IPv6: Why End-to-End Connectivity Matters and How It Benefits You

  • Published: 7 Jun 2023
  • I get asked a lot in the comments section, "Why should I use IPv6 in my homelab?" And it's a valid question: with IPv4 being the norm in so many networking tutorials and classes, what advantages does v6 really offer?
    Well, today I'm going to explain a hypothetical setup with multiple services sharing a single public IPv4 address, the NAT "solutions" the industry has moved to for dealing with IPv4 exhaustion, and how the end-to-end principle of IPv6 solves all of these issues easily.
    Of course, I'm focused on homelab users, but expanding this to small or medium businesses, the impact of properly routing traffic for your internal and external users shouldn't be underestimated.
    Hopefully in the future I can expand this with a setup guide on the IPv4-compatibility reverse proxy, but for now enjoy this explanation of the benefits of moving your infrastructure to v6!
    Feel free to chat with me more on my Discord server.
    If you'd like to support me, feel free to here: ko-fi.com/apalrd
    #ipv6 #networking #homelab

Comments • 258

  • @pr0way · 1 year ago · +86

    Probably the best explanation of IPv6 I've ever seen. When I started in IT no one knew how to explain NAT traversal in simple words; now that NAT is less mysterious for me, IPv6 was this type of topic. Until now, when I watched this video. Thanks!

    • @apalrdsadventures · 1 year ago · +4

      Glad you like it!

    • @TheExard3k · 1 year ago · +5

      Yeah he nailed it. He got me into Ceph and now I'm rethinking my home network. I have to stop watching this channel or I get even more ideas ;)

    • @James_Knott · 1 year ago · +1

      I'm allergic to NAT. 🙂

  • @ronaldvargo4113 · 1 year ago · +36

    Thanks, you are the only person focusing on IPv6 in the home lab that is making sense. Whenever I post an IPv6 question on forums there is usually an "expert" that will say you don't need IPv6, why bother. Why bother? Because IPv4 NAT really broke how things are supposed to work on the internet, and many of the admins and network guys just seem to have forgotten how great things were without translations. Yes, there are new things to learn with IPv6 such as self-configuration, SLAAC, RA etc., but in the end it's so much easier. Also I don't have to run split-horizon DNS services anymore. There is one problem of course: all those cheap IoT devices that will never use IPv6; we have to account for them and continue to run dual stack because of that.

    • @apalrdsadventures · 1 year ago · +5

      Glad you appreciate it! I'm definitely trying to be forward-looking with my networking content

    • @thewhitefalcon8539 · 1 year ago · +1

      At some hacker events you can get a taste of this with IPv4 because they have a long history and have enough public IPv4s to allocate one to everyone at the event

    • @d_techterminal · 3 months ago

      So India has almost 78% IPv6 coverage, and the biggest operator in India started with IPv6. They also don't provide static IPv4 addresses, hence the only option to host services is by using IPv6. Thank god for them; I was forced to use IPv6, and IPv6 with a good firewall like pfSense is the best thing ever.

  • @wildekek · 1 year ago · +40

    I was adding manual split horizon DNS entries for all my homelab stuff. I kept saying to myself "there must be a better way". I thought ipv6 was "cheap but unreadable" and discarded it as something for mobile operators. You convinced me to try it out.

    • @apalrdsadventures · 1 year ago · +19

      If it's going in DNS, readability isn't really important, and DNS is the place for services anyway

  • @Renzo747 · 1 year ago · +28

    I love how you demystify the supposed 'complexity' of ipv6 in your videos and show how easy it actually is.
    To everyone still holding out: there's really no reason to not do v6 any longer!

    • @apalrdsadventures · 1 year ago · +16

      The addresses are longer (and harder to memorize). That's really the 'complexity'.
      Other than that, it's the same routing and subnetting we've always done, but we get rid of so many things we're used to 'needing' all the time.

  • @Timi7007 · 1 year ago · +6

    Simplest v6 explainer I've seen, thanks! Now if only my ISP moved with the times...

  • @Aokimarcel · 1 year ago · +11

    Your explanation was amazing. That's exactly what I was trying to understand, as I'm currently working on my homelab. Thanks a lot! Love the channel!

  • @koenvanduffel2084 · 1 year ago · +4

    I was afraid of ipv6 as I didn't understand how it routes. This was as many others say a very welcome and necessary explanation! Thanks.

  • @michaelheimbrand5424 · 6 months ago · +3

    I needed this one. I have designed and built IP-based networks (and other dead protocols) since the mid-90s. And my MO when it comes to IPv6 is "disable, run, don't look back", as with many other oldies. I always thought that I would never have to learn IPv6. But this video actually made me want to do something with it. NAT/SAT has been a good companion, but like you said, end-to-end is what TCP/IP was always meant to be. So thanks.

    • @isithardtobevegan53 · 5 months ago · +1

      Intentionally disabling IPv6 or not using it in 2024 is a crime against humanity

  • @rbartsch · 1 year ago · +11

    Great video! 😀
    Dynamic IP addresses and NAT broke the internet and created a data privacy nightmare as the lack of end-to-end connectivity forces us to entrust our private data in plaintext to online services like Facebook, Google, Microsoft, Twitter, etc. If dynamic IP addresses and NAT had not happened end-to-end encryption would be standard and online services would just be directory services.
    In my opinion it's very important to show people how to get rid of the IPv4 zombie instead of wasting money and resources to develop life-prolonging techniques like NAT or Port Control Protocol.

  • @Felix-ve9hs · 1 year ago · +8

    3:48 there is also loopback NAT and reflexive NAT, where your client will be redirected to the internal server when accessing the external IP, but now you might have 2 firewall rules and 3 NAT rules ...

  • @Tntdruid · 1 year ago · +12

    I've been using IPv6 for over 7 years now from my ISP.

  • @blevenzon · 1 year ago

    One of the best ipv6 explanations

  • @mouduge · 9 months ago

    Awesome video, very clear, definitely switching to IPv6 for my homelab after watching this, thanks so much!

  • @markhowell4003 · 6 months ago · +1

    Thanks for this video. You do a really great job explaining things!

  • @hl321662 · 10 months ago · +2

    I'm a simple man. I hear the sound of buckling spring keyboard and I upvote.

    • @apalrdsadventures · 10 months ago · +2

      It's such a pleasant sound that YouTube has subtitled it as 'applause'

  • @leonlazic · 11 months ago

    Like most said this was a really great and useful explanation. Thank you.

  • @kwaradio22 · 2 days ago

    Ok I'm sold! Great explanation.

  • @vladislavkaras491 · 7 months ago

    Really great video!
    Thanks for it!

  • @hansaya · 1 year ago · +2

    Thank you for this video. One of the best ones I have seen. Brief and informative. Only thing: can you cover a few topics around how you can do security around IPv6? Firewall etc.

  • @PatrickDunca · 1 year ago

    So good! Currently setting up a homelab. After this video I'm gonna have to figure out IPv6. (Hopefully software defined networking too.)

  • @stuartmallett6334 · 1 year ago · +1

    Thank you for this video, you explained that very well.

  • @drunkbear889 · 1 year ago · +7

    I wish more of the incumbent SPs would have supported IPv6 at least by the end of the previous decade. 😐

  • @Mikesco3 · 1 year ago · +1

    I know you have a video that explains IPv6, but more are always welcome.
    I'm still stuck with needing to learn how to assign static addresses in a network.

  • @AndersJackson · 1 year ago

    I subscribe to this channel, for IPv6 alone as primary reason. 🙂

  • @OzyMandias359 · 2 months ago

    Excellent, thank you

  • @su-ex-64 · 9 months ago

    Very helpful video, although I've used dual stack for all my server's services for a while now.
    Could you please make a video with details on your ipv6, where and why you use private/public subnets, how big those are and when and where you use static ips.
    Details about your ipv4 to ipv6 layer 4 proxying would also be great (edit: just saw you have a video about that already, amazing!)!
    And details how you setup quic and your certificate management as well of course!

  • @channel11121 · 8 months ago · +1

    As someone who used to disable ipv6 on everything, you have converted me.

  • @genovo · 8 months ago

    Very nice!

  • @FlaxTheSeedOne · 1 year ago · +4

    The benefit of having everything go through a proxy like Caddy is the certificate management for the respective services. It's central, it's easier to automate, or it has already been automated in many pre-done applications. However I agree with everything else.

    • @damiendye6623 · 1 year ago · +3

      You should be issuing certs from the service anyway. That's how certs are designed to work.
      If it's that much of an issue, use certbot for Let's Encrypt certs, job done.

    • @autohmae · 1 year ago

      Are you saying you have Caddy connect over HTTP to your backends? Are they on another server? Ohh, that makes that HTTPS not that secure after all.

    • @apalrdsadventures · 1 year ago

      On my network I only terminate TLS on the final server. Sometimes that means running Caddy in the container to front a basic web application server (in Python or Ruby), which also brings with it automatic TLS and HTTP/3 (QUIC). I try to keep this as close to the application server as possible and prefer to limit the actual backend app to only accept connections from localhost if I'm doing the Caddy-for-TLS approach.
      For IPv4 I'm using haproxy since it has good layer 4 support; it's inspecting SNI headers and then passing through the encrypted traffic without terminating TLS. For port 80 you can either have a blanket redirect to 443 or a layer 7 proxy (no TLS to worry about).
      For web servers, using the ACME protocol (either to Let's Encrypt or to your own local organization CA) is the way to go. Fully automated.
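
      The SNI-based layer 4 routing described in the reply above (the v4 proxy peeking at the ClientHello and handing the still-encrypted stream to the right v6 backend) comes down to parsing one TLS record. The following Python is an added example, not the author's haproxy configuration or any project's code: it builds a constructed ClientHello, extracts the `server_name` extension without touching the TLS session, and looks the name up in a hypothetical hostname-to-IPv6-backend table (the `example.net` names and `2001:db8::` addresses are assumptions). A first packet without SNI, or one that is not TLS at all, routes nowhere rather than to a default backend.

```python
import struct
from typing import Dict, Optional

# Hypothetical routing table (assumption, not the author's haproxy map): SNI -> IPv6 backend.
BACKENDS: Dict[str, str] = {
    "jellyfin.example.net": "[2001:db8:1::10]:443",
    "nextcloud.example.net": "[2001:db8:1::20]:443",
}


def build_client_hello(server_name: str, with_sni: bool = True) -> bytes:
    """Constructed test input: a minimal TLS ClientHello record, optionally carrying an SNI extension."""
    exts = b""
    if with_sni:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type host_name(0)
        sni_list = struct.pack("!H", len(entry)) + entry                # ServerNameList
        ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list      # extension_type server_name(0)
        exts = struct.pack("!H", len(ext)) + ext
    body = (
        b"\x03\x03"                  # legacy_version TLS 1.2 (TLS 1.3 keeps this value)
        + bytes(32)                  # random
        + b"\x00"                    # legacy_session_id: empty
        + b"\x00\x02\x13\x01"        # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                # compression_methods: null
        + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body               # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # TLSPlaintext header


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's server_name extension, or None if absent or malformed."""
    try:
        if record[0] != 0x16:                         # not a Handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                             # not a ClientHello
            return None
        pos = 4 + 2 + 32                              # handshake header, version, random
        pos += 1 + hs[pos]                            # session id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher suites
        pos += 1 + hs[pos]                            # compression methods
        if pos + 2 > len(hs):
            return None                               # no extensions block at all
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == 0x0000:
                data = hs[pos:pos + elen]
                lpos = 2                              # skip ServerNameList length
                while lpos + 3 <= len(data):
                    ntype = data[lpos]
                    nlen = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
                    if ntype == 0:
                        return data[lpos + 3:lpos + 3 + nlen].decode("ascii")
                    lpos += 3 + nlen
                return None
            pos += elen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def route(first_packet: bytes) -> Optional[str]:
    """Pick the backend for a new connection from its first bytes; None means drop, not 'default backend'."""
    name = extract_sni(first_packet)
    if name is None:
        return None
    return BACKENDS.get(name.lower())


if __name__ == "__main__":
    for hello in (build_client_hello("jellyfin.example.net"), build_client_hello("x", with_sni=False), b"GET / HTTP/1.1\r\n"):
        print(extract_sni(hello), "->", route(hello))
```

      The proxy never holds a key: it reads only the plaintext extension list of the ClientHello, which is exactly what Encrypted Client Hello hides, so with ECH deployed this same parser would see only the outer, public name.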

    • @autohmae · 1 year ago

      @apalrdsadventures Something I've been wondering: is UDP/QUIC SNI routing possible like with previous HTTPS versions?

    • @apalrdsadventures · 1 year ago · +2

      I only run QUIC on v6; I'm not aware of any software which can layer 4 proxy it currently. Even nginx still lists QUIC in general as experimental. So IPv4 clients get HTTP/2 at best.
      Encrypted SNI requires more than just using TLS 1.3, so it's not a default thing. It doesn't look like very many servers support it yet (Caddy and haproxy both didn't show up as supporting it), but the ECH header has a separate encryption key, so it's still possible to distribute that to the frontend proxy without the TLS private key.

  • @OpenEmoto · 10 months ago

    To me the only problem to solve is how to make the WireGuard devices connect to my home dynamic address peer. That problem is about DNS and it is the same whether you have IPv4 or IPv6. Servers with fixed IPv6 are another story, where your arguments may be applicable. Despite the fact that I'm disagreeing: I love your Proxmox videos and learnt a lot. Thanks!

  • @nickpetrovsky · 1 year ago · +2

    Thank you for video! Can you discuss application of v6 in docker? For different scenarios: 1) dedicated /64; 2) NAT

    • @nickpetrovsky · 1 year ago

      Also, v6 local network end-to-end works until your prefix is a /64; many ISPs provide a /56. Two /64 subnets will link through the router locally. The problem is how to handle the docker subnet to avoid routing.

    • @apalrdsadventures · 1 year ago · +5

      The way docker handles networking is a big reason why I hate docker. But a bridged network (I think docker calls it macvlan) which puts containers directly on the network is a solution.

  • @mithubopensourcelab482 · 1 year ago · +1

    Excellent... Thanks. Your topology diagram looks nice. What software do you use for this?

  • @InfinitismYT · 5 months ago

    Yo bro, great explanation. Love your video! What application are you using to create the diagram?

  • @James_Knott · 1 year ago · +2

    I've been running IPv6 on my home network for over 13 years. Initially, it was via a 6in4 tunnel, but for the last 7.5 years my ISP has provided native IPv6. I get really annoyed at those who claim IPv4 is good enough, especially when they should know better. I just wish people would get their heads out of the sand and move to IPv6. I know a few people whose ISP provides IPv6, but they won't configure their routers to use it. Stupid!!!

  • @MaeveFirstborn · 1 year ago · +1

    Gonna watch this whole thing and I'm sure it's incredibly helpful and elucidating but first just out of curiosity, what keyboard is that? I dig it

    • @apalrdsadventures · 1 year ago

      It’s made by Unicomp - www.pckeyboard.com/page/product/NEW_M

    • @ByTheRiverHelge · 6 months ago

      The distinctive sound it makes comes from its buckling spring switches. Probably the best mechanical key switches you can get.

  • @frzen · 1 year ago · +5

    I wish I could use IPv6 at work. We have several port forwards on every one of our public IPv4 addresses and run into issues with devices that want to use STUN for WebRTC. We also have IPv4 turned off internally. I'd love it if there was a guide to the gotchas if you want to upgrade one of these lazy-sysadmin networks to IPv6.

    • @apalrdsadventures · 1 year ago · +5

      A Discord member of mine has been testing Active Directory in a v6-only network (not dual stack), without any issues. He has NAT64/DNS64 running on the edge of the network.
      In general the gotchas are mostly old IoT devices which won't do v6, or maybe old software. But for modern web-based stuff (both client and server side), v6 is extremely well supported or can be made well supported easily.

    • @frzen · 11 months ago

      @apalrdsadventures Thanks for this reply, I didn't get a notification but I was rewatching the video and noticed.

  • @jeytis72 · 1 year ago · +3

    Interesting. Are you going to make a few videos to explain how IPv6 works? Thanks

    • @autohmae · 1 year ago · +2

      He already has a bunch of videos on his channel.

    • @thewhitefalcon8539 · 1 year ago · +1

      It's literally exactly like IPv4 except with longer addresses and a couple of little tweaks that aren't too important

    • @UnderEu · 1 month ago · +1

      It’s like the ancient protocol but bigger addresses, automatic at its core and no translation shenanigans

  • @roopey · 1 year ago · +2

    Well, that's nice and all. Yet, I would rather see my stuff behind a correctly configured reverse proxy / application firewall than having to trust in jellyfin or any other service. Emby just recently messed up their implementation where quite a few users were vulnerable because they put their machines out there without proper protection...

    • @apalrdsadventures · 1 year ago

      In general a lot of vulnerable web applications are still vulnerable behind a proxy, and unless the proxy is doing mTLS or user auth on its own, it's not going to do much to solve them. Emby had a recent issue with proxy-specific headers which a proxy might have overwritten, but Emby has also had issues like file read vulnerabilities which a proxy won't do anything about.
      That said, Emby and friends do have more than just HTTP(S) ports, and I know that historically it was a big problem with Plex where people were opening all of the internal ports as well because the documentation listed the ports the app uses. So make sure you know which ports actually should be opened before opening every single port the app binds to.

    • @jordanrodrigues1279 · 6 months ago

      IPv6 rev-proxy is literally easier than IP4 NAT. Server gets a static ULA (globally unique but locally routable address) which is isolated by an entirely static and stateless firewall rule. Proxy gets a global address and firewall pinhole if needed.

  • @igorpavelmerku7599 · 2 months ago

    Very interesting. Could you kindly elaborate on the firewall part? How do you connect to the internet? I discovered that my ISP switched from public (dynamic) IPv4 addresses of client routers (consumer) to private addresses, so for the time being I had to buy a static IPv4 for my homelab services to be accessible from outside. Looks like I managed to set the static IPv6 address to my router but I am kind of lost as I don't even ping into internet ... Thanks.

    • @apalrdsadventures · 2 months ago

      In general, in IPv4, you have a single public address (or a CGNAT, like you have now). For outgoing traffic, your router will do NAPT (network address + port translation) to make all of the connections appear as if they came from that single public address. For incoming traffic, you will port forward from the public address+port to a private address+port.
      In v6, the address space is public, so there's no need to translate between internal and external addresses. You'll end up with a prefix from your ISP (probably a /48 if you paid for static IPv4, but /56 is also common for residential, and /60 for some providers). Unlike in v4, the router doesn't do any NAT, so you'll break up that large prefix into smaller subnets (/64) and assign those to your LAN networks. If you are using DHCPv4 the router will probably do DHCPv6 on WAN to receive an address + a prefix, then break apart the prefix automatically for LAN interfaces (but this depends on your router). At least in OPNsense, you set the LAN as 'Track Interface' to configure this. The router advertises the subnet like in v4, but the addresses in the subnet are part of the public address space. This eventually means all clients have a v6 out of the /64 subnet they are connected to, all out of the /48 or /56 subnet your router got from your ISP. The client itself can use its address directly to connect out to the internet, as long as the router firewall allows it. Public addresses are in the 2xxx block in IPv6 (so if they start with fe80 or fdxx they are not public).
      Then, it's just a question of configuring the firewall to allow traffic to come in to the address+port you are hosting on, forwarding from the wan IP to an internal IP. Since the internal IPs are in the public range, the firewall just has to allow it.

  • @daniel29263 · 7 months ago · +1

    IPv6 was not designed to bring e2e connections back, it was designed to preserve them; IPv6 was released before NAT (and obviously CGNAT too).
    Good video though.

    • @apalrdsadventures · 7 months ago

      Definitely a fun history trip to the early internet. Laughably, RFC 1631 (the original Network Address Translation, what we now call 1:1 NAT) notes that it's just a short-term solution, and the long-term solution is a new protocol with longer addressing. The IPng working group was already active at that time, but wouldn't publish for a few years.
      RFC 3022 for network address and port translation (NAPT, what we now know as NAT / masquerade) did come out in 2001, after v6 published in 1998. Maddeningly, they already knew back then that NAPT would break IPsec and FTP, and we still struggle with those things today.

  • @JohnSmith-yz7uh · 1 year ago · +3

    I guess the reason why IT admins hate IPv6 is because software, legacy or not, has trouble with IPv4 to IPv6 translation. If everything is IPv6, no problem. I haven't used it internally, but using an IPv4 address to ping a device is just so simple; but I guess you should use your local DNS for that.

    • @LampJustin · 1 year ago · +1

      If you use DHCPv6, pinging an address without DNS is equally simple. You just need your prefix and the suffix can be your choice. My prefix is 2001:ea:970f:4f00::/56; imho that's pretty reasonable. It's not like you can just do an `ip a sh dev ethX` to remember it anyway.

  • @jeremiahbullfrog9288 · 1 year ago · +2

    NAT was a blessing and a curse: it hobbled the internet along for another couple decades; however they would have had to implement ipv6 much sooner without it. Verizon FIOS still refuses to provide IPv6 in most areas. Very annoying.

    • @jeremiahbullfrog9288 · 1 year ago

      Great presentation. I should have watched the whole video before commenting and I would have seen you address this. The diagrams were very helpful.

    • @apalrdsadventures · 1 year ago · +1

      In the early days of NAT, some standards authors wanted to just wait for IPng to be finished (later named IPv6), but of course the internet was an absolute mess of numbering already (everyone had just chosen random numbers for private networks and now they were colliding when they joined the public internet) and they couldn't wait for the real solution so we got stuck with NAT.

    • @autohmae · 1 year ago · +1

      @apalrdsadventures The YouTube channel "The Serial Port" did a video on the history of NAT and the PIX firewall. In short, NAT was needed because, as you said, people were just choosing random numbers for internal networks and they needed NAT to fix those situations, and then NAT got used for the public Internet later.

  • @fanshaw · 11 months ago

    You may want to think about IPv6 NAT if you have more than one routed link. Typically for home users, this might be for a 4G/5G backup provided by the ISP for a landline.

    • @apalrdsadventures · 11 months ago

      It's possible to do 4G/5G backup by manipulating router advertisement priorities, and with this architecture you don't even need the two ISPs to come into the same router (you can feed two separate routers into a switch, as long as they are v6-only). You only get one /64 from a mobile ISP, but for home users that's probably fine.

    • @zekicay · 11 months ago

      @apalrdsadventures You can even do NDP proxying and still have separate local networks (IoT, guest) sharing the same /64, and theoretically even mix normal separate /64s from your ISP and share the /64 from the 4G/5G backup. It is a hack, but IMO less so than NAT as it doesn't break end-to-end.

  • @therealb888 · 1 year ago

    4:00 what application are you using for the diagrams? Looks super helpful!

    • @apalrdsadventures · 1 year ago

      draw.io for diagrams. It's web based but they also have a client version.

    • @therealb888 · 1 year ago

      @apalrdsadventures Thank you so much for answering!

  • @user-uk4se5jp1s · 8 months ago

    I started looking at doing your final design at home about 5 years ago but using Docker and found out it's not good for IPv6. Came back here from your Frigate video, unhappy to see it is no better still.

  • @TVJAY · 1 year ago

    I have tried to set up IPv6 on my network but I couldn't get pfSense to work with it.

  • @travisaugustine7264 · 11 months ago · +1

    How do you handle the certificate management with the two different paths?

    • @apalrdsadventures · 11 months ago

      The v4 path is doing layer 4 proxying, so all certificates are handled by the end server. Let's Encrypt will always try v6 challenges first anyway.

    • @travisaugustine7264 · 11 months ago

      @apalrdsadventures Thank you, I didn't realize that Caddy did layer 4 proxying...

  • @therealb888 · 1 year ago

    3:06 what's the app with all the text on your laptop?
    Is it a notes app? With the evernote death, I'm looking for any help possible.

    • @apalrdsadventures · 1 year ago · +1

      Visual Studio Code. My website is written in Markdown, so I write out all of my scripts in the same git repository that I use for the website.

    • @therealb888 · 1 year ago

      @apalrdsadventures Oh cool, I had a hunch it was VS Code. It's a very efficient workflow. On a side note, what if someone wants the privacy of IPv4 CGNAT, or is on a public wifi network where they don't have control over the network and don't want their devices accessible from the public internet? Won't NAT be useful in that scenario? Or is it a case of the firewall's responsibility?
      I'm new to these, so excuse me if I've asked anything dumb.
      I'd really like you to cover privacy implications of ipv6, will it make your ip address a permanent unique identifier for tracking you?
      Thanks to ipv4 ad companies like google rely on cookies & browser fingerprinting more than ip addr to uniquely identify you & track you. It's easy to deal with such tracking by using free countermeasures like tracker blockers, cookieautodelete, user agent changes/script blockers like noscript etc.
      How does ipv6 play into this context? I imagine only paid vpns may be the solution?

    • @apalrdsadventures · 1 year ago · +2

      So in IPv6 by convention, from the 128 bit address, the first 64 bits identify the network and the last 64 bits identify the host. By convention also, /48 is the longest suffix that is routed on the global internet.
      This means that the /64 subnet can usually identify your location about as well as your single public IPv4 would have (without CGNAT) for fixed ISPs. A business connection should get a whole /48 and a residential might get a /56 or /60, and nearby houses ('nearby' as within the same headend, not necessarily physically) will be within the same /48 or /40 block. For mobile ISPs they assign a /64 when the phone attaches to the network, so it's similar to CGNAT in trackability: you can certainly identify the carrier and the point of presence location as well as you would have in CGNAT IPv4.
      For the last 64 bits, you can assign them manually, sequentially, or based on the MAC address of the interface (all of which would be easily trackable), but most devices now will assign two random host addresses. The first is the 'permanent' or 'secured' address and is randomly generated and never changed for a given network; the second is a 'temporary' host address which is randomly generated and changed every ~24 hours. Outgoing connections will use the most recent temporary address, previous temporary addresses may be kept if existing connections are still using them, and incoming connections can be addressed to the permanent address, i.e. via DNS. Some OSes will go as far as keeping a list of the permanent address they use for each wifi network, similar to how they keep unique privacy MAC addresses for each network, so you can't be tracked across multiple networks.
      So for most purposes on a modern computer the IPv6 host suffix is not trackable across the internet for a long period of time.
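
      To make the host-suffix part of the reply above concrete, here is an added Python example (not the author's code) contrasting the three interface-identifier schemes it mentions: the MAC-derived modified EUI-64 IID of RFC 4291, from which the MAC is trivially recovered; a stable-privacy IID in the style of RFC 7217 (simplified here to a SHA-256 over the prefix, the interface name and a device secret, which is an assumption and not the RFC's exact function), which stays fixed on one network but is unrelated on every other; and a random temporary IID as in RFC 4941. The prefixes, MAC and interface name are constructed sample input, and the ~24-hour rotation of temporary addresses is not modelled.

```python
import hashlib
import ipaddress
import os
from typing import Optional


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291): flip the U/L bit, insert ff:fe in the middle."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:6]
    return int.from_bytes(iid, "big")


def mac_from_address(addr: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 based address; None if the suffix does not have that shape."""
    iid = (int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def stable_privacy_iid(prefix: str, iface: str, secret: bytes) -> int:
    """Simplified RFC 7217 stable IID: a keyed hash over the network prefix, so it is constant on one
    network but unrelated across networks (assumption: the RFC's F() is modelled as plain SHA-256)."""
    net = ipaddress.IPv6Network(prefix)
    digest = hashlib.sha256(net.network_address.packed[:8] + iface.encode() + secret).digest()
    return int.from_bytes(digest[:8], "big")


def temporary_iid() -> int:
    """RFC 4941-style temporary IID: random bits, with the 'universal' (U/L) bit cleared."""
    bits = bytearray(os.urandom(8))
    bits[0] &= 0xFD                      # this identifier is not claiming global uniqueness
    return int.from_bytes(bits, "big")


def compose(prefix: str, iid: int) -> str:
    """Join a /64 prefix with a 64-bit interface identifier into a full address."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("host addresses are formed in a /64")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


if __name__ == "__main__":
    # Constructed sample input: one MAC, two networks (home and a cafe), one device secret.
    mac, home, cafe, secret = "00:11:22:33:44:55", "2001:db8:1::/64", "2001:db8:2::/64", b"device-secret"
    eui = compose(home, eui64_iid(mac))
    print("EUI-64    ", eui, "-> leaks MAC", mac_from_address(eui))
    print("stable    ", compose(home, stable_privacy_iid(home, "wlan0", secret)),
          compose(cafe, stable_privacy_iid(cafe, "wlan0", secret)))
    print("temporary ", compose(home, temporary_iid()))
```

      The first line of output is the tracking problem in one address: anyone who sees the EUI-64 form can pull the MAC out and correlate the same laptop across every network it joins; the stable-privacy form gives the same host a different, unlinkable suffix on the cafe's prefix.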

  • @DanielKarnole-fs3hm · 10 months ago

    Great video!

  • @MarcelodeSouzaSilva · 4 months ago

    Could you make an IPv6 "tutorial" in the Omada ecosystem? I searched here on YouTube, but there's nothing specifically about IPv6... just generic configurations.

    • @apalrdsadventures · 4 months ago · +1

      I don't have an Omada router, just APs which are just acting as APs (not the whole SDN setup).

  • @benfreeman9717 · 1 year ago · +4

    Unless things have changed in the last 5 years or so, IPv6 implementations still haven't been fully completed or standardized. I've tried to set up IPv6 in a couple different environments and I've never gotten it to work properly. Not sure if it's a Microsoft thing, or maybe the specific network vendors I was trying to use (Cisco, Juniper, Palo Alto, Windows server 2016, and Ubuntu 18), or perhaps it was something on the ISP's side, but I was never able to get simple things to work, i.e., being able to ping an IPv6 address inside my network from the internet. I've been working full time doing IT/networking for over 20 years and even with support from the ISP I was not able to get any devices working on v6. It makes a lot of sense for corporations and mobile network operators to use v6 because of the sheer number of addresses needed, but in literally every network install I've ever done it makes no sense. As for split horizon DNS, that is easily fixed by putting your devices which need remote access in a DMZ subnet and let the router do what it was designed to do. No DNS tricks needed. When you host a device on-premises without using a DMZ there's no way to get around hairpin routing if you want to use a single IP for your server/device. IPv4 is getting old and it's not perfect, but it's still FAR easier to work with than IPv6. Maybe when device manufacturers get on board and fully support v6 and ISPs in rural areas get serious about v6 it will be different. For now it's more of a novelty.
    IPv6 is kinda like 5G cellular. I am told that 5G has all these great features and can support more bandwidth and connections, but if you live in a state that has terrible mobile connectivity, the number of Gs doesn't really matter. I would absolutely love to be able to make phone calls while driving multiple hours to job sites, but most places I drive don't have any cell coverage at all, except by quaint local telephone companies that are 10 years or more behind the technology curve. I guess I've said all this to say that it's all relative. You can upgrade your customers' phones to whatever technology you want, but if they live in an area where you don't want to provide service, it doesn't help them at all. If you provide virtually unlimited IPv6 space to corporations, they'll use it and it will be the greatest thing ever. If you offer those IPv6 addresses to overworked hospital, school, library, etc. IT staff, you're going to have to come up with a damn good reason why they need to renumber their networks for virtually no gains. The people that need IPv6 will figure it out and make it work. The people that don't need it will very likely continue for many more years without it and get by just fine.

    • @apalrdsadventures · 1 year ago · +2

      There could be a lot of reasons for this, the biggest of which is that enterprises are the slowest to adopt IPv6 so enterprise-only solutions are also the slowest to have good IPv6 support. ISPs and hosting companies are the most eager to get traffic on v6, since they are legitimately very much out of addresses and it costs them a lot of money to continue to buy v4 blocks to provide to customers. Businesses can afford to buy a small block and hide behind that, but even then you will eventually run out of 10/8 space in a large enterprise if you aren't careful with it, and mergers / acquisitions become a nightmare when you are both using 10/8 in overlapping regions.
      As to the 'needs' of deploying v6, going v6-only in a large organization means you can fully access everything over both v4 and v6 (using DNS64/NAT64 or 464xlat, depending on your client devices), while deploying v4-only means you can't access v6 at all. It also means your network design is very significantly simpler, as you have a massive amount of address space to subnet from, and can use that to encode things like site, subnet within the site, the vlan id, ... in a readable form in the address directly. This also means routes will aggregate as you go up from the subnet level to the site level, leading to a single route per site. So for a deployment which is new or being re-done today, going v6 will be much easier than v4. As to upgrading from v4 on an existing large network, it's mostly a longer-term issue that will need to be addressed at some point in time, like any other major network refresh.

  • @immortalmyth5685
    @immortalmyth5685 a year ago

    Pls make a video "How U set up your ipv6 homelab"
    How service change to ipv6
    How to config wireguard
    Etc...
    Thanks

    • @apalrdsadventures
      @apalrdsadventures  a year ago +1

      I'm working on an OPNsense basic setup video that fully covers both v4 and v6, then I'll go from there

    • @immortalmyth5685
      @immortalmyth5685 a year ago

      @@apalrdsadventures hope video will come soon
      I wanna learn how to manage my services under IPv6 and much more. Thanks again

  • @Superturisto
    @Superturisto a year ago

    Would be great video how to build IPv6 network in home lab, with caddy :)

    • @apalrdsadventures
      @apalrdsadventures  a year ago +1

      I'm using more than just Caddy, but I definitely like it for dealing with TLS especially

    • @Superturisto
      @Superturisto a year ago

      @@apalrdsadventures I have many services in my home lab and I am not sure yet all of them will work with IPv6

  • @max-is-loud
    @max-is-loud 6 months ago

    What tool are you using in these videos to draw your diagrams?

  • @red_ben3487
    @red_ben3487 10 months ago +1

    Problem solved with a VPN hosted on my router. All clients use local IPv4 addresses and clients outside the LAN automatically connect to the VPN.

  • @probablypablito
    @probablypablito a year ago +1

    What if you change ISPs / IPs? On IPv4 NAT takes care of this so if your public IP changes then no device needs to be reconfigured. With IPv6 however you'd have to reconfigure every single device. DHCP wouldn't work either unless you have a DDNS client embedded in every device / service with an IP (not feasible, esp for IoT).

    • @apalrdsadventures
      @apalrdsadventures  a year ago

      It depends. Changing ISPs would mean a new prefix delegation, so the router would advertise the new prefix. Clients will pick that up and be fine (as they would in DHCP).
      Virtually all consumer IoT devices are doing mDNS now, so they would be fine too internally. A lot of them are probably speaking IPv6 to each other already, since mDNS can use link-local addresses and those always exist if the interface is up in most OSes.
      On server networks it's definitely more tricky since the addresses need to be fixed (although they can be random) and need to go in DNS, but that's not really different from needing to update DNS now if you have a public IP change. So only DNS should need to change.

    • @probablypablito
      @probablypablito a year ago

      @@apalrdsadventures Oh wow! Didn't know that machines could pick up a new prefix while not changing the end bit. The solution I'd seen before was with NAT, where you'd assign fd00::1, fd00::2, etc to the machines (private ips), then later have a rule in the router that publicprefix::X -> fd00::X. That way you still have 1:1 addresses but don't have to worry about changing prefixes.

    • @apalrdsadventures
      @apalrdsadventures  a year ago

      Using ULA addresses (fc00::/7) means the clients treat the network as having no public IPv6 access, since ULAs aren't globally routable, the order of precedence is IPv6 global, then IPv4, then IPv6 ULA. So it's a good practice to use ULAs on networks which are actually isolated from the internet and to NOT use them on networks which can route to the internet.
      The host identifier *could* change depending on how the OS implements privacy extensions. Most server Linux distributions have privacy extensions disabled by default, so the host identifier will be generated from the MAC address and fixed per interface. Client OSes, especially mobile OSes, often keep a different permanent host identifier for each 'network', some identify that by wifi SSID similar to how they keep a different unique MAC address for each network. So those devices are more likely to generate a new permanent address on a changing prefix, but they would probably also usually generate a new MAC address in the same scenario.

    • @deepspacecow2644
      @deepspacecow2644 a month ago

      @@probablypablito That is incredibly cursed, and a crime against humanity.

  • @PavelMezentsev
    @PavelMezentsev 4 months ago

    In case of hosting multiple services reverse proxy makes managing the certificates easier, plus on the firewall one only needs to allow access to reverse proxy instead of a longer list of hosts (there are some exceptions that need more ports but not too many). So the main advantage would be that locally it would skip the router hop. For high bandwidth services it could make sense to manage certificates directly by the services if reverse proxy becomes a bottleneck. Or am I missing something? Overall does not mean IPv6 is not worth it, just that it's not a silver bullet to solve all the problems.

    • @apalrdsadventures
      @apalrdsadventures  4 months ago

      It Depends, of course.
      - In my case I use a layer 4 (TCP) proxy instead of layer 7 (TLS/HTTP), so the proxy doesn't have to decrypt / encrypt the traffic and doesn't hold the certs. The origins can do their own LE challenges to get certs, and TLS-ALPN-01 challenges will pass through layer 4 proxies even if port 80 is not open.
      - If you are using a layer 7 proxy, then the traffic from the proxy to the backend is either unencrypted (not good), encrypted using a self-signed cert from the origin (better but not great, unless you use cert pinning), or signed using an internal CA. Alternatively you can use a secure backend network like Nebula instead of TLS to secure backend traffic.
      - You're also decrypting/encrypting all of the traffic, which adds load to the proxy (even with AES-NI). For higher bandwidth traffic this means the traffic goes through AES 3 times (on the origin, decrypt on the proxy, encrypt on the proxy).
      - As you scale beyond a few users, all of these become significant, but on a home network with only a few users the bandwidth and CPU usage is not huge and it's not that big of a deal.

  • @Henfredemars
    @Henfredemars 5 months ago

    I face three main problems with IPv6:
    Crap routers can't handle it. I've seen TP links that crumble with more than 100 connections on IPv6 due to really bad firewall code.
    Dynamic prefix from ISP makes firewall pinholes impossible to write in a portable way with some providers.
    Games that just won't use v6.

  • @Rockovissi
    @Rockovissi 2 months ago

    IPv6 makes my smart home devices randomly lose connectivity. I disabled IPv6 and never had an issue. The problem is I believe you need it enabled for Thread devices.

  • @pawelk1337
    @pawelk1337 9 months ago

    What are you using for the "explaining" program?

  • @knightrider585
    @knightrider585 a year ago +1

    How does a private individual own a permanent IPv6 address since these are addresses of all the devices on my network? Is there somewhere I go to buy an IPv6 address block? And how do I get my ISP to route these?

    • @knightrider585
      @knightrider585 a year ago +1

      Okay I just googled and it appears I just need to pay A$1180 annually and an A$500 signup fee to own an IPv6 address range. Guess I will stick with IPv4 and NAT.

    • @apalrdsadventures
      @apalrdsadventures  a year ago

      You don't need to own a range. You get it delegated from your ISP (via DHCPv6). They should give you somewhere between a /48 and /60 (16 to 65536 subnets) and you assign subnets out of that dynamic pool.
      At least in the US, the pricing from ARIN is currently free for v6-only, but you need an ISP you can BGP peer with which a residential ISP won't do. But a small business shouldn't have a problem with that.

    • @knightrider585
      @knightrider585 a year ago +2

      @@apalrdsadventures So you can or can't keep your IPv6 address when you change ISP?

    • @UnderEu
      @UnderEu 6 months ago

      @@knightrider585 Not only you can keep your addresses but you can have multiple IP Transit Providers, be connected to all of them and, in case one link goes down, your router automatically routes traffic from/to your network to the other link you have via BGP and you won't even notice - well... you'll have a short freeze delay, a couple packets might need to be retransmitted but your connection won't drop entirely. This is called "multihoming".

    • @deepspacecow2644
      @deepspacecow2644 a month ago

      @@knightrider585 They don't belong to an ISP, when you are on BGP, you are your own ISP. They are addresses attributed to your ASN.

  • @pingyofdoom
    @pingyofdoom 17 days ago

    So, I feel like using a reverse proxy increases my security. Is IPv6 port forwarding bad?

    • @apalrdsadventures
      @apalrdsadventures  17 days ago

      Reverse proxying still has security benefits, but there's no need to centralize a single proxy for all services in v6 as there was in v4 (to share the v4 address).
      Some apps don't natively support TLS or don't support authentication, so reverse proxying those is still good, but you can run the proxy along with the application instead of centrally.

  • @therealb888
    @therealb888 a year ago

    But what if you don't want a static unique public ip?

  • @JAG_UAR
    @JAG_UAR 8 months ago

    Websites are working but I am unable to download files from the websites. Is there any solution for that?

  • @WoodenPlankGames
    @WoodenPlankGames 9 months ago

    My entire ISP does not provide IPv6 in or out. I can't even use it for LAN-only routing due to modem restrictions.

  • @nekieven8597
    @nekieven8597 10 months ago

    What is this green lock in the topology and what is its purpose?

    • @apalrdsadventures
      @apalrdsadventures  10 months ago +1

      that's the logo of Caddy, a reverse proxy server. HAProxy is another alternative that I use as well.

  • @ivlis32
    @ivlis32 10 months ago +2

    If your ISP assigns you a dynamic IPv6 prefix everything breaks because when your prefix rotates you need to change every single DNS record and every single firewall rule.

    • @apalrdsadventures
      @apalrdsadventures  10 months ago

      If your (fixed, not mobile) ISP is following recommended practices for v6 deployment you should get a prefix delegation tied to your DHCP lease which shouldn't change as long as you continue to renew the lease. I've only had it change once, when Comcast changed the router on their end.
      Mobile ISPs are a bit different since prefix allocation is done by the 3GPP side and not DHCP, so it will change more frequently as sessions are allocated/de-allocated.

    • @cassanvo
      @cassanvo 10 months ago +1

      @@apalrdsadventures too bad if that happens, a lot of issues for businesses. I'd rather have a NATed environment until they come up with a more reliable solution, and that's just a small part of the problem.

  • @shokre1984
    @shokre1984 3 days ago

    So with one firewall I can secure my whole network. Yet when I attach every single device in my home to IPv6 I have to have a firewall on every single device, otherwise I would be a target for attackers. Or do you have some other idea?

    • @apalrdsadventures
      @apalrdsadventures  3 days ago

      You still have one firewall on the edge of your network, this doesn't change

  • @jonesdh63
    @jonesdh63 7 months ago +1

    What happens when your ISP changes your /48 subnet?

    • @apalrdsadventures
      @apalrdsadventures  7 months ago

      ISPs are not recommended to change the subnet ever, but occasionally it will change due to network changes on their end (i.e. replacing routers). Usually it will persist for at least a year.
      But in general, since everything is self-assigned and derived from the delegated prefix, hosts will reconfigure using the new subnet and continue working just fine. DNS will need to be updated. If the hosts are using privacy extensions their suffix will change as well, if not then the suffix will stay the same so DNS changes are easy.

  • @Kilraeus
    @Kilraeus a year ago

    One thing I will say, a lot of the new hotness in enterprise WAN and security has little, poor or no IPv6 support, which is going to be a roadblock.
    E.g. zscaler, vmware sdwan, cato networks, netskope. Also, unfortunately IPv6 NPT seems like the best approach for multi internet links at a site

    • @apalrdsadventures
      @apalrdsadventures  a year ago

      As to multi-WAN, if you're at any sort of business scale you get a (currently free from ARIN) provider-independent prefix and do BGP multihoming. You can get a prefix big enough for the whole operation and split it into /48s for each site.
      At the very small scale but still multi-WAN, you can advertise both prefixes to clients in RAs and manipulate the lifetime / router priority fields to force clients to choose a prefix for outgoing connections.
      Moving to a more end-to-end model (relying on TLS all the time and not trusting the 'internal' network blindly) can also reduce the need for large scale overlays

    • @Kilraeus
      @Kilraeus a year ago +1

      @apalrd's adventures multi-wan at the dc or large offices sure, I deal with a lot of redundant connection sites. Most cellular and satellite services will not allow bgp advertisements, and most numbers registries need fairly stringent requirements for organisations to use multiple ASNs as would be suggested with retailers sites and the like.

  • @bjarnenilsson80
    @bjarnenilsson80 a month ago

    Not to mention protocols embedding IP addresses in higher level headers (see SIP et al.); not having to deal with ALGs and TURN/STUN on IPv6 will be nice once IPv4 turns into a small minority. On the subject of IPv6 and containers (Docker in my case), is it possible to set things up so that the containers get IPv6 addresses via autoconfiguration (router solicitation + router advertisement)? This can be rather handy in a home lab scenario when your ISP decides to give you a different PD (which for home internet can, depending on ISP, be rather frequent); it would be nice not to have to change IPv6 addresses for numerous containers manually, and not everyone has orchestration rolled out. It might just be me being an idiot but I can't seem to get it to work

  • @GameP0rt
    @GameP0rt 3 months ago

    How do I host services, like a DNS server or a webserver, when my prefix changes every day?

    • @apalrdsadventures
      @apalrdsadventures  3 months ago

      Are you in Germany? Apparently German ISPs love changing prefix every day. ISPs are supposed to keep them stable without making them static, but some ISPs just ... don't
      Other than that, you can use link-local addresses (fe80) within the same subnet and unique local addresses (fdxx with a randomly-generated /48) for communication within your network. Link-local addresses are usually used with mdns and ULAs are used by some new home automation protocols that rely on IPv6 if they don't have an existing IPv6 network.

    • @GameP0rt
      @GameP0rt 3 months ago

      @@apalrdsadventures yes 😄 you are right. I'm from Germany. I asked the ISP to make it static but they said it's not possible because of privacy reasons. It is only possible for business customers.
      Your idea is great but if I want for example to host a reverse proxy or something like that I would need to do 6to6 NAT I guess. That would ruin all the benefits from IPv6.

    • @apalrdsadventures
      @apalrdsadventures  3 months ago

      If your DNS side can deal with prefix updates, you can use a static suffix instead of a nat66 setup and let the prefix change.
      Another option is to continue relying on v4 for hard addresses and give clients v6 to get out to the internet only, so the addresses don't matter.

    • @GameP0rt
      @GameP0rt 3 months ago

      @@apalrdsadventures yes, that's what I do for now. Thanks for your replies :)
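
The "static suffix, let the prefix change" approach discussed in this thread and in the earlier one about an ISP changing a /48, as an added example that is not from the video or its author: a Python script that recomputes the addresses of hosts with fixed interface identifiers (a static suffix, or the modified EUI-64 derived from the MAC when privacy extensions are off) under a newly delegated prefix, emits the AAAA records that have to be replaced, and flags hosts using privacy extensions whose new address cannot be predicted. The delegated prefixes, MAC addresses, hostnames and zone name are constructed.

```python
"""Renumbering hosts with fixed interface identifiers after a prefix change.

Constructed example: the delegated prefixes, MAC addresses, hostnames and
zone name below are made up and do not describe any real network.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Host:
    name: str
    subnet: int                   # index of this host's /64 inside the delegation
    mac: Optional[str] = None     # identifier derived from the MAC (privacy extensions off)
    suffix: Optional[str] = None  # static token such as "::10" (typical for a server)
    # A host with neither mac nor suffix uses privacy extensions: its new
    # address cannot be predicted and has to be re-discovered (mDNS, DHCPv6 logs, ...).


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier: insert ff:fe in the middle of the
    48-bit MAC and flip the universal/local bit of the first octet."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def interface_id(host: Host) -> Optional[int]:
    """The 64-bit interface identifier of a host, or None if it is not fixed."""
    if host.mac is not None:
        return eui64_interface_id(host.mac)
    if host.suffix is not None:
        iid = int(ipaddress.IPv6Address(host.suffix))
        if iid >= 1 << 64:
            raise ValueError("a static suffix must fit in the low 64 bits")
        return iid
    return None


def subnet_of(delegation: ipaddress.IPv6Network, index: int) -> ipaddress.IPv6Network:
    """The index-th /64 carved out of a delegated prefix (/48 .. /64)."""
    if delegation.prefixlen > 64:
        raise ValueError("a delegation must be at least a /64")
    if not 0 <= index < 1 << (64 - delegation.prefixlen):
        raise ValueError(f"subnet index {index} does not fit in {delegation}")
    base = int(delegation.network_address) + (index << 64)
    return ipaddress.IPv6Network((base, 64))


def host_address(delegation: ipaddress.IPv6Network, host: Host, iid: int) -> ipaddress.IPv6Address:
    """Prefix of the host's /64 combined with its fixed interface identifier."""
    net = subnet_of(delegation, host.subnet)
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def renumber(old_prefix: str, new_prefix: str,
             hosts: List[Host]) -> Tuple[Dict[str, Tuple[str, str]], List[str]]:
    """Map each host to (old address, new address). Hosts without a fixed
    identifier are returned separately because they must be re-discovered."""
    old = ipaddress.IPv6Network(old_prefix)
    new = ipaddress.IPv6Network(new_prefix)
    changed: Dict[str, Tuple[str, str]] = {}
    unpredictable: List[str] = []
    for host in hosts:
        iid = interface_id(host)
        if iid is None:
            unpredictable.append(host.name)
            continue
        changed[host.name] = (str(host_address(old, host, iid)),
                              str(host_address(new, host, iid)))
    return changed, unpredictable


def aaaa_records(zone: str, changed: Dict[str, Tuple[str, str]], ttl: int = 300) -> List[str]:
    """Zone-file lines for the records that have to be replaced after the change."""
    return [f"{name}.{zone}. {ttl} IN AAAA {new}" for name, (_, new) in changed.items()]


# Constructed inventory: a /56 delegation with the proxy on subnet 0 using a
# static suffix, a NAS on subnet 1 using its MAC, and a laptop with privacy extensions.
INVENTORY = [
    Host("proxy", subnet=0, suffix="::10"),
    Host("nas", subnet=1, mac="00:11:22:33:44:55"),
    Host("laptop", subnet=1),
]
OLD_PD = "2001:db8:1234:ab00::/56"  # constructed, documentation prefix
NEW_PD = "2001:db8:5678:cd00::/56"  # constructed, documentation prefix

if __name__ == "__main__":
    changed, unpredictable = renumber(OLD_PD, NEW_PD, INVENTORY)
    for name, (before, after) in changed.items():
        print(f"{name}: {before} -> {after}")
    for line in aaaa_records("home.example", changed):
        print(line)
    print("re-discover (privacy extensions):", unpredictable)
```

Firewall rules written against the full address break the same way as the DNS records; a rule keyed on the suffix (or regenerated from this inventory) survives the prefix change.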

  • @jordancrawford7094
    @jordancrawford7094 a year ago

    The reason why IPv6 has grown over the last 10 years is smart phones and cell networks using it. I reckon growth will start to slow down soon.

    • @thewhitefalcon8539
      @thewhitefalcon8539 a year ago

      Nope. IPv4 is on the decline. Addresses are getting more expensive and more clients don't need it

  • @jdratlif
    @jdratlif 10 months ago

    There's one point I'm not clear about here. You got your IPv6 addresses from your ISP, right? If not, I don't understand how traffic is routed to you from an external IPv6 network (e.g. Verizon mobile)

    • @apalrdsadventures
      @apalrdsadventures  10 months ago

      Yes, you get a prefix delegation (at least a /64, usually larger) from the ISP. For mobile providers usually you get a /64 assigned via the 3GPP PDU, for everyone else usually you get a /48, /56, or /60 via DHCPv6-PD.

    • @jdratlif
      @jdratlif 10 months ago

      @@apalrdsadventures awesome, thanks. Unfortunately, I don't think my ISP does IPv6, so it looks like I won't be able to do this right now. ☹️

  • @-felt
    @-felt a month ago

    I'm in Australia, and neither my mobile ISP nor my home ISP assign me an IPv6 address, with the exception of my ISP when I was opted in to their bullshit CGNAT.
    Is it just better in that case for me to continue using IPv4 since I have absolutely no exposure to IPv6 regardless of where I am and what device I'm using?

    • @isithardtobevegan53
      @isithardtobevegan53 a month ago

      If you want to have IPv6 you can use a VPN that offers IPv6

    • @-felt
      @-felt a month ago

      @@isithardtobevegan53 I think you're entirely missing the point. The devices have an IPv6 assigned by the router and can be addressed or spoken to directly from the internet using just the IPv6. Using a VPN just adds unnecessary tunneling just as CGNAT does, and requires all other users to be using that VPN.
      You then run into the trouble of having to separate local and internet traffic, and even further, what parts of the local network a device should still have access to, which yes can still be done with a VPN, but is extremely limited and not as flexible.
      All that's to say, the VPN would just be doing IPv6>IPv4 conversion for absolutely all traffic, so at that stage you're just IPv4 with a Gucci belt anyway.

    • @isithardtobevegan53
      @isithardtobevegan53 a month ago

      @@-felt I did not say that this method of obtaining a global IPv6 address is better than if your ISP gave you IPv6. Of course it would be better if your ISP gave it to you, but getting it from a VPN is at least better than nothing.

  • @no0ne.
    @no0ne. a year ago

    Tell this to the other channels like NetworkChuck or Crosstalk Solutions 😂

  • @ThaOriginalGangsta77
    @ThaOriginalGangsta77 a year ago

    So what does IPv6 native mean on my router?

    • @wcoile
      @wcoile 11 months ago

      Native IPv6 just means not tunneled

  • @Blueaankh
    @Blueaankh 11 months ago

    Guys I need help, I want to convert my IPv4 to IPv4/IPv6, I have 0 clue on how these work, can someone just please help me out, it's been days I've been trying to figure this out, my Wi-Fi customer care doesn't even seem to care

  • @StephenBuergler
    @StephenBuergler 7 months ago

    Do all IPv6 routers block incoming traffic by default?

    • @legendaryzfps
      @legendaryzfps a month ago

      Yeah, your firewall will block anything unless it's whitelisted or an outgoing request

    • @StephenBuergler
      @StephenBuergler a month ago

      @@legendaryzfps are all routers firewalls?

    • @legendaryzfps
      @legendaryzfps a month ago

      @@StephenBuergler router and firewall are different things BUT: your "Router" is most likely an IAD (integrated access device) which combines Router, Firewall, Access Point, Switch and in some cases VoIP Gateway in one device. So the devices known as Routers in public are IADs in 99% of the cases, which have a firewall included, so has yours, I think

    • @StephenBuergler
      @StephenBuergler a month ago

      @@legendaryzfps back in the old IPv4 NAT days I feel like you could more easily rely on there being a firewall because there isn't really another way that could work. Traffic comes into the router/switch/DHCP/wifi thing and there wouldn't be an obvious place to send it. Now it's a matter of configuration. Incoming traffic could be forwarded to the computer, it's just that it should be configured to block it. Another thing that I thought was true was that you couldn't really trust the software on these things. They would have these vulnerable WPS buttons, default passwords everyone knew, telnet ports on the LAN side with a known default password, a UPnP action to disable routing to the internet, WEP, previous owners could have configured them poorly, DNS rebinding attacks, foreign actors messing with them, never updated firmware... Is being configured to not forward incoming IPv6 traffic not in this set of things to worry about?
      edit: I just find it hard to trust these things very much if at all.

    • @legendaryzfps
      @legendaryzfps a month ago +1

      @@StephenBuergler NAT is NOT a security feature. If you don't trust IPv6, which is the only protocol being run by the ISP I've worked for and a Swiss ISP I know of (there is no IPv4; you're able to access the IPv4 Internet via a 6to4 gateway at the ISP)... If you wanna tell me that millions of customers have insecure internet connections by default I don't know what else to say. I as a Network Engineer know that IPv6 is secure and turning on the firewall if it isn't by default for some reason takes 5 minutes just as IPv4

  • @linearburn8838
    @linearburn8838 a month ago

    It's kinda funny, I used to use Untangle; they still to this day don't support IPv6 properly, hence why I am on OPNsense now. Although I do miss their easy interface and analytics

  • @ukyoize
    @ukyoize 7 months ago +1

    At my work they just force people working remotely to use a VPN

  • @VileStorms
    @VileStorms 3 months ago

    I don't have the time to change the IPv6 every 3-6 months when my ISP decides to change it. Thus I disabled it completely. If there's enough IPv6 addresses for trillions of devices, why do ISPs insist on changing them so frequently? One would think static IPs would be default with IPv6...

  • @cassanvo
    @cassanvo 10 months ago

    Great presentation, but that brings up some serious security concerns. I guess we will have to rely a lot more on VLANs for network segmentation.. I'm very curious about what it's gonna look like in the future..

    • @apalrdsadventures
      @apalrdsadventures  10 months ago +1

      Why would you need to rely on network segmentation for security any more than you already do? This doesn't change firewall rules or anything, just straightens out packet routing.

  • @mindshelfpro
    @mindshelfpro a year ago

    Neither my home ISP nor my cell phone internet service offers IPv6 😢

    • @thewhitefalcon8539
      @thewhitefalcon8539 a year ago

      Most cellphone devices use IPv6. Your provider is incompetent

  • @mirror1766
    @mirror1766 a year ago +2

    As much as I am a fan of moving forward with IPv6 and even have things on the internet not accessible to me that I try to get to without it, I've been dragging my feet in that I didn't want to solve the issue of making sure my devices stay good when no longer behind NAT (=stupid firewall). Just using an old consumer router that needs replacement and I haven't directed traffic through another computer with better firewall capabilities. Botnets try to abuse everything I let them touch; it seems fun to let them try logging in with disabled login names on services but then they pull BS like spamming login attempts that will fail with forged packets to have the service participate in a DDOS.

    • @deepspacecow2644
      @deepspacecow2644 a month ago

      Literally just set to deny/deny, like most routers come as default.

    • @mirror1766
      @mirror1766 a month ago

      @@deepspacecow2644 That's the start of my firewall rules. Need to take the time to 'unbreak' IPv6 with it as I try to learn+permit as I go..

  • @orthodoxNPC
    @orthodoxNPC 3 months ago

    Allowing all devices to go directly to any other device without any gateways sounds a lot like an unsegmented network. One compromise you lose everything.

    • @apalrdsadventures
      @apalrdsadventures  3 months ago

      Any segmentation you are using doesn't change the fact that you have fewer hops for traffic when you avoid proxies.

    • @orthodoxNPC
      @orthodoxNPC 3 months ago

      @@apalrdsadventures yes I think you are correct that a direct connection will have the best performance in most metrics. But the problem is on the WAN side where the limitation of the propagation of signals through copper/optical media is much greater than all of the hops combined. Typical store&forward processing time of a hop is 100-600 nanoseconds... and that's on hardware from 3 generations (2016) ago

  • @LampJustin
    @LampJustin a year ago +1

    7:53 I just hate these people. Why don't they see the chances of V6, instead of being annoyed by their "length". As if anyone types their public v4 addresses manually... It's beyond me...

  • @crc-error-7968
    @crc-error-7968 10 months ago +1

    Hi, a very useful and clear video, but I am still skeptical about IPv6. Maybe because of the tons of videos and articles: "Hacker paradise", "less secure than.." etc..
    To simplify, are you sure that my laptop is still secure with a global address that exposes it to any site and service on the internet?
    Also if I change the ISP I have to reconfigure all the internal network (static addresses, their matches in unbound, etc.)
    Don't you think that using a ULA and a virtual IP to match the prefix given by the ISP is better?
    Greetings from Italy ;)

  • @jabadoo5307
    @jabadoo5307 11 months ago

    Are you Italian? It looks like every word you say has a paired hand motion to go along with it.
    Is there a matrix that shows you get more clicks or does this translate to more views? Really just curious, I don’t believe you do that in everyday conversation.

    • @apalrdsadventures
      @apalrdsadventures  11 months ago +1

      I do have a lot of hand movements, it probably comes from demonstrating physical things so much

    • @jabadoo5307
      @jabadoo5307 11 months ago

      @@apalrdsadventures thanks for the response. While it looks a little over the top, I get that if you are showcasing or demonstrating items, using hands is pretty effective.

  • @isithardtobevegan53
    @isithardtobevegan53 5 months ago

    Intentionally disabling IPv6 or not using it in 2024 is a crime against humanity

  • @No1x3N
    @No1x3N a year ago +1

    I don't understand what's the utility of supporting IPv6 for home usage if in the end, if you want to preserve the ability to access services in your home network via a proxy and IPv4 from the outside, you'll have to set up all the port forwarding rules anyway, and at that point why bother with IPv6 if IPv4 is still supported everywhere?

    • @apalrdsadventures
      @apalrdsadventures  a year ago +1

      Within my network, I don't have to do split-horizon DNS and avoid hairpin routing. While it's not a big deal for all services, tunneling a bunch of stuff up to the router and back can really load the router and the Ethernet link to the router, and similarly it can *really* load the proxy if the proxy is terminating TLS.
      So now, the only traffic taking that extra step is the minority of traffic that's both outside of my network and on a legacy network.

    • @thewhitefalcon8539
      @thewhitefalcon8539 a year ago

      If you only have IPv4 on the outside you could connect to a tunneling service or your own VPN

  • @craigleemehan
    @craigleemehan a year ago +4

    By using IPv6, does that make all my LAN connected addresses internet routable? This seems bad for security? Thanks for the content.

    • @apalrdsadventures
      @apalrdsadventures  a year ago +9

      Yes, all v6 networks which are connected to the internet are part of the global address space. This means a packet can route directly to any other host, without doing NAT traversal. It doesn't mean the firewall will allow the packet through, just that the packet can be directly addressed all the way to the destination.

    • @jeremiahbullfrog9288
      @jeremiahbullfrog9288 a year ago +6

      One important side effect is that you will have to pay more attention to your firewall configurations, in fact if you haven't disabled IPv6 in your router, you may have silently been exposed already. A lot of home users have no idea.

    • @craigleemehan
      @craigleemehan a year ago +2

      @apalrd's adventures So for neophytes, like me, that sounds scary. It would be helpful to have some content on how to properly set up one's security when using IPv6.

    • @RobinCernyMitSuffix
      @RobinCernyMitSuffix a year ago +6

      @@craigleemehan very simple, use the default firewall rule to block all traffic, and then you just allow the traffic you want to allow. The idea behind it is the same, no matter if it's legacy IP or IPv6.

    • @apalrdsadventures
      @apalrdsadventures  a year ago +10

      Most (all?) of the popular firewall distributions I've seen (Unifi, OPNsense/pfSense, OpenWRT, ...) block all by default on WAN, so there's no change to security if you are using one of those.

  • @user-xm6zi7hh3l
    @user-xm6zi7hh3l 5 months ago

    MAN GOO SLEEP!

  • @scipakos
    @scipakos a year ago

    My ISP still doesn't even use IPv6 :DD it's like the fourth largest ISP in our country and no IPv6 support for customers :DDD

    • @damiendye6623
      @damiendye6623 a year ago

      So change; if the ISP isn't offering full internet connectivity, that's a reason to leave

    • @jeremiahbullfrog9288
      @jeremiahbullfrog9288 a year ago +2

      @@damiendye6623 it's not that easy when they are effectively granted geographic monopolies

    • @damiendye6623
      @damiendye6623 a year ago

      @@jeremiahbullfrog9288 don't know which country you're in but that monopoly isn't allowed in the UK

    • @thewhitefalcon8539
      @thewhitefalcon8539 a year ago

      This is pretty common because the big ones are also the oldest ones and they got plenty of addresses ages ago. Consider switching. Also it may be a silly suggestion but did you call up their support and ask about IPv6? They might just have it turned off by default

    • @scipakos
      @scipakos a year ago

      @@thewhitefalcon8539 not me, but I read from many people that tried contacting them about that over many years and they just said they don't support it and they aren't planning on supporting IPv6 :/

  • @PabloPaiva
    @PabloPaiva 2 months ago +1

    If the problem was IPv4 exhaustion, you just need to add more octets. IPv6 introduces many features that no one asked for and simply makes IPv6 not backward compatible, as well as having a terrible addressing design for comfortable human reading.
    IPv6 is a necessity because there is nothing else for dealing with the exhaustion of IPs; that is why we have to integrate all the services that we can, because unfortunately, after about 20 years with the inertia that it has, it seems that it is too late for "someone" to recognize "ok, I think we went too far, let's make it simpler" and then propose a smoother transition alternative, perhaps even backward compatible, whose adoption could have been driven by conviction and not by imposition.

  • @deleatur
    @deleatur 1 year ago

    As a home user, I have no use for IPv6, so I disable it. Less fuss in my systems

  • @autohmae
    @autohmae 1 year ago

    0:23 well, strictly as I understand it, IPv6 was already being worked on before NAT existed/was invented. So there is no 'back' in their intentions.

  • @wizpig64
    @wizpig64 1 year ago

    but surely all the IPv4 NATting adds security that we would lose with IPv6!! okay I'll watch. cool shirt. edit: oh, I didn't know IPv6 delegated a whole subnet for my LAN, that's nifty

    • @damiendye6623
      @damiendye6623 1 year ago +1

      No, NAT doesn't. It never has. What it has done is broken protocols and made it so the internet is centralised rather than decentralised as it was meant to be. All firewalls today are stateful, so only allow state established. ISPs are by RFC meant to issue customers with a /56 prefix. Mine, Zen Internet in the UK, has given me a /48

    • @apalrdsadventures
      @apalrdsadventures  1 year ago +1

      Most ISPs delegate a whole group of subnets (/60 and /56 are common), so you can have 16 or 256 subnets each of which is effectively infinite in size.

    • @James_Knott
      @James_Knott 1 year ago

      NAT does nothing that a properly configured firewall can't. Firewalls start at deny all and you then add the exceptions you want.

  • @lukasz_kostka
    @lukasz_kostka 4 months ago +1

    NAT is EVIL

  • @scottfranco1962
    @scottfranco1962 1 year ago

    So I lose firewall protection with v6. Not a good tradeoff.

    • @apalrdsadventures
      @apalrdsadventures  1 year ago

      The firewall still needs an allow rule to pass traffic. It doesn't need a port forward rule to change the destination address.

    • @scottfranco1962
      @scottfranco1962 1 year ago

      @@apalrdsadventures I LIKE the idea that external boxes have no idea what my internal address is. Plus the time to rewrite the packet address on modern firewalls is basically nil. It's a hardware feature.

    • @apalrdsadventures
      @apalrdsadventures  1 year ago

      If the internal address is randomly generated (and for clients, changed daily), why does it matter what the address is?

    • @scottfranco1962
      @scottfranco1962 1 year ago

      @@apalrdsadventures Where did that come from? The most common way to allocate v6 addresses is from the MAC.

    • @apalrdsadventures
      @apalrdsadventures  1 year ago

      RFC4941 (2007) describes how to generate randomized temporary privacy host identifiers (last 64 bits of the address) and support is universal in modern OSes, although many Linux server variants disable it by default. Essentially, a node generates a stable address which may be put in DNS, and periodically regenerates a new temporary address which it uses for outgoing connections, and will keep all of the addresses active as long as connections are still established.
      www.rfc-editor.org/rfc/rfc4941
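An added example, not part of the thread or apalrd's own code, for the MAC-vs-random question above: a small Python audit of Linux `ip -6 addr show` output that separates RFC 4941 temporary addresses from modified EUI-64 addresses (the ff:fe marker in the interface identifier) and recovers the MAC the latter expose, so an administrator can check which behaviour a host actually has. The sample output and addresses are constructed; the flag names (`temporary`, `mngtmpaddr`) are iproute2's.

```python
import re
import ipaddress
# Constructed sample of `ip -6 addr show` output (not a real capture).
SAMPLE = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1234:5600:2c8f:a1ff:fe3b:9e41/64 scope global dynamic mngtmpaddr
       valid_lft 86389sec preferred_lft 14389sec
    inet6 2001:db8:1234:5600:7d1e:9b02:44c6:0a3f/64 scope global temporary dynamic
       valid_lft 86389sec preferred_lft 14389sec
    inet6 fe80::2c8f:a1ff:fe3b:9e41/64 scope link
       valid_lft forever preferred_lft forever
"""
ADDR_RE = re.compile(r"^\s*inet6\s+(\S+)/\d+\s+scope\s+(\w+)(.*)$")

def interface_id(addr: ipaddress.IPv6Address) -> bytes:
    """Low 64 bits of the address (the interface identifier) as 8 bytes."""
    return (int(addr) & ((1 << 64) - 1)).to_bytes(8, "big")

def is_eui64(addr: ipaddress.IPv6Address) -> bool:
    """A MAC-derived (modified EUI-64) IID carries 0xfffe in bytes 3-4."""
    return interface_id(addr)[3:5] == b"\xff\xfe"

def eui64_to_mac(addr: ipaddress.IPv6Address) -> str:
    """Recover the MAC from a modified EUI-64 IID: flip the U/L bit, drop ff:fe."""
    iid = interface_id(addr)
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)

def audit(ip_output: str) -> list:
    """Classify each inet6 line by scope, temporary flag and MAC exposure."""
    rows = []
    for line in ip_output.splitlines():
        m = ADDR_RE.match(line)
        if not m:
            continue
        addr = ipaddress.IPv6Address(m.group(1))
        flags = set(m.group(3).split())  # e.g. dynamic, temporary, mngtmpaddr
        derived = is_eui64(addr)
        rows.append({"address": str(addr), "scope": m.group(2),
                     "temporary": "temporary" in flags, "mac_derived": derived,
                     "mac": eui64_to_mac(addr) if derived else None})
    return rows

def exposed_macs(rows: list) -> list:
    """MACs leaked through globally routable addresses (link-local stays on the LAN)."""
    return sorted({r["mac"] for r in rows if r["scope"] == "global" and r["mac_derived"]})

def has_temporary_global(rows: list) -> bool:
    """True if the host has an RFC 4941 temporary address for outgoing connections."""
    return any(r["scope"] == "global" and r["temporary"] for r in rows)
```

On a real host, feed it the output of `ip -6 addr show`; a server with privacy extensions disabled shows up as `has_temporary_global` False with its MAC listed by `exposed_macs`.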