilion available addresses.
Mostly, I'm not big enough to trigger anything there.
Also, since ISPs usually only get a single humongous IPv6 block, it's actually pretty hard to know what is okay to block. Somebody might be on a /48, /56 or /64 network but they might also just have a single IPv6 address. Since you're blocking quintillions of IP addresses with each /64 net, the risk of hitting innocent IPs is high.
Also also, I'm not sure if Google is actually prepared for such a case. Since all the requests coming from Invidious just seem like legit unauthenticated requests, it's hard to flag them on IPv6 when the IPs are fully randomized.
Still, Google is moving towards requiring a login for everything. So I assume that method won't work for much longer.
fc00::/7 is the private network range (for non routing v6)
fe80::/64 is link local (like apipa but it never changes)
::1/128 is loopback
/64 is the smallest network allocation, and you still have 64 bits left for devices.
You don't need NAT when you can just do firewalling - default drop new connections on inbound wan and allow established, related on outbound wan like any IPv4 firewall does.
Use DHCPv6 and Prefix Delegation (DHCPv6-PD) to get your subnets and addresses (ask for a /60 on the wan to get 16 subnets).
Hook up to your printer using ipv6 link local address - that address never changes on its own, and now you don't have to play the static ip game to connect to it after changing your router or net config.
The real holdup is ISPs getting ultra cheap routers that use stupid network allocation systems (AT&T) that are incompat with the elegant simplicity of prefix delegation and dhcp.
On my home network I make sure that my PDs are the same as my VLAN IDs so that I can at least know where a device is based on its IP. If I was smart I would also line them up with the IPv4 subnets as well.
NAT is like package delivery IRL. If you’re a server and send a package to a client without NAT, that’s like sending a delivery boy to deliver pizza, goes straight from source to destination.
But with NAT it’s like ordering a package online. It first will be delivered to a distribution center, and then a delivery warehouse in your area, and then the courier delivers packages to all people on his route.
It’s way more complex and you now have a whole bunch of points of failure.
For regular nat it's like the pizza is able to get all the way to your house but then has no idea who to go to so somebody has to answer the door and then take the pizza from the door to the person who ordered it themselves.
And IPv6 is like the pizza delivery guy just walks right into the house up the steps into your bedroom and hands you the pizza directly.
The best part is they each have the same exact problems you'd have in real life.
Let me one up this. IPv4 NAT is like the pizza guy has to deliver to you, but you live in a gated community with a strict no visitors policy, which does not allow you to even mention what unit you're in, and none of the addresses in the community are registered with the post office or on Google Maps either. Instead, you tell the guardhouse you want to order, and they order the pizza for you. The pizza guy delivers to the guardhouse, and the guardhouse delivers the pizza to you.
IPv6 (with firewalling) is like a normal gated community, you order the pizza and include the unit number, and the delivery driver can deliver your pizza directly, as long as the guardhouse approves.
The difference is, with NAT, the guardhouse has to both guard (firewall) and route (keep track of all deliveries, and deliver) your packages, where with IPv6, the guardhouse (firewall) only has to guard (firewall) the entry point.
i kinda love that this explanation is so much more complex not because it adds nothing but precisely because it adds a lot of realism: NAT is actually just far more complexity and processing
Perfect, perfect analogy. Like, seriously, I've hardly ever seen an analogy that works so flawlessly where even the implications just line up perfectly.
And yet, in the real world we actually use distribution centers and loading docks, we don’t go sending delivery boys point to point. At the receiving company’s loading docks, we can have staff specialise in internal delivery, and also maybe figure out if the package should go to someone’s office or a temporary warehouse or something. The receiver might be on vacation, and internal logistics will know how to figure out that issue.
Meanwhile, the point-to-point delivery boy will fail to enter the building, then fail to find the correct office, then get rerouted to a private residence of someone on vacation (they need to sign personally of course), and finally we need another delivery boy to move the package to the loading dock where it should have gone in the first place.
I get the ”let’s slaughter NAT” arguments, but this is an argument in favour of NAT. And in reality, we still need to have routing and firewalls. The exact same distribution network is still in use, but with fewer allowances for the recipient to manage internal delivery.
Personal opinion: IPv6 should have been almost exactly the same as IPv4, but with more numbers and a clear path to do transparent IPv6 to IPv4 traffic without running dual stack (maybe a NAT?). IPv6 is too complex, error prone and unsupported to deploy without shooting yourself in the foot, even now, a few decades after introduction.
in the real world we actually use distribution centers and loading docks
because we can pass packages in bulk between large distances… in routing, it’s always delivery boys: a single packet is a single packet: there’s no bulk delivery, except where you have eg a VPN packing multiple packets into a jumbo frame or something…
the comment you’re replying to is only providing an analogy: used to explain a single property by abstraction; not the entire thing
we can have staff specialise in internal delivery
but that’s not at all how NAT works: its not specialising in delivery to private hosts and making it more efficient… it’s a layer of bureaucracy (like TURN servers and paperwork - the lookup tables and mapping) that adds complexity, not because it’s ideally necessary but just because of limitations in the data format
routers still route pretty much exactly the same in IPv6 direct or NAT, but just at the NAT layer public IP and port is remapped to internal addresses and ports: the routing is still exactly the same, but now your router has to do extra paperwork that’s only necessary because of the scheme used to address
In the real world, addresses are an abstraction to provide knowledge needed to move something from point A to point B. We could use coordinates or refer to the exact office the recipient sits in, but we don’t. Actually, we usually try to keep it at a fairly high level of abstraction.
The analogy is broken, because in the real world, we don’t want extremely exact addressing and transport without middlemen. We want abstract addresses, with transport routing partially to fully decoupled from the addressing scheme. GP provides a nice argument for IPv4.
I know how NAT works, but we are working within the constraints of a very broken analogy here. Also yes, internal logistics can and will be the harbinger of unnecessary bureaucracy, especially when implemented correctly.
IPv6 is too complex, error prone and unsupported to deploy without shooting yourself in the foot, even now, a few decades after introduction.
Which is purely down to people not testing things before releasing them, because the support is there but there's layers of unnecessary stuff put in the way. Like I had an old ISP provided router that ran Linux, but the management UI was only ever tested against v4 networks so none of the v6 stuff was actually hooked up correctly.
Support in desktops and mobile devices is effectively 100%, but even in embedded hardware there's often full support, just not enabled correctly or tested.
Lustre 2.16 got released recently, so in a year or so you may actually be able to run commercially supported Lustre with IPv6 support. Yay!
After that, it’s only a matter of time before it’s finally possible to start testing supercomputers with IPv6! (And finally building a production system with IPv6 a few more years after that, when all the bugs have been squashed)
Look at the Top500 list. Fucking everyone runs Lustre somewhere, and usually old versions. The US strategic nuclear weapons research is practically all on Lustre. My guess is most weather forecasting globally runs on Lustre. (Oh, and a shitton of AI of course.)
Up until now, you were stuck with mounting your filesystem over IPv4 (well, kinda IPv4 over RDMA, ish). If you want commercial support for your hundreds of petabytes (you do), you still can’t migrate. And this isn’t a small indie project without testers, it’s commercially supported with billions in revenue, supporting compute hardware for even more money.
My point with this rambling is that a open source software that is this widely deployed, depended upon and this well funded, still failed to roll out IPv6 support until now. The long tail of migrating the world to IPv6 hasn’t even begun yet, we are still in the early days. Soon someone will start looking at the widely deployed, depended upon and badly funded stuff.
