
The IPv6 Transition

(www.potaroo.net)
215 points | todsacerdoti | 25 comments
hairyplanter No.41893537
I have fully implemented IPv6 in my home network.

I have even implemented an IPv6-Only network. It fully works, including accessing IPv4 only websites like github.com via DNS64 and NAT64 at my router.

The only practically useful thing about my IPv6 enabled network is that I can run globally routable services on my lan, without NAT port mapping. Of course, only if the client is also IPv6.

Other than this one use case, IPv6 does nothing for me.

It doesn't work from most hotels, nor from my work LAN, nor many other places because most "managed" networks are IPv4 only. It works better at cafes because they are "unmanaged" and IPv6 is enabled by the most common ISPs, like ATT and Comcast and their provided routers.

Based on this experience, I think IPv6 is less valuable than we, the HN audience, think it is. Private networks, NAT, Carrier Grade NAT are good enough, and the internet really doesn't care about being completely peer-to-peer.

I think the adoption rate reflects this--it's a linear growth curve over the last 25 years. It should have been exponential.

I think cost of IPv4 reflects this--it is now below the peak, and has leveled off.

As surprising as it seems, IPv4 exhaustion has not been a serious problem. Internet marches on. IPv6 is still a solution looking for a problem, and IPv4 exhaustion wasn't one of them.

1. koyote No.41898907
I recently moved to a 'cheap' ISP because I could get double the speed for half the price. They use CG-NAT and it's been awful.

I don't need to forward any ports but seemingly because I share an IP with a billion people I get Captchas everywhere (Google, Cloudflare etc.). I was even blocked from accessing Reddit without an account at some point.

2. NelsonMinar No.41899173
Starlink uses CGNAT. It's awful, I'm regularly getting CAPTCHAs on random websites.

They now support IPv6 but only with dynamic address allocations so you don't get a lot of advantages from it.

3. imoverclocked No.41899712
I hadn’t put that quite together. I wonder how many people would value IPv6 if they knew it meant fewer CAPTCHAs.
4. NelsonMinar No.41900113
CAPTCHAs are the main reason I turned IPv6 on. No idea if it will actually help in practice, it's hard to measure.

The other Starlink hassle is the geocoding for user IPv4 addresses is wildly wrong. I'm in Grass Valley, CA near Sacramento but sites all think my IP is either in Seattle or Los Angeles, depending on the week. This makes streaming services a huge PITA, I have to jump through hoops to convince them I'm in the Sacramento TV market about once a month. IPv6 could help with this too, Starlink could give out more precisely geolocated addresses. Not sure they're doing it though, all I see are IPv4 addresses in the geocoding feed: https://geoip.starlinkisp.net/feed.csv

5. alwayslikethis No.41900144
I'd imagine that to be short lived. IPv6 having such a huge address space means the IP reputations are even more worthless than IPv4, so eventually the bots would use it too, and if the ratio of bots to real users becomes too high sites may refuse IPv6 traffic altogether.
6. esaym No.41900353
I was on a cruise ship in the Caribbean for a week just last month and I purchased the Starlink-powered internet package. Looking at my IP data, location info showed that I was actually in Dallas, Texas. Very sad!
7. matrix2003 No.41900753
Why do dynamic address allocations matter? Most IPv4 consumer WAN addresses are also dynamic.

I’m asking, because I’m an advocate of having your gateway advertise a separate, stable ULA /64 in conjunction with the globally-routable dynamic /64.

This gives you a stable set of addressable LAN IPs, and you can usually ignore the dynamic globally routable IPs.

Granted this won’t work for everyone, but if dynamic global addresses are an issue, you should be requesting a plan that supports a static delegation from your ISP anyway.

8. matrix2003 No.41900764
It’s a little different though in that rather than an IP having a bad reputation, it’s usually a /64. That’s how I have seen IPv6 reputation managed since it’s a common network slice & NAT is not really used anymore.
9. azalemeth No.41901595
Or, as an alternative, we try to convince people that geoIP lookups are at best uncertain and at worst actively misleading -- and perhaps shouldn't be taken at face value. I personally think this would be a great thing. For paid services that allegedly need to know where you are geographically located, use your billing address. For advertisers it's one less bit of useful information...
10. vetinari No.41902251
It matters, because when the prefix changes, it changes IP addresses of every single device in your network.

As you wrote, internally, you can use ULA. But you cannot open access from outside, because your firewall rules will become invalid with prefix change. With classic IPv4 NAT, your internal addresses don't change, so your port forwarding works, even if the WAN address changes.

Together with a single /64 -- which means no subnets for you -- you are getting a worse deal than with IPv4. You shouldn't have to contact your ISP for a plan (for a premium, obviously) that allows you to segment your network or open access to specific devices. What's the use of direct connections -- the IPv6 promise -- when you cannot use them anyway?

In short, with limitations like these, you are getting a bad deal.

11. preisschild No.41902354
Having an extra 1:1 IPv6 NAT for ULA is added complexity that wouldn't be necessary if you just give out static addresses.

It's not like IPv6 /56 subnets are expensive. Just give each customer a full /56 net and you are done.

12. xrisk No.41902371
I don’t know what router you use, but openwrt lets you set firewall rules that only match the last 64 bits. This should solve your problem, provided you configure your router to hand out static IPv6 leases to devices.
13. preisschild No.41902384
You can block ipv6 /64 subnets just like you can block IPv4 /32 IPs.
14. vetinari No.41902676
There are wildly different solutions for different routers.

I'm using Mikrotik, which doesn't allow prefix-less addresses in the firewall, but allows you to put hostnames into your rules (so it will ask DNS what the address is and once the TTL expires, it will ask again).

On some CPEs (I don't remember which), it allowed entering MAC addresses, so the forwarding would always work for a specific device, with any GUA address.

But we have to remember that all these solutions are optional and brand-specific; there's a wide range of devices that do not have anything to solve this problem.

15. iam-TJ No.41902761
I've been using Starlink since early 2021 with IPv6 only internally. Starlink User Terminal hands out a /56 prefix (via DHCPv6) and mine has not changed in all that time so I wouldn't call it dynamic.

The User Terminal issues a router advertisement (RA) and my gateway gives itself an address in that /64 via SLAAC in addition to assigning itself an address from the /56 prefix.

If not using prefix delegation, each host's address is dependent on their SLAAC policy - if not preferring stable addresses (e.g. EUI-64) then of course the public address will vary (be dynamic) when using temporary "privacy" addresses.

My gateway delegates /60 sub-prefixes of the /56 and bare-metal hosts then either delegates /62 or advertises /64s from the /60 to VMs, containers, network namespaces and so forth.

As someone else described, I have my gateway also delegate ULA prefixes by changing just the first two octets of the public delegated prefix to fddc (fd = ULA, dc = "data center" :) but otherwise identical, and likewise on the bare-metal hosts, etc.

ULA is used for internal services; ISP delegated prefix for anything that needs public access.

Multicast-DNS takes care of internal hostnames; everything is ${hostname}.local

There's a separate VLAN for legacy IPv4-only devices that does NAT64 using a ULA prefix.

DNS64/NAT64 for the laggards like github.com that can't grok 128 bit addresses :)

The only time I have problems with web services is when their DNS advertises an AAAA resource record but their firewall/load-balancers/servers are not configured to allow/listen on it.

16. thedanbob No.41903535
> It matters, because when the prefix changes, it changes IP addresses of every single device in your network.

My solution for my home network was to write a script that periodically checks my IPv6 prefix and updates the firewall rules and DNS if it ever changes. It doesn't feel like a great way to do it but it seems to work.
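
The prefix arithmetic this thread keeps circling (deriving a fddc ULA prefix from the delegated /56 as in comment 15, carving it into /60s, and rewriting inbound firewall rules when the delegation changes so that only the prefix part moves, as in comments 12 and 16), as an added Python example that is not code from any poster; the prefixes and rules are constructed sample values from the 2001:db8::/32 documentation range.

```python
import ipaddress

# Constructed sample values (2001:db8::/32 documentation range): the /56 the
# ISP delegated to the gateway, and the /56 it later changes to.
OLD_DELEGATED = "2001:db8:abcd:1200::/56"
NEW_DELEGATED = "2001:db8:1234:5600::/56"

# Constructed inbound-allow rules: one host under the delegated prefix and
# one under the ULA prefix, which must be left alone when the delegation changes.
RULES = [
    {"dst": "2001:db8:abcd:1201::10", "port": 443},
    {"dst": "fddc:db8:abcd:1201::10", "port": 22},
]


def ula_from_delegated(prefix: str, top16: int = 0xFDDC) -> str:
    """Replace only the first 16 bits (two octets) of the delegated prefix with
    fddc (fd = ULA per RFC 4193, dc = a site-chosen tag); rest stays identical."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    low_bits = int(net.network_address) & ((1 << 112) - 1)
    return str(ipaddress.IPv6Network((top16 << 112 | low_bits, net.prefixlen)))


def sub_prefixes(prefix: str, new_len: int) -> list:
    """Carve a delegated prefix into smaller blocks, e.g. a /56 into 16 /60s."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    return [str(s) for s in net.subnets(new_prefix=new_len)]


def refresh_rules(rules: list, old_prefix: str, new_prefix: str) -> list:
    """Move the 'dst' of every rule under old_prefix to new_prefix. Each host
    keeps its subnet id and 64-bit interface identifier; addresses outside
    old_prefix (the ULA ones, for instance) are returned unchanged."""
    old = ipaddress.IPv6Network(old_prefix, strict=False)
    new = ipaddress.IPv6Network(new_prefix, strict=False)
    if old.prefixlen != new.prefixlen:
        raise ValueError("old and new delegations must have the same length")
    if old == new:
        return list(rules)  # prefix did not change: nothing to rewrite
    host_mask = (1 << (128 - old.prefixlen)) - 1  # bits each host keeps
    out = []
    for rule in rules:
        dst = int(ipaddress.IPv6Address(rule["dst"]))
        if dst & ~host_mask != int(old.network_address):
            out.append(dict(rule))  # not under the old delegation
            continue
        moved = ipaddress.IPv6Address(int(new.network_address) | (dst & host_mask))
        out.append({**rule, "dst": str(moved)})
    return out
```

A periodic job would read the current delegation from the WAN interface, call refresh_rules against the last known prefix, and push the result into the firewall and DNS only when the list differs.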

19. NelsonMinar No.41906203
Thanks for the report of success with IPv6 and Starlink. Do you make inbound connections to devices on your LAN? Do they work?

Starlink recently updated their FAQ with more info on addressing: https://www.starlink.com/support/article/1192f3ef-2a17-31d9-...

As for static addresses, it says "a reservation system retains the ... IPv6 prefix even when the system is off or rebooted. However, relocating the Starlink or software updates may change these addresses."

I suspect in practice the IPv6 address will only change if you get moved to a different POP ground station. Some customers never get moved. I've been moved several times because I'm in NorCal and they keep switching me between Seattle and Los Angeles.

Here's some recent discussion of users reporting what they've observed about changing IPv6 addresses: https://www.reddit.com/r/Starlink/comments/1b6mr4c/how_stati...

20. NelsonMinar No.41906226
Ooof that's an ugly thought. But I think "refuse IPv6 traffic altogether" is not possible for any consumer site. Per the article, there's 40% adoption of IPv6 now and it's only growing. Major parts of the world rely on IPv6 working right. I guess sites could go IPv4-only but given how many other problems there are with IP reputations, that'd be awfully dumb.
21. NelsonMinar No.41906235
I agree! Now please convince Youtube TV, Hulu, and friends.

YTTV at least will prefer your phone's geolocation to the IP address, that's how I "check in" to my metro every couple of months.

22. iam-TJ No.41906790
Yes, I use direct IPv6 peer-to-peer connections both outbound and inbound using the delegated prefix.

Even for a changing prefix, if operating a DNS authoritative server for a domain, any changes to the prefix can be quickly and automatically updated in both forward (AAAA) and reverse (PTR) resource records provided the TTL for those records is appropriately short, and thus allow almost seamless inbound via FQDNs. I do this with a bind9 (hidden) master locally that notifies external slave servers operated by a highly available, anycast, DNS service.

23. matrix2003 No.41911184
Could you NAT the router WAN external address and route it to a static ULA?

I think the more elegant solution is to use static IP space for hosting services, but most of us home users aren’t used to that.

24. matrix2003 No.41911230
I think the OC was arguing that if your global /64 changes, the firewall rules would change as well for any hosted services.

I proposed that you might be able to route the external router’s WAN to a ULA via NAT to save in complexity when the PD changes, but I agree that a static delegation would by far be the easiest. Us home hosters aren’t used to that even though it is technically against the license agreement more often than not.

25. znpy No.41912437
> Starlink User Terminal hands out a /56 prefix (via DHCPv6) and mine has not changed in all that time so I wouldn't call it dynamic.

Unless the service explicitly states that your subnet is yours and yours alone, you should assume it's dynamic.

If you start relying on the prefix not ever changing you might have a bad surprise.

And from experience, that kind of surprise always comes when you least need it.