IPv6 is around 30 years old, but it still has growing up pains. It was designed before mobile broadband, before small businesses and home users started multihoming. Too many IPv6 cheerleaders saw NAT as a weakness of IPv4 instead of a flexible tool which goes well beyond the "temporary" fix for public address exhaustion. Then there are the dozen different ways of v4 to v6 migration and interworking. Also Apple, MSFT and Google pushing different paths. Although you can get a PI (provider independent) /48 address from your RIR, it is just not scalable for the hardware on Internet core routers to handle routing tables with a billion entries which would result from everyone getting this. IPv6 without translation only really works well for big institutions with a fixed PI allocation and BGP multihoming to ISPs or smartphones with temporary /64, which also allows for temporary hotspot. For small business and home internet I think the solution is ULA (private IPv6) for the LAN with stateless network prefix translation to the WAN prefixes from ever changing ISPs, which could even be multiple concurrently.
You know, that's about the same conclusion I came to. I didn't think of the huge routing issue it would cause on the WAN, but the idea of having ULA on the LAN with stateless network prefix translation would probably be the best method I can see. Also, if you do ULA properly, then it should still be okay if you combine sites in the future so they won't clash. Stateless should be nice and light too to not be a drain on resources of the router. I think this is the way I'll go with it.
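The ULA-on-the-LAN plus stateless prefix translation setup the two comments above describe, as an added example (not from the video or any commenter): it builds a ULA /48 the RFC 4193 way, then maps LAN addresses to and from a WAN prefix with a checksum-neutral, stateless translation in the style of RFC 6296 (NPTv6). The ULA fd12:3456:789a::/48, the "ISP" prefix 2001:db8:abcd::/48 (documentation range) and the MAC are constructed values.

```python
"""Added example (not from the video or any commenter): RFC 4193 ULA /48
generation plus checksum-neutral stateless prefix translation (NPTv6 style,
RFC 6296) between that ULA and an ISP prefix. All values are constructed."""
import hashlib
import ipaddress
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 and 1970-01-01


def ones_complement_sum(words):
    """16-bit one's complement sum with end-around carry, the arithmetic
    behind the TCP/UDP/ICMPv6 pseudo-header checksum."""
    total = 0
    for w in words:
        total += w
        total = (total & 0xFFFF) + (total >> 16)
    return total


def words(addr):
    """Split an IPv6 address into its eight 16-bit words."""
    packed = ipaddress.IPv6Address(addr).packed
    return [int.from_bytes(packed[i:i + 2], "big") for i in range(0, 16, 2)]


def address_checksum(addr):
    """One's complement sum of the whole address: the part of it a transport
    checksum 'sees'. A stateless translator must leave this unchanged."""
    return ones_complement_sum(words(addr))


def generate_ula_prefix(mac, now=None):
    """RFC 4193 section 3.2.2: Global ID = low 40 bits of
    SHA-1(64-bit NTP timestamp || modified EUI-64 of an interface), placed
    under fd00::/8. `mac` is the interface MAC, e.g. '00:11:22:33:44:55'.
    The pseudo-random Global ID is what keeps two independently numbered
    sites from clashing if they are ever joined."""
    if now is None:
        now = time.time()
    secs = (int(now) + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    frac = int((now - int(now)) * 2**32) & 0xFFFFFFFF
    ntp_time = secs.to_bytes(4, "big") + frac.to_bytes(4, "big")
    m = bytes.fromhex(mac.replace(":", ""))
    eui64 = bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:6]  # modified EUI-64
    global_id = hashlib.sha1(ntp_time + eui64).digest()[-5:]       # least significant 40 bits
    prefix = b"\xfd" + global_id + bytes(10)  # fd | 40-bit Global ID | zero subnet and IID
    return ipaddress.IPv6Network((prefix, 48))


def nptv6(addr, from_prefix, to_prefix):
    """Swap one /48 for another and adjust the subnet word (bits 48-63) so the
    one's complement sum of the address is unchanged: no transport checksum has
    to be recomputed and no per-flow state is kept. The same function serves
    both directions, so the inverse is nptv6(result, to_prefix, from_prefix)."""
    addr = ipaddress.IPv6Address(addr)
    from_prefix = ipaddress.IPv6Network(from_prefix)
    to_prefix = ipaddress.IPv6Network(to_prefix)
    if from_prefix.prefixlen != 48 or to_prefix.prefixlen != 48:
        raise ValueError("this example handles /48 prefixes only")
    if addr not in from_prefix:
        raise ValueError(f"{addr} is not inside {from_prefix}")
    w = words(addr)
    inner = ones_complement_sum(words(from_prefix.network_address)[:3])
    outer = ones_complement_sum(words(to_prefix.network_address)[:3])
    # adjustment = inner - outer in one's complement; 0xFFFF is negative zero
    adjustment = ones_complement_sum([inner, (~outer) & 0xFFFF])
    if adjustment == 0xFFFF:
        adjustment = 0
    new_subnet = ones_complement_sum([w[3], adjustment])
    if new_subnet == 0xFFFF:
        # 0xFFFF and 0x0000 are both one's complement zero, so the mapping would
        # not be reversible; this example rejects such subnets instead of folding
        # them (RFC 6296 discusses this corner case).
        raise ValueError("subnet word would become 0xFFFF; pick another subnet")
    new_words = words(to_prefix.network_address)[:3] + [new_subnet] + w[4:]
    return ipaddress.IPv6Address(b"".join(x.to_bytes(2, "big") for x in new_words))


if __name__ == "__main__":
    lan = "fd12:3456:789a::/48"   # constructed ULA for the LAN
    wan = "2001:db8:abcd::/48"    # constructed ISP-delegated prefix
    host = "fd12:3456:789a:1::10"
    out = nptv6(host, lan, wan)
    back = nptv6(out, wan, lan)
    print(f"{host} -> {out} -> {back}")
    print(f"checksum in {address_checksum(host):#06x}, out {address_checksum(out):#06x}")
    print("fresh ULA:", generate_ula_prefix("00:11:22:33:44:55"))
```

Changing the WAN prefix when the ISP changes is a one-line edit to `wan`; nothing on the LAN is renumbered.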
My ISP gives me a dynamic ipv6 prefix. I ended up getting an ASN and a /40 and announcing it via a vps on vultr. I then used a wireguard tunnel back to my own network.
I think you could have an IPv6 only network where all devices only have IPv6 ULA addresses, and access to the IPv4 internet is provided by something like NAT64 while access to the IPv6 internet is provided by some kind of NAT66, probably NPTv6. However, you can't easily run any kind of useful dual stack using IPv6 ULA addresses because, at least by default, everything uses IPv4 in preference to using IPv6 ULA addresses, so, at least for accessing the Internet, you might as well not bother with IPv6 at all.
Genuinely, due to all that hassle for very little gain, and the fact that the IPv6 cheerleaders forget that not everyone wants end to end connections, IPv6 hasn't really taken off. Whether you like it or not, NAT nowadays does provide a certain level of extra security and privacy too.
Pretty much. My father was an early player in the Internet and I remember my whole childhood hearing him raving over having the world eventually switch to IPv6. By the time I became an adult he accepted that NA ISPs are only going to change if forced to, preferring NAT... and in NA at least a lot of people of my generation grew up with IPv4 and NAT being "normal".
That’s pretty much how the IT wizards at BP told it to me. They wanted NAT translation because it’s a convenient and understandable gateway to get inside the corporate enterprise network.
I've noticed that some local new ISPs offer IPv6 and ISP-natted IPv4; if you want public IPv4 you need to pay extra. So IPv4 exhaustion is starting to slowly strangle businesses.
@finnderp9977 I assume that at some point in the future, people will be FORCED to move on to IPv6. They will desperately cling on to IPv4 for as long as possible though.
@finnderp9977 CGNAT sucks ass if u ever wanna self-host anything with limited IPv6 support. Having to use a VPN for others to gain access to stuff on my own damn network feels dirty.
I worked with IP6 a little bit 20 years ago. Problem 1: equipment that can't handle it. Problem 2: those addresses are so damn long. Unless your address has lots of continuous zeros in it, it is very difficult to remember. Problem 3: they keep making changes. Once, they had a standard way to translate IP4 addresses to IP6. Problem 4: If NAT fails on IP4 then nothing gets in. If the firewall fails on IP6, all of your computers are now internet addressable.
@ukyoize DNS is neat, yet it's also another possible point of failure. Also, if something new joins your network, writing down its IPv6 address is a pain in the arse.
Just discovered your channel through this video popping up on my feed. Just beginning my career, bout to finish uni. Interesting stuff, gives me an insight as to why IPV6 wasn't adopted earlier. They certainly push the "we're running out of time to switch" message in school.
IPv6 would allow people to easily self host services like photos in their homes instead of eternally paying a subscription or depending on external providers. I'd love to see it happening, but as time passes what I see is that providers like me don't use them; instead they have their own big private networks and do NAT to give you public internet access. They charge me extra for a public IP (I mean public, not static).
This is exactly what I was thinking. Devices can give their own hostname (in your control) and your router can return queries for hostname.local or hostname.lan. mDNS is also an option if your router won't do that. I might set up my new home network this way as IPv4 is behind a double NAT (IPv4 is at a premium 😅 and it would add an extra 20% on my bill to get a static address) so I need to use IPv6 if I want any externally accessible services. I figure I can let Cloudflare handle proxying so IPv4 clients can still access these services. I still need to figure all the IPv6 intricacies out so I might be back here again to reference a video or two.
I think the biggest problem with your idea is that if people started doing that, the BGP table would become way too big for any normal router to handle. Even today, not all ISPs keep a full BGP routing table since it consumes more RAM than their equipment can handle. Imagine if we were to keep track of every customer's subnets in one BGP routing table; that would get impossible to manage. This is what I think, but I might be wrong, it happens a lot.
You probably know that most addresses are assigned on a geographic basis, meaning that if everybody got an IPv6 prefix from their provider BGP tables will be smaller?
@NicoDeclerckBelgium Yes, that's how it's designed to work, keeps BGP tables manageable. But unfortunately the end user won't be able to move it to another ISP.
@NicoDeclerckBelgium Yes, same as with IPv4. In theory you could announce a single IPv4 address over BGP, but if people were to start propagating single hosts over the internet, routing tables would grow out of proportion and quickly become impossible to deal with. That's why there are policies about what prefix length you are allowed to announce over the internet.
While I love the idea of everyone getting their own /48, I think you're forgetting one of the biggest issues faced with IPv4: route table bloat. While an IPv4 entry only takes 12 bytes, an IPv6 entry takes 48 bytes. While that sounds small, this would be for every single user that wants their own subnet. Is that sustainable for even a moderate sized ISP? pppingme
Mate, I remembered it was you as soon as I saw the nick, don't worry! I didn't know/think about the wan routing tables, as I'm not familiar with that side of networking. I have been educated :) Jump on my IRC
One of the big reasons IPv6 complicates having your own personal address block is the same thing that makes it so easy to configure: addresses very much reflect the network topology. As opposed to IPv4's massive routing tables and exceptions and such, it's just "All addresses with this prefix go here". Letting anyone and everyone have their own addresses complicates that; with 2^96 times as many addresses to route, routing tables would grow beyond all feasibility. The preferred setup, as I heard it, is to DHCP basically everything, and update DNS to reflect what address a name refers to.
Over the past decade, I've added IPv6, HTTP/2, and TLSv1.3 support to network software I've worked on. If customers ask for it, companies will sell it to you. If not, it will remain on developers' laptops and never be released publicly. Don't be afraid to ask for better IPv6 support. If enough tickets roll in your use case will become supported.
I guess there is a reason BGP is not very open to the public. I can only imagine how routing tables would blow up if people were given private IPv6 ranges.
Yes BGP fixes this issue with IPv4. To solve this you (not the ISP) would need to own the /48 and some sort of enhanced/replacement for BGP would need to route traffic to you regardless of the current ISP. Of course doing lots of this would hurt the entire concept of subnets.
This is an EASY question to answer and it is the same reason the internet does not allow /32 IPv4 prefixes to be BGP routed across the internet. In short, the routers that actually route the internet could not physically handle the amount of routes you would be talking about in this massively deaggregated scenario. The current size of the IPv4 global table is just over 900K routes and the IPv6 global table is about 175K routes. You start allowing people to have their own /48 that they own and can take to whatever ISP they like, this will explode the size of the routing table by many orders of magnitude. I do not know of any commercial grade routers that could currently handle a fraction of this, and certainly 99% of the ISPs will not want to spend the money even if the hardware did exist. Maybe in another 20 years... we'll see!
For the home user at least in Germany if you set up everything out of the box you have everything dual stack automatically. There are some ISPs that apparently still don’t provide v6 for users with old contracts but at least with Deutsche Telekom you always have full v6 service. That means most people are already using it maybe without even knowing.
I would say the main reason for slow adoption is that it is simply not needed in most cases. Most computers don't need a public IP and for those few that do, NAT is good enough.
I am no expert, but I did a couple of Cisco networking courses over the years and it was noticeable how the attitude towards IPv6 had changed over those years. The first time it was all enthusiasm and everyone would get personal IPs because there were plenty to go round etc etc. Years later they were much more muted and basically came to the conclusion that there were just as many security issues under 6 as there were under 4, NAT was still a good idea for security, and people weren't going to get personal numbers except for the self configuration number, which may possibly cause its own problems. Then there is the issue of all the IPv6 traffic that seems not to be noticed by some security software, so you have unknown automatic activities occurring that you don't know are occurring if you normally still concentrate on IPv4. Throw in the long IPv6 numbers and the autoconfigure oddities, and it is perhaps not surprising that anyone apart from the big boys finds it easier to stick with IPv4. NAT means the address shortage isn't as acute as first stated. It would perhaps have been more sensible to just double the bit length of the addresses rather than go mad.
You are doing IPv6 Prefix Delegation the wrong way. The idea is that your router manages an address pool that you can use to delegate smaller prefixes for your local networks from. I get my prefix via DHCPv6 from my ISP and my router will then announce different prefixes delegated from the pool to subnets on the LAN side. The important part is that your router will adopt a new prefix and distribute that when it changes. Also, DynDNS has existed for years and I have been behind a dynamic IP address for years. The same applies to IPv6, just that instead of your router taking care of the DynDNS, now your individual clients have to take care of that. On top of that, dnsmasq for example is a great solution to keep a dynamic DNS in your local network. It will detect changes in IP addresses and it will then distribute the new IPs with the DNS requests. And if you set this up properly, you will never have to remember an IP address ever again and you will never have to set up static DNS for any machine. Also, my internal IPv6 network has a private prefix which makes for really handy and short IPv6 addresses like fd97::1. That's even easier to remember than IPv4, isn't it?
The other thing that IPv6 has trouble with (or so it seems, and I hope to god I am wrong): there doesn't seem to be a readily available registration for world-wide IP addresses. With IPv4 you could perform a "whois" and find out if a particular address was owned or part of a pool and who owned/managed the range in question. Especially when it comes to managing spam and hostile traffic. As an admin I want to be able to block specific ranges for a variety of reasons.
My question is, why are they delegating a whole 80 bits worth of /48 to an individual? Wouldn't it be smarter to delegate 24 bits at a time? (a whole /8 in IPv4.) I, as a home user, use 10/8 internally and could probably assign static addresses for every IP-capable thing I own, will own, or have *ever* owned and not run out in my lifetime. (That's 16 million addresses for crying out loud.) It reeks of the same thing that the initial classful IPv4 routing stank of: "There's plenty of room. Here, Ford, have 18/8. Sure, it's 1995 and you only sold 317,621 vehicles and you're making cheap and practically disposable disgusting sh*tboxes without any computers that few will want in 30 years time, but go ahead and have 1/255th of the address space. (Oh, and we're going to sit on 1/8th of the address space for "future use" that won't ever happen because of artificial scarcity.)" If you want IPv6 to take off, lobby to have IPv6 delegations *decreased* in size and deprecate IPv4, telling all of those hogs sitting on their /8s that they can keep their addresses, but IPv4 is going away and "your reserved netblocks are turning into a tiny delegation of half of a 64 bit prefix, GL;HF. Congrats, your puny 16 million address netblock is practically valueless now that there's over 340 undecillion addresses available."
RFC 4941, Privacy Extensions for IPv6 SLAAC, was published in 2007, and many OSes now default to using this, creating and regularly rotating randomly-assigned local host addresses, using these for outbound traffic while keeping the MAC-based (or manually-assigned pseudo-static) host address as an anchor for local LAN traffic. Multiple addresses on a single interface, to be used in different contexts, is a common and required feature of IPv6, and is also the recommended method of multihoming in the absence of provider-independent (PI) space.
To be honest, one of the major "features" of IP4 that still makes me stay with it is that using a private address range and NAT seals my network. I don't have to trust a firewall to block things I don't want; that's the default. Unless I manually add a port forward, nothing gets in that's not a reply to an outgoing request. I don't have to worry about the watering timer on my garden faucet being hackable. It "physically" cannot be reached from the outside, no matter how good or bad the config of my firewall is. And that's with a network I, someone who knows how to configure a firewall reasonably well, am managing. The same goes doubly for 99% of consumers. I still remember the times of Windows 98, when people were dialling in with their PCs (so no router or firewall involved), and you couldn't even set up a new PC and download all the updates without it being loaded to the brim with malware in the meantime. Directly routing incoming internet traffic to a device that wasn't built specifically for it is folly.
The IPv6 equivalent of rfc1918 is called Unique Local Addresses (ULA). NAT provides nothing for security that a properly configured firewall doesn't. Every firewall I've ever seen starts out with deny all. NAT is just a false sense of security.
@James_Knott NAT is not about security, it's about convenience. It's impossible for someone "out there" to reach my gadgets on my intranet, so I don't need to care about this part. Additionally, firewalls are also prone to failures and attacks (check Fortinet), so relying **only** on firewalls is the real false sense of security. Firewalls are software like anything else. In my home I solved part of the problem on the switch level: mission critical devices that should not be exposed to the extranet are unreachable from subnetworks that are exposed, and that's all. I still need to secure access on these devices, but I don't need to care about ruling who in my own house can access that port or not. And this is only one example from my own intranet.
You cannot have what you want. It's the same reason why the Internet doesn't work on MAC addresses but on IP addresses. IP addresses are assigned to countries and then to ISPs. Having your own IP address means that addresses would have to be randomly distributed across the world. So Internet routers would have to remember each individual IP address and where to route traffic to that address. Switches do exactly that: they remember all MAC addresses assigned to a switch port. Customer switches can have memory for, let's say, a thousand MAC addresses. Internet routers work completely differently. They work on address classes, not individual addresses. They do something like this: I have a packet to 130.133.x.x, oh, it's Germany, I should send it through my D port. It doesn't have to remember each individual IP address, it remembers whole address classes. It's the only technically possible solution.
Okay, let's just do it by country then, not worldwide... as you wouldn't be taking your physical location overseas. If I could get an Australian /48 with ease that would be more realistic.
1) You do know that you can do IPv6 NATting as well, if you really want to. 2) That the network changes, or the prefix length, is not a problem if you let DHCPv6 handle IP address allocation in whatever range you use. This works really well in my home, and all the computers have domain names that resolve to those random addresses.
Can you imagine what the routing table looks like if every /48 is individually routed? Requires every home user to talk BGP4, and the ISPs can't do optimized routes as any /48 can have its own unique route. And you also need to find a way to properly secure that and keep route propagation fast. Don't think that'll take off...
Okay, you seem to have not understood one fundamental part of IPv6: hosts don't have a single address anymore. It is totally normal for a host to have a dozen addresses at any time, like multiple SLAAC addresses for multiple networks it may be part of (one would be the one of your ISP, others can be private ULA, which you can pick yourself and never change), one or more managed DHCPv6 addresses, one or more hand assigned addresses that are easy to remember (which can also be from your ISP or ULAs or both), a bunch of temporary addresses used to go on the Internet to prevent IP tracking (those change every half an hour or so but the previous ones persist for a while and overlap with new ones, as long as they are still used and even beyond that to retrieve late requests), one link local address per interface, several multicast addresses required by the IPv6 standard (e.g. to make ARP work) and maybe additional multicast addresses if they are part of multicast groups. Your video makes it sound like those are either/or choices, but they aren't; those are "and, and, and, and even more" choices and it's quite common and normal in an IPv6 environment for any host to have that many addresses. Only one of these would be an address you use for public incoming services (and that would not be the address you use for outgoing connections, those would use temporary addresses; even a web server would use temporary addresses to download software updates for example) and one of them would be the address you use internally to address your hosts within your LAN (that would be one that does not change, like a ULA address assigned by DHCPv6 or a hand assigned one for a ULA announced by SLAAC).
@Yggdrasil42 Not really, as most addresses are not intended for the outside world. Just as with IPv4, every IPv6 address consists of two parts, a network part and a host part. Unless the network part matches the public IPv6 prefix assigned to you by your ISP, your firewall can block it incoming and outgoing. This already eliminates the majority of addresses. Link local addresses cannot be routed beyond a physical network anyway and ULA addresses are not supposed to ever leave your LAN (except for tunneling, e.g. via a VPN to another LAN). Temporary addresses (which are recognizable as such) are not supposed to ever be used for new incoming connections, so your firewall only needs to allow incoming traffic for temporary addresses it saw outgoing traffic for, which is the default behavior of any IPv6 SI (stateful inspection) firewall; SI pretty much works like NAT, except that it does not rewrite the address or any ports, but otherwise prevents traffic flow the same way NAT would have prevented it. I.e. unless you've ever sent a request from a temp address to host X in the past, no traffic from host X to this temp address can pass through an SI firewall. Unless you want to run servers from behind the firewall, you can block access to all other non-temp addresses using your public prefix and that's it. Only if you plan to have servers accessible from the Internet do you need to poke explicit holes into the firewall for these servers, and you would certainly not poke holes for the addresses based on the interface MAC address (also recognizable as such), as a MAC address can change at any time, e.g. when you replace the server or just replace its network adapter (or switch from one network adapter to another). Interface based addresses, despite using the public prefix, are also just intended for internal use within your local network.
You would poke holes for server addresses you either assign by hand, if you want to manage addresses on the servers themselves, or have assigned by a DHCPv6 server, if you want to manage addresses via a central address server. That's the primary reason why DHCP even exists for IPv6, as for pure client hosts SLAAC is totally sufficient, since with SLAAC they can create their public temp addresses and that's all they need to get onto the Internet as clients. For LAN to LAN client communication, you use link local addresses or ULA addresses and preferably service discovery over manually assigned addresses (no need to remember IP addresses at all), same for LAN to LAN client-server communication (your LAN file server or printer). Last but not least, public multicast must be managed by the firewall anyway; you cannot manage that by hand and this is semi to fully automatic.
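The address triage the last three comments describe, as an added example (not from the video or any commenter): it sorts the addresses one host carries by scope, recovers the MAC behind a modified EUI-64 interface identifier, and keeps only the addresses that could ever justify an explicit inbound rule. All addresses and the delegated prefix 2001:db8:abcd::/48 are constructed.

```python
"""Added example (not from the video or any commenter): classify the many
addresses an IPv6 host carries and pick the few that an explicit inbound
firewall rule could ever apply to. All values below are constructed."""
import ipaddress

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")    # ULA, RFC 4193
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")

HOST_ADDRESSES = [  # constructed: what one LAN host might carry at once
    "fe80::211:22ff:fe33:4455",             # link-local, EUI-64 from the NIC
    "fd12:3456:789a:1::10",                 # ULA, hand assigned, never changes
    "2001:db8:abcd:1:211:22ff:fe33:4455",   # global, EUI-64 from the same NIC
    "2001:db8:abcd:1:1234:5678:9abc:def0",  # global, random IID (temporary or stable)
    "2001:db8:abcd:1::80",                  # global, hand assigned for a service
    "2001:db8:ffff:1::1",                   # global, but not from the delegated prefix
    "ff02::1",                              # all-nodes multicast
]


def eui64_mac(addr):
    """Return the MAC a modified EUI-64 interface identifier was built from
    (RFC 4291 appendix A: ff:fe inserted in the middle, u/l bit inverted),
    or None. A random IID matches the ff:fe pattern by chance once in 65536."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def classify(addr):
    """Scope of one address plus, for unicast, the MAC it may be derived from."""
    a = ipaddress.IPv6Address(addr)
    if a.is_unspecified:
        scope = "unspecified"
    elif a.is_loopback:
        scope = "loopback"
    elif a.is_multicast:
        scope = "multicast"
    elif a in LINK_LOCAL:
        scope = "link-local"
    elif a in UNIQUE_LOCAL:
        scope = "unique-local"
    elif a in GLOBAL_UNICAST:
        scope = "global"
    else:
        scope = "other"
    unicast = scope in ("global", "unique-local", "link-local")
    return {"address": str(a), "scope": scope,
            "eui64_mac": eui64_mac(str(a)) if unicast else None}


def inbound_exception_candidates(addresses, delegated_prefix):
    """Of a host's addresses, only these could carry an explicit inbound rule:
    global, inside the prefix the ISP delegated, and not derived from a MAC that
    changes with the NIC. Link-local and ULA never cross the edge, multicast is
    handled separately, and anything else stays behind the stateful default
    (return traffic only). Temporary addresses cannot be told from stable
    random ones by their bits, so that distinction is left to the host."""
    net = ipaddress.IPv6Network(delegated_prefix)
    keep = []
    for text in addresses:
        info = classify(text)
        in_prefix = ipaddress.IPv6Address(text) in net
        if info["scope"] == "global" and in_prefix and info["eui64_mac"] is None:
            keep.append(info["address"])
    return sorted(keep)


if __name__ == "__main__":
    for text in HOST_ADDRESSES:
        print(classify(text))
    print("candidates:", inbound_exception_candidates(HOST_ADDRESSES, "2001:db8:abcd::/48"))
```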
15 years ago I was excited about IPv6. Finally I would be able to get permanent, global addresses for all of my systems. Then I discovered what you talk about here, that the gate keeping on the IPv6 addresses is just as bad, if not worse, than IPv4. I haven't bothered with IPv6 since.
I disabled IPv6 years ago on my network, in my router. I was noticing laggy behavior with my Win 10 machines. I started monitoring a bit with Wireshark and noticed a whole lot of IPv6 traffic, and a lot of it going to Microsoft. After turning off IPv6 on my machines and the router my networking performance increased quite a bit. To the best of my knowledge I haven't noticed any problems as a result. I don't have an issue with NATing. My ISP does traffic shaping so the upload speeds are pitiful by comparison. Of course this is going to work best for customers that do a lot of streaming. When calling my provider they suggested that I pay for a commercial account if I want faster upload speeds, which costs 3 times as much per month as the standard home user account that I am using. I came up with some other solution which put my servers external to my network at a fraction of the cost.
WHAT??? Your Windows 10 machines are probably misconfigured. Mine work fine, even when migrating from dual stack (v4 AND v6 network) to v4 only network or back.
Small customers owning their /48 would cause the routing tables to grow way too big. About 10 years ago we had issues with edge routers (the ones which need the routing table for the whole internet), the global routing table grew and a bunch of the old edge routers didn't have enough RAM to handle the size. With millions of small customers owning their /48, you would also start running into issues where the edge routers would get slower at looking up the addresses. NAT66 looks to me like the best compromise, especially because it's stateless and any arm/riscv home box should be able to NAT a gigabit link. BTW I also still haven't given ipv6 a proper try, because none of my ISPs over the years supported it.
IPV6 is like fusion, it will be here in 10 years, every 10 years. I remember being told in 1996 that by 2000 everyone will need to be on IPV6. Well you can see how well that went. Another issue is broadcasting your own IPV6. Lots of carriers will let you take a slice from one of their blocks, but that forces you to stay with them or renumber everything. Oh you want us to broadcast your block? I don't know if that is allowed. Note: this last thing was from a few years ago, I don't know if the carriers have gotten any better.
Spot on. Actually, even though the ISP for my company 'offers' IPv6, their issue is their techs don't understand it, and when they deploy it, they're giving it to you in the same way they do IPv4 addresses, and expect you to NAT v6. They don't understand how to do prefix delegation etc, it's awful. So ISP support is still a huge issue.
If your ISP has technicians troubleshooting business connections, and they don't have at least a CCNA or NSE4 (depending on which tech they work with), you need to start looking at another ISP. I say this as an "entry-level" technician working for an ISP. A lot of the blokes I work with have knowledge and skills beyond their pay level.
1) Static addresses & routing normally only available for business products/services. A domain name can be paid for but normally just 1 IP address. DynamicDNS or similar service hosted by another company. QNAP have a way your local NAS tells QNAP DNS service your device IP to route & make your DNS publicly accessible (needs password). 2) NAT is a part of firewall security to protect your local systems from random remote access & probing. 3) Home automation & IoT love IPv6 & having your many local devices reachable from internet so you can access automation when you're not at home. 4) IPv4 to IPv6 may eventually become the longest tech transition in history.
NAT is NOT security in any way shape or form. Obscurity is not security. Also, just because something has a globally routable address, it does not mean it is accessible from the Internet - you should still be running a stateful firewall that blocks inbound traffic by default.
I've been working with IPv6 for several years now. And I still consider it harder than IPv4. Not because of the addresses but because the software and stacks around IPv6 just aren't as well tested. So I keep running into issues that were already fixed for IPv4 decades ago, or weird problems caused by weird IPv6 mechanisms, such as DAD (duplicate address discovery). Also, the way certain solutions implement it, e.g., 1 device that provided internet access only allowed DNS over the link local, which meant we couldn't simply route DNS requests.
In my case, IPV6 hasn't taken off because no one has been able to answer me this one simple question: Why, given everything we know about how insecure most devices are, would I even want each and every device directly routed and/or exposed to the outside world in the first place?
Hello, I am a Cisco guy. What you do is set up dynamic NAT without overloading (using PAT) on your public router IP. This way when your PC on the inside requests an address it grabs an available public IP from a pool and uses it, another host grabs another one out of the dynamic pool, etc. This is handy when you have an application that doesn't like having its ports translated, or when you have a bunch of hosts that want to build, say, an L2TP to the same VPN IP. Without translating ports you will want to do stateful inspection on incoming traffic, because you lose the "firewall" that overloaded NAT naturally creates. This way when your ISP changes your range, you just build a new pool of addresses. The nightmare that it would create in the BGP backbone routers on the internet would make it HIGHLY unlikely that you are going to get your own range and move it between ISPs.
DNSv6 is what you need to set up. DNS was made so that IP addresses can change without affecting accessibility. If you own a domain name (or use a dynamic DNS service), you can have it tie to an IPv6 address and then have the router handle checking it is up to date and updating it if needed.
I have no arguments, only a suggestion: write your congressman! If we could get a bill passed in congress related to the assignment/ownership/routing of IPv6 address space to home users via ISPs, it could make a swift and dramatic difference.
As somewhat of a techy I have always been curious about IPv6, but like you said, it's scary at first jumping into something you aren't familiar with, especially when it comes to configuring your network and you need to understand how it works and be confident in it. The whole address structure of IPv4 is very simple to remember off the top of your head when you are working in the field. Great video and appreciate you sharing your experience! One question I had was how exactly does security come into play here though. If devices communicate directly, isn't that by nature attempting to cut out the middleware (router, firewall, etc)? I would assume this would put regular users at even more risk because now their devices (printers, IoT, laptops, TVs, phones, etc) are directly exposed to the internet. Unless the router will always need to exist simply for the wifi/hardwired connections? But ISPs seem to like to rent their modem/routers or just completely lock you out of them anyway so you are left up to whatever they issue. It would also mean that you would have to somehow force each device to register a new IP if you wanted to rotate them for some reason (like repeated attacks)... the nightmare that comes to mind when dealing with IoT devices...
The end to end that I talk about is the direct routability from host to host without nat. There would still need to be a firewall in there for security, just like with IPv4. That doesn't change. In fact, it's the same rule on my nftables that applies to both address families. It says don't let anything in from the wan interface, unless it's my return traffic. Simple.
The main reason that you can't have your own prefix in IPv6 is because it's designed to be hierarchical when assigning prefixes in order to keep routing tables small. IPv4 routing tables are a mess because of the way they've been assigned and traded over the years, and IPv6 is supposed to simplify the routing tables otherwise the routers will just run slower and huge chunks will be unreachable as the routing table size exceeds the maximum RAM capacity of the router. So the prefix system allows the IP addresses to be tiered with the large providers having a huge chunk and carving it out to their customers - perhaps the big guys get /96 (32 bits) then give the huge customers /64s out of that, and that may be subdivided into /48 or /32 for their customers and so on. Key point being that the first few prefix bits tells you which network to route to and that network can look at the next set of prefix bits to determine the customer and so on. If you could get a random /32 then the whole scheme breaks down as now everyone needs a special rule that your traffic now goes to this other network, i.e., now you added a line to everyone's routing table.
I've used dual stack IPv4 and IPv6 for a couple of years. I use *Dynamic DNS*, so I do not care if my ISP IP changes. Moreover, I totally do not care about IPs as I use *fully qualified domain names* for everything that I need to access remotely. You will never be able to keep your IP number like you keep your phone number. The reason is how routing works. It is not a bug, it is a feature. As a bonus for using FQDNs, you get encryption with the use of certificates.
So, imagine you're an IT person. And a random user comes to you saying they want their own IP, because they want to host a server. As an IT person, you'd say - no, static IPs are for us, you get dynamic IP. If you want to host a server, you can just point users to your computername, don't worry about the IP address.
Well this is why we can't have nice things. ISPs treat static IPv4 addresses as a lever for "business pricing". If they played fair with IPv6, they would lose that cash cow. So they will not.
My ISP (a cable company) absolutely refuses to issue an IPv6 address to the WAN side of *their* router. It's their configuration; although I can change it, that doesn't break anything, but it doesn't help either. My girlfriend has deprecated DSL service from the telephone company. IPv6 works perfectly right through to any device on her home wifi that supports IPv6. Once again, their router, their configuration.
You need a PI (provider independent) prefix, which is to be requested via a registrar. That's what we use at work (in IPv4); it's also time to play with an AS (autonomous system) number. It isn't too scalable for routers though, so larger ISP prefixes were pushed to keep route tables manageable.
There is a reason for not giving everyone an ISP-independent static IP. If you own an IP address and you move country or ISP, the route to you changes. This means the routers need more special rules, thus slowing the entire routing system down (though probably not much), because you can't just have a rule that everything in 130.160.0.0/16 goes to ISP X. So while I'd like this, I think it does have some negative effects on how the entire network works.
I think it’s mostly routing table size that is preventing the registries like RIPE NCC assigning a /48 to home users directly. I’ll ask some of my contacts there if they ever thought about it.
A major reason why IPv6 is not in use is its "feature" of allowing direct access to any home/small office device from the internet. Which is a fundamental security issue. The approach where the FTTH modem/router has IPv6 outside but IPv4 inside is more secure.
You mention a desire to get rid of NAT so that you can have end-to-end communication. Why? I see NAT as not only a "workaround" for the IPv4 address space deficiency, but also a useful way to centralize control and help protect devices in your network.
When I was first learning about IPv4 and NAT, and then IPv6 global addresses, it seemed like NAT offered an additional layer of obscurity from the WAN side that, to me at least, offers a little more security for local clients.
@ceb1970 People want to allow end-to-end traffic? Because that's how the Internet was intended. It's a peer-to-peer system. If you've ever made a program or standard like Skype, Teams, the WebRTC standard, etc., you'd be amazed how much extra work is needed to make these things work with NAT.
@autohmae "Because that's how it was intended" isn't really a reason if we've already figured out workarounds. As a network programmer (among other things) I'm aware of the difficulties in traversing NAT, and in fact the clever ways people have found to traverse carrier-grade NAT (which I despise) on top of regular NAT impresses me to no end. I'm not saying there are no reasons to seek direct end to end connections, by the way. There certainly are a host (😁) of reasons to do so. But those reasons almost never apply to home users, even the technically sophisticated ones. But I'm open to hearing a use case that would make it worth switching to IPv6, or even just paying your ISP for a block of public IPv4 IPs (which I have done in the past, but ultimately found it to not be worth the cost). I've been doing this a long (long, long) time and I honestly once hated NAT (not just carrier-grade NAT). But now that we've standardized ways to work around it I'm actually pretty comfortable with it and even appreciate its benefits.
So few home users need or want to bring their own IPs (IP4 or IP6), it's much easier for ISPs to just say no to such requests instead of investing a lot of money into educating their staff and implementing new protocols. Also, for home users NAT via a router is a godsend in terms of security.
What you're talking about (in regards to an IPv6 allocation you can move around) already exists for IPv4. It's called Provider Independent (PI). But this really isn't the problem I think. The problem is that right now most providers (even dedicated server providers) will happily "sell" you fixed IP allocations, in block or single IP form for IPv4. But for IPv6 they will not do this. In reality there's no reason they can't, at least within their geographic region let you take your IPv6 address between services in the same way they offer for IPv4. They just give an option for IPv6 yes/no. And they will bung you an allocation. This, I think is because it's still seen as experimental, when it really is a fully functioning technology. I had this happen to me just the other day. A server provider informed me that some feature of a virtual machine I was running was no longer supported and I needed to create a new one and copy my data over. Now, this VM is a secondary DNS for me. So what's to do, install the service and copy over all the config/DNSSEC keys etc. Move the IP to the new VM and all good. But, then I see the IPv6 block is now different, with no way to get the original one back. So, now I need to go to EVERY domain I host, and change glue records and the DNS zones to point the ns2 records to the new IPv6 address. Not fun at all. In regards to going full ipv4 or ipv6. I don't think there's any reason to do that. I've had IPv6 on my home network for probably around 12 years (via tunnel for the first half of that). All the time I've run dual stack, and frankly until they turn off IPv4 (if that ever happens) that will be the only sensible way to go I believe. In the last 5 years or so, ipv6 adoption has increased greatly. Big social media (facebook, google, youtube etc) work via ipv6, in fact I can tell you this video was served over IPv6 to me. Most good hosting providers support it. Dual stack isn't a bad thing. 
It should of course be configured to use IPv6 first over IPv4. In which case you'll be using it everywhere you can use it. I am confused why we've not moved to ipv6 fully by now. Pretty much all kit out there supports it including basic level consumer kit, ISPs could easily move to it, many of the good ones have done some time ago and certainly if you run a service on the internet your provider almost certainly offers IPv6 to your VM or bare metal server. Everything is in place right now. But for some reason most people are still dragging their feet.
Are you kidding me right now? IPv6 is impossible to remember, concatenates an arbitrary number of characters with 4 colons, has incomprehensible number groups and subnets, lacks fundamental support from most even modern hardware and drivers, and is generally just a drag to deal with. What really should have happened is that we should have moved from 4 octets to 8 octets and kept the familiar numbering system with now enormous subnets, giving legacy IPs the subnet mask of 255.255.255.255.0.0.0.0 so the entire internet worked while everyone upgraded, but noooooooo, that would be too easy.
Exactly. It would have needed only a packet header extension and a few simplifications. Hardware would have needed to implement only the lower 8 of the newly added bits to be future proof for 40 more years, reserving the rest for later.
I haven't looked into v6 because I tend to go along with whatever the network security people suggest. 🧐 I appreciate the video for throwing some light on the topic.
Here in Philadelphia, Verizon (the fiber to premises ISP) finally got IPv6 working, and now I can connect to my linux server in a German datacenter via IPv6!
While the push for NAT was driven by a lack of IPs, its greatest strengths were security and local addressing/portability. NAT is not needed for IPv6 (for security) with a good router/firewall. But for localized portability something like NPTv6 makes sense. You are a network engineer (as I have been). You are okay with bad actors knowing your IP block no matter which ISP you switch to. But for your everyday person, I'm still not convinced "having your own /48" is a good idea. Anonymity is gold. I'd almost go the other way: it would be good if the ISP changed your /48 every day to help kill the tracking systems. But for non-regular users I agree with you. In fact, I want to dual-home my network with a /48, if I could somehow talk a second fiber ISP into connecting to my house.
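The NPTv6 mentioned above is not NAT in the IPv4 sense: it is a stateless, one-to-one rewrite of the prefix that keeps TCP/UDP checksums valid without touching the transport header. The block below is an added example (not the commenter's code) of the arithmetic RFC 6296 specifies for the /48-to-/48 case: the translator precomputes a constant "adjustment" from the two prefixes and folds it into the subnet word so the one's complement sum of the address is unchanged. The prefixes are constructed (a ULA inside, the 2001:db8::/32 documentation range outside), and this is an illustration of the mapping, not a conforming translator.

```python
"""Stateless NPTv6 (RFC 6296) mapping between an internal and an external /48.

Added illustration: shows the checksum-neutral arithmetic, nothing else.
The prefixes used are constructed examples.
"""
import ipaddress


def _words(addr):
    """Split a 128-bit address into its eight 16-bit words (big-endian)."""
    raw = int(addr).to_bytes(16, "big")
    return [int.from_bytes(raw[i:i + 2], "big") for i in range(0, 16, 2)]


def _from_words(words):
    return ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in words))


def _ones_add(a, b):
    """16-bit one's complement addition: the carry is folded back in."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)


def _ones_sum(words):
    total = 0
    for w in words:
        total = _ones_add(total, w)
    return total


def pseudo_header_sum(addr):
    """One's complement sum of an address as it enters a TCP/UDP checksum.

    0xFFFF and 0x0000 are the same value in one's complement, so normalise."""
    s = _ones_sum(_words(ipaddress.IPv6Address(addr)))
    return 0 if s == 0xFFFF else s


class NPTv6:
    def __init__(self, internal, external):
        self.internal = ipaddress.IPv6Network(internal)
        self.external = ipaddress.IPv6Network(external)
        if self.internal.prefixlen != 48 or self.external.prefixlen != 48:
            raise ValueError("this illustration handles /48 <-> /48 only")
        self._in_words = _words(self.internal.network_address)[:3]
        self._ex_words = _words(self.external.network_address)[:3]
        # adjustment = sum(internal prefix) - sum(external prefix), in one's
        # complement arithmetic; constant for the life of the configuration.
        self.adjustment = _ones_add(_ones_sum(self._in_words),
                                    (~_ones_sum(self._ex_words)) & 0xFFFF)

    def _translate(self, addr, src_net, dst_words, delta):
        addr = ipaddress.IPv6Address(addr)
        if addr not in src_net:
            raise ValueError(f"{addr} is not inside {src_net}")
        words = _words(addr)
        if words[3] == 0xFFFF:
            # RFC 6296: a subnet id of 0xFFFF cannot be translated; drop it.
            raise ValueError("subnet id 0xFFFF is not translatable")
        words[:3] = dst_words                     # swap the /48 prefix
        words[3] = _ones_add(words[3], delta)     # fold the adjustment in
        if words[3] == 0xFFFF:
            words[3] = 0x0000                     # RFC 6296 writes 0 here
        return _from_words(words)

    def outbound(self, addr):
        """Internal -> external: rewrite the source of an outgoing packet."""
        return self._translate(addr, self.internal, self._ex_words,
                               self.adjustment)

    def inbound(self, addr):
        """External -> internal: rewrite the destination of a reply."""
        return self._translate(addr, self.external, self._in_words,
                               (~self.adjustment) & 0xFFFF)


if __name__ == "__main__":
    t = NPTv6("fd12:3456:789a::/48", "2001:db8:1::/48")
    out = t.outbound("fd12:3456:789a:1::10")
    print(out, t.inbound(out), hex(t.adjustment))
```

Because the subnet word absorbs the adjustment, the external view of your subnet numbering is shifted by a constant; anyone writing firewall rules on the outside against "subnet 1" needs to know that, and subnet 0xFFFF is simply unusable behind an NPTv6 box.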
The real answer: DDoS mitigation and monitoring tools haven't caught up yet. They are only just recently starting to implement IPv6 and are not yet at feature parity with IPv4. It has nothing to do with the end-user experience. IPv6 is much better than IPv4 since it resolves the NAT issue; you think ISPs want to use CGNAT?
I went through something a bit like this almost 30 years ago. The basic problem with IPv4 was lack of addresses. So they came up with IPv6 ~ huge address space. But while that was getting sorted, some sort of quick dirty fix (a hack) was required, and that became NAT. Now NAT does break a couple of your fundamental network paradigms, but it's not all negative. It largely solves the limited address problem and it opens up a complete can of worms with other kinds of network tricks. It mostly makes IPv6 completely unnecessary. If you went pure IPv6 then loads of things would stop working. But if you simply stopped IPv6 and went back to pure 4 ~ a few things would go a bit wonky for a week or so, but then they'd go back to old-school and everything would work again. So this brings me back to today ~ when as a home user I have a dual stack because that's the default, (Linux Mint as host) but mostly the IPv6 doesn't do anything ~ except complicate the picture. As far as I can see, pretty much everything is running through IPv4 + NAT anyway. That's where we were at when I started learning this stuff in '95 ~ '96 and that's where we're at still. IPv6 fixes one problem, but NAT fixes several. It's a quick dirty hack, but it has become a wonderfully useful and versatile hack, it does a number of things simple pure IPv6 doesn't. The quick & dirty hack, is actually a far better and more versatile solution than the proper one. As a Linux-head ~ I find something very oddly appealing about that.
Why don't you use a domain registrar that allows you to directly update the DNS records via an API? I use one and it allows me to directly update any IPv4 or IPv6 records dynamically (like how DynDNS works), so I only have to set up a simple script on those devices, and even when I would get a totally different IPv6 block, my subdomains will automatically get updated too, having the IPv6 addresses reconnected. My DNS provider also supports low-TTL updates, which means after I propagate the update it takes less than a few seconds to be active and reachable from the whole world (no need to wait before the other side of the world has the new info).
Hi! Have you considered using both? Private addresses for internal use, memorable addresses that never change, and use SLAAC at the same time to provide publicly routable addresses for when you need to go out onto the internet? You can use the auto-assigned addresses, private and public ranges at the same time with no worries. This way there's no NAT or one-to-one funky translations.
It's simply impractical: reading firewall entries, reading logs, SEARCHING logs. Imagine you have to change your search depending on whether the log uses the shortened or non-shortened way of logging IPs. How many times do you have to manually read a routing table to find an error? Close to impossible on IPv6 if the table is large enough.
My employer does not currently have IPv6 deployed in the network, but we own a public address block (/42?). It is registered to my employer, at ARIN, just as the /24 IPv4 address space we own is registered with ARIN. It is ours, and whichever ISPs we choose for service, we would announce our networks using BGP. Or, we could simply point our default to the ISP, and they would point a static route to our public IP blocks and redistribute into BGP. What you are addressing in this video is the situation where you are ‘leased’ an IPv6 block (/48) from your ISP. This is a /48 out of a much larger space that your ISP has been allocated. It isn’t portable, so you can’t own it and take it to any other ISP. IPv6 address blocks allocated via DHCPv6 also have a mechanism to request the same prefix each time the DHCPv6 allocation expires, if only all ISPs would honor this! I really think the big challenge with IPv6 is that we approach it with the same mindset that has been used for decades with IPv4: RFC1918 addresses on the LAN, NAT to a single public IP address, implied security because of stateful NAT, etc. Even in larger (enterprise) IPv4 networks where the organization has a publicly assigned address block, there is a mix of static NAT to present public-facing services as well as dynamic NAT/PAT for outbound connections initiated by internal users and systems. For IPv6 use in small environments (home or SMB), if you lease an IPv6 address block from your ISP, you need to be able to accommodate the potential for prefix allocation changes, incorporating DNS and SLAAC. For larger networks, request an address block from ARIN (or whoever your regional authority is), and then you will have that permanent address block.
Deja vu all over again. In the early days of the Internet we used RIP, and RIP needed a table of all routes; as we added addresses the table got too big and IBM had to build special RS/6000s to hold the routing tables. OSPF and BGP were written to handle this. It shrank the routing tables. So in IPv6 you can do what you want, and the IPv6 version of BGP needs to know how to route to your /48 and provide that into the consolidated routing tables for routing packets over the backbone. Adding a large number of random /48s makes that table huge. The ISPs have a single larger block, keeping this table smaller and more manageable. Thus they charge for reserved blocks of addressing space to limit this to only those entities willing to pay for the routing table entries. (Using routing table loosely here of course.)
Yes, I've certainly learned about the route tables in BGP, as I don't really touch WAN stuff, but many have pointed that out, which is fair. Now it just implies that the design could never have had everyone with their own lifetime address easily.
@TallPaulTech IPv6 was never designed for everyone to have permanent /48s; it was always intended to be region based, whether that region is an ISP or a multinational company, or whatever. That a private space within it, without use of NAT on the gateway, was allowed I'm sure caused a lot of consternation on how it would be implemented if it got large.
Seems the DHCP service should pick up the current prefix and dish out assignments based on that, then retire the old prefix? And ya, update DNS accordingly 😞
Funny thing with NAT is I don't see why an IPv6 router with a firewall, which offers even better protection than NAT, wouldn't be a bad thing. Like literally just have a rule to drop incoming non-established connections. Or even IPv6, a firewall, and NAT.
I've been running IPv6 on my home network for over 13 years, the first 6 with a 6in4 tunnel, but now with native IPv6 from my ISP. Android devices don't work with DHCPv6, thanks to some genius at Google. Re your changing prefix, that's why you use a DNS server. Hopefully your ISP will provide a consistent prefix. I've had the same prefix for years and it's survived replacing, at different times, my modem and the computer I run my firewall on (pfSense). If you want a prefix that's forever yours, arrange for your own prefix, independent of the ISP and have it routed to you, as businesses do. BTW, your IPv4 address is likely not permanent. With my ISP, mine is, so long as I don't change my modem or firewall hardware. Many others aren't even that lucky, with their address changing anyway. Also, with my ISP, the host name they provide is based on the firewall and modem MAC addresses and again doesn't change as long as I don't change hardware. Do NOT use NAT. It's a curse from the network gods and should only be used to get around the IPv4 address shortage. There's no need for it with IPv6. With SLAAC, you have one consistent address and up to 7 privacy addresses. Use the consistent address for DNS and the privacy addresses are normally used for outgoing connections. The IPv6 equivalent of RFC1918 is called "Unique Local Addresses" (ULA), where you pick a prefix that starts with fd:. You can use ULA for your local devices, so that even if your public prefix changes, you still have the same addresses on your LAN, just like RFC1918. On IPv6, the LAN subnet size is always /64. Run dual stack, as I do, so that both IPv4 & IPv6 are available. Normally, IPv6 is preferred, but IPv4 is still available. I often help people with IPv6 on the pfSense forum. One thing I've noticed is many problems are self inflicted because people are stuck in the IPv4 way of doing things. You seem to be in that category. You also seem to be dreaming up problems on your own. 
Yes, if you had a business, you could get your own prefix, but you would be paying a lot more for it. Use DNS. That way, should your prefix change, you update the server. Problem solved. A bit about me. I come from a telecom background. I first learned about IPv4 in early 1995, when I took a class through a local college. As I was sitting in the class, I was thinking 32 bits was not enough. Shortly after, I read about IPv6 in the April 1995 issue of Byte magazine and realized that was the way to go and I've been advocating for it ever since. I also got my Cisco CCNA several years ago, and IPv6 was part of the subject matter. As I mentioned, I run pfSense for my firewall/router and have multiple subnets. I also have ULA enabled, though I don't really have a need for it, with my persistent prefix. Regardless it works. Also, with the modems my ISP provides, when in gateway mode, ULA is also provided, in addition to the public prefix.
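The ULA prefix the comment above refers to is meant to be picked randomly, not as a pretty "fd00::/48", so that two sites can later be merged without renumbering. As an added example (not James_Knott's code, and not the only way to do it), this is the generation procedure from RFC 4193 section 3.2.2 in Python: an NTP-format timestamp and an EUI-64 are hashed with SHA-1, the low 40 bits become the Global ID, and that sits behind the fd byte to form the /48 from which /64 subnets are carved. The MAC address and timestamp are constructed inputs; in practice you run this once, record the prefix, and keep it.

```python
"""Generate a ULA /48 the way RFC 4193 section 3.2.2 describes, then subnet it.

Added illustration; the MAC and timestamp below are constructed inputs.
"""
import hashlib
import ipaddress
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01


def eui64_from_mac(mac):
    """Modified EUI-64 (RFC 4291 appendix A): flip the U/L bit, insert ff:fe."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def ntp_timestamp(unix_time):
    """64-bit NTP timestamp: 32-bit seconds since 1900, 32-bit fraction."""
    secs = int(unix_time) + NTP_EPOCH_OFFSET
    frac = int((unix_time - int(unix_time)) * (1 << 32))
    return struct.pack(">II", secs & 0xFFFFFFFF, frac & 0xFFFFFFFF)


def ula_global_id(mac, unix_time):
    """SHA-1(time || EUI-64); keep the least significant 40 bits (5 bytes)."""
    digest = hashlib.sha1(ntp_timestamp(unix_time) + eui64_from_mac(mac)).digest()
    return int.from_bytes(digest[-5:], "big")


def ula_prefix(mac, unix_time=None):
    """fd00::/8 (L bit set = locally assigned) + 40-bit Global ID -> one /48."""
    if unix_time is None:
        unix_time = time.time()
    first48 = (0xFD << 40) | ula_global_id(mac, unix_time)
    return ipaddress.IPv6Network((first48 << 80, 48))


def ula_subnet(prefix, subnet_id):
    """One of the 65536 /64s inside the ULA /48 (subnet id is bits 48..63)."""
    if prefix.prefixlen != 48 or not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("need a /48 and a 16-bit subnet id")
    return ipaddress.IPv6Network((int(prefix.network_address) | (subnet_id << 64), 64))


if __name__ == "__main__":
    # constructed inputs: a locally administered MAC and a fixed timestamp
    p = ula_prefix("52:54:00:12:34:56", unix_time=1700000000.0)
    for vlan in (0x01, 0x10, 0x20):
        print(vlan, ula_subnet(p, vlan))
```

The 40 random bits are what make the "combine two sites later" property hold: the chance that two independently generated /48s collide is about 2^-40 per pair, which disappears the moment everyone hand-picks fd00:: or fd01::.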
For me it comes down to one point. I can remember an IPv4 address. I can't remember an IPv6 one. So when dealing with my network of 10+ personal computers and several servers I don't want to have to resort to a "cheat sheet".
IP addresses are for routing. The idea that every major network in the world needs to know your IP prefix so it can route to your ISP is just silly. That is what DNS is for. The 6-to-4 issue is the real problem. IPv6 is not complicated, but hybrid IPv6 and IPv4 kind of is. If we get to the point where the normal user doesn't need that, we're getting somewhere. Don't know if that will ever happen.
Can't even get native IPv4 at home anymore around here; the providers simply don't have enough of them. I need to share my IPv4 with other customers and the provider uses some kind of IPv4-over-IPv6 tunnel for the communication with IPv4-only servers. If I need native IPv4, I need to sign an expensive business contract with the provider. It somehow works, but routing anything from the outside into my home network is a pain.
Watching this the second time, I got to thinking the problem is software/systems designed with IPv4 expectations, so really if you design every system to expect your specific nodes can change address, it would not be required that we own our own bank of addresses or try to make the addresses never change.
As for the question „Why use IPv6?“ is concerned, here are some answers which apply to my personal situation: a) Configuring routing for virtual machines and Docker containers becomes easier. b) My ISP supports native IPv6. c) My preferred hosting provider charges for every single IPv4 address since the pool was exhausted, and IPv4 subnets have become prohibitively expensive, while every machine is assigned as many free-of-charge IPv6 /64 subnets as desired. I use some servers which don’t have an IPv4 address anymore.
Fixed public IPs (the prefix portion, not the subnet portion) shouldn't be assigned by networking providers; they should be independently allocated, similar to domain names, so they can be transferred between vendors. It's one more major flaw in the standard.
Very interesting (as usual). My understanding is that, aside from address space exhaustion, one of the problems the IPv6 working group was trying to solve was "huge" routing tables in the core backbone routers. That had arisen because of historical "classful" routing and the lack of any serious discipline, at least early on, to allocate IPv4 in a strict hierarchical fashion. IPv6 follows strict guidelines allocating blocks to regional NICs, then sub-blocks to countries, then smaller blocks to ISPs. I've always felt that, while the strict hierarchical nature of IPv6 is good for keeping routing tables manageable, it also enables more accurate geo-location and that's probably a good reason for sticking with IPv4. Second, I've been told that in some places in the world (Germany), ISPs rotate prefixes every 24 hours. ISPs claim to be protecting home users who expose routeable addresses but my guess it's the old "if you want a permanent address you have to pay for a business connection". Seems to me the solution to this is enhanced DDNS where any prefix changes are communicated with your DDNS provider.
Germany's Telekom gives you a new prefix whenever you create a new PPPoE session (if you don't have a fixed IP contract). They haven't actively terminated sessions for quite a few years now. With a somewhat smart router it isn't that big a deal. My local DNS server updates its configuration automatically whenever it sees a prefix change and then updates the public DNS zones for those machines that are externally visible. Geo-location works extremely well for most ISPs because they already do assign addresses geographically anyway. This applies to IPv4 just as well. The main reason that IPv4 is so fragmented: inability to grow. If you hand out too much space to a given company, resources are wasted (like in the old days, where one university got 1/256 of all IP addresses). On the other hand, if you give them too little, you end up with either two routes to the same physical target or have to renumber stuff. Given that IPv4 addresses used to be hard-coded everywhere (because why depend on DNS), that's a major PITA. Now make an educated guess how many "serious" internet-using companies have a constant demand and you will see how the fragmentation happened. IPv6 combats that on two levels: motivate people to not hard-code numbers everywhere, and make it easy to have reasonable allocations with enough room to grow. Take a university for example. It's quite a bit easier to estimate the number of networks you will need than the number of networked machines. The former reflects organizational structures and we have a lot more understanding about their development. Once you have the number of networks, round up to the next power of 16 and subtract that number from 64, and you have your baseline for what prefix you need.
One thing to add: what I feel is missing is just a piece of software which keeps your subnet steady. With IPv6 just your prefix changes, but everything after the prefix could stay the same. Thus I would love to see software just support the prefix notation, or add on to it with variables. For example you get your ISP prefix and add your networks like so: isp:vlan::ip. It would be nice if software could understand that if you leave the ISP part out, it just adds it automatically depending on what your RA gives it, such that you can just write for apps or DNS or what have you: ::vlan::ip and it fills in the blanks.
You could use 2 subnets at home: the public subnet from your ISP with SLAAC, and Unique Local Addresses (ULAs) that work in your home network and don't change. Also it really sounds like you're trying to evade DNS. IPv6 was explicitly made with people using DNS, which negates the need for static IP addresses. I live in Germany, and IP addresses (v4 and v6) change every day for home users. And still I have some services running without issue.
Most ISPs will give you a fixed address if you pay extra. Default settings actually mean your ISP-provided address may just be reset randomly. Link-local addresses will work locally, so use DHCP for local addresses; my router allocates IPv6 to clients automatically (for global addresses), and Windows 10/11, Server 2023 etc. all actually default to IPv6 and just fall back to IPv4. Some devices on my network still do not support IPv6, and this is an industry-wide problem, so basically you have to run both. IPv6 is actually more efficient at data transfer so there are other benefits.
As a non-network engineer, but someone more technical than the average user, like hosting something on a home server, a raspberry pi, etc. My only exposure to ipv6 is when it breaks something, like your PiHole DNS server, and the easiest fix is to turn it off everywhere. So the technology is off to a bad start right off the bat.
Indeed. Since everyone's knee-jerk reaction is "just turn the broken shit off!", it'll never get fixed. Until people take a serious look at what doesn't work, and why it doesn't work, there won't be any fixes.
I’ve been running ip6 on my home network for several years in a dual stack config as not all my devices support it. My ISP doesn’t support it either, so I use a VPN service that gave me a 48-bit prefix. I don’t see ip6 being different from ip4 in that the prefixes have to be routed and ultimately you want the minimum amount of routing traffic, so it makes sense that internet service providers are allocated blocks of similar addresses that can be advertised in a block. If everyone can have their own prefix that is portable then you have to advertise each prefix separately, which has performance implications since each router needs to know about the prefix to route it, as well as capacity: the amount of memory each router would need to be able to store the routing table would be enormous. Also this “problem” is the same on ip4: if you change ISP, you get a new ip4 address. This is why we have DNS, so we don’t care what the address is; just as long as it is updated when the address changes everything is fine. I personally don’t masquerade my ip6 addresses but there is still a firewall and in general only outbound-initiated connections are permitted, but I have the option to expose a port on a server to allow inbound.
@MikkoRantalainen The main feature for me was to learn about the technologies needed for it to work and also to be able to host test web sites directly on a virtual server (in a DMZ) without having to mess around with reverse proxying or using different ports.
@_chrisr_ Do you think IPv6 has been an easier solution overall than using reverse proxying or port forwarding? At least for me reverse proxying and port forwarding would be a much easier solution than trying to switch to IPv6.
@MikkoRantalainen as there was a learning curve, it took longer initially, but that was several years back and I didn't touch it until I upgraded my server which ran the ip6 network services (as well as ip4) earlier this year and had to remember what I had set up! 😀. Having said that it wasn't particularly hard to set it up. I only have single external ip address so sometimes being able to have a host with its own external address has an advantage when trying to replicate a configuration used by a customer.
Every adapter can have many IP addresses. You have control over LLAs and ULAs and you can use them in your internal networks for permanent addressing. Since you do not control the prefix you get assigned by your ISP, you should not depend on addresses derived from it not changing. To control access from and to the internet, use a firewall instead of NAT (e.g. you could use MAC addresses or another non-changing characteristic to tie firewall rules to devices, instead of using public IPv6 addresses in your firewall rules). Under normal operations, using NAT should be quite exotic with IPv6 (i.e. if you find yourself wanting to use NAT, you should stop and reevaluate the solution to the problem you are trying to fix).
Uhm, I don't know where you live, but for the EU region RIPE is a really nice Internet registry. You can get your own ASN and IPv6 space for little money (I paid $50 for a /40 prefix and ASN). You don't need justification or anything; you just need an ID card for identification. You also don't have to be a company. Normal people can ask for one without much hassle. But announcing the prefix is yet a completely different story.
You are addressing the problem that an IP address serves two purposes: it acts as an identifier (i.e. Which computer or which network do I want to talk to?) and a locator (i.e. Where is this computer or network located on the Internet?) If you change the provider, of course the locator has to change, unless you are your own provider, running your own AS. However, you want to keep the identifier. There is a protocol called LISP (Locator/Identifier Separation Protocol) which tries to separate these functions. With this, there are IP addresses that act as a locator (EID), and other IP addresses that act as an identifier (RLOC). This way, you can keep your identifier IP addresses while your locator IP addresses change. I don’t know whether this is usable yet.
Partly agree; changing prefixes should be solved with smart DNS. Prefixes you own would be a huge problem for BGP routing. Imagine IPv6 full tables with all /48 routes.
Paul, I found that using an IPv6 unique local address (ULA) prefix solved the issues you mentioned, in both my business and home use cases. I registered my fd00::/8 prefix back in SixXS times, and each of my devices is assigned an address with this prefix. The addresses are as simple to remember as I choose them to be, are managed by my own DNS server, they obfuscate my internal network without the need for NAT, and remain unchanged no matter what IPv6 prefix is assigned by my ISP. As is common practice in Germany, both my home router’s IPv4 address and IPv6 routing prefix change every 24 hours, so ULA was something I needed from the get-go. If you have not tried ULA yet, I strongly recommend looking into it.
"both my home router’s IPv4 address and IPv6 routing prefix change every 24 hours" OUCH!!! My IPv4 address is virtually static, changing only when I change hardware and I've had the same IPv6 prefix for a few years. I'm in Canada. What possible reason could they have for changing addresses every 24 hours?
@TallPaulTech I used a Linux router for years, including with IPv6 via 6in4 tunnel. However, I found it wouldn't work with DHCPv6-PD, which my ISP used to provide IPv6. As a result, I switched to pfSense. Does Linux now support it properly?
@James_Knott That's how I get my addresses from the ISP too. It works nicely. Do you mean you couldn't get it to work as a DHCP client from the ISP to get that info? Use something like this:

# wan
#auto eth0.2
#iface eth0.2 inet dhcp
#iface eth0.2 inet6 dhcp
#    request_prefix 1
#    accept_ra 2

On the internal side, I have radvd and a DHCPv6 server.
@@James_Knott The reason is, unsurprisingly, money. Only particular contract models, aimed at business clientele and priced substantially higher than those meant for Joe Random private user, allow for static IPv6 address prefix assignment. The same goes for IPv4 addresses, by the way. Come to think of it, I believe there is also the limitation that one can have either static IPv4 or static IPv6, but not both simultaneously. This is based on the information I received from my ISP, which happens to be the market leader in Germany. Where I live, there is unfortunately no alternative ISP. 😐
This is a great video. I tried this week to go IPv6. All worked well until I got my NAS and it did some funky stuff renaming itself to my ISP’s name and relocating itself to the NT when I am in NSW. So I went back to IPv4. I like your idea of “owning” an IPv6 range of addresses. We should be allocated them and they should be ours to use. We have a telecommunications legal precedent already in phone numbers belonging to us, so that even if I switch from Optus or Vodafone to Telstra or vice versa, I am legally allowed to keep my original phone number. If I had to change phone numbers every time I changed providers, this would make life impossible for all my family, friends and work. Why can’t we take an IPv6 static address with us from provider to provider like we do a phone number?
Also a good point. I wrote to my local Federal MP about this last night suggesting that every Australian get a range of IPv6 addresses allocated to them, same as with a phone number. NBN could administer and that way the tables would work within Australia wouldn’t they? They wouldn’t be random, they’d be assigned (similar to how landline phone numbers used to mean certain areas like how Vic is 03 and NSW is 02)
At least part of the problem is that many of the big players, especially in North America, have enough of the IPv4 address space that they have no pressure to support IPv6. It's sheer laziness. I think another reason ISPs might be reluctant is that CGNAT makes it that more difficult for customers to make services available on the WAN. This, in turn, reduces uplink traffic.
I'm waiting for IPv7 with the planetary prefix, then allocate a block designated for Mars. If you give people the ability to buy IP6 ranges in bulk, then you'll just end up with large companies buying huge chunks for themselves for "just in case". I suspect you'll end up with IP6 eventually on the interwebs because of the lack of IPs, but private ranges will probably stay on IP4 with NATing.
What you are waiting for is an IPv8, not IPv7. There is a concept of using odd/even numbers for unstable/stable releases: odd numbers are used for concepts, highly experimental things used only to evaluate those concepts, etc. This is why we have IPv4 and IPv6, but not IPv5. Same issue with Linux kernels (2.0.×× 2.2.× 2.4.×× 2.6.××) etc.
I thought the same thing. I work at an SMB company, our ISP offers dual stack with a /48 on IPv6. I hesitate to set up IPv6 internally without NAT66 because the ISP is then in charge of my prefix. I researched the thing and found out you CAN get a /48 for yourself (as a company at least), even for reasonable money. BUT you will have to implement BGP to make it work, which adds a lot of complexity and cost (for the routers).
For sceptics, this might become useful if interplanetary colonization happens in the far future, probably not now. Plus it's a good safeguard if the limit is reached for whatever reason.
I tried to get V6 going, just simple pings, in my local net no problems, but once I tried to cross my ISP's router, nothing worked, so I took it that their firmware was broken and that was the end for me. So I wait for a better box from my ISP. I cannot easily replace that box as it does voip and free cellular backup, both not easily replicated as they won't hand out the codes etc to talk to their systems. About 80% of what you said went over my head, so a good tutorial would help.
100% agree with this. I wouldn't and won't implement IPv6 on our customers' networks, or my own (except for testing). We manage many sites that utilise multiple WANs and in my opinion the ISP needs to be disposable; their network stops at the WAN.
Network Address Translation (as an invisible proxy) has helped a lot of people misunderstand network scope. If IP4 and associated software didn't expect one address per interface, then an interface could have two addresses: an RFC1918 address and a public address, one for local comms and one for global comms. IP6 does this. NAT is like a secretary that connects calls so you don't have to know how to dial direct and transfers calls based on caller id, so the caller has no idea there are several bosses behind the same number.
There's just not a whole lot of business reasons to be able to give an IP address to every grain of sand on the planet. Much less wanting to keep track of them all in your maintenance database for the tech support folks.
I've been thinking about a more universal version of the IP protocol. It requires a lot more bits but I also think it has advantages.

Bit 0 -> Physical or Virtual
Bits 1-31 -> Galaxy
32-79 -> Star
80-95 -> planetary body
96-127 -> polar latitude
128-159 -> polar longitude
160-191 -> height (cm)
192-255 -> unique identifier
256-303 -> protected bits (see below)
304-319 -> parity bits

This would mean that every ~cubic centimetre of the earth (up to 42km out) could have ~10^19 addresses, 16 bits per solar system for each planet, 48 bits per galaxy for each star, or 31 for each individual galaxy could be divided up in some relatively structured way just like the planetary addresses as and when the time comes that they're needed. But this should be more than one per galaxy, more than one per star in any given galaxy, and more than one per orbiting body over 10km in diameter. Since the Poles and the centre of the planet are relatively over-allocated you can put special addresses at those locations like DNS servers etc. Each asteroid or planet or moon gets a similar number/density of addresses with bigger/older/popular planets getting a range (so if 10^19 addresses per cm^3 isn't enough they can be allocated more). Lesser objects maybe having a different breakdown of the planetary body/latitude/longitude/height bits: for something smaller than 10km then having ~43000km of height in cm is probably too much, similarly at its surface a density of 0.001mm is a bit high density, so some precision bits could be moved to the planetary body to account for the millions of lesser bodies per system. And similar could be done with space habitats over a certain size too. With this density of physical addresses, it provides opportunities.
We could assign each (macro) component an IP origin address, with each company at any given address having its own range by picking a different cubic centimetre of the factory to choose their IPs from, and if they run out with a given cube they can move one cm over. As well as each component getting an address, each person could be allocated a physical address at birth too, effectively making these like permanent phone numbers or email addresses or identity codes. Each year could have a different location in the hospital as the base IP and each unique identifier could be randomised to prevent the use of dialling every one in sequence. Similarly, institutions could assign an IP address to other physical or even virtual items like a degree or receipt as a proof of authenticity, with each IP on those things leading to a website which should give data to verify the person or item's authenticity. Each IP address also has 48 protected bits that it can use as a signature or to assign a port number internally, the exact use of which is determined by the destination, not the global network/standards. For example a unique code could be attached to the personal IP for each time it's given out and then if it's shared to others there's a fingerprint attached, and modifying that fingerprint to disguise the origin could mean that any message may be dropped as spam. Or for a virtual address you might have several computers behind a single access point and each computer gets its own protected range for port forwarding, UPnP, etc. And as well as each component, person and so on getting a physical address point of origin, you have a separate but identical in quantity set of virtual addresses for each location which can be used to do routing by the current location of a device, or its nearest cell tower or ISP service box etc. If you want to send a message to someone then the easiest heuristic would be the one that reduces the distance to the virtual address.
Omitting the higher value bits can be done for certain types of traffic like planetary traffic or in-system traffic or in-galaxy traffic; doing this assumes virtual addresses. 16 parity bits allow for the code to be error-correcting under reasonable conditions, which current IP addresses are not. To all practical purposes, they'd never run out of addresses and then IP would be kind of future-proofed beyond just our one current planet. 320 bits is a lot more than the 32 and 128 bits we currently use in IPV4 and IPV6, though it would have a lot more utility: it'd roll MAC addresses and IP addresses into the same standard and it'd give the IPs some rhyme or reason beyond 'just because the allocator gave you this set of numbers'. User authentication: there should still be plenty of ways to obfuscate user location and so on through virtual addresses, picking (or purchasing) one (or a set) that's within the planet's core could be an accepted method for doing this, so being ANON on the web should still be possible to the same degree it is now, but if you want to authenticate you are who you purport to be it should be relatively easy too, you can physically authenticate your address without much trouble providing the ISPs provide this facility, and as you have an IP that's personal to you based off your own point of origin you can also allow for that to be used as an auth server for your identity if your hospital/ISP/government provide that facility. Obviously, it needs a little fleshing out but I think it's a good start.
You have given incredible thought to this. If anything like what you've suggested here were to be implemented within the next 100 years, humanity & perhaps even some other kinds of life could be set for as long as I'm willing to consider forecasting into the future. If this is truly what you are passionate about & you want this to happen, then find a way to do it. However if I were you, I would use your incredible ability to consider & think through every possible aspect/need of something and apply that ability to things that are bigger problems for humanity now. The first thing that comes to mind is not everyone on earth has access to drinkable water or healthy food or any internet access at all.
There's no more permanent solution than a temporary fix; as long as it needs an overhaul, might as well plan for the future... Though yes, it is a bit overkill, I also think there are a myriad of ways in which it could be used if it existed. I personally am a big fan of the verification methods that could be built on this. You can have a stamp of authenticity and origin built into so many different things; you could put a substantial end to fakes and forgeries for example. You could make certain portions of the internet only accessible by people who are declaring their identity correctly, eliminating or substantially reducing trolling. Having a universal addressing standard in place for the next billion years is just a bonus xD
@@gzoechi TTL is a hop counter generally speaking, so if a hop is between star systems it's still just one hop. You'd likely need to have a larger counter but it would depend on the configuration of the networks at each star; 10-16 bits of TTL might be overkill if each star system is 1 hop. DNS wouldn't have to be synchronised, so long as each star system is closer to the terminal address the packet's route can be looked up in each star system. It may be that if you're moving system though that you need to tell your destination and request all packets for you be saved until arrival before setting out... or by setting up a device at your departure point to act as storage and relay for those packets... though it depends on the speed of travel; if physical travel is a substantial fraction of c, packets could be saved via transmission between star systems, and if it is possible to send and/or receive during a voyage. However in most cases it's a simple matter to aim at the relevant star system (even through intermediaries) and expect the thing to have not left the destination system, so it'd be no different from a phone changing cell tower while a packet is en route. It may be reasonable for interstellar relays to hold onto copies of packets and sign them as a way to reduce the requirement for retransmission over stellar distances. A lot of this could actually be worked out by looking at slower transmission methods like TCP/IP over carrier pigeon and remembering that there may be occasions where the bandwidth of a lorry load of tape drives is more effective than radio. For 'non urgent' interstellar communication (which would be most interstellar communication if we're honest; our closest neighbour gets things with a 4-year delay) it may be that we pack cargo ships with some form of permanent storage and send communications to another system snail mail style, to be unpacked and transmitted locally or repacked onto another storage ship for another destination.
Agreed, and you seem to be the only person that has described my exact dilemmas! I have the issue on my network with my Kubernetes cluster. I've tried to go IPv6 first everywhere, and on "normal hosts" having both a ULA and GUA works fine and handles the changing ipv6 prefix problem. But I can't set up my kube cluster using the ISP prefix just in case it changes. I've set it up with a ULA for now, but of course the pods can't route to the internet unless it's IPv4. The half way solution would be stateless NAT or Network Prefix Translation, where the router just swaps the prefixes and leaves the host portion alone, but I can't seem to get this to work with IPTables.
Honestly, I think the fact that basically every home network uses NAT, and has for a while, has probably snuck assumptions into so many programs out there. And not just programs, but general practices and recommendations as well. I'm no expert, but I find that transitioning from NAT connections to direct ones may introduce a host of unintended consequences. Not saying we shouldn't do it, it just becomes an interesting new paradigm.
@@TallPaulTech Absolutely. I was thinking more about the security implications. Having a network device in front of traffic by default sort of gives you a firewall for free. It also makes tracking a whole lot harder as any Internet host would just see the public IP, even though any device could be connected through it. Having each device actually have their own public IP addresses would make it much easier to determine what exact device the packets originated from.
@@TallPaulTech that's fair. I'm just thinking about how ISPs may implement IPv6 going forward for home customers. If they stop using NAT for their home Internet solutions, that puts home users in a technically different situation than they've ever been in. I'm not sure what the implications of that would be, but I think there would definitely be some interesting ones.
@@TallPaulTech I've never static'ed my home net, but I've never had a problem getting static for my work here in the US, never. Of course, we only need a /28 IPv4
In around 2010 there were many IPv6 enthusiastic ISPs. But that was also the time when Internet blocking laws appeared. Controllers were connecting to the Internet in each café with free WiFi, and if they managed to connect to the forbidden resource, they posted notable fines for law violation. Controllers often had muTorrent installed on notebooks, and muTorrent configured Teredo and/or 6to4. If Teredo and/or 6to4 helped to reach the forbidden resource, they posted a fine. At the same time Internet-blocking software was immature, barely capable of blocking IPv4 correctly. ISPs could either provide native unblocked IPv6 and be fined for that, or not provide IPv6 at all. Instantly IPv6 became damnation for cafés and for ISPs. They blocked each and every IPv6 loophole. No more 6to4, no more Teredo. Nobody likes fines. That's how IPv6 was canceled in Russia.
I’m in the same boat... I want to use ipv6 more. I have to wonder about your concept of owning a static, portable subnet though. I don’t think calling it your “prefix” is right; to me it’s a subnet. And mostly like ipv4, your subnet is just a subnet within your ISP’s subnet; they can only allocate within the ipv6 blocks they own. Getting a new IPv4 address is normal if changing ISPs, so not surprising IPv6 is the same. I mean, why not go a step further and have a single static ipv6 address for your phone or laptop that never changes even if you traverse different networks (home, then cellular, then mates wifi, or work lan, etc). It would be a technical nightmare. DHCPv6 just needs to be smart enough to see the new prefix, and only worry about the subnet portion for address allocation, and then intelligently combine the two, rather than being hard-coded. And finally, yeah. IPv6 support is dismal in terms of routers etc. I also think such routers should do ipv6 firewalling in a way that mimics port-forwarding config. Too much to type in a youtube comment… At the end of the day, the ultimate problem is that everyone is simply dragging their heels. People (ISPs, vendors etc) might only barely dip their toes in the water but no one wants to jump in proper.
I use BT in the UK and *each* time the router restarts the external connection it gets a different IPv6 address from BT. Most frustrating as I can’t use native IPv6 as it’s changed daily.
I thought IPv6 was created for practical reasons because we were supposedly running out of IP addresses. It's been 20 years and this hasn't happened, largely thanks to NAT. Is there any downside to just continuing to use NAT as a workaround for the IP address exhaustion problem as opposed to a full adoption of IPv6?
IPv6 is around 30 years old, but it still has growing up pains. It was designed before mobile broadband, before small businesses and home users started multihoming. Too many IPv6 cheerleaders saw NAT as a weakness of IPv4 instead of a flexible tool which goes well beyond the "temporary" fix for public address exhaustion. Then there are the dozen different ways of v4 to v6 migration and interworking. Also Apple, MSFT and Google pushing different paths. Although you can get a PI (provider independent) /48 address from your RIR, it is just not scalable for the hardware on Internet core routers to handle routing tables with a billion entries, which would result from everyone getting this.
IPv6 without translation only really works well for big institutions with a fixed PI allocation and BGP multihoming to ISPs, or smartphones with a temporary /64, which also allows for a temporary hotspot.
For small business and home internet I think the solution is ULA (private IPv6) for the LAN with stateless network prefix translation to the WAN prefixes from ever changing ISPs, which could even be multiple concurrently.
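The stateless prefix swap proposed here (and the one the Kubernetes comment earlier in the thread could not get working with iptables) has one subtlety: IPv6 addresses are part of the TCP/UDP pseudo-header checksum, so a naive swap breaks every transport checksum. The translator below, an added example that is not code from the video or any commenter, follows RFC 6296's checksum-neutral approach; the ULA and ISP prefixes and host addresses are constructed, and it assumes both prefixes are equal length, at most /64, on a 16-bit boundary.

```python
import ipaddress

MASK16 = 0xFFFF


def ones_add(a: int, b: int) -> int:
    """One's-complement 16-bit addition (the arithmetic behind IP checksums)."""
    s = a + b
    return (s & MASK16) + (s >> 16)


def ones_neg(a: int) -> int:
    """One's-complement negation: the value that sums with `a` to zero."""
    return (~a) & MASK16


def words_of(addr) -> list:
    """Split a 128-bit address into eight 16-bit words."""
    raw = ipaddress.IPv6Address(addr).packed
    return [int.from_bytes(raw[i:i + 2], "big") for i in range(0, 16, 2)]


def from_words(words) -> ipaddress.IPv6Address:
    return ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in words))


def ones_sum(words) -> int:
    """One's-complement sum of a word list, with negative zero (0xFFFF) written as 0."""
    total = 0
    for w in words:
        total = ones_add(total, w)
    return 0 if total == MASK16 else total


class NPTv6:
    """Checksum-neutral prefix translator in the style of RFC 6296.

    Outbound packets get the internal (ULA) prefix replaced by the external
    prefix; inbound packets get the reverse.  The difference between the two
    prefix sums is folded into one 16-bit word of the host part so that the
    transport checksum computed by the end hosts stays valid.
    """

    def __init__(self, internal, external):
        internal = ipaddress.IPv6Network(internal)
        external = ipaddress.IPv6Network(external)
        if internal.prefixlen != external.prefixlen:
            raise ValueError("internal and external prefixes must be the same length")
        if internal.prefixlen % 16 or internal.prefixlen > 64:
            raise ValueError("this example handles /16../64 prefixes on 16-bit boundaries")
        self.nwords = internal.prefixlen // 16
        self.internal = words_of(internal.network_address)[: self.nwords]
        self.external = words_of(external.network_address)[: self.nwords]
        # Constant for the life of the configuration: internal minus external.
        self.adjustment = ones_add(ones_sum(self.internal), ones_neg(ones_sum(self.external)))

    def _map(self, addr, new_prefix, delta):
        words = words_of(addr)
        words[: self.nwords] = new_prefix
        # Apply the correction to the first host word that is not 0xFFFF:
        # 0xFFFF and 0x0000 are both zero in one's complement, so adjusting a
        # 0xFFFF word would make two different internal hosts collide.
        for i in range(self.nwords, 8):
            if words[i] != MASK16:
                break
        else:
            raise ValueError(f"{addr} cannot be translated (all host words are 0xFFFF)")
        adjusted = ones_add(words[i], delta)
        # Write negative zero as positive zero so the reverse direction does
        # not skip this word on the way back.
        words[i] = 0 if adjusted == MASK16 else adjusted
        return from_words(words)

    def outbound(self, addr):
        """Internal (ULA) source address -> external address seen by the Internet."""
        return self._map(addr, self.external, self.adjustment)

    def inbound(self, addr):
        """External destination address -> internal (ULA) address on the LAN."""
        return self._map(addr, self.internal, ones_neg(self.adjustment))


def checksum_neutral(a, b) -> bool:
    """True if both addresses contribute the same value to a pseudo-header checksum."""
    return ones_sum(words_of(a)) == ones_sum(words_of(b))


if __name__ == "__main__":
    # Constructed prefixes: a ULA /64 on the LAN and a documentation-range ISP /64.
    npt = NPTv6("fd12:3456:789a:1::/64", "2001:db8:abcd:42::/64")
    for host in ("fd12:3456:789a:1::10", "fd12:3456:789a:1:ffff::1"):
        outer = npt.outbound(host)
        print(f"{host} -> {outer} -> {npt.inbound(outer)}",
              "checksum-neutral" if checksum_neutral(host, outer) else "BROKEN")
```

Because the mapping is a pure function of the address, the router keeps no per-flow state and a second WAN prefix is just a second NPTv6 instance.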
You know, that's about the same conclusion I came to. I didn't think of the huge routing issue it would cause on the WAN, but the idea of having ULA on the LAN with stateless network prefix translation would probably be the best method I can see. Also, if you do ULA properly, then it should still be okay if you combine sites in the future so they won't clash. Stateless should be nice and light too to not be a drain on resources of the router. I think this is the way I'll go with it.
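Doing ULA "properly" so that two sites merged later do not clash means choosing the 40-bit Global ID pseudo-randomly the way RFC 4193 section 3.2.2 describes, rather than picking a memorable fd00::/48 by hand. This is an added example, not code from the video or any commenter; the MAC address and timestamp it hashes are constructed inputs.

```python
import hashlib
import ipaddress
import struct

NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 (NTP epoch) and 1970-01-01 (Unix)


def eui64_from_mac(mac: str) -> int:
    """Modified EUI-64 (RFC 4291 Appendix A): insert ff:fe and flip the U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = octets[:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big") ^ (1 << 57)  # bit 0x02 of the first octet


def ntp_timestamp(unix_time: float) -> int:
    """64-bit NTP timestamp: 32 bits of seconds since 1900, 32 bits of fraction."""
    seconds = int(unix_time) + NTP_EPOCH_OFFSET
    fraction = int((unix_time - int(unix_time)) * (1 << 32))
    return ((seconds & 0xFFFFFFFF) << 32) | (fraction & 0xFFFFFFFF)


def ula_global_id(eui64: int, unix_time: float) -> int:
    """RFC 4193 3.2.2: SHA-1 over (NTP time || EUI-64), keep the low 40 bits."""
    key = struct.pack(">QQ", ntp_timestamp(unix_time), eui64)
    digest = hashlib.sha1(key).digest()
    return int.from_bytes(digest[-5:], "big")


def ula_prefix(eui64: int, unix_time: float) -> ipaddress.IPv6Network:
    """Assemble fd00::/8 (fc00::/7 with the L bit set) + 40-bit Global ID into a /48."""
    global_id = ula_global_id(eui64, unix_time)
    prefix_int = (0xFD << 120) | (global_id << 80)
    return ipaddress.IPv6Network((prefix_int, 48))


def site_subnet(prefix: ipaddress.IPv6Network, subnet_id: int) -> ipaddress.IPv6Network:
    """Carve the 16-bit Subnet ID out of the /48 to get one /64 per LAN."""
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet id must fit in 16 bits")
    return ipaddress.IPv6Network((int(prefix.network_address) | (subnet_id << 64), 64))


if __name__ == "__main__":
    # Constructed inputs: a made-up router MAC and a fixed timestamp.
    eui = eui64_from_mac("00:11:22:33:44:55")
    site = ula_prefix(eui, 1700000000.0)
    print("site prefix:", site)
    for vlan in (1, 2, 0x10):
        print(f"  subnet {vlan:#06x}:", site_subnet(site, vlan))
```

The 40 random bits give roughly a 1-in-a-trillion chance that any two independently generated sites collide, which is what makes later mergers or VPNs between sites safe.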
NAT is dead! Long live NAT!
My ISP gives me a dynamic ipv6 prefix. I ended up getting an ASN and a /40 and announcing it via a vps on vultr. I then used a wireguard tunnel back to my own network.
I think you could have an IPv6 only network where all devices only have IPv6 ULA addresses, and access to the IPv4 internet is provided by something like NAT64 while access to the IPv6 internet is provided by some kind of NAT66, probably NPTv6. However, you can't easily run any kind of useful dual stack using IPv6 ULA addresses because, at least by default, everything uses IPv4 in preference to using IPv6 ULA addresses, so, at least for accessing the Internet, you might as well not bother with IPv6 at all.
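The reason a dual-stack host with only ULA and IPv4 "might as well not bother" is the default RFC 6724 policy table: fc00::/7 carries precedence 3 while IPv4-mapped destinations carry 35, so the precedence rule picks IPv4 every time, whereas a GUA destination (precedence 40) wins over IPv4. This added example, not code from the video or any commenter, reproduces only rules 1, 5 and 6 of RFC 6724's destination ordering with a simplified source selection; the addresses are documentation or constructed ones.

```python
import ipaddress

# RFC 6724 section 2.1 default policy table: (prefix, precedence, label).
DEFAULT_POLICY = [
    ("::1/128", 50, 0),
    ("::/0", 40, 1),
    ("::ffff:0:0/96", 35, 4),
    ("2002::/16", 30, 2),
    ("2001::/32", 5, 5),
    ("fc00::/7", 3, 13),
    ("::/96", 1, 3),
    ("fec0::/10", 1, 11),
    ("3ffe::/16", 1, 12),
]
POLICY = [(ipaddress.IPv6Network(p), prec, label) for p, prec, label in DEFAULT_POLICY]


def as_v6(addr: str) -> ipaddress.IPv6Address:
    """Represent IPv4 as IPv4-mapped IPv6 so one policy table covers both families."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ipaddress.IPv6Address("::ffff:" + str(ip))
    return ip


def lookup(addr: str):
    """Longest-prefix match in the policy table -> (precedence, label)."""
    ip = as_v6(addr)
    best = max((net for net, _, _ in POLICY if ip in net), key=lambda n: n.prefixlen)
    for net, prec, label in POLICY:
        if net == best:
            return prec, label


def pick_source(dest: str, sources):
    """Simplified source selection: same family, prefer a source with a matching label."""
    d = ipaddress.ip_address(dest)
    same_family = [s for s in sources if ipaddress.ip_address(s).version == d.version]
    if not same_family:
        return None
    _, dlabel = lookup(dest)
    for s in same_family:
        if lookup(s)[1] == dlabel:  # RFC 6724 source rule 6: prefer matching label
            return s
    return same_family[0]


def order_destinations(dests, sources):
    """Order candidate destinations as getaddrinfo() would under RFC 6724 rules 1, 5, 6."""
    def key(dest):
        src = pick_source(dest, sources)
        prec, dlabel = lookup(dest)
        usable = src is not None                             # rule 1: avoid unusable
        label_match = usable and lookup(src)[1] == dlabel    # rule 5: matching label
        return (usable, label_match, prec)                   # rule 6: higher precedence
    return sorted(dests, key=key, reverse=True)  # stable sort, so ties keep DNS order


if __name__ == "__main__":
    # Constructed scenario: a site that publishes both a ULA AAAA and an A record.
    dual_stack_site = ["fd12:3456:789a:2::80", "198.51.100.80"]
    ula_host = ["fd12:3456:789a:1::10", "192.0.2.10"]        # ULA + IPv4: IPv4 wins
    print("ULA+IPv4 host tries:", order_destinations(dual_stack_site, ula_host))
    gua_host = ["2001:db8:1::10", "192.0.2.10"]             # GUA + IPv4: IPv6 wins
    print("GUA+IPv4 host tries:", order_destinations(["2001:db8:2::80", "198.51.100.80"], gua_host))
```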
Genuinely, due to all that hassle for very little gain, and the fact that the IPv6 cheerleaders forget that not everyone wants end-to-end connections, IPv6 hasn't really taken off. Whether you like it or not, NAT nowadays does provide a certain level of extra security and privacy too.
So basically local NAT went from "we have to do it" to "it's a feature I rely on"
Pretty much. My father was an early player in the Internet and I remember my whole childhood hearing him raving over having the world eventually switch to IPv6. By the time I became an adult he accepted that NA ISPs are only going to change if forced to, preferring NAT... and in NA at least a lot of people of my generation grew up with IPv4 and NAT being "normal".
That’s pretty much how the IT wizards at BP told it to me. They wanted NAT translation because it’s a convenient and understandable gateway to get inside the corporate enterprise network.
I've noticed that some local new ISPs offer IPv6 and ISP-NATted IPv4; if you want public IPv4 you need to pay extra. So IPv4 exhaustion is starting to slowly strangle businesses.
@@finnderp9977 I assume that at some point in the future, people will be FORCED to move on to ipv6. They will desperately cling on to ipv4 for as long as possible though.
@@finnderp9977 CGNAT sucks ass if u ever wanna selfhost anything with limited ipv6 support.
Having to use a VPN for others to gain access to stuff on my own damn network feels dirty.
I worked with IP6 a little bit 20 years ago. Problem 1: equipment that can't handle it. Problem 2: those addresses are so damn long. Unless your address has lots of continuous zeros in it, it is very difficult to remember. Problem 3: they keep making changes. Once, they had a standard way to translate IP4 addresses to IP6. Problem 4: If NAT fails on IP4 then nothing gets in. If the firewall fails on IP6, all of your computers are now internet addressable.
Can't remember addresses? We have a solution for that: DNS
@@ukyoize DNS is neat, yet it's also another possible point of failure. Also, if something new joins your network, writing down its IPv6 address is a pain in the arse.
Just discovered your channel through this video popping up on my feed. Just beginning my career, about to finish uni. Interesting stuff, gives me an insight as to why IPV6 wasn't adopted earlier. They certainly push the "we're running out of time to switch" message in school.
IPv6 would allow people to easily self host services like photos in their homes instead of eternally paying a subscription or depending on external providers. I'd love to see it happening, but as time passes what I see is that providers like mine don't use them; instead they have their own big private networks and do NAT to give you public internet access. They charge me extra for a public IP (I mean public, not static).
No video cuts, no animation, no notes, yet so clearly explained!
Haha, you mean no planning, no effort... :D
You need to control your DNS. The IP stack is important but jumping up a layer and controlling your DNS, that's the key.
This is exactly what I was thinking. Devices can give their own hostname (in your control) and your router can return queries for hostname.local or hostname.lan. mDNS is also an option if your router won't do that.
I might set up my new home network this way as IPv4 is behind a double NAT (IPv4 is at a premium 😅 and it would add an extra 20% on my bill to get a static address) so I need to use IPv6 if I want any externally accessible services. I figure I can let cloudflare handle proxying so IPv4 clients can still access these services.
I still need to figure all the IPv6 intricacies out so I might be back here again to reference a video or two.
Internet routing would be impossible if everyone had a permanent portable ipv6 prefix. Route tables would have to be ridiculously large.
I think the biggest problem with your idea is that if people started doing that, the bgp table would become way too big for any normal router to handle. Even today, not all ISPs keep a full bgp routing table since it consumes more ram than their equipment could handle. Imagine if we were to keep track of every customer's subnets in one bgp routing table; that would get impossible to manage. This is what I think, but I might be wrong, it happens a lot.
Yeah, it would kill it... so it's dead.
You probably know that most addresses are assigned on a geographic basis, meaning that if everybody got an IPv6 prefix from their provider, BGP tables will be smaller?
@@NicoDeclerckBelgium Yes, that's how it's designed to work, keeps bgp tables manageable. But unfortunately the end user won't be able to move it to another isp.
@@swelarra But that's the same with IPv4.
@@NicoDeclerckBelgium Yes, same as with ipv4. In theory you could announce a single ipv4 address over BGP, but if people were to start propagating single hosts over the internet, routing tables would grow out of proportion and quickly become impossible to deal with. That's why there are policies about what prefix length you are allowed to announce over the internet.
While I love the idea of everyone gets their own /48, I think you're forgetting one of the biggest issues faced with ipv4, route table bloat. While an ipv4 entry only takes 12 bytes, an ipv6 entry takes 48 bytes, while that sounds small, this would be for every single user that wants their own subnet. Is that sustainable for even a moderate sized isp? pppingme
Mate, I remembered it was you as soon as I saw the nick, don't worry! I didn't know/think about the wan routing tables, as I'm not familiar with that side of networking. I have been educated :) Jump on my IRC
One of the big reasons IPv6 complicates having your own personal address block, is the same thing that makes it so easy to configure -- addresses very much reflect the network topology. As opposed to IPv4's massive routing tables and exceptions and such, it's just "All addresses with this prefix go here". Letting anyone and everyone have their own addresses complicates that; with 2^96 times as many addresses to route, routing tables would grow beyond all feasibility.
The preferred setup, as I heard it, is to DHCP basically everything, and update DNS to reflect what address a name refers to.
Over the past decade, I've added IPv6, HTTP/2, and TLSv1.3 support to network software I've worked on. If customers ask for it, companies will sell it to you. If not, it will remain on developers' laptops and never be released publicly. Don't be afraid to ask for better IPv6 support. If enough tickets roll in your use case will become supported.
I guess there is a reason BGP is not very open to the public. I can only imagine how routing tables would blow up if people were given private IPv6 ranges.
Yes BGP fixes this issue with IPv4. To solve this you (not the ISP) would need to own the /48 and some sort of enhanced/replacement for BGP would need to route traffic to you regardless of the current ISP. Of course doing lots of this would hurt the entire concept of subnets.
This is an EASY question to answer and it is the same reason the internet does not allow /32 IPv4 prefixes to be BGP routed across the internet. In short, the routers that actually route the internet could not physically handle the amount of routes you would be talking about in this massively deaggregated scenario. The current size of the IPv4 global table is just over 900K routes and the IPv6 global table is about 175K routes. You start allowing people to have their own /48 that they own and can take to whatever ISP they like, this will explode the size of the routing table by many orders of magnitude. I do not know of any commercial grade routers that could currently handle a fraction of this, and certainly 99% of the ISPs will not want to spend the money even if the hardware did exist. Maybe in another 20 years... we'll see!
For the home user at least in Germany if you set up everything out of the box you have everything dual stack automatically. There are some ISPs that apparently still don’t provide v6 for users with old contracts but at least with Deutsche Telekom you always have full v6 service.
That means most people are already using it maybe without even knowing.
I would say the main reason for slow adoption is that it is simply not needed in most cases. Most computers don't need a public IP and for those few that do, NAT is good enough.
I am no expert, but I did a couple of Cisco networking courses over the years and it was noticeable how the attitude towards ipv6 had changed over those years. First time it was all enthusiasm and everyone would get personal IPs because there were plenty to go round etc etc. Years later they were much more muted and basically came to the conclusion that there were just as many security issues under 6 as there were under 4, NAT was still a good idea for security, and people weren't going to get personal numbers except for the self configuration number which may possibly cause their own problems.
Then there is the issue of all the ipv6 traffic that seems not to be noticed by some security software, so you have unknown automatic activities occurring that you don't know are occurring if you normally concentrate on ipv4 still.
Throw in the long ipv6 numbers and the autoconfigure oddities, and it is perhaps not surprising that anyone apart from the big boys finds it easier to stick with ipv4. NAT means the address shortage isn't as acute as first stated.
It would perhaps have been more sensible to just double the bit length of the addresses rather than go mad.
You are doing IPv6 Prefix Delegation the wrong way. The idea is that your router manages an address pool that you can use to delegate smaller prefixes for your local networks from. I get my prefix via DHCPv6 from my ISP and my router will then announce different prefixes delegated from the pool to subnets on the LAN side. The important part is that your router will adapt a new prefix and distribute that when it changes.
Also, DynDNS has existed for years and I have been behind a dynamic IP address for years. The same applies to IPv6, just that instead of your router taking care of the DynDNS, now your individual clients have to take care of that.
On top of that, dnsmasq for example is a great solution to keep a dynamic DNS in your local network. It will detect changes in IP addresses and it will then distribute the new IPs with the DNS requests.
And if you set this up properly, you will never have to remember an IP address ever again and you will never have to set up static DNS for any machine.
Also, my internal IPv6 network also has a private prefix which makes for really handy and short IPv6 addresses like fd97::1
That's even easier to remember than IPv4, isn't it?
There's a difference between publicly routable, and publicly accessible. Firewalls still exist in IPv6.
The other thing that IPv6 has trouble with (or so it seems and I hope to god I am wrong)
There doesn't seem to be readily available a registration for world-wide IP addresses.
With IPv4 you could perform a "whois" and find out if a particular address was owned or part of a pool and who owned/ managed that range in question.
Especially when it comes to managing spam and hostile traffic. As an admin I want to be able to block specific ranges for a variety of reasons.
My question is, why are they delegating a whole 80 bits worth of /48 to an individual? Wouldn't it be smarter to delegate 24 bits at a time? (a whole /8 in ipv4.) I, as a home user, use 10/8 internally and could probably assign static addresses for every IP-capable thing I own, will own, or have *ever* owned and not run out in my lifetime. That's 16 million addresses for crying out loud.)
It reeks of the same thing that the initial classful IPv4 routing stank of: "There's plenty of room. Here, Ford, have 18/8. Sure, it's 1995 and you only sold 317,621 vehicles and you're making cheap and practically disposable disgusting sh*tboxes without any computers that few will want in 30 years time, but go ahead and have 1/255th of the address space. (Oh, and we're going to sit on 1/8th of the address space for "future use" that won't ever happen because of artificial scarcity.)"
If you want IPv6 to take off, lobby to have IPv6 delegations *decreased* in size and deprecate IPv4, telling all of those hogs sitting on their /8s that they can keep their addresses, but IPv4 is going away and "your reserved netblocks are turning into a tiny delegation of half of a 64 bit prefix, GL;HF. Congrats, your puny 16 million address netblock is practically valueless now that there's over 340 undectilion addresses available."
Does anyone else not like the idea of half the IPv6 address being the MAC address of the hardware? Seems like there could be some privacy concerns.
Using the MAC address isn't mandatory. There are different algorithms available. For ULAs it's usually practical. Not so much for GUA
RFC 4941, Privacy Extensions for IPv6 SLAAC, was published in 2007, and many OSes now default to using this, creating and regularly rotating randomly-assigned local host addresses, using these for outbound traffic while keeping the MAC-based (or manually-assigned pseudo-static) host address as an anchor for local LAN traffic. Multiple addresses on a single interface, to be used in different contexts, is a common and required feature of IPv6, and is also the recommended method of multihoming in the absence of provider-independent (PI) space.
That's optional. Usually, it's not configured that way.
@James_Knott It is on Windows and Linux... which current OS uses EUI-64 by default?
@NicoDeclerckBelgium I believe Linux did originally and possibly Windows.
To be honest, one of the major "features" of IP4 that still makes me stay with it is that using a private address range and NAT seals my network. I don't have to trust a firewall to block things I don't want; that's the default. Unless I manually add a port forward, nothing gets in that's not a reply to an outgoing request. I don't have to worry about the watering timer on my garden faucet being hackable. It "physically" cannot be reached from the outside, no matter how good or bad the config of my firewall is.
And that's with a network I---someone who knows how to configure a firewall reasonably well---am managing. The same goes doubly with 99% of consumers. I still remember the times of Windows 98, when people were dialling in with their PCs (so no router or firewall involved), and you couldn't even set up a new PC and download all the updates without it being loaded to the brim with malware in the meantime.
Directly routing incoming internet traffic to a device that wasn't built specifically for it is folly.
The IPv6 equivalent of rfc1918 is called Unique Local Addresses (ULA). NAT provides nothing for security that a properly configured firewall doesn't. Every firewall I've ever seen starts out with deny all. NAT is just a false sense of security.
@James_Knott NAT is not about security, it's about convenience.
It's impossible for someone "out there" to reach my gadgets on my intranet, so I don't need to care about this part.
Additionally, firewalls are also prone to failures and attacks (check Fortinet), so relying **only** on firewalls is the real false sense of security - Firewalls are software as anything else.
In my home I solved part of the problem on the switch level - mission critical devices that should not be exposed to the extranet are unreachable to subnetworks that are exposed and that's all. I still need to secure access on these devices, but I don't need to care about ruling who in my own house can access that port or not.
And this is only one example from my own intranet.
You cannot have what you want. It's the same reason why the Internet doesn't work on MAC addresses but on IP addresses. IP addresses are assigned to countries and then to ISPs. Having your own IP address means that addresses would have to be randomly distributed across the world. So Internet routers would have to remember each individual IP address - where to route traffic to that address. Switches do exactly that - they remember all MAC addresses assigned to a switch port. Customer switches can have memory for, let's say, a thousand MAC addresses.
Internet routers work completely differently. They work on address classes, not individual addresses. They do something like this - I have a packet to 130.133.x.x - oh, it's Germany - I should send it through my D port. It doesn't have to remember each individual IP address, it remembers whole address classes. It's the only technically possible solution.
Okay, let's just do it by country then, not worldwide... as you wouldn't be taking your physical location overseas. If I could get an Australian /48 with ease that would be more realistic.
1) You do know that you can do IPv6 NATting as well, if you really want to
2) That the network changes, or the prefix length, is not a problem if you let DHCPv6 handle IP address allocation in whatever range you use. This works really well in my home, and all the computers have domain names that resolve to those random addresses
Can you imagine how the routing table looks if every /48 is individually routed. It requires every home user to talk BGP4 and the ISPs can't do optimized routes as any /48 can have its own unique route. And you also need to find a way to properly secure that and keep route propagation fast. Don't think that'll take off...
Okay, you seem to have not understood one fundamental part of IPv6: Hosts don't have a single address anymore. It is totally normal for a host to have a dozen addresses at any time, like multiple SLAAC addresses for multiple networks it may be part of (one would be the one of your ISP, others can be private ULA, which you can pick yourself and never change), one or more managed DHCPv6 addresses, one or more hand-assigned addresses that are easy to remember (which can also be from your ISP or ULAs or both), a bunch of temporary addresses used to go on the Internet to prevent IP tracking (those change every half an hour or so, but the previous ones persist for a while and overlap with new ones, as long as they are still used and even beyond that to retrieve late replies), one link-local address per interface, several multicast addresses required by the IPv6 standard (e.g. to make ARP work) and maybe additional multicast addresses if they are part of multicast groups.
Your video makes it sound like those are either/or choices, but they aren't, those are "and, and, and, and even more" choices and it's quite common and normal in an IPv6 environment for any host to have that many addresses. Only one of these would be an address you use for public incoming services (and that would not be the address you use for outgoing connections, those would use temporary addresses; even a web server would use temporary addresses to download software updates, for example) and one of them would be the address you use internally to address your hosts within your LAN (that would be one that does not change, like a ULA address assigned by DHCPv6 or a hand-assigned one for a ULA announced by SLAAC).
But isn't the firewalling a nightmare then?
@Yggdrasil42 Not really, as most addresses are not intended for the outside world. Just as with IPv4, every IPv6 address consists of two parts, a network part and a host part. Unless the network part matches the public IPv6 prefix assigned to you by your ISP, your firewall can block it incoming and outgoing. This already eliminates the majority of addresses. Link-local addresses cannot be routed anyway beyond a physical network and ULA addresses are not supposed to ever leave your LAN (except for tunneling, e.g. via a VPN to another LAN). Temporary addresses (which are recognizable as such) are not supposed to ever be used for new incoming connections, so your firewall only needs to allow incoming traffic for temporary addresses it saw outgoing traffic for, which is the default behavior of any IPv6 SI (stateful inspection) firewall; SI pretty much works like NAT, except that it does not rewrite the address or any ports, but otherwise prevents traffic flow the same way NAT would have prevented it. I.e. unless you've ever sent a request from a temp address to host X in the past, no traffic from host X to this temp address can pass through an SI firewall. Unless you want to run servers from behind the firewall, you can block access to all other non-temp addresses using your public prefix and that's it. Only if you plan to have servers accessible from the Internet do you need to poke explicit holes into the firewall for these servers, and you would certainly not poke holes for the addresses based on the interface MAC address (also recognizable as such), as a MAC address can change at any time, e.g. when you replace the server or just replace its network adapter (or switch from one network adapter to another). Interface-based addresses, despite using the public prefix, are also just intended for internal use within your local network.
You would poke holes for server addresses you either assign by hand, if you want to manage addresses on the servers themselves, or have assigned by a DHCPv6 server, if you want to manage addresses via a central address server. That's the primary reason why DHCP even exists for IPv6, as for pure client hosts SLAAC is totally sufficient, since with SLAAC they can create their public temp addresses and that's all they need to get onto the Internet as clients. For LAN to LAN client communication, you use link-local addresses or ULA addresses and preferably service discovery over manually assigned addresses (no need to remember IP addresses at all), same for LAN to LAN client-server communication (your LAN file server or printer). Last but not least, public multicast must be managed by the firewall anyway, you cannot manage that by hand and this is semi to full automatic.
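As an added illustration of the address sorting the comment above describes (my own example, not code from the commenter or the video), here is a small Python audit that puts each address of a host into its scope, recovers the MAC from an EUI-64 based address when one is present, and applies the WAN-side inbound policy described: drop anything outside the delegated prefix or built from a MAC, accept only explicitly published server addresses, and leave the rest to stateful inspection. The delegated prefix (the documentation prefix 2001:db8:abcd::/48), the server address and the sample host addresses are constructed values; the function names are mine.

```python
import ipaddress

# Constructed example values (not from the thread): the documentation prefix
# 2001:db8:abcd::/48 stands in for the /48 an ISP delegates, and the server
# address is what a hand-assigned (or DHCPv6-managed) host would get.
PUBLIC_PREFIX = ipaddress.IPv6Network("2001:db8:abcd::/48")
SERVER_ADDRS = {ipaddress.IPv6Address("2001:db8:abcd:1::443")}

ULA = ipaddress.IPv6Network("fc00::/7")          # Unique Local Addresses (RFC 4193)
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")


def classify(addr_str):
    """Name the scope of an IPv6 address: multicast, link-local, ula, gua or other."""
    a = ipaddress.IPv6Address(addr_str)
    if a.is_multicast:
        return "multicast"
    if a.is_link_local:
        return "link-local"
    if a in ULA:
        return "ula"
    if a in GLOBAL_UNICAST:
        return "gua"
    return "other"


def eui64_mac(addr_str):
    """Return the MAC a modified-EUI-64 interface identifier was built from, else None.

    SLAAC without privacy extensions inserts ff:fe into the middle of the MAC and
    flips the universal/local bit, so the 48-bit hardware address is recoverable
    from the address itself; privacy (RFC 4941) addresses carry no such marker.
    """
    iid = ipaddress.IPv6Address(addr_str).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(iid[0:3] + iid[5:8])
    mac[0] ^= 0x02  # undo the U/L bit flip
    return ":".join(f"{b:02x}" for b in mac)


def inbound_verdict(dst_str, public_prefix=PUBLIC_PREFIX, server_addrs=SERVER_ADDRS):
    """Decide what an SI firewall on the WAN side should do with a packet to dst.

    drop     - scope can never legitimately arrive from the WAN (link-local, ULA,
               multicast, anything outside the delegated prefix), or the target is
               an EUI-64 address meant for internal use only
    accept   - an explicitly published server address (the only hole you poke)
    stateful - everything else in the prefix: allowed only as a reply to a flow
               the firewall already saw going out (this is where temporary
               addresses land; they are not structurally distinguishable)
    """
    dst = ipaddress.IPv6Address(dst_str)
    if dst not in public_prefix:
        return "drop"
    if dst in server_addrs:
        return "accept"
    if eui64_mac(dst_str) is not None:
        return "drop"
    return "stateful"


def audit(addr_strs, public_prefix=PUBLIC_PREFIX, server_addrs=SERVER_ADDRS):
    """Summarise a host's address list the way the comment walks through it."""
    return [
        {
            "address": s,
            "scope": classify(s),
            "mac_leak": eui64_mac(s),
            "inbound": inbound_verdict(s, public_prefix, server_addrs),
        }
        for s in addr_strs
    ]


if __name__ == "__main__":
    # Constructed address list for one host on the LAN.
    sample = [
        "fe80::21b:21ff:fe12:3456",            # link-local, EUI-64 from 00:1b:21:12:34:56
        "fd97::1",                             # ULA, hand assigned
        "2001:db8:abcd:1:21b:21ff:fe12:3456",  # SLAAC, EUI-64 based, internal use only
        "2001:db8:abcd:1:5d3e:9a2c:1f0b:7e41", # temporary (privacy) address
        "2001:db8:abcd:1::443",                # published server address
        "ff02::1",                             # all-nodes multicast
    ]
    for row in audit(sample):
        print(row)
```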
15 years ago I was excited about IPv6. Finally I would be able to get permanent, global addresses for all of my systems. Then I discovered what you talk about here, that the gate keeping on the IPv6 addresses is just as bad, if not worse, than IPv4. I haven't bothered with IPv6 since.
Fair call
I disabled IPv6 years ago on my network, in my router. I was noticing laggy behavior with my win 10 machines. I started monitoring a bit with Wireshark and noticed a whole lot of IPv6 traffic, and a lot of it going to Microsoft..
After turning off IPv6 on my machines and the router my networking performance increased quite a bit. To the best of my knowledge I haven't noticed any problems as a result.
I don't have an issue with NATing.
My ISP does traffic shaping so the upload speeds are pitiful by comparison. Of course this is going to work best for customers that do a lot of streaming. When calling my provider they suggested that I pay for a commercial account if I want faster upload speeds which costs 3 times as much per month than the standard home user account that I am using. I came up with some other solution which put my servers external to my network at a fraction of the cost.
WHAT??? Your Windows 10 machines are probably misconfigured. Mine work fine, even when migrating from dual stack (v4 AND v6 network) to v4 only network or back.
Small customers owning their /48 would cause the routing tables to grow way too big. About 10 years ago we had issues with edge routers (the ones which need the routing table for the whole internet), the global routing table grew and a bunch of the old edge routers didn't have enough RAM to handle the size. With millions of small customers owning their /48, you would also start running into issues where the edge routers would get slower at looking up the addresses. NAT66 looks to me like the best compromise, especially because it's stateless and any arm/riscv home box should be able to NAT a gigabit link. BTW I also still haven't given ipv6 a proper try, because none of my ISPs over the years supported it.
That was why I hadn't tried it either until I got an ISP that actually had it. I guess this whole thing should start there.
IPV6 is like fusion, it will be here in 10 years, every 10 years. I remember being told in 1996 that by 2000 everyone will need to be on IPV6. Well you can see how well that went.
Another issue is broadcasting your own IPV6. Lots of carriers will let you take a slice from one of their blocks, but that forces you to stay with them or renumber everything. Oh you want us to broadcast your block? I don't know if that is allowed. Note: this last thing was from a few years ago, I don't know if the carriers have gotten any better.
It's already here. Over 50% of internet traffic is IPv6.
@thewhitefalcon8539 True for public networks, I'd be interested to see the enterprise network adoption
Spot on.
Actually, even though the ISP for my company 'offers' IPv6, their issue is their techs don't understand it, and when they deploy it, they're giving it to you in the same way they do IPv4 addresses, and expect you to NAT v6. They don't understand how to do prefix delegation etc, it's awful. So ISP support is still a huge issue.
If your ISP has technicians troubleshooting business connections, and they don't have at least a CCNA or NSE4 (depending on which tech they work with), you need to start looking at another ISP. I say this as an "entry-level" technician working for an ISP. A lot of the blokes I work with have knowledge and skills beyond their pay level.
1) Static addresses & routing normally only available for business products/services. A domain name can be paid for but normally just 1 IP address. DynamicDNS or similar service hosted by another company. QNAP have a way your local NAS tells QNAP DNS service your device IP to route & make your DNS publicly accessible (needs password).
2) NAT is a part of firewall security to protect your local systems from random remote access & probing.
3) Home automation & IoT love IPv6 & having your many local devices reachable from internet so you can access automation when you're not at home.
4) IPv4 to IPv6 may eventually become the longest tech transition in history.
NAT is NOT security in any way shape or form. Obscurity is not security.
Also, just because something has a globally routable address, it does not mean it is accessible from the Internet - you should still be running a stateful firewall that blocks inbound traffic by default.
I've been working with ipv6 for several years now.
And I still consider it harder than IPv4.
Not because of the addresses but because the software and stacks around IPv6 just aren't as well tested. So I keep running into issues that were already fixed for IPv4 decades ago, or weird problems caused by weird IPv6 mechanisms, such as DAD (duplicate address discovery).
Also, the way certain solutions implement it, e.g., 1 device that provided internet access only allowed dns over the link local, which meant we couldn't simply route dns requests.
In my case, IPV6 hasn't taken off because no one has been able to answer me this one simple question:
Why, given everything we know about how insecure most devices are, would I even want each and every device directly routed and/or exposed to the outside world in the first place?
You don't. Just learn to set things up properly.
Hello, I am a Cisco guy. What you do is set up dynamic NAT without overloading (using PAT) on your public router IP. This way when your PC on the inside requests an address it grabs an available public IP from a pool and uses it, another host grabs another one out of the dynamic pool, etc. This is handy when you have an application that doesn't like having its ports translated, or when you have a bunch of hosts that want to build, say, an L2TP to the same VPN IP. Without translating ports you will want to do stateful inspection on incoming traffic, because you lose the "Firewall" that overloaded NAT naturally creates. This way when your ISP changes your range, you just build a new pool of addresses. The nightmare that it would create in the BGP backbone routers on the Internet would make it HIGHLY unlikely that you are going to get your own range and move it between ISPs
That's actually what I'm doing, and will be the subject of my next video.
DNSv6 is what you need to set up. DNS was made so that IP addresses can change without affecting accessibility. if you own a domain name (or use a dynamicDNS service), you can have it tie to a IPv6 address and then have the router handle checking it is up to date and updating it if needed.
I have no arguments, only a suggestion: write your congressman! If we could get a bill passed in congress related to the assignment/ownership/routing of IPv6 address space to home users via ISPs, it could make a swift and dramatic difference.
As somewhat of a techy I have always been curious about IPv6, but like you said, it's scary at first jumping into something you aren't familiar with especially when it comes to configuring your network and you need to understand how it works and be confident in it. The whole address structure of ipv4 is very simple to remember off the top of your head when you are working in the field. Great video and appreciate you sharing your experience!
One question I had was how exactly does security come into play here though. If devices communicate directly, isn't that by nature attempting to cut out the middleware (router, firewall, etc)? I would assume this would put regular users at even more risk because now their device (printer, IoT, laptops, tv's, phones, etc) are now directly exposed to the internet. Unless the router will always need to exist simply for the wifi/hardwired connections? But ISP's seem to like to rent their modem/routers or just completely lock you out of them anyways so you are left up to whatever they issue. It would also mean that you would have to somehow force each device to register a new ip if you wanted to rotate them for some reason (like repeated attacks)... the nightmare that comes to mind when dealing with IoT devices...
The end to end that I talk about is the direct routability from host to host without nat. There would still need to be a firewall in there for security, just like with IPv4. That doesn't change. In fact, it's the same rule on my nftables that applies to both address families. It says don't let anything in from the wan interface, unless it's my return traffic. Simple.
The main reason that you can't have your own prefix in IPv6 is because it's designed to be hierarchical when assigning prefixes in order to keep routing tables small. IPv4 routing tables are a mess because of the way they've been assigned and traded over the years, and IPv6 is supposed to simplify the routing tables otherwise the routers will just run slower and huge chunks will be unreachable as the routing table size exceeds the maximum RAM capacity of the router. So the prefix system allows the IP addresses to be tiered with the large providers having a huge chunk and carving it out to their customers - perhaps the big guys get /96 (32 bits) then give the huge customers /64s out of that, and that may be subdivided into /48 or /32 for their customers and so on. Key point being that the first few prefix bits tells you which network to route to and that network can look at the next set of prefix bits to determine the customer and so on. If you could get a random /32 then the whole scheme breaks down as now everyone needs a special rule that your traffic now goes to this other network, i.e., now you added a line to everyone's routing table.
I've used dual stack IPv4 and IPv6 for a couple of years. I use *Dynamic* *DNS* , so I do not care if my ISP IP changes. Moreover, I totally do not care about IPs as I use *fully* *qualified* *domain* *names* for everything that I need to access remotely. You will never be able to keep your IP number like you keep your phone number. The reason is how routing works. It is not a bug, it is a feature. As a bonus for using FQDN, you get encryption with the use of certificates.
So, imagine you're an IT person. And a random user comes to you saying they want their own IP, because they want to host a server. As an IT person, you'd say - no, static IPs are for us, you get dynamic IP. If you want to host a server, you can just point users to your computername, don't worry about the IP address.
very good to hear this; (dev ops engineer w/ home lab here)
Well this is why we can't have nice things. ISPs treat static IPv4 addresses as a lever for "business pricing". If they played fair with IPv6, they would lose that cash cow. So they will not.
Exactly.
Yep, sounds about right
My ISP (a cable company) absolutely refuses to issue an IPV6 address to the WAN side of *their* router. Their configuration, although I can change it, which doesn't break anything but doesn't help either.
My girlfriend has deprecated DSL service from the telephone company. IPV6 works perfectly right through to any device on her home wifi that supports IPV6. Once again, their router, their configuration.
You need a PI (provider independent) prefix, which is to be requested via a registrar. That's what we use at work (in IPv4), also time to play with AS (autonomous system number).
It isn't too scalable for routers though, so larger ISP prefixes were pushed to keep route tables manageable.
There is a reason for not giving everyone an ISP-independent static IP. If you own an IP address and you move country or ISP, the route to you changes. This means the routers need more special rules, thus slowing the entire routing system down (though probably not much), because you can't just have a rule that everything with 130.160.0.0/16 goes to ISP X.
So while I'd like this I think it does have some negative benefits in how the entire network works.
I think it’s mostly routing table size that is preventing the registries like RIPE NCC assigning a /48 to home users directly. I’ll ask some of my contacts there if they ever thought about it.
The major reason why IPv6 is not in use is its "feature" of allowing any home/small office device direct access from the internet. Which is a fundamental security issue. The approach where the FTTH modem/router has IPv6 outside but IPv4 inside is more secure.
Or private ipv6 inside. But yes, in a small private network ipv4 is simpler, more than enough. To the outside world ipv6
Anyone who makes that claim doesn't know how to set up a firewall.
You mention a desire to get rid of NAT so that you can have end to end communication. Why? I see NAT as not only a "workaround" for the IPV4 address space deficiency, but also a useful way to centralize control and help protect devices in your network.
When I was first learning about IPv4 and NAT and then IPv6 global addresses it seemed like NAT offered an additional layer of obscurity from the WAN side that to me at least offers a little more security for local clients
" useful way to centralize control and help protect devices in your network."
you can just use a stateful firewall, no NAT needed.
@autohmae You can, but that doesn't answer the question.
@ceb1970 people want to allow end2end traffic? Because that's how the Internet was intended. It's a peer2peer system. If you've ever made a program or standard like Skype, Teams, WebRTC standard, etc. you'd be amazed how much extra work is needed to make these things work with NAT.
@autohmae "Because that's how it was intended" isn't really a reason if we've already figured out workarounds. As a network programmer (among other things) I'm aware of the difficulties in traversing NAT, and in fact the clever ways people have found to traverse carrier-grade NAT (which I despise) on top of regular NAT impresses me to no end.
I'm not saying there are no reasons to seek direct end to end connections, by the way. There certainly are a host (😁) of reasons to do so. But those reasons almost never apply to home users, even the technically sophisticated ones. But I'm open to hearing a use case that would make it worth switching to IPv6, or even just paying your ISP for a block of public IPv4 IPs (which I have done in the past, but ultimately found it to not be worth the cost).
I've been doing this a long (long, long) time and I honestly once hated NAT (not just carrier-grade NAT). But now that we've standardized ways to work around it I'm actually pretty comfortable with it and even appreciate its benefits.
So few home users need or want to bring their own IPs (IP4 or IP6), it's much easier for ISPs to just say no to such requests instead of investing a lot of money into educating their staff and implementing new protocols. Also, for home users NAT via a router is a godsend in terms of security.
What you're talking about (in regards to an IPv6 allocation you can move around) already exists for IPv4. It's called Provider Independent (PI). But this really isn't the problem I think. The problem is that right now most providers (even dedicated server providers) will happily "sell" you fixed IP allocations, in block or single IP form for IPv4. But for IPv6 they will not do this. In reality there's no reason they can't, at least within their geographic region let you take your IPv6 address between services in the same way they offer for IPv4. They just give an option for IPv6 yes/no. And they will bung you an allocation. This, I think is because it's still seen as experimental, when it really is a fully functioning technology.
I had this happen to me just the other day. A server provider informed me that some feature of a virtual machine I was running was no longer supported and I needed to create a new one and copy my data over. Now, this VM is a secondary DNS for me. So what's to do, install the service and copy over all the config/DNSSEC keys etc. Move the IP to the new VM and all good. But, then I see the IPv6 block is now different, with no way to get the original one back. So, now I need to go to EVERY domain I host, and change glue records and the DNS zones to point the ns2 records to the new IPv6 address. Not fun at all.
In regards to going full ipv4 or ipv6. I don't think there's any reason to do that. I've had IPv6 on my home network for probably around 12 years (via tunnel for the first half of that). All the time I've run dual stack, and frankly until they turn off IPv4 (if that ever happens) that will be the only sensible way to go I believe. In the last 5 years or so, ipv6 adoption has increased greatly. Big social media (facebook, google, youtube etc) work via ipv6, in fact I can tell you this video was served over IPv6 to me. Most good hosting providers support it.
Dual stack isn't a bad thing. It should of course be configured to use IPv6 first over IPv4. In which case you'll be using it everywhere you can use it. I am confused why we've not moved to ipv6 fully by now. Pretty much all kit out there supports it including basic level consumer kit, ISPs could easily move to it, many of the good ones have done some time ago and certainly if you run a service on the internet your provider almost certainly offers IPv6 to your VM or bare metal server. Everything is in place right now. But for some reason most people are still dragging their feet.
are you kidding me right now? ipv6 is impossible to remember, concatenates an arbitrary number of characters with 4 colons, has incomprehensible number groups and subnets, lacks fundamental support from most even modern hardware and drivers, and is generally just a drag to deal with. What really should have happened is that we should have moved from 4 octets to 8 octets and kept the familiar numbering system with now enormous subnets, giving legacy ips the subnet mask of 255.255.255.255.0.0.0.0 so the entire internet worked while everyone upgraded, but Noooooooo, that would be too easy
Humanity in a nutshell.
Exactly. It would have needed only a packet header extension and a few simplifications. Hardware would have needed to implement only the lower 8 of the newly added bits to be future proof for 40 more years, reserving the rest for later.
Sad / frustrating /disappointing that this didn't happen. Ease of use was considered last.
You don't need to remember ips.
As if you don't remember phone numbers today.
Exactly. They should junk the whole stupid system and start over.
I haven't looked into v6 because I tend to go along with whatever the network security people suggest. 🧐 I appreciate the video for throwing some light on the topic.
Cheers. I didn't expect this, but at least it's got people talking.
Here in Philadelphia, Verizon (the fiber to premises ISP) finally got IPv6 working, and now I can connect to my linux server in a German datacenter via IPv6!
While the push for NAT was driven by a lack of IPs, its greatest strengths were security and local addressing/portability. NAT is not needed for IPv6 (for security) with a good router/firewall. But for localized portability something like NPTv6 makes sense. You are a network engineer (as I have been). You are okay with bad actors knowing your IP block no matter which ISP you switch to. But for your everyday person, I'm still not convinced "having your own /48" is a good idea. Anonymity is gold. I'd almost go the other way: it would be good if the ISP changed your /48 every day to help kill the tracking systems. But for non-regular users I agree with you. In fact, I want to dual-home my network with a /48; if I could somehow talk a second fiber ISP into connecting to my house.
If you were in NYC Stealth would do that
The real answer, DDoS mitigation and monitoring tools haven't caught up yet. They are only just recently starting to implement IPv6 and are not yet feature parity with IPv4.
It has nothing to do with the end-user experience. IPv6 is much better than IPv4 since it resolves the NAT issue, you think ISPs want to use CGNAT?
I went through something a bit like this almost 30 years ago.
The basic problem with IPv4 was lack of addresses. So they came up with IPv6 ~ huge address space. But while that was getting sorted, some sort of quick dirty fix (a hack) was required, and that became NAT. Now NAT does break a couple of your fundamental network paradigms, but it's not all negative. It largely solves the limited address problem and it opens up a complete can of worms with other kinds of network tricks. It mostly makes IPv6 completely unnecessary. If you went pure IPv6 then loads of things would stop working. But if you simply stopped IPv6 and went back to pure 4 ~ a few things would go a bit wonky for a week or so, but then they'd go back to old-school and everything would work again.
So this brings me back to today ~ when as a home user I have a dual stack because that's the default, (Linux Mint as host) but mostly the IPv6 doesn't do anything ~ except complicate the picture. As far as I can see, pretty much everything is running through IPv4 + NAT anyway. That's where we were at when I started learning this stuff in '95 ~ '96 and that's where we're at still.
IPv6 fixes one problem, but NAT fixes several. It's a quick dirty hack, but it has become a wonderfully useful and versatile hack, it does a number of things simple pure IPv6 doesn't. The quick & dirty hack, is actually a far better and more versatile solution than the proper one.
As a Linux-head ~ I find something very oddly appealing about that.
I'm waiting for IPv7 (or 8 or whatever) which offers the advantages of NAT plus a larger address space.
why don't u use a domain registrar that allows u to directly update the dns records via an API? I use one and it allows me to directly update any ipv4 or ipv6 records dynamically (like how dyndns works), so i only have to set up a simple script on those devices and even when i would get a totally different ipv6 block, my subdomains will automatically get updated too, having the ipv6 addresses reconnected. My DNS provider also supports low-TTL updates, which means after i propagate the update it takes less than a few seconds to be active and reachable from the whole world (no need to wait before the other side of the world has the new info)
Hi! Have you considered using both? Private addresses for internal use, memorable addresses that never change, and use SLAAC at the same time to provide publicly routable addresses for when you need to go out onto the internet? You can use the auto-assigned addresses, private and public ranges at the same time with no worries. This way there's no NAT or one-to-one funky translations.
It simply is impractical. Reading firewall entries, reading logs - SEARCHING logs. Imagine you have to change your search depending on whether the log uses shortened or non-shortened ways to log IPs.
how many times you have to manually read a routing table to find an error, close to impossible on ipv6 if the table is large enough
My employer does not currently have IPv6 deployed in the network, but we own a public address block (/42?). It is registered to my employer, at ARIN. Just as the /24 IPv4 address space we own is registered with ARIN. It is ours, and whichever ISPs we choose for service, we would announce our networks using BGP. Or, we could simply point our default to the ISP, and they would point a static route to our public IP blocks and redistribute into BGP.
What you are addressing in this video is the situation where you are 'leased' an IPv6 block (/48) from your ISP. This is a /48 out of a much larger space that your ISP has been allocated. It isn't portable, so you can't own it and take it to any other ISP. IPv6 address blocks allocated via DHCPv6 also have the mechanism to request the same prefix each time the DHCPv6 allocation expires, if only all ISPs would honor this!
I really think the big challenge with IPv6 is that we approach it with the same mindset that has been used for decades with IPv4. RFC1918 addresses on the LAN, NAT to a single public IP address, implied security because of Stateful NAT, etc. Even in larger (enterprise) IPv4 networks where the organization has a public assigned address block, and has a mix of Static NAT to present public facing services as well as dynamic NAT/PAT for outbound connections initiated by internal users and systems.
For IPv6 use in small environments (home, or SMB), if you lease an IPv6 address block from your ISP, you need to be able to accommodate the potential for prefix allocation changes, incorporating DNS and SLAAC. For larger networks, request an address block from ARIN (or whoever your Regional authority is), and then you will have that permanent address block.
Deja vu all over again: in the early days of the Internet we used RIP, and RIP needed a table of all routes; as we added addresses the table got too big and IBM had to build special RS/6000s to hold the routing tables. OSPF and BGP were written to handle this. It shrank the routing tables.
So in IPv6 you can do what you want, and the IPv6 version of BGP needs to know how to route to your /48 and provide that into the consolidated routing tables for routing packets over the backbone. Adding a large number of random /48s makes that table huge. The ISPs have a single larger block, keeping this table smaller and more manageable.
Thus they charge for reserved blocks of addressing space to limit this to only those entities willing to pay for the routing table entries. (Using routing table loosely here of course).
Yes, I've certainly learned about the route tables in BGP, as I don't really touch WAN stuff, but many have pointed that out, which is fair. Now it just implies that the design could never have had everyone with their own lifetime address easily.
@TallPaulTech IPv6 was never designed for everyone to have permanent /48s; it was always intended to be region based, be that region an ISP or a multinational company, or whatever. That a private space within it, without use of NAT on the gateway, was allowed, I'm sure it caused a lot of consternation on how it would be implemented if it got large.
Seems the dhcp service should pick up the current prefix and dish out assignments based on that, then retire the old prefix? And ya, update dns accordingly 😞
Funny thing with NAT is I don't see why an IPv6 router with a firewall which offers even better protection than NAT wouldn't be a bad thing. Like literally just have a rule to drop incoming non-established connections. Or even IPv6, a firewall, and NAT.
I've been running IPv6 on my home network for over 13 years, the first 6 with a 6in4 tunnel, but now with native IPv6 from my ISP.
Android devices don't work with DHCPv6, thanks to some genius at Google.
Re your changing prefix, that's why you use a DNS server. Hopefully your ISP will provide a consistent prefix. I've had the same prefix for years and it's survived replacing, at different times, my modem and the computer I run my firewall on (pfSense). If you want a prefix that's forever yours, arrange for your own prefix, independent of the ISP and have it routed to you, as businesses do.
BTW, your IPv4 address is likely not permanent. With my ISP, mine is, so long as I don't change my modem or firewall hardware. Many others aren't even that lucky, with their address changing anyway. Also, with my ISP, the host name they provide is based on the firewall and modem MAC addresses and again doesn't change as long as I don't change hardware.
Do NOT use NAT. It's a curse from the network gods and should only be used to get around the IPv4 address shortage. There's no need for it with IPv6.
With SLAAC, you have one consistent address and up to 7 privacy addresses. Use the consistent address for DNS and the privacy addresses are normally used for outgoing connections.
The IPv6 equivalent of RFC1918 is called "Unique Local Addresses" (ULA), where you pick a prefix that starts with fd:. You can use ULA for your local devices, so that even if your public prefix changes, you still have the same addresses on your LAN, just like RFC1918.
On IPv6, the LAN subnet size is always /64.
Run dual stack, as I do, so that both IPv4 & IPv6 are available. Normally, IPv6 is preferred, but IPv4 is still available.
I often help people with IPv6 on the pfSense forum. One thing I've noticed is many problems are self inflicted because people are stuck in the IPv4 way of doing things. You seem to be in that category. You also seem to be dreaming up problems on your own. Yes, if you had a business, you could get your own prefix, but you would be paying a lot more for it. Use DNS. That way, should your prefix change, you update the server. Problem solved.
A bit about me. I come from a telecom background. I first learned about IPv4 in early 1995, when I took a class through a local college. As I was sitting in the class, I was thinking 32 bits was not enough. Shortly after, I read about IPv6 in the April 1995 issue of Byte magazine and realized that was the way to go and I've been advocating for it ever since. I also got my Cisco CCNA several years ago, and IPv6 was part of the subject matter. As I mentioned, I run pfSense for my firewall/router and have multiple subnets. I also have ULA enabled, though I don't really have a need for it, with my persistent prefix. Regardless it works. Also, with the modems my ISP provides, when in gateway mode, ULA is also provided, in addition to the public prefix.
For me it comes down to one point. I can remember an IPv4 address. I can't an IPv6. So when dealing with my network of 10+ personal computers and several servers I don't want to have to resort to a "cheat sheet".
When I get my new routing device I'll be setting it up with dhcp server for ipv6. I'll show how an address can be as simple as fd::1, fd::2, etc.
IP addresses are for routing. The idea that every major network in the world needs to know your IP prefix so it can route to your ISP is just silly. That is what DNS is for.
The 6-to-4 issue is the real problem. IPv6 is not complicated, but hybrid IPv6 and IPv4 kind of is. If we get to the point where the normal user doesn't need that, we're getting somewhere.
Don't know if that will ever happen
Can't even get native IPv4 at home anymore around here; the providers simply don't have enough of them.
I need to share my IPv4 with other customers and the provider uses some kind of IPv4 over IPv6 tunnel for the communication with IPv4-only servers.
If I need native IPv4, I need to sign an expensive business contract with the provider.
It somehow works, but routing anything from the outside into my home network is a pain.
Watching this the second time, I got to thinking the problem is software/systems designed with IPv4 expectations, so really if you design every system to expect your specific nodes can change address, it would not be required that we own our own bank of addresses or try to make the addresses never change.
As far as the question "Why use IPv6?" is concerned, here are some answers which apply to my personal situation: a) Configuring routing for virtual machines and Docker containers becomes easier. b) My ISP supports native IPv6. c) My preferred hosting provider charges for every single IPv4 address since the pool was exhausted, and IPv4 subnets have become prohibitively expensive, while every machine is assigned as many free-of-charge IPv6 /64 subnets as desired. I use some servers which don't have an IPv4 address anymore.
Fixed public IPs (prefix portion, not the subnet portion) shouldn't be assigned by networking providers; they should be independently allocated, similar to domain names, so they can be transferred between vendors. It's one more major flaw in the standard.
Very interesting (as usual). My understanding is that, aside from address space exhaustion, one of the problems the IPv6 working group was trying to solve was "huge" routing tables in the core backbone routers. That had arisen because of historical "classful" routing and the lack of any serious discipline, at least early on, to allocate IPv4 in a strict hierarchical fashion. IPv6 follows strict guidelines allocating blocks to regional NICs, then sub-blocks to countries, then smaller blocks to ISPs. I've always felt that, while the strict hierarchical nature of IPv6 is good for keeping routing tables manageable, it also enables more accurate geo-location and that's probably a good reason for sticking with IPv4.
Second, I've been told that in some places in the world (Germany), ISPs rotate prefixes every 24 hours. ISPs claim to be protecting home users who expose routable addresses, but my guess is it's the old "if you want a permanent address you have to pay for a business connection".
Seems to me the solution to this is enhanced DDNS where any prefix changes are communicated with your DDNS provider.
Germany's Telekom gives you a new prefix whenever you create a new PPPoE session (if you don't have a fixed IP contract). They haven't actively terminated sessions for quite a few years now. With a somewhat smart router it isn't that big a deal. My local DNS server updates its configuration automatically whenever it sees a prefix change and then updates the public DNS zones for those machines that are externally visible.
Geo-location works extremely well for most ISPs because they already do assign addresses geographically anyway. This applies to IPv4 just as well.
The main reason that IPv4 is so fragmented: inability to grow. If you hand out too much space to a given company, resources are wasted (like in the old days, where one university got 1/256 of all IP addresses). On the other hand, if you give them too little, you end up with either two routes to the same physical target or have to renumber stuff. Given that IPv4 addresses used to be hard-coded everywhere (because why depend on DNS), that's a major PITA. Now make an educated guess how many "serious" internet using companies have a constant demand and you will see how the fragmentation happened.
IPv6 combats that on two levels: motivate people to not hard-code numbers everywhere and make it easy to have reasonable allocations with enough room to grow. Take a university for example. It's quite a bit easier to estimate the number of networks you will need than the number of networked machines. The former reflects organizational structures and we have a lot more understanding about their development. Once you have the number of networks, round up to the next power of 16 and subtract that number from 64, and you have your baseline for what prefix you need.
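As an added example (not code from any commenter in this thread), here is a small Python planner for the ULA scheme described earlier (pick a prefix in fd00::/8, one /64 per LAN) together with the "count your networks, then derive the prefix length" sizing from the comment above, done on powers of two. The EUI-64 and timestamp fed to the Global ID generator are constructed sample values.

```python
"""Added example: planning ULA addressing per RFC 4193 for a home/SMB network.
The EUI-64 and NTP timestamp used below are constructed sample inputs."""
import hashlib
import ipaddress

# Locally assigned ULA space: fc00::/7 with the L bit set, i.e. fd00::/8
ULA_SPACE = ipaddress.IPv6Network("fd00::/8")


def ula_global_id(eui64: bytes, ntp_time: int) -> int:
    """40-bit Global ID as in RFC 4193 section 3.2.2: the low 40 bits of
    SHA-1(64-bit NTP timestamp || EUI-64). The randomness is the point: two
    sites that are merged later are very unlikely to collide."""
    if len(eui64) != 8:
        raise ValueError("EUI-64 must be exactly 8 bytes")
    digest = hashlib.sha1(ntp_time.to_bytes(8, "big") + eui64).digest()
    return int.from_bytes(digest[-5:], "big")


def ula_prefix(global_id: int) -> ipaddress.IPv6Network:
    """fdxx:xxxx:xxxx::/48 = 0xfd | 40-bit Global ID | 16-bit subnet ID | 64-bit IID."""
    if not 0 <= global_id < (1 << 40):
        raise ValueError("Global ID must fit in 40 bits")
    return ipaddress.IPv6Network(((0xFD << 120) | (global_id << 80), 48))


def subnet_for_vlan(site, vlan_id: int) -> ipaddress.IPv6Network:
    """The /64 for one LAN/VLAN: reuse the VLAN number as the subnet ID so the
    address stays readable, e.g. fdxx:xxxx:xxxx:<vlan>::/64."""
    site = ipaddress.IPv6Network(site)
    subnet_bits = 64 - site.prefixlen
    if subnet_bits < 0 or not 0 <= vlan_id < (1 << subnet_bits):
        raise ValueError(f"VLAN {vlan_id} does not fit in {subnet_bits} subnet bits")
    return ipaddress.IPv6Network((int(site.network_address) | (vlan_id << 64), 64))


def prefix_length_for_networks(num_networks: int) -> int:
    """Sizing from the number of /64 networks: n networks need ceil(log2(n))
    subnet-ID bits, so the site prefix length is 64 minus that. (A ULA site is
    always a /48 = 65536 /64s; this is for sizing a provider or PI request.)"""
    if num_networks < 1:
        raise ValueError("need at least one network")
    return 64 - (num_networks - 1).bit_length()


def is_ula(address: str) -> bool:
    """Check that a hand-typed address really lands in fd00::/8. Shorthand such
    as 'fd::1' expands to 00fd::1, which is NOT a ULA; the first group must be fdxx."""
    return ipaddress.IPv6Address(address) in ULA_SPACE


if __name__ == "__main__":
    # constructed inputs: EUI-64 for MAC 00:11:22:33:44:55 and an arbitrary NTP time
    gid = ula_global_id(bytes.fromhex("021122fffe334455"), 0xE8A1B2C300000000)
    site = ula_prefix(gid)
    print("site prefix:", site)
    for vlan in (1, 10, 20):
        print(f"  VLAN {vlan}:", subnet_for_vlan(site, vlan))
    print("4096 networks fit in a /", prefix_length_for_networks(4096))
    print("is fd::1 a ULA?", is_ula("fd::1"))
```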
One thing to add: what I feel is missing is just a piece of software which keeps your subnet steady. With IPv6 just your prefix changes. But everything after the prefix could stay the same. Thus I would love to see software just support the prefix notation, or add on to it with variables.
For example you get your isp prefix and add your networks like so:
ips:vlan::ip
It would be nice that software could understand that if you leave the ISP part out that it just adds it automatically depending on what your RA gives it. Such that you can just write for apps or DNS or what have you just:
::vlan::ip and it fills in the blanks.
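As an added example (not code from this commenter or any project), here is the "leave the ISP part out and let the router fill it in" idea in Python: each host keeps a fixed template (subnet ID plus interface ID, prefix bits zero), the prefix currently learned from RA or DHCPv6-PD is OR-ed in, and when the prefix changes the AAAA records are regenerated, which is the job the earlier comment about Telekom describes its DNS server doing. Host names, templates and prefixes are constructed sample values.

```python
"""Added example: fill a host template with the current ISP prefix and regenerate
DNS records on a prefix change. All names and prefixes below are constructed."""
import ipaddress


def fill_prefix(template, prefix) -> ipaddress.IPv6Address:
    """Combine a host template such as ::a:0:0:0:1 (subnet 0xa, host ::1) with the
    prefix learned from the ISP, e.g. 2001:db8:abcd::/48 -> 2001:db8:abcd:a::1.
    Any template bits inside the prefix would be silently overwritten, so reject them."""
    tmpl = int(ipaddress.IPv6Address(template))
    net = ipaddress.IPv6Network(prefix)
    host_bits = 128 - net.prefixlen
    if tmpl >> host_bits:
        raise ValueError(f"template {template} has bits inside the /{net.prefixlen} prefix")
    return ipaddress.IPv6Address(int(net.network_address) | tmpl)


def template_from_address(address, prefixlen: int) -> ipaddress.IPv6Address:
    """Inverse operation: zero the first prefixlen bits of an existing global
    address, turning a hard-coded address into a reusable template."""
    value = int(ipaddress.IPv6Address(address))
    return ipaddress.IPv6Address(value & ((1 << (128 - prefixlen)) - 1))


def prefix_from_wan(address, prefixlen: int) -> ipaddress.IPv6Network:
    """The prefix the ISP currently delegates, derived from any address seen on
    the WAN side by masking off the host bits (strict=False does the masking)."""
    return ipaddress.IPv6Network((int(ipaddress.IPv6Address(address)), prefixlen), strict=False)


def aaaa_records(templates: dict, prefix) -> dict:
    """hostname -> AAAA record text for the given prefix."""
    return {name: str(fill_prefix(tmpl, prefix)) for name, tmpl in templates.items()}


def renumber(templates: dict, old_prefix, new_prefix) -> dict:
    """Records that must be pushed to DNS after a prefix change: only those whose
    value actually differs, so an unchanged prefix produces no updates."""
    before = aaaa_records(templates, old_prefix)
    after = aaaa_records(templates, new_prefix)
    return {name: after[name] for name in after if after[name] != before.get(name)}


if __name__ == "__main__":
    hosts = {"nas": "::a:0:0:0:1", "web": "::14:0:0:0:2"}  # constructed templates
    old = "2001:db8:abcd::/48"
    # constructed: an address the router currently holds on its WAN interface
    new = prefix_from_wan("2001:db8:ffff:0:4c3:99ff:fe00:1", 48)
    print("current records:", aaaa_records(hosts, old))
    print("after prefix change to", new, "push:", renumber(hosts, old, new))
```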
You could use 2 subnets at home: the public subnet from your ISP with SLAAC, and Unique Local Addresses (ULAs) that work in your home network and don't change.
Also, it really sounds like you're trying to evade DNS. IPv6 was explicitly made with people using DNS, which negates the need for static IP addresses.
I live in Germany, and IP-addresses (v4 and v6) change every day for home users. And still I have some services running without issue.
Most ISPs will give you a fixed address if you pay extra. Default settings actually mean your ISP-provided address may just be reset randomly. Link local addresses will work locally, so use DHCP for local addresses; my router allocates IPv6 to clients automatically (for global addresses) - and Windows 10/11, Server 2023 etc. all actually default to IPv6 and just fall back to IPv4. Some devices on my network still do not support IPv6, and this is an industry-wide problem, so basically I have to run both. IPv6 is actually more efficient at data transfer, so there are other benefits.
As a non-network engineer, but someone more technical than the average user, like hosting something on a home server, a raspberry pi, etc. My only exposure to ipv6 is when it breaks something, like your PiHole DNS server, and the easiest fix is to turn it off everywhere.
So the technology is off to a bad start right off the bat.
Indeed. Since everyone's knee-jerk reaction is "just turn the broken shit off!", it'll never get fixed. Until people take a serious look at what doesn't work, and why it doesn't work, there won't be any fixes.
I recently got IPV6 working, and have dual stacks running, we have to start getting familiar with it, so why not…
I've been running ip6 on my home network for several years in a dual stack config as not all my devices support it. My ISP doesn't support it either so I use a VPN service that gave me a 48-bit prefix. I don't see ip6 being different from ip4 in that the prefixes have to be routed and ultimately you want the minimum amount of routing traffic, so it makes sense that internet service providers are allocated blocks of similar addresses that can be advertised in a block. If everyone can have their own prefix that is portable then you either have to advertise each prefix separately, which has performance implications since each router needs to know about the prefix to route it, as well as capacity - the amount of memory each router would need to be able to store the routing table would be enormous. Also this "problem" is the same on ip4 - if you change ISP, you get a new ip4 address. This is why we have DNS, so we don't care what the address is; just as long as it is updated when the address changes everything is fine. I personally don't masquerade my ip6 addresses but there is still a firewall and in general only outbound initiated connections are permitted, but I have the option to expose a port on a server to allow inbound.
Why are you running your home network with IPv6? Does it provide you any benefit or features you couldn't have with IPv4 home network?
@MikkoRantalainen main feature was for me to learn about the technologies needed for it to work and also to be able to host test web sites directly on a virtual server (in a DMZ) without having to mess around with reverse proxying or using different ports.
@_chrisr_ Do you think IPv6 has been easier solution overall than using reverse proxying or port forwarding?
At least for me reverse proxying and port forwarding would be much easier solution than trying to switch to IPv6.
@MikkoRantalainen as there was a learning curve, it took longer initially, but that was several years back and I didn't touch it until I upgraded my server which ran the ip6 network services (as well as ip4) earlier this year and had to remember what I had set up! 😀. Having said that it wasn't particularly hard to set it up. I only have single external ip address so sometimes being able to have a host with its own external address has an advantage when trying to replicate a configuration used by a customer.
Every adapter can have many IP addresses. You have control over LLAs and ULAs and you can use them in your internal networks for permanent addressing. Since you do not control the prefix you get assigned by your ISP, you should not depend on addresses derived from it to not change. To control access from and to the internet, use a firewall instead of NAT (e.g. you could use MAC addresses or another non-changing characteristic to tie firewall rules to devices, instead of using public IPv6 addresses in your firewall rules). Under normal operations, using NAT should be quite exotic with IPv6 (i.e. if you find yourself wanting to use NAT, you should stop and reevaluate the solution to the problem you are trying to fix).
Uhm, I don't know where you live, but for the EU region RIPE is a really nice Internet registry. You can get your own ASN and IPv6 space for little money (I paid $50 for a /40 prefix and ASN). You don't need justification or anything, you just need an ID card for identification. You also don't have to be a company. Normal people can ask for one without much hassle. But announcing the prefix is yet a completely different story.
which service do you use as a partner to get the PI?
You are addressing the problem that an IP address serves two purposes: it acts as an identifier (i.e. Which computer or which network do I want to talk to?) and a locator (i.e. Where is this computer or network located on the Internet?) If you change the provider, of course the locator has to change, unless you are your own provider, running your own AS. However, you want to keep the identifier. There is a protocol called LISP (Locator/Identifier Separation Protocol) which tries to separate these functions. With this, there are IP addresses that act as a locator (EID), and other IP addresses that act as an identifier (RLOC). This way, you can keep your identifier IP addresses while your locator IP addresses change. I don’t know whether this is usable yet.
Partly agree; changing prefixes should be solved with smart DNS. Prefixes you own would be a huge problem for BGP routing. Imagine IPv6 full tables with all /48 routes.
Paul, I found that using an IPv6 unique local address (ULA) prefix solved the issues you mentioned, in both my business and home use cases. I registered my fd00::/8 prefix back in SixXS times, and each of my devices is assigned an address with this prefix. The addresses are as simple to remember as I choose them to be, are managed by my own DNS server, they obfuscate my internal network without the need for NAT, and remain unchanged no matter what IPv6 prefix is assigned by my ISP. As is common practice in Germany, both my home router’s IPv4 address and IPv6 routing prefix change every 24 hours, so ULA was something I needed from the get-go. If you have not tried ULA yet, I strongly recommend looking into it.
"both my home router’s IPv4 address and IPv6 routing prefix change every 24 hours"
OUCH!!! My IPv4 address is virtually static, changing only when I change hardware and I've had the same IPv6 prefix for a few years. I'm in Canada. What possible reason could they have for changing addresses every 24 hours?
I've already come to that conclusion myself :) When I get my new router (linux box) I'll be setting it up
@TallPaulTech I used a Linux router for years, including with IPv6 via 6in4 tunnel. However, I found it wouldn't work with DHCPv6-PD, which my ISP used to provide IPv6. As a result, I switched to pfSense. Does Linux now support it properly?
@James_Knott That's how I get my addresses from the ISP too. It works nicely. Do you mean you couldn't get it to work as a DHCP client from the ISP to get that info? Use something like this
# wan stanza in /etc/network/interfaces (ifupdown): DHCPv4 plus DHCPv6 with prefix delegation
auto eth0.2
iface eth0.2 inet dhcp
iface eth0.2 inet6 dhcp
    request_prefix 1
    accept_ra 2
On the internal side, I have radvd and dhcpv6 server.
@James_Knott The reason is, unsurprisingly, money. Only particular contract models, aimed at business clientele and priced substantially higher than those meant for Joe Random private user, allow for static IPv6 address prefix assignment. The same goes for IPv4 addresses, by the way. Come to think of it, I believe there is also the limitation that one can have either static IPv4 or static IPv6, but not both simultaneously. This is based on the information I received from my ISP, which happens to be the market leader in Germany. Where I live, there is unfortunately no alternative ISP. 😐
This is a great video. I tried this week to go IPv6. All worked well until I got my NAS and it did some funky stuff renaming itself to my ISP’s name and relocating itself to the NT when I am in NSW. So I went back to IPv4. I like your idea of “owning” an IPv6 range of addresses. We should be allocated them and they should be ours to use. We have a telecommunications legal precedent already in phone numbers belonging to us, so that even if I switch from Optus or Vodafone to Telstra or vice versa, I am legally allowed to keep my original phone number. If I had to change phone numbers every time I changed providers, this would make life impossible for all my family, friends and work. Why can’t we take an IPv6 static address with us from provider to provider like we do a phone number?
In hindsight, it's the fact that the routing tables for the world would be too much of a problem for random addresses to be everywhere.
Also a good point. I wrote to my local Federal MP about this last night suggesting that every Australian get a range of IPv6 addresses allocated to them, same as with a phone number. NBN could administer and that way the tables would work within Australia wouldn’t they? They wouldn’t be random, they’d be assigned (similar to how landline phone numbers used to mean certain areas like how Vic is 03 and NSW is 02)
At least part of the problem is that many of the big players, especially in North America, have enough of the IPv4 address space that they have no pressure to support IPv6. It's sheer laziness.
I think another reason ISPs might be reluctant is that CGNAT makes it that more difficult for customers to make services available on the WAN. This, in turn, reduces uplink traffic.
I'm waiting for IPv7 with the planetary prefix, then allocate a block designated for Mars.
If you give people the ability to buy IP6 ranges in bulk, then you'll just end up with large companies buying huge chunks for themselves for "just in case".
I suspect you'll end up with IP6 eventually on the interwebs because of the lack of IPs, but private ranges will probably stay on IP4 with NATing.
What you are waiting for is an IPv8, not IPv7. There is a concept of using odd/even numbers for unstable/stable releases, like odd numbers are used for concepts, highly experimental things used only to evaluate those concepts etc. This is why we have IPv4 and IPv6, but not IPv5. Same issue with Linux kernels (2.0.xx, 2.2.x, 2.4.xx, 2.6.xx) etc.
@NikiBretschneider IPv6 really screwed up that idea - it seems very experimental.
I thought the same thing. I work at an SMB company, our ISP offers dual stack with a /48 on IPv6. I hesitate to set up IPv6 internally without NAT66 because the ISP is then in charge of my prefix. I researched the thing and found out you CAN get a /48 for yourself (as a company at least), even for reasonable money. BUT you will have to implement BGP to make it work, which adds a lot of complexity and cost (for the routers).
For sceptics, this might become useful if interplanetary colonization happens in the far future, probably not now. Plus it's a good safeguard if the limit is reached for whatever reason.
I tried to get V6 going, just simple pings, in my local net no problems, but once I tried to cross my ISP's router, nothing worked, so I took it that their firmware was broken and that was the end for me. So I wait for a better box from my ISP.
I cannot easily replace that box as it does voip and free cellular backup, both not easily replicated as they won't hand out the codes etc to talk to their systems.
About 80% of what you said went over my head, so a good tutorial would help.
100% agree with this.
I wouldn’t and won’t implement IPv6 on our customers networks, or my own (except for testing)
We manage many sites that utilise multiple WANs and in my opinion the ISP needs to be disposable; their network stops at the WAN.
Network Address Translation (as an invisible proxy) has helped a lot of people misunderstand network scope. If IP4 and associated software didn't expect one address per interface, then an interface could have two addresses: an RFC1918 address and a public address, one for local comms and one for global comms. IP6 does this. NAT is like a secretary that connects calls so you don't have to know how to dial direct and transfers calls based on caller id, so the caller has no idea there are several bosses behind the same number.
There's just not a whole lot of business reasons to be able to give an IP address to every grain of sand on the planet. Much less wanting to keep track of them all in your maintenance database for the tech support folks.
I've been thinking about a more universal version of the IP protocol, requires a lot more bits but I also think it has advantages.
Bit 0 -> Physical or Virtual
Bits 1-31 -> Galaxy
Bits 32-79 -> Star
Bits 80-95 -> planetary body
Bits 96-127 -> polar latitude
Bits 128-159 -> polar longitude
Bits 160-191 -> height (cm)
Bits 192-255 -> unique identifier
Bits 256-303 -> protected bits (see below)
Bits 304-319 -> parity bits
This would mean that every ~cubic centimetre of the earth (up to 42km out) could have ~10^19 addresses,
16 bits per solar system for each planet, 48 bits per galaxy for each star, or 31 for each individual galaxy could be divided up in some relatively structured way just like the planetary addresses as and when the time comes that they're needed. But this should be more than one per galaxy, more than one per star in any given galaxy, and more than one per orbiting body over 10km in diameter.
Since the Poles and the centre of the planet are relatively over-allocated you can put special addresses at those locations like DNS servers etc.
Each asteroid or planet or moon gets a similar number/density of addresses with bigger/older/popular planets getting a range (so if 10^19 addresses per cm^3 isn't enough they can be allocated more). Lesser objects maybe having a different breakdown of the planetary body/latitude/longitude/height bits; for something smaller than 10km then having ~43000km of height in cm is probably too much, similarly at its surface a density of 0.001mm is a bit high density, so some precision bits could be moved to the planetary body to account for the millions of lesser bodies per system. And similar could be done with space habitats over a certain size too.
With this density of physical addresses, it provides opportunities.
We could assign each (macro) component an IP origin address, with each company at any given address having its own range by picking a different cubic centimetre of the factory to choose their IPs from, and if they run out with a given cube they can move one cm over.
As well as each component getting an address each person could be allocated a physical address at birth too, effectively making these like permanent phone numbers or email addresses or identity codes. Each year could have a different location in the hospital as the base IP and each unique identifier could be randomised to prevent the use of dialling every one in sequence.
Similarly, institutions could assign an IP address to other physical or even virtual items like a degree or receipt as a proof of authenticity, with each IP on those things leading to a website which should give data to verify the person or item's authenticity.
Each IP address also has 48 protected bits that it can use as a signature or to assign a port number internally, the exact use of which is determined by the destination, not the global network/standards. For example a unique code could be attached to the personal IP for each time it's given out and then if it's shared to others there's a fingerprint attached, and modifying that fingerprint to disguise the origin could mean that any message may be dropped as spam. Or for a virtual address you might have several computers behind a single access point and each computer gets its own protected range for port forwarding, UPnP, etc.
And as well as each component, person and so on getting a physical address point of origin, you have a separate but identical-in-quantity set of virtual addresses for each location which can be used to do routing by the current location of a device, or its nearest cell tower or ISP service box etc. If you want to send a message to someone then the easiest heuristic would be the one that reduces the distance to the virtual address.
Omitting the higher value bits can be done for certain types of traffic like planetary traffic or in-system traffic or in-galaxy traffic, doing this assumes virtual addresses.
16 parity bits allow for the code to be error-correcting under reasonable conditions which current IP addresses are not
To all practical purposes, they'd never run out of addresses and then IP would be kind of future-proofed beyond just our one current planet. 320 bits is a lot more than the 32 and 128 bits we currently use in IPv4 and IPv6, though it would have a lot more utility: it'd roll MAC addresses and IP addresses into the same standard and it'd give the IPs some rhyme or reason beyond 'just because the allocator gave you this set of numbers'.
User authentication: there should still be plenty of ways to obfuscate user location and so on through virtual addresses; picking (or purchasing) one (or a set) that's within the planet's core could be an accepted method for doing this, so being ANON on the web should still be possible to the same degree it is now, but if you want to authenticate you are who you purport to be it should be relatively easy too. You can physically authenticate your address without much trouble providing the ISPs provide this facility, and as you have an IP that's personal to you based off your own point of origin you can also allow for that to be used as an auth server for your identity if your hospital/ISP/government provide that facility.
Obviously, it needs a little fleshing out but I think it's a good start.
Solution in search of a problem... We haven't even solved rural broadband internet and you're concerned with intergalactic addressing?
You have given incredible thought to this. If anything like what you've suggested here were to be implemented within the next 100 years, humanity & perhaps even some other kinds of life could be set for as long as I'm willing to consider forecasting into the future.
If this is truly what you are passionate about & you want this to happen, then find a way to do it.
However if I were you, I would use your incredible ability to consider & think through every possible aspect/need of something and apply that ability to things that are bigger problems for humanity now. The first thing that comes to mind is not everyone on earth has access to drinkable water or healthy food or any internet access at all.
There's no more permanent solution than a temporary fix; as long as it needs an overhaul might as well plan for the future... Though yes it is a bit overkill, I also think there are a myriad of ways in which it could be used if it existed. I personally am a big fan of the verification methods that could be built on this. You can have a stamp of authenticity and origin built into so many different things; you could put a substantial end to fakes and forgeries for example. You could make certain portions of the internet only accessible by people who are declaring their identity correctly, eliminating or substantially reducing trolling. Having a universal addressing standard in place for the next billion years is just a bonus xD
How does this handle TTL (DNS entries, routes, packets, ...) which could be billions of years 🤔
@gzoechi TTL is a hop counter, generally speaking, so if a hop is between star systems it's still just one hop. You'd likely need to have a larger counter, but it would depend on the configuration of the networks at each star; 10-16 bits of TTL might be overkill if each star system is 1 hop.
DNS wouldn't have to be synchronised; so long as each star system is closer to the terminal address, the packet's route can be looked up in each star system. It may be that if you're moving systems, though, you need to tell your destination and request that all packets for you be saved until arrival before setting out... or set up a device at your departure point to act as storage and relay for those packets... though it depends on the speed of travel: if physical travel is a substantial fraction of C, packets could be saved via transmission between star systems, and if it is possible to send and/or receive during a voyage. However, in most cases it's a simple matter to aim at the relevant star system (even through intermediaries) and expect the thing to have not left the destination system, so it'd be no different from a phone changing cell tower while a packet is en route.
It may be reasonable for interstellar relays to hold onto copies of packets and sign them as a way to reduce the requirement for retransmission over stellar distances. A lot of this could actually be worked out by looking at slower transmission methods like TCP/IP over carrier pigeon, and remembering that there may be occasions where the bandwidth of a lorry load of tape drives is more effective than radio. For 'non-urgent' interstellar communication (which would be most interstellar communication if we're honest; our closest neighbour gets things with a 4-year delay), it may be that we pack cargo ships with some form of permanent storage and send communications to another system snail-mail style, to be unpacked and transmitted locally or repacked onto another storage ship for another destination.
Agreed, and you seem to be the only person that has described my exact dilemmas!
I have the issue on my network with my Kubernetes cluster. I've tried to go IPv6 first everywhere, and on "normal hosts" having both a ULA and GUA works fine and handles the changing ipv6 prefix problem.
But I can't set up my kube cluster using the ISP prefix, just in case it changes. I've set it up with a ULA for now, but of course the pods can't route to the internet unless it's IPv4.
The halfway solution would be stateless NAT or Network Prefix Translation, where the router just swaps the prefixes and leaves the host portion alone, but I can't seem to get this to work with iptables.
That's something I'll be trying when my new router hardware arrives. I'll be using nftables though, but that's probably what I'll do... bloody NAT.
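The prefix swap the two comments above describe is specified in RFC 6296 (NPTv6) as a checksum-neutral mapping: the router replaces the /48 prefix and folds the one's complement difference between the two prefixes into the subnet word, so the host bits stay untouched and TCP/UDP checksums need no rewriting. The Python below is an added illustration of that /48 case, not either commenter's setup; the ULA prefix fd12:3456:789a::/48 and the ISP prefix 2001:db8:abcd::/48 are constructed examples.

```python
import ipaddress

# Added illustration of the RFC 6296 checksum-neutral /48 prefix mapping.
# Both prefixes are constructed examples, not any real network.
ULA_PREFIX = ipaddress.IPv6Network("fd12:3456:789a::/48")  # internal side (LAN)
WAN_PREFIX = ipaddress.IPv6Network("2001:db8:abcd::/48")   # external side (ISP)


def words(addr):
    """Split a 128-bit address into its eight 16-bit words."""
    return [int.from_bytes(addr.packed[i:i + 2], "big") for i in range(0, 16, 2)]


def ones_complement_sum(vals):
    """16-bit one's complement sum with end-around carry (IP checksum arithmetic)."""
    total = sum(vals)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def adjustment(src, dst):
    """One's complement difference of the two /48 prefixes: sum(src) - sum(dst)."""
    src_sum = ones_complement_sum(words(src.network_address)[:3])
    dst_sum = ones_complement_sum(words(dst.network_address)[:3])
    return ones_complement_sum([src_sum, ~dst_sum & 0xFFFF])


def translate(addr_str, src, dst):
    """Swap the /48 prefix and fold the prefix difference into the subnet word
    (bits 48..63) so the 16-bit sum over the address, and therefore every
    transport checksum that covers it, is unchanged. Host bits are untouched."""
    addr = ipaddress.IPv6Address(addr_str)
    if src.prefixlen != 48 or dst.prefixlen != 48 or addr not in src:
        raise ValueError("this example handles /48 prefixes only")
    w = words(addr)
    w[0:3] = words(dst.network_address)[:3]
    w[3] = ones_complement_sum([w[3], adjustment(src, dst)])
    if w[3] == 0xFFFF:  # 0xFFFF and 0x0000 are the same value in one's complement
        w[3] = 0        # (so subnet 0xFFFF itself cannot be used with this mapping)
    return str(ipaddress.IPv6Address(b"".join(x.to_bytes(2, "big") for x in w)))


def outbound(addr_str):  # LAN -> Internet: ULA prefix replaced by the ISP prefix
    return translate(addr_str, ULA_PREFIX, WAN_PREFIX)


def inbound(addr_str):   # Internet -> LAN: ISP prefix replaced by the ULA prefix
    return translate(addr_str, WAN_PREFIX, ULA_PREFIX)


def address_sum(addr_str):
    """One's complement sum of the address words, normalised so 0xFFFF == 0."""
    return ones_complement_sum(words(ipaddress.IPv6Address(addr_str))) % 0xFFFF
```

Because the translation is a pure function of the address, no per-flow state is kept and inbound and outbound are exact inverses; the one cost is that the subnet word changes on the wire, so a LAN subnet is not visible under the same number on the Internet side.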
Honestly, I think the fact that basically every home network uses NAT, and has for a while, has probably snuck assumptions into so many programs out there. And not just programs, but general practices and recommendations as well.
I'm no expert, but I find that transitioning from NAT connections to direct ones may introduce a host of unintended consequences. Not saying we shouldn't do it, it just becomes an interesting new paradigm.
The main thing is to have your own public IP address(es), which seem rare these days with IPv4 because ISPs are using NAT.
@TallPaulTech Absolutely. I was thinking more about the security implications. Having a network device in front of traffic by default sort of gives you a firewall for free. It also makes tracking a whole lot harder, as any Internet host would just see the public IP, even though any device could be connected through it. Having each device actually have its own public IP address would make it much easier to determine what exact device the packets originated from.
The device can be fingerprinted by its traffic regardless. Also, if you want to NAT in IPv6, you still can.
@TallPaulTech That's fair. I'm just thinking about how ISPs may implement IPv6 going forward for home customers. If they stop using NAT for their home Internet solutions, that puts home users in a technically different situation than they've ever been in. I'm not sure what the implications of that would be, but I think there would definitely be some interesting ones.
@TallPaulTech I've never static'ed my home net, but I've never had a problem getting static for my work here in the US, never. Of course, we only need a /28 IPv4.
In around 2010 there were many IPv6-enthusiastic ISPs. But that was also the time when Internet blocking laws appeared. Controllers were connecting to the Internet in each café with free WiFi, and if they managed to connect to a forbidden resource, they posted notable fines for the law violation. Controllers often had µTorrent installed on notebooks, and µTorrent configured Teredo and/or 6to4. If Teredo and/or 6to4 helped to reach the forbidden resource, they posted a fine.
At the same time, Internet-blocking software was immature, barely capable of blocking IPv4 correctly. An ISP could either provide native unblocked IPv6 and be fined for that, or not provide IPv6 at all. Instantly, IPv6 became damnation for cafés and for ISPs. They blocked each and every IPv6 loophole. No more 6to4, no more Teredo. Nobody likes fines.
That's how IPv6 was canceled in Russia.
I’m in the same boat... I want to use IPv6 more.
I have to wonder about your concept of owning a static, portable subnet, though. I don’t think calling it your “prefix” is right; to me it’s a subnet. And mostly, like IPv4, your subnet is just a subnet within your ISP’s subnet: they can only allocate within the IPv6 blocks they own. Getting a new IPv4 address is normal if changing ISPs, so it's not surprising IPv6 is the same.
I mean, why not go a step further and have a single static IPv6 address for your phone or laptop that never changes even if you traverse different networks (home, then cellular, then a mate's wifi, or the work LAN, etc.)? It would be a technical nightmare.
DHCPv6 just needs to be smart enough to see the new prefix, and only worry about the subnet portion for address allocation, and then intelligently combine the two, rather than being hard-coded.
And finally, yeah. IPv6 support is dismal in terms of routers etc. I also think such routers should do IPv6 firewalling in a way that mimics port-forwarding config.
Too much to type in a youtube comment…
At the end of the day, the ultimate problem is that everyone is simply dragging their heels. People (ISPs, vendors, etc.) might only barely dip their toes in the water, but no one wants to jump in proper.
I use BT in the UK and *each* time the router restarts the external connection it gets a different IPv6 address from BT. Most frustrating as I can’t use native IPv6 as it’s changed daily.
I thought IPv6 was created for practical reasons because we were supposedly running out of IP addresses. It's been 20 years and this hasn't happened, largely thanks to NAT. Is there any downside to just continuing to use NAT as a workaround for the IP address exhaustion problem, as opposed to a full adoption of IPv6?
NAT is a downside in itself. You're blocking the access to ports on the inside of the NAT.
@eidodk That is exactly what I want. I do not want every Jim and Joe in the world to access my fridge.
@xmarkx9988 You can block them yourself. You cannot, however, unblock ports you need unblocked, which IS the problem.