And maybe, if IPv6 didn’t try to change a bunch of extra stuff, we’d be further along. (Though, in the specific case of Lustre, I’ll gladly accuse DDN and Whamcloud for being incompetent…)
I mean yeah, there's extra stuff layered on top of the underlying protocols that is badly designed. Docker was built with a hard dependency on IPv4, so was the Dat protocol. If these things were designed properly from the start we wouldn't be having these issues.
Apple was smart here, they mandate that iOS apps must support single stack IPv6 only and perform functional testing of that as part of the app store process. Devs can't get away with pretending it's not necessary and not wiring up support for it.
Having multiple hosts under one address for all hosts is annoying. Port forwarding is annoying. Some isps have their own nat and want you to pay additionally for public ip address
In my personal life I will probably "never" intentionally use ipv6.
But it is a DAMNED good sniff test to figure out if an IT/NT team is too dumb to live BEFORE they break your entire infrastructure. If they insist that the single most important thing is to turn it off on every machine? They better have a real good reason other than "it's hard"
Problem is, yes it’s hard to implement but it’s even a lot harder to get it properly secured. Especially because few people are using it, and not securing it is worse than disabling it.
My detailed explanation at my old job is that the dev team was full of idiots who hardcoded ipv4 addresses into their fucking code. Seriously. When we migrated from data center to cloud they had to go patch everything. The CTO wouldn't do shit about it and the director was just there riding things out until retirement.
Realistically no organization has so many endpoints that they need IPv6 on their internal networks. There's no reason to deal with more complicated addressing schemes except on the public Internet. Only the border devices should be using IPv6.
Hopefully if an organization has remote endpoints which are connecting to the internal network over the Internet, they are doing that through a VPN and can still just be assigned IPv4 addresses on dedicated VLANs when they connect.
If you don't have ipv6 internally, you probably can't access ipv6 externally. 6to4 gateways are a thing. 4to6? Not so much.
And this is why ipv6 will ultimately take another 20 years for full coverage. If it was more backwards compatible from the starting address-wise then this would all have been smoother. Should have stuck with point separators. Should have assumed zero padding for v4 style addresses rather than a prefix
The reason IPv6 was originally added to the DOCSIS specs, over 20 years ago, is because Comcast literally exhausted all RFC1918 addresses on their modem management networks.
My favourite feature of IPv6 is networks, and hosts therein, can have multiple prefixes and addresses as a core function. I use it to expose local functions on only ULA addresses, but provide locked down public access when and where needed. Access separation is handled at the IP stack, with IPv4 it’s expected to be handled by a firewall or equivalent.
My favorite feature of IPv6 is that there are so many addresses available. Every single IPv4 address right now could have its own entire IPv4 range of addresses in IPv6. It's mind-boggling huge.
After looking up some numbers, I note we could give every single square MILLIMETER on the planet its own entire IPv4 address space.
…And then every one of those IPv4 addresses could have its own entire copy of the IPv4 address space!
…And that would just be a drop in the bucket compared with IPv6! One good comparison I’ve seen is that you could assign an address to every atom on the surface of the earth (but not inside it) and have enough left over for 100+ more earths.
Rough math for the square millimeters:
The surface area of the earth is roughly 510 trillion square millimeters. Let’s round that up to a quadrillion or 10^15^.
The number of IPv6 addresses is 2^128^ or 3.4x10^38^. To be conservative again, let’s just round that down to 10^38^.
10^38^ / 10^15^ = 10^23^ IPv6 addresses per square mm of earth.
IPv4 address space is 2^32^ or around 4 billion. let’s round up to 10 billion or 10^10^.
So then 10^23^ / 10^10^ = 10^13^ IPv6 addresses per IPv4 address per square mm of earth.
10^13^ / 10^10^ =
1,000 IPv6 addresses
per IPv4 address
per IPv4 address
per square mm of earth.
And that was with the conservative estimates along the way. I think it would actually be tens of thousands.
many “unused” IP addresses are unused because they’re kinda like having spare parts: if you’re planning on extending your network in the futures, your IP block kinda should reflect your end state (ie the parts you need over time to replace or “build” new hosts)
or for blue/green deployments where it’s likely that at least half the IP range will be used in terms of process, but unused most of the time in terms of reachability
and then there’s weird things with splitting up IP blocks into subnets with a division of 3 (the minimum needed for dealing with net splits etc) - eg across availability zones… there are always “waste” IPs because you can’t divide multiples of 8 cleaning into 3
I use IPv6 every day and everywhere I can. It solves so many issues in large corporate and ISP network setups. And yes 10. Wasn’t big enough, and NATing is a PitA.
Honestly we just keep pushing it off when it’s not that bad. Workaround after workaround just because people are lazy.
IPv6 isn't just a larger IPv4. There are features inherent to it, like link-local actually functioning and being predictable, unlike APIPA in v4 which was grafted on as an afterthought and breaks more than it works.
It also functions router-less. You can grab 30 10-port switches and just stick them together and start plugging computers in. It will work without configuration or an authority.
I am all v6 internally, but that's not because I have a splatillion devices, but rather it's just better and easier to manage.
Well sometimes the lla is not predictable, some stacks take privacy addresses to lla, which is silly but they do it. Of course you can multicast ping and check your neighbor table to get the lla chosen in such cases.
You have two teams that independently set up private networks but now someone has to talk to them both?
In IPv4, they likely stepped on the same private subnets. In ipv6, they pretty much certainly did not step in the same ULA prefixes. My VPN setup is a mess of a maze to deal with the fact that most things I connect to are all independently allocated 10. subnets, with the IPv6 focused customer being easiest.
Also, if you want to embed information in your addressing, like vlan I'd or room information.
Besides, you can have addresses like fd37:5f1a:b4c1::feed:face, and that's fun isn't it?
Meh, the idea of having every address be globally routable makes a lot of sense. NAT is a great bandaid but it's still a bandaid. It still limits how peer to peer and multicast applications function, especially on larger networks.
NAT444 is shit. I can't even host a web server without routing it through a VPN, and my ISP can't work out how to provide an IPv6 addresses yet. Give it to me and I will work out how to use it.
Slight update - Just looked and apparently they had a goal of rolling out IPv6 addresses to all customers by earlier this year. I'll check my router config tomorrow and who knows. Maybe I will be able to get one now? Would be pretty sweet.
I am sorry to interrupt, my ISP gave me an ipv6 address, but I just can't access anything through it even when I specify it in the firewall, maybe they are blocking this functionality because they sell static ips.
Just my perspective as a controls (SCADA engineer):
I work for a large power company. We have close to 100 sites, each with hundreds of IP devices, and have never had a problem with ipv4. Especially when im out in the field I love being able to check IPs, calculate gateways, etc at a glance. Ipv6 is just completely freaking unreadable.
I see the value of outward-facing ipv6 devices (i.e. devices on the internet), considering we are out of ipv4s. But I don't see why we have to convert private networks to ipv6. Put more bluntly: at least industry, it just isn't gonna happen for decades (if it ever does). Unless you need more IPs it's just worse to work with. And there's a huge amount of inertia- got one singular device that doesn't talk ipv6 at a given generation site? What are you supposed to do?
I was going to say, my friend has to maintain some fucking DOS systems because their ancient embroidery machines only want to talk to software as old as they are, over connections as old as they are.
If you set up your DNS correctly then you don't even need the IPs. Just give devices unique, human-readable names and maybe do separate sub-domains for each site or something.
Oh, now that you mention it I've never tried to map a static DNS entry to a device without DNS. Welp, time to get thousands of raspberry pi's to act as IP KVMs!
That would imply en existence of display/usb outputs…
We’re essentially talking a bunch of embedded devices talking to each other. You can give them all the dns entries you want, but if they (or the programming environment) don’t support DNS lookup you might as well put your dns server in excel.
The microcomputers (raspberry pi, arduino, whatever) could have a modern network interface and relay the communication to the embedded devices over oldschool serial. But yeah, straight DNS wouldn't work. I like the idea though, gonna start posting my 10 favorite IP addresses on a piece of paper on the fridge. Who needs excel!
I’m a protective relay settings engineer at a contractor for lots of power companies. I’m dipping my toes into my first substation automation project. Getting to design the device native files, IPs, and other networking parts from the drawings package of site and device manuals. It’s all SEL equipment with a gateway at the top and local powerWAN, RTAC, annunciators, and relays below. I live thousands of miles from the site, so local testing would be challenging but probably have to fly or something lol. I have been doing some research on how to emulate this is a lab setting when all you have is the RTAC and some relays. Is this something SCADA engineers have to do sometimes? Like if you need to test a scheme when you can’t build it physically first?
Hey, interesting question. First of all, yes—I definitely have had to program RTUs, RTACs etc in the office and then send it out and hope it works. However, we have remote access to all of our sites through our company VPN, so as long as everything is physically connected correctly and everything is talking to each other I can just push new RTAC settings later. I don't really do much with relays, that falls more on our electrical engineering team. What exactly about your scheme are you looking to test? Are you talking about a relay protection scheme?
I'm fully transitioned. The first step was getting an Internet provider that featured it. I had to change providers for that. Then I had to find equipment that worked. Some of the things that have an early implementation of IPv6 don't actually work. It's like they never actually tested it. Then I had to integrate IPv6 in the way everything worked. I'm a big user of unique local adresses, which I feel isn't a really well known feature.
Ipv6 is broken for those that want control over their home networks thanks to Google and terribly written RFCs.
All that was needed was an extra byte or two of address space, but no, some high and mighty evangelicals in their ivory towers built something that few people understand 30 years later. Their die hard fans are sure that this will be the year of ipv6. The Year of Linux on the Desktop will come 10 years before the year of ipv6.
I want per device firewall and DNS rules for myself, the wife and the kids. With opnsense or pfsense I don't believe this is possible with SLAAC, which is what android only supports.
Shove all devices on a flat network with no special firewall rules and you are probably golden. But trying to control your own network, last few times I've tried, is impossible.
I've done this using separate networks, each device group I want to treat differently get's its own subnet/vlan pair and I firewall the whole vlan. No matter what ips clients have (or even what ips they statically set themself) they can't get past the firewall.
To physically get them connected to the network I use something similar to this config to have one wpa2-personal ssid that leads to multiple vlans depending on the password. Though you could also have multiple ssids with one vlan each or even wpa2-enterprise.
The router doesn't know the IP of android devices (though it doesn't need to), it only knows the vlans of the clients and what network they come from.
For all other clients I have dhcpv6.
DNS is on the router and can be set for each network.
I've recently changed isp and am now hitting CGNAT problems. I have been running Nextcloudpi for years and now I can't access it from outside.
I've trying to understand if I can fix the problem using IPv6 but from what you've said I'm now wondering if a vps is the solution?
I deal with cgnat on my 2 isps at home. Install tailscale on your vps and your router at home and then on your router you can share subnet devices over your tailscale network. Install a reverse proxy on your vps.
If set up correctly you can route a human readable web address (jellyfin.example.com) to your vps static ip address and then to, for example, a docker container with local address 192.168.100.1:8096, via reverse proxy.
Yeah, had the same issue with my ISP, but at least they switched me back to ipv4 after a support call. Didn't want to pay extra for the privilege of not being reachable from the outside anymore.
Well of course, how else would you trick script kiddies that figured out when they DDOSed 127.0.0.1 and learned what a loop back was, and get them again in a few weeks with "ok ok my real address is 127.34.21.2"
not sure if you are joking, but any valid IP4 address starting with 127. does the same thing, loopback. 127.0.0.1 is just the standard most people use, you could use 127.127.127.127, or 127.1.1.1 or any random numbers 0 and 254 for the second 2, and 1 and 254 for the last and the effects will be identical.
In fact, it's so standard that there's a bunch of shitty code out there that thinks 127.0.0.1 is the only loopback address.
I'm thinking of a networked Chinese laser cutter that we put on our 10.0.0.0/16 network in the makerspace. It seems to think that 10.0.1.1 and 10.0.2.1 are on different networks. Wouldn't be surprised if it does a similar mistake with loopback addresses.
A /8 subnet is basically everything after the first of the four segments, e.g. 127.*.*.*. marine_mustang was saying that loopback (what you think of as only 127.0.0.1) is actually an entire subnet, so any address that starts with 127 will hit the loopback interface. TIL, never thought about it much before.
NAT is not much different to a firewall though… just because the address space is publicly routable does not mean that the router has to provide a route to it, or a consistent route
NAT works by assigning a public port for the outgoing stream different to the internal port, and it does that by inspecting packets as they go over the wire: a private machine initiates a connection, assign an arbitrary free port, and sends that packet off to the router, who then reassigns a new port, and when packets come in on that port it looks up the IP and remapped port and substitutes them
that same process can easily be true in IPv6 but you don’t need to do any remapping: the private machine initiates a connection, and the router simply marks that IP and port combination as “routable” rather than having to do mappings as well
No, but it’s far easier to explain how to configure your home network such that 182.168.1.* is for your regular devices like laptops, etc. and 192.168.2.* is for your IoT devices. Then block all access from 192.168.2.* to the internet so your IoT devices can’t “phone home”, can’t auto-update without your knowledge, can’t end up as part of a botnet, etc.
That's the thing, you are still thinking in ipv4 terms, and that's ok. It's a different way to think of things using ipv6 and the proper way to configure them. No worries tho. Not like you are being forced to ipv6 for internal home networks.
I know its a joke but man its annoying to go from something that is organized in a human readable way to one where you have to rely on the system. I am someone who hates databases though so I have always been like this. Heck way back in the aughts I used to complain that my job involved more seeing and issues and fixing it and the systems were getting to were I feel more like im counseling it.
Its really not possible to remember an IPv6. I mean it is but its really an abandonment on human level and a solution that leverage dhcp which was common anyway. Its about as easy as a hardware address.
skill issue. Your ISP isn't giving you a /128, you don't have to remember a whole ass SLAAC address. My desktop has like 4 IPv6 addresses most of the time, but I only have to remember the one I assigned it and my network prefix. This is one of the advantages of IPv6; you can have an easy to remember, and SLAAC, and privacy-extension addresses all at once.
I can't prove it, but I'm typing this from my head- 2a05:f6c7:8321::10
That's about as human readable as IPv4.
bro just add another octet to the end of ipv4. That goes from 4 billion to a trillion and will most definitely outlast modern electronics and capitalism
Hi I have no idea what I’m doing when it comes to networking. I have ipv6 off on my home network because I was scared of accidentally exposing things outside of my home network. I’m using Ubiquiti. Can someone give me/link me a crash course on how to setup ipv6 without introducing any security holes into my network? Maybe also a crash course in firewalls.
Block new connections inbound on the router's wan. Also block ping if you don't want pings to find you. That's the most basic setup for firewalling on the udm, ipv4 and 6. Every router in 2025 should be able to block new inbound on ipv6.
I know it's a joke, but the idea that NAT has any business existing makes me angry. It's a hack that causes real headaches for network admins and protocol design. The effects are mostly hidden from end users because those two groups have twisted things in knots to make sure end users don't notice too much. The Internet is more centralized and controlled because of it.
No, it is not a security feature. That's a laughable claim that shows you shouldn't be allowed near a firewall.
Fortunately, Google reports that IPv6 adoption is close to cracking 50%.
I think NAT is one reason why the internet is so centralized. If everyone had a static IP you could do all sorts of decentralized cool stuff.
Right, not the only reason, but it's a sticking point.
You shouldn't need to connect to your smart thermostat by using the company's servers as an intermediary. That makes the whole thing slower, less reliable, and a point for the company to sell your personal data (that last one being the ultimate reason why it's done this way).
Everyone having a static IP is a privacy nightmare.
There's a reason the recommendation in the standard for ipv6 had to be amended (it whatever the mechanic was) so that generated local suffixes aren't static. Before that, we were essentially globally identifiable because just the second half of your v6 address was static.
IPv4 centralization creates far more privacy issues than everyone having a static IP. The solutions are still things like VPNs and onion routing.
publicly addressable does not mean publicly routable… your router would still not arbitrarily connect untrusted external devices to internal hosts
NAT has the property of a firewall only as an implementation detail. replacing NAT with an IPv6 firewall in the router is an upgrade in every conceivable way
I'm aware of that, and didn't say otherwise?
My comment wasn't even ipv6 specific, quite the opposite. The comment I was replying to also wasn't, and the implication that things would be better if everyone had a fixed IP(v4) was actually the specific privacy nightmare scenario I wanted to emphasize. That is the literal worst case of all.
Things can be mitigated somewhat with IPv6, but also only to a degree. Here you'd (usually) have a static prefix and not IP. You then need to use the randomized suffix generation (on a host level, or in DHCPv6 if you're using that), and not all OS so this by default, but I think Windows does these days. Advertising data collectors, which means basically every web site, could just assume that your prefix is stable and the information they gain if they happen to be correct it's... uncomfortable.
ah! sorry i misread/misunderstood privacy to mean security in your comment :)
Which is why IPv6 was created. Everything used to get a public routable IP. Large company’s such as ATT and IBM got a whole /8 to themselves. NAT made it so we did not run out of IP’s in the 2000’s
My isp and router both claim to have IPv6 but every test site has failed.
There is likely a filter you need to turn off.
Fine, I won't invite you to our bi-annual TURN server appreciation event.
You are right, but I wish ipv6 was less shitty of a replacement.
I worked with one of the inventors of IPv6 for a bit of time, and I think knowing Carl really gave me an insight into who IPv6 was invented for, and that's the big, big, big networks — peering groups that connect large swaths of the Internet with other nations' municipal or public infrastructure.
These groups are pushing petabytes of data every hour, and as a result, I think it makes their strategists think VERY big picture. From what I've seen, IPv6 addresses very real logistical problems you only see with IPv4 when you're already dealing with it on a galactic scale. So, I personally have no doubt that IPv6 is necessary and that the theory is sound.
However, this fuckin' half-in/half-out state has become the engine of a manifold of security issues, primarily bc nobody but nerds or industry specialists knows that much about it yet. That has led to rushed, busy, or just plain lazy devs and engineers to either keep IPv6 sockets listening, unguarded, or to just block them outright and redirect traffic to IPv4 anyway.
Imo there's not much to be done besides go forward with IPv6. It's there, it's tested, it's basically ready for primetime in terms of NIC chip support... I just wish it weren't so obtuse to learn. :/
Its kind of interesting to me how conservative the IT industry is with stuff like this.
The industry loves to say "move fast and break things" or "innovate and disrupt", but that generally only applies to things that can be shat out in a two week long Python project (or shat out in 2 weeks after publicly funded universities spent years figuring out the algorithm for you). For anything foundational, like CPU architecture, operating systems, or the basic assumptions about how UI should work, they're terrified of change.
There is something there, but mostly I think existing net admins try to map their existing IPv4 knowledge onto IPv6. That doesn't work very well. It needs to be treated as its own thing.
I couldn't figure it until I turned my brain off and just read the documentation. I was thinking in IPv4 logic, because everyone had told me it was just "bigger IPv4" - it's not. It's so much more, and better.
Funny how I never once criticized, or even mentioned, IPv6s complexity, yet that is the aspect you chose to so valiantly defend. Quite telling, isn’t it?
Ipv6 took awhile for me to understand. One of the biggest hurdles was how is it secure without NAT.
IPv6 is the natural Internet. Things are either allowed or forbidden to connect.
NAT is just a kludge.
Can you share more details please?
We use NAT all the time in industrial settings. Makes it so you can have select devices communicate with the plant level network, while keeping everything else common so that downtime is reduced when equipment inevitably fails.
That's nothing that can't be done with a good set of firewalls on IPv6.
The one thing you can't do with IPv6 is yell the address across the room to the technician plugged into the switch trying to ping the node.
no instead you yell the IP address and they spend 30min trying to debug why they can’t ping it or even get ICMP packets through and then you realise you yelled the private IP address and they were on the wrong side of the NAT
This is equipment that uses all statically addressed devices. And ignoring the fact that IPv6 is simply unsupported on most of them, there are duplicate machines that share programs. Regardless of IP version you need NAT anyway if you want to be able to reach each of the duplicates from the plant network.
yes.. that’s why every machine has its own IP address… so that they can both use the same port and you don’t have to connect to crazy bullshit like https://myhomerouter.example.com:8443/
Good luck trying to find industrial stuff that supports IPv6, hell most of it is still serial.
I have legit heard that serial is security mechanism because it cannot communicate long distance like ethernet.
Of course you can do IPv6 magic that hides IPv6 from the end device, but nobody understands how that magic works.
it’s not magic… it’s a firewall, and it works pretty much exactly the same as a NAT: a whitelist of IP and port combinations
My favorite thing to use IPv6 for is to use the privacy extension to get around IP blocks on YouTube when using alternative front ends. Blocked by Google on my laptop? No problem, let me just get another one of my 4,722,366,482,869,645,213,696 IP addresses.
I have a separate subnet which is IPv6 only and rotates through IP addresses every hour or so just for Indivious, Freetube and PipePipe.
This is exactly why ipv6 was never widely adopted. There's too much power in a limited IP pool.
Define "widely".
According to Google 46.09% of their traffic is IPv6 and most servers support it. It's mostly large ISPs dragging their feet.
I think it's just a few domestic US ISPs. The rest of the world has been happily using it for quite some time.
I've never seen functional ipv6 except at university, and I would only consider gci large in terms of coverage area and price.
Could you link the privacy extension in question I haven't heard of it
it's not a browser extension, its a SLAAC thing https://www.internetsociety.org/resources/deploy360/2014/privacy-extensions-for-ipv6-slaac.
TL;DR is that SLAAC used to use part of your device MAC to form it's IP, which would be trackable/fingerprintable. Now devices just pick the last 48-bits at complete random on the assumption that no other device is going to have that specific address out of the 4 quintilion available addresses.
edit the RFC https://datatracker.ietf.org/doc/html/rfc4941
Thanks, might have to try that sometime.
Sure, it's part of the IPv6 spec:
https://www.internetsociety.org/resources/deploy360/2014/privacy-extensions-for-ipv6-slaac/
https://datatracker.ietf.org/doc/html/rfc8981
What is stoping Google from just blocking your entire IP-Block?
Mostly, I'm not big enough to trigger anything there.
Also, since ISPs usually only get a single humongous IPv6 block, it's actually pretty hard to know what is okay to block. Somebody might be on a /48, /56 or /64 network but they might also just have a single IPv6 address. Since you're blocking quintillions of IP addresses with each /64 net, the risk of hitting innocent IPs is high.
Also also, I'm not sure if Google is actually prepared for such a case. Since all the requests coming from Invidious just seem like legit unauthenticated requests, it's hard to flag them on IPv6 when the IPs are fully randomized.
Still, Google is moving towards requiring a login for everything. So I assume that method won't work for much longer.
Hah, do they not just block the whole /64? That's actually really funny.
Skill issue
IPv6 is easy to do.
2000::/3 is the internet range
fc00::/7 is the private network range (for non routing v6)
fe80::/64 is link local (like apipa but it never changes)
::1/128 is loopback
/64 is the smallest network allocation, and you still have 64 bits left for devices.
You don't need NAT when you can just do firewalling - default drop new connections on inbound wan and allow established, related on outbound wan like any IPv4 firewall does.
Use DHCPv6 and Prefix Delegation (DHCPv6-PD) to get your subnets and addresses (ask for a /60 on the wan to get 16 subnets).
Hook up to your printer using ipv6 link local address - that address never changes on its own, and now you don't have to play the static ip game to connect to it after changing your router or net config.
The real holdup is ISPs getting ultra cheap routers that use stupid network allocation systems (AT&T) that are incompat with the elegant simplicity of prefix delegation and dhcp.
On my home network I make sure that my PDs are the same as my VLAN IDs so that I can at least know where a device is based on its IP. If I was smart I would also line them up with the IPv4 subnets as well.
I hope nat burns in hell when ipv6 will become standard
Any day now brother
It's the year of the ipv6 server
mind explaining? All 8 know about Nat is that it sometimes didn't let me play rainbow six siege
NAT is like package delivery IRL. If you’re a server and send a package to a client without NAT, that’s like sending a delivery boy to deliver pizza, goes straight from source to destination.
But with NAT it’s like ordering a package online. It first will be delivered to a distribution center, and then a delivery warehouse in your area, and then the courier delivers packages to all people on his route.
It’s way more complex and you now have a whole bunch of points of failure.
That's a great analogy for carrier grade nat.
For regular nat it's like the pizza is able to get all the way to your house but then has no idea who to go to so somebody has to answer the door and then take the pizza from the door to the person who ordered it themselves.
And IPv6 is like the pizza delivery guy just walks right into the house up the steps into your bedroom and hands you the pizza directly.
The best part is they each have the same exact problems you'd have in real life.
Let me one up this. IPv4 NAT is like the pizza guy has to deliver to you, but you live in a gated community with a strict no visitors policy, which does not allow you to even mention what unit you're in, and none of the addresses in the community are registered with the post office or on Google Maps either. Instead, you tell the guardhouse you want to order, and they order the pizza for you. The pizza guy delivers to the guardhouse, and the guardhouse delivers the pizza to you.
IPv6 (with firewalling) is like a normal gated community, you order the pizza and include the unit number, and the delivery driver can deliver your pizza directly, as long as the guardhouse approves.
The difference is, with NAT, the guardhouse has to both guard (firewall) and route (keep track of all deliveries, and deliver) your packages, where with IPv6, the guardhouse (firewall) only has to guard (firewall) the entry point.
i kinda love that this explanation is so much more complex not because it adds nothing but precisely because it adds a lot of realism: NAT is actually just far more complexity and processing
Sounds good to me
Perfect, perfect analogy. Like, seriously, I've hardly ever seen an analogy that works so flawlessly where even the implications just line up perfectly.
I am in awe.
Lol
Waiting for IPv8 when the delivery guy takes a slice and feeds it to me so I don't need to worry about greasy fingers.
The good ol' American ipV8 motor
Nah that's just ransomware
Why are we eating pizza in the bedroom
I was eating salad in my bedroom 2:30 in the morning today.
Me: Fuck, can't sleep I'm hungry. You want anything? Wife: yeah, fill up my water bottle and bring me something to eat.
I went downstairs, made two loaded salads and brought them up to the bedroom.
I might in fact be getting old.
If you can eat a salad and then lay down without getting an explosion of acid reflux, maybe you aren't old yet 😂
And yet, in the real world we actually use distribution centers and loading docks, we don’t go sending delivery boys point to point. At the receiving company’s loading docks, we can have staff specialise in internal delivery, and also maybe figure out if the package should go to someone’s office or a temporary warehouse or something. The receiver might be on vacation, and internal logistics will know how to figure out that issue.
Meanwhile, the point-to-point delivery boy will fail to enter the building, then fail to find the correct office, then get rerouted to a private residence of someone on vacation (they need to sign personally of course), and finally we need another delivery boy to move the package to the loading dock where it should have gone in the first place.
I get the ”let’s slaughter NAT” arguments, but this is an argument in favour of NAT. And in reality, we still need to have routing and firewalls. The exact same distribution network is still in use, but with fewer allowances for the recipient to manage internal delivery.
Personal opinion: IPv6 should have been almost exactly the same as IPv4, but with more numbers and a clear path to do transparent IPv6 to IPv4 traffic without running dual stack (maybe a NAT?). IPv6 is too complex, error prone and unsupported to deploy without shooting yourself in the foot, even now, a few decades after introduction.
because we can pass packages in bulk between large distances… in routing, it’s always delivery boys: a single packet is a single packet: there’s no bulk delivery, except where you have eg a VPN packing multiple packets into a jumbo frame or something…
the comment you’re replying to is only providing an analogy: used to explain a single property by abstraction; not the entire thing
but that’s not at all how NAT works: its not specialising in delivery to private hosts and making it more efficient… it’s a layer of bureaucracy (like TURN servers and paperwork - the lookup tables and mapping) that adds complexity, not because it’s ideally necessary but just because of limitations in the data format
routers still route pretty much exactly the same in IPv6 direct or NAT, but just at the NAT layer public IP and port is remapped to internal addresses and ports: the routing is still exactly the same, but now your router has to do extra paperwork that’s only necessary because of the scheme used to address
In the real world, addresses are an abstraction to provide knowledge needed to move something from point A to point B. We could use coordinates or refer to the exact office the recipient sits in, but we don’t. Actually, we usually try to keep it at a fairly high level of abstraction.
The analogy is broken, because in the real world, we don’t want extremely exact addressing and transport without middlemen. We want abstract addresses, with transport routing partially to fully decoupled from the addressing scheme. GP provides a nice argument for IPv4.
I know how NAT works, but we are working within the constraints of a very broken analogy here. Also yes, internal logistics can and will be the harbinger of unnecessary bureaucracy, especially when implemented correctly.
Which is purely down to people not testing things before releasing them, because the support is there but there's layers of unnecessary stuff put in the way. Like I had an old ISP provided router that ran Linux, but the management UI was only ever tested against v4 networks so none of the v6 stuff was actually hooked up correctly.
Support in desktops and mobile devices is effectively 100%, but even in embedded hardware there's often full support, just not enabled correctly or tested.
Lustre 2.16 got released recently, so in a year or so you may actually be able to run commercially supported Lustre with IPv6 support. Yay!
After that, it’s only a matter of time before it’s finally possible to start testing supercomputers with IPv6! (And finally building a production system with IPv6 a few more years after that, when all the bugs have been squashed)
Look at the Top500 list. Fucking everyone runs Lustre somewhere, and usually old versions. The US strategic nuclear weapons research is practically all on Lustre. My guess is most weather forecasting globally runs on Lustre. (Oh, and a shitton of AI of course.)
Up until now, you were stuck with mounting your filesystem over IPv4 (well, kinda IPv4 over RDMA, ish). If you want commercial support for your hundreds of petabytes (you do), you still can’t migrate. And this isn’t a small indie project without testers, it’s commercially supported with billions in revenue, supporting compute hardware for even more money.
My point with this rambling is that a open source software that is this widely deployed, depended upon and this well funded, still failed to roll out IPv6 support until now. The long tail of migrating the world to IPv6 hasn’t even begun yet, we are still in the early days. Soon someone will start looking at the widely deployed, depended upon and badly funded stuff.
And maybe, if IPv6 didn’t try to change a bunch of extra stuff, we’d be further along. (Though, in the specific case of Lustre, I’ll gladly accuse DDN and Whamcloud for being incompetent…)
I mean yeah, there's extra stuff layered on top of the underlying protocols that is badly designed. Docker was built with a hard dependency on IPv4, so was the Dat protocol. If these things were designed properly from the start we wouldn't be having these issues.
Apple was smart here, they mandate that iOS apps must support single stack IPv6 only and perform functional testing of that as part of the app store process. Devs can't get away with pretending it's not necessary and not wiring up support for it.
Having multiple hosts under one address for all hosts is annoying. Port forwarding is annoying. Some isps have their own nat and want you to pay additionally for public ip address
In my personal life I will probably "never" intentionally use ipv6.
But it is a DAMNED good sniff test to figure out if an IT/NT team is too dumb to live BEFORE they break your entire infrastructure. If they insist that the single most important thing is to turn it off on every machine? They better have a real good reason other than "it's hard"
It’s vulnerable af. And I mean really, it’s as bad as Netscalers or Fortigate shit. Like https://www.bleepingcomputer.com/news/security/hackers-abuse-ipv6-networking-feature-to-hijack-software-updates/ or https://www.bleepingcomputer.com/news/security/hackers-abuse-ipv6-networking-feature-to-hijack-software-updates/
Problem is, yes it’s hard to implement but it’s even a lot harder to get it properly secured. Especially because few people are using it, and not securing it is worse than disabling it.
Just a heads up, you linked to the same article twice
Clipboards are also hard
That’s odd, but truly sorry.
And I would consider a detailed argument on why it is more secure to disable it to be a good reason.
Personally? I consider an IT team who don't know how to secure an ipv6 enabled network to not be competent. But that is a different conversation.
Yeah, I run dual stack without much trouble myself. I believe it is mainly difficult for people because eyeball diagnostics are impossible with 6.
My detailed explanation at my old job is that the dev team was full of idiots who hardcoded ipv4 addresses into their fucking code. Seriously. When we migrated from data center to cloud they had to go patch everything. The CTO wouldn't do shit about it and the director was just there riding things out until retirement.
It has less eyes on it due to it being less popular. It also introduces an extra vector of attack.
It does not have less eyes on and it's 50% of Google traffic.
Think they mean local networks.
If an IT department carefully curates IPv4 but ignores IPv6, then a rogue actor can set up a parallel IPv6 network largely without being noticed.
IPv6 can be managed, just that it is a blindside for a lot of these departments.
Don't see how that is anymore vulnerable then up 4.
But you could do the same thing with a rogue DHCP server I IPv4... With similar methods to prevent the misbehavior on networks
Realistically no organization has so many endpoints that they need IPv6 on their internal networks. There's no reason to deal with more complicated addressing schemes except on the public Internet. Only the border devices should be using IPv6.
Hopefully if an organization has remote endpoints which are connecting to the internal network over the Internet, they are doing that through a VPN and can still just be assigned IPv4 addresses on dedicated VLANs when they connect.
If you don't have ipv6 internally, you probably can't access ipv6 externally. 6to4 gateways are a thing. 4to6? Not so much.
And this is why ipv6 will ultimately take another 20 years for full coverage. If it was more backwards compatible from the starting address-wise then this would all have been smoother. Should have stuck with point separators. Should have assumed zero padding for v4 style addresses rather than a prefix
I'm pretty sure stateful gateways do exist, but it's a massive ball of complexity that would be entirely avoided if people just used native v6.
you sir/maam have not seen the netflix talk on using IPv6 for their full internal stack because of inefficiencies allocating IPv4 ranges i’m guessing
The reason IPv6 was originally added to the DOCSIS specs, over 20 years ago, is because Comcast literally exhausted all RFC1918 addresses on their modem management networks.
My favourite feature of IPv6 is networks, and hosts therein, can have multiple prefixes and addresses as a core function. I use it to expose local functions on only ULA addresses, but provide locked down public access when and where needed. Access separation is handled at the IP stack, with IPv4 it’s expected to be handled by a firewall or equivalent.
My favorite feature of IPv6 is that there are so many addresses available. Every single IPv4 address right now could have its own entire IPv4 range of addresses in IPv6. It's mind-boggling huge.
you could assign every square meter of the planet an ip and use it for location, and still have addresses left over
Oh it’s way more than that!
After looking up some numbers, I note we could give every single square MILLIMETER on the planet its own entire IPv4 address space.
…And then every one of those IPv4 addresses could have its own entire copy of the IPv4 address space!
…And that would just be a drop in the bucket compared with IPv6! One good comparison I’ve seen is that you could assign an address to every atom on the surface of the earth (but not inside it) and have enough left over for 100+ more earths.
Rough math for the square millimeters:
The surface area of the earth is roughly 510 trillion square millimeters. Let’s round that up to a quadrillion or 10^15^.
The number of IPv6 addresses is 2^128^ or 3.4x10^38^. To be conservative again, let’s just round that down to 10^38^.
10^38^ / 10^15^ = 10^23^ IPv6 addresses per square mm of earth.
IPv4 address space is 2^32^ or around 4 billion. let’s round up to 10 billion or 10^10^.
So then 10^23^ / 10^10^ = 10^13^ IPv6 addresses per IPv4 address per square mm of earth.
10^13^ / 10^10^ =
1,000 IPv6 addresses
per IPv4 address
per IPv4 address
per square mm of earth.
And that was with the conservative estimates along the way. I think it would actually be tens of thousands.
square centimeter is the one I heard
I understand some of these words!
They kept talking it was because address exaustion, and IANA sold all the remaining blocks they had...
I tested it at the time. Ran nmap ping scan across a block all night with zero results. IANA sold the internet
many “unused” IP addresses are unused because they’re kinda like having spare parts: if you’re planning on extending your network in the futures, your IP block kinda should reflect your end state (ie the parts you need over time to replace or “build” new hosts)
or for blue/green deployments where it’s likely that at least half the IP range will be used in terms of process, but unused most of the time in terms of reachability
and then there’s weird things with splitting up IP blocks into subnets with a division of 3 (the minimum needed for dealing with net splits etc) - eg across availability zones… there are always “waste” IPs because you can’t divide multiples of 8 cleaning into 3
https://map.bgp.tools/
https://xkcd.com/195/
Surely we can do better. Why not IPv10? That's 4 higher than 6!
not sure if you're aware thats a real thing https://www.ipv10.net/
Guess we have to crank it up to 11, then.
>Forbidden
>You don't have permission to access this resource.
Awesome.
Obviously. You can only access it in IPv10.
My IP goes up to 11.
I use IPv6 every day and everywhere I can. It solves so many issues in large corporate and ISP network setups. And yes 10. Wasn’t big enough, and NATing is a PitA.
Honestly we just keep pushing it off when it’s not that bad. Workaround after workaround just because people are lazy.
I agree with everything you said but it still doesn't make me hate ipv6 less.
How much slack did you have in your 10.* network? Or was it literally 16.7 million devices?
IPv6 isn't just a larger IPv4. There are features inherent to it, like link-local actually functioning and being predictable, unlike APIPA in v4 which was grafted on as an afterthought and breaks more than it works.
It also functions router-less. You can grab 30 10-port switches and just stick them together and start plugging computers in. It will work without configuration or an authority.
I am all v6 internally, but that's not because I have a splatillion devices, but rather it's just better and easier to manage.
Well sometimes the lla is not predictable, some stacks take privacy addresses to lla, which is silly but they do it. Of course you can multicast ping and check your neighbor table to get the lla chosen in such cases.
16M devices on one network would almost certainly have major scalability problems all its own. SMB chattiness alone . . . shudder.
Having the breathing room is great.
You have two teams that independently set up private networks but now someone has to talk to them both?
In IPv4, they likely stepped on the same private subnets. In ipv6, they pretty much certainly did not step in the same ULA prefixes. My VPN setup is a mess of a maze to deal with the fact that most things I connect to are all independently allocated 10. subnets, with the IPv6 focused customer being easiest.
Also, if you want to embed information in your addressing, like vlan I'd or room information.
Besides, you can have addresses like fd37:5f1a:b4c1::feed:face, and that's fun isn't it?
Meh, the idea of having every address be globally routable makes a lot of sense. NAT is a great bandaid but it's still a bandaid. It still limits how peer to peer and multicast applications function, especially on larger networks.
NAT444 is shit. I can't even host a web server without routing it through a VPN, and my ISP can't work out how to provide an IPv6 addresses yet. Give it to me and I will work out how to use it.
Slight update - Just looked and apparently they had a goal of rolling out IPv6 addresses to all customers by earlier this year. I'll check my router config tomorrow and who knows. Maybe I will be able to get one now? Would be pretty sweet.
I am sorry to interrupt, my ISP gave me an ipv6 address, but I just can't access anything through it even when I specify it in the firewall, maybe they are blocking this functionality because they sell static ips.
I can use dynamic DNS, the problem is I can't host over NAT444 without something like a VPN.
Still not been given an IPv6 address though.
Just my perspective as a controls (SCADA engineer):
I work for a large power company. We have close to 100 sites, each with hundreds of IP devices, and have never had a problem with ipv4. Especially when im out in the field I love being able to check IPs, calculate gateways, etc at a glance. Ipv6 is just completely freaking unreadable.
I see the value of outward-facing ipv6 devices (i.e. devices on the internet), considering we are out of ipv4s. But I don't see why we have to convert private networks to ipv6. Put more bluntly: at least industry, it just isn't gonna happen for decades (if it ever does). Unless you need more IPs it's just worse to work with. And there's a huge amount of inertia- got one singular device that doesn't talk ipv6 at a given generation site? What are you supposed to do?
90% of industrial devices are still 100 Mbit/s.
I mean that's of the ethenet capable ones... a huge chunk are still serial
I was going to say, my friend has to maintain some fucking DOS systems because their ancient embroidery machines only want to talk to software as old as they are, over connections as old as they are.
And the rest are pure analog
You'll be lucky if you find ethernet on them. RJ45 serial is still pretty common nowadays
If you set up your DNS correctly then you don't even need the IPs. Just give devices unique, human-readable names and maybe do separate sub-domains for each site or something.
For that to work industrial devices have to support DNS in the first place…
Oh, now that you mention it I've never tried to map a static DNS entry to a device without DNS. Welp, time to get thousands of raspberry pi's to act as IP KVMs!
That would imply en existence of display/usb outputs…
We’re essentially talking a bunch of embedded devices talking to each other. You can give them all the dns entries you want, but if they (or the programming environment) don’t support DNS lookup you might as well put your dns server in excel.
The microcomputers (raspberry pi, arduino, whatever) could have a modern network interface and relay the communication to the embedded devices over oldschool serial. But yeah, straight DNS wouldn't work. I like the idea though, gonna start posting my 10 favorite IP addresses on a piece of paper on the fridge. Who needs excel!
I’m a protective relay settings engineer at a contractor for lots of power companies. I’m dipping my toes into my first substation automation project. Getting to design the device native files, IPs, and other networking parts from the drawings package of site and device manuals. It’s all SEL equipment with a gateway at the top and local powerWAN, RTAC, annunciators, and relays below. I live thousands of miles from the site, so local testing would be challenging but probably have to fly or something lol. I have been doing some research on how to emulate this is a lab setting when all you have is the RTAC and some relays. Is this something SCADA engineers have to do sometimes? Like if you need to test a scheme when you can’t build it physically first?
Hey, interesting question. First of all, yes—I definitely have had to program RTUs, RTACs etc in the office and then send it out and hope it works. However, we have remote access to all of our sites through our company VPN, so as long as everything is physically connected correctly and everything is talking to each other I can just push new RTAC settings later. I don't really do much with relays, that falls more on our electrical engineering team. What exactly about your scheme are you looking to test? Are you talking about a relay protection scheme?
I see your satirical IPv6 meme and raise you the highest quality IPv6 evangelism you'll ever see.
That was beautiful
I'm surprised by the comments here. I use 90% IPv6. For me v4 is only present for retro compatibility. The transition was hard however.
Was?
It's still in progress..
In progress?
I can't even get an IPv6 address, even if I wanted to pay an obscene amount for a business tier.
You can get on IPv6 for free with a HE tunnel https://tunnelbroker.net/
I'm fully transitioned. The first step was getting an Internet provider that featured it. I had to change providers for that. Then I had to find equipment that worked. Some of the things that have an early implementation of IPv6 don't actually work. It's like they never actually tested it. Then I had to integrate IPv6 in the way everything worked. I'm a big user of unique local adresses, which I feel isn't a really well known feature.
Ipv6 is broken for those that want control over their home networks thanks to Google and terribly written RFCs.
All that was needed was an extra byte or two of address space, but no, some high and mighty evangelicals in their ivory towers built something that few people understand 30 years later. Their die hard fans are sure that this will be the year of ipv6. The Year of Linux on the Desktop will come 10 years before the year of ipv6.
And 10 years before fusion power?
I don't see how? Works great for my home network.
I want per device firewall and DNS rules for myself, the wife and the kids. With opnsense or pfsense I don't believe this is possible with SLAAC, which is what android only supports.
Shove all devices on a flat network with no special firewall rules and you are probably golden. But trying to control your own network, last few times I've tried, is impossible.
I've done this using separate networks, each device group I want to treat differently get's its own subnet/vlan pair and I firewall the whole vlan. No matter what ips clients have (or even what ips they statically set themself) they can't get past the firewall.
To physically get them connected to the network I use something similar to this config to have one wpa2-personal ssid that leads to multiple vlans depending on the password. Though you could also have multiple ssids with one vlan each or even wpa2-enterprise.
The router doesn't know the IP of android devices (though it doesn't need to), it only knows the vlans of the clients and what network they come from. For all other clients I have dhcpv6.
DNS is on the router and can be set for each network.
Broken how? What parts are not commonly understood?
See this post below https://lemmy.fwgx.uk/comment/2126323
What did Google do? Just curious as I'm not into home networking
They refuse to support DHCP6 and will only use SLAAC on Android devices.
Do they only use SLAAC because it's easier to tie devices to MACs and therefore identities?
I think so. Anything to erode privacy
Every atom of the universe should have its own ip.
For targeted location-based ads of course! Lots of revenue there
Is this IPv5?
Fun fact: IP version 5 is actually reserved for the Internet Streaming Protocol.
CGNATs suck ass though, I had to buy a vps just to access my own network outside my home.
I've recently changed isp and am now hitting CGNAT problems. I have been running Nextcloudpi for years and now I can't access it from outside. I've trying to understand if I can fix the problem using IPv6 but from what you've said I'm now wondering if a vps is the solution?
My ISP doesn't properly support IPV6, otherwise it should work. I use wireguard to route just my server traffic to the vps.
I deal with cgnat on my 2 isps at home. Install tailscale on your vps and your router at home and then on your router you can share subnet devices over your tailscale network. Install a reverse proxy on your vps.
If set up correctly you can route a human readable web address (jellyfin.example.com) to your vps static ip address and then to, for example, a docker container with local address 192.168.100.1:8096, via reverse proxy.
Yeah, had the same issue with my ISP, but at least they switched me back to ipv4 after a support call. Didn't want to pay extra for the privilege of not being reachable from the outside anymore.
fun fact, the RFC introducing NAT calls it a "short-term solution"
https://www.rfc-editor.org/rfc/rfc1631
I have never started using ipv6 so I'm in the clear here
I love the flat earther energy in this
C’mon, IPv4 has so many problems. Sure, let’s reserve a whole /8 for a single loopback address, that’s efficient. 🙄
Well of course, how else would you trick script kiddies that figured out when they DDOSed 127.0.0.1 and learned what a loop back was, and get them again in a few weeks with "ok ok my real address is 127.34.21.2"
Wait... I know 127.0.0.1 but what's the second one?
not sure if you are joking, but any valid IP4 address starting with 127. does the same thing, loopback. 127.0.0.1 is just the standard most people use, you could use 127.127.127.127, or 127.1.1.1 or any random numbers 0 and 254 for the second 2, and 1 and 254 for the last and the effects will be identical.
In fact, it's so standard that there's a bunch of shitty code out there that thinks 127.0.0.1 is the only loopback address.
I'm thinking of a networked Chinese laser cutter that we put on our 10.0.0.0/16 network in the makerspace. It seems to think that 10.0.1.1 and 10.0.2.1 are on different networks. Wouldn't be surprised if it does a similar mistake with loopback addresses.
A /8 subnet is basically everything after the first of the four segments, e.g. 127.*.*.*. marine_mustang was saying that loopback (what you think of as only 127.0.0.1) is actually an entire subnet, so any address that starts with 127 will hit the loopback interface. TIL, never thought about it much before.
Also for home network I don’t won’t my IOT to have a real IP to the Internet. Using IPv4 NAT you can have a bit of safety by obscurity
NAT is not much different to a firewall though… just because the address space is publicly routable does not mean that the router has to provide a route to it, or a consistent route
NAT works by assigning a public port for the outgoing stream different to the internal port, and it does that by inspecting packets as they go over the wire: a private machine initiates a connection, assign an arbitrary free port, and sends that packet off to the router, who then reassigns a new port, and when packets come in on that port it looks up the IP and remapped port and substitutes them
that same process can easily be true in IPv6 but you don’t need to do any remapping: the private machine initiates a connection, and the router simply marks that IP and port combination as “routable” rather than having to do mappings as well
Its unlikely someone with guess your ipv6 of your iot.
No, but it’s far easier to explain how to configure your home network such that 182.168.1.* is for your regular devices like laptops, etc. and 192.168.2.* is for your IoT devices. Then block all access from 192.168.2.* to the internet so your IoT devices can’t “phone home”, can’t auto-update without your knowledge, can’t end up as part of a botnet, etc.
That's the thing, you are still thinking in ipv4 terms, and that's ok. It's a different way to think of things using ipv6 and the proper way to configure them. No worries tho. Not like you are being forced to ipv6 for internal home networks.
Ok, so what would the equivalent be?
Create a new /64 and don't give it a route to the internet.
Why not? What's the difference to them having a nat ipv4?
I know its a joke but man its annoying to go from something that is organized in a human readable way to one where you have to rely on the system. I am someone who hates databases though so I have always been like this. Heck way back in the aughts I used to complain that my job involved more seeing and issues and fixing it and the systems were getting to were I feel more like im counseling it.
I do like how I can easily remember IPv4 addresses while I struggle to remember a single IPv6 address
Its really not possible to remember an IPv6. I mean it is but its really an abandonment on human level and a solution that leverage dhcp which was common anyway. Its about as easy as a hardware address.
skill issue. Your ISP isn't giving you a /128, you don't have to remember a whole ass SLAAC address. My desktop has like 4 IPv6 addresses most of the time, but I only have to remember the one I assigned it and my network prefix. This is one of the advantages of IPv6; you can have an easy to remember, and SLAAC, and privacy-extension addresses all at once.
I can't prove it, but I'm typing this from my head- 2a05:f6c7:8321::10
That's about as human readable as IPv4.
and you can put words in them too, like 2404:e80:905c:beef::1337
my favorite is ::beef:babe
💪👱♀️
Come on, it's e easy to remember one IPv6 address: ::1
bro just add another octet to the end of ipv4. That goes from 4 billion to a trillion and will most definitely outlast modern electronics and capitalism
It looks daft now with a little hindsight, but we're kind of still in the foresight stage for the overall life of IPv6.
Hi I have no idea what I’m doing when it comes to networking. I have ipv6 off on my home network because I was scared of accidentally exposing things outside of my home network. I’m using Ubiquiti. Can someone give me/link me a crash course on how to setup ipv6 without introducing any security holes into my network? Maybe also a crash course in firewalls.
Don't worry Ubiquiti has ipv6 issues. You have an excuse.
What issues? I'm pretty much 100% ipv6 on all ubiquity equipment.
Block new connections inbound on the router's wan. Also block ping if you don't want pings to find you. That's the most basic setup for firewalling on the udm, ipv4 and 6. Every router in 2025 should be able to block new inbound on ipv6.
https://en.m.wikipedia.org/wiki/Internet_Stream_Protocol
In case anyone wants to know what not to talk about.
I wrote and ipv6 parser once.
Never again.
As in a regex or ..?
An ipv4 parser would also be sorta difficult.
you have to account for the fact that all the octets can be added to decimal: http://2130706433 (valid 127.0.0.1)
or the fact that octets can be in different formats: http://0x7F.0x0.0x0.0x1 (127.0.0.1)
or the fact that you can mix octet formats: http://0xC0.0250.0.1 (192.168.0.1)
Yeah a mix of regex and heuristics to validate before parsing
It was a long time ago now
It also had to parse ipv4 because they can be embedded (IIRC) and the different octet formats
An ipv6 address turns my brains thinking center off. Short circuit at how fucking stupid it looks.
No different the 10.A4.b2.12
Imagine using ipv6