The fact that the current version was published 2017 (so 2016 info) and IPv6 is still a moving target? I suspect that isn’t the reason to post it but it’s relevant.
I’ve often wondered if IPv6's less human-readable addresses are the primary cause. I dread using and interacting with IPv6, compared to IPv4. Sure IPv6 solves a lot of scaling challenges, but it is so much harder to grok at first glance.
Yeah, I realized that just after I posted my reply. As usr1106 mentioned, the solution would be to always use square brackets. It would take up more space, but I think it would still be better for at least two reasons:
• Even with the brackets, it always takes the same or fewer keypresses (no need to press shift).
• It's easier to tell when the address starts and ends. This is helpful when you get into odd addresses like "xxxx::xxxx.192.168.123.234", or "::1", or "::". The versions [xxxx--xxxx.192.168.123.234], [--1], and [--] look nicer and more obvious, at least to me.
But of course this is all silly to go over now, decades after the decision. We'll save these changes for IPv8! :-P
Anecdote: a few years ago there was a quiz at one of the RIPE conferences where participants were asked to pick the one invalid IPv6 address out of four. IIRC the success rate was even below what would result from a random pick.
Many of the "IPv6-isms" come from the fact that renumbering networks is a big PITA and so IPv6 was built with the pipe dream of "change the config on the router and the entire network renumbers itself", like the flick of a switch. It was optimised for the least used case. IMO they should have just increased the address bit size to 128 and be done with it.
One of my own annoyances is the fact that local subnets have to be /64s (you can make smaller subnets but it breaks certain things) and ISPs are supposed to deliver a /48 or /56 to subscribers but some ISPs will only hand out one /64. So if you want to create 2 separate networks in your home you're screwed.
Address abbreviation helps a bunch. IPv6 (not an expert, but I’m in a class right now!) suffers from severe 2nd system syndrome: it overhauls DHCP in a totally convoluted way, overhauls so much of how the IP layer works, etc. It really is a mess.
I think it would have been better to label everything that DHCPv6 covers with an entirely new name. Its functionality is fine for what it’s tasked to do, and much of the confusion I’d argue stems from those who (think they) know IPv4 trying to map their understanding to IPv6 unmodified.
So did 64 bit CPU adoption get delayed because addresses are hard to read compared to 32 bit addresses? Maybe not so much...
But the argument might still hold. If 80% of average network admins decide to hate IPv6 because they can no longer remember IP addresses of several machines and subnets by heart that might hinder adoption. Most of them are not daily affected by the fact that the world has run out of IPv4 addresses. And NAT works well enough for most of them, many are even convinced it gives them security.
Remembering your own machines really isn't the problem people think it is.
If I ask you what 192.168.1.1 is, you're probably going to guess it's a router/gateway. There is absolutely no reason for it to be, it's merely an accepted convention that the lowest-numbered host is the gateway.
There's absolutely nothing stopping you doing the same in ipv6. If you need to be able to remember where your gateway is, put it on 2001:db8::1. The problem isn't that they're long, it's that for some reason we assume we have to remember dynamically assigned addresses. Any address you have to memorise shouldn't be dynamically assigned, whether it's v4 or v6.
Except my prefix is a hell of a lot longer than that...
And it's not my choice that it changes every now and then (at least once a month).
That said, I use DynDNS for IPv4 too, but it's easier since I only need to configure it for the router, whereas for IPv6 each machine I want to access needs its own record.
They are. I was part of the test rollout of IPv6 when I lived in Richmond, VA last year. It worked flawlessly so I'd assume they should be set for a greater rollout sooner rather than later.
When was that? It's been "coming soon" on Verizon's own FAQ[1] for almost half a decade now. I'm in one of the major MSAs along the eastern megalopolis, and there's no IPv6 here.
If you watch the graph in smaller time scale you see adoption is higher on weekends than on weekdays. I guess that means consumers using Google and similar from their mobile phones have a high rate of adoption. They did not do it themselves. While the average medium (and why not big) company IT department has not started to do anything and is IPv4 only. Seen in the graph when people work Monday to Friday and especially around Christmas.
You are asking in vain, Reddit News clientele are worrying about globalist stuff like saving our planet from climate hoax etc. While the book is typical Cisco Press style, very in-depth, CCNP+ tier complex, that's too much for redditors.
I learned IPv4 from blog posts written by people who read other blog posts and HOWTOs. It worked because I came along when everyone had (and needed) the experience.
IPv6 is harder because it’s the upgrade path, not a necessity. For that, I needed good professional source material. As do you: treat yourself!
IPv6 is fundamentally not ready for real world use within small/medium businesses and homes IMO. At least not without NAT. Why?
- Can’t just simply put one IPv6 router/firewall behind another. Not all IPv6 routers support DHCP-PD, and even if they did, you could have 2-3-4 levels of routers/firewalls at a business. I’m not making this up- retail/gas/food industries often have a plethora of networks at a location, and the business/franchise owner is not tech literate, or even if they were, the equipment is managed by third party vendors and they don’t want to customise their IP network for each location. It makes for messy deployment and maintenance.
- Can’t just simply open a firewall rule on the main site router to forward say HTTPS to an internal service. Why? Not all ISPs give static IPv6 prefixes, not all PCs/servers/devices support DHCP6 for static leases, and then there’s IPv6 privacy addresses. Yes, you can statically configure (only if ISP is static too!). No, I don’t want to open the port to all devices on the LAN and no I can’t rely on each device to be running their own firewall (let alone a properly configured one!).
- WAN failover / multiple ISPs is hard. You have a fibre primary feed, and a secondary cellular/5G feed. Each has different IPv6 addresses. How do you ensure the right ISP is used at any given point? IPv6 shifts this decision to the client. This makes load balancing and policy based traffic routing (eg VoIP over fibre 1, FTP over fibre 2, etc). Also the cost of using a multi-homed IPv6 subnet & BGP in a SME/retail business is out of the question (plus the cellular ISP wouldn’t support it anyway).
All the above works fine out of the box with IPv4 and NAT. It’s bread and butter easy. At the cost of not having dedicated unique public IPs but these places simply don’t need them.
What IPv6 should have done to ensure a smooth migration is allow for NAT from the very start. That would have let everyone who needed public IPs get them straight away, and those that didn’t still migrate anyway with as little drama as possible. But it’s just not the case: NAT has been slowly added, but its support is far from the ubiquity that IPv4 has.
Before I start I must say, I built IPv6 only datacenters and enterprise networks. I am saying from experience.
> Can’t just simply put one IPv6 router/firewall behind another. Not all IPv6 routers support DHCP-PD, and even if they did, you could have 2-3-4 levels of routers/firewalls at a business.
You cannot do this with IPv4 either. Routing has to work. It works for both IPv4 and In But if you are saying, you add 2-3-4 layers of NAT, this is just crazy.
> Can’t just simply open a firewall rule on the main site router to forward say HTTPS to an internal service. Why? Not all ISPs give static IPv6 prefixes, not all PCs/servers/devices support DHCP6 for static leases, and then there’s IPv6 privacy addresses.
ISPs not providing static prefixes is a particular ISP problem, not an IPv6 problem. If your ISP cannot hand out static IPv4, you have a similar problem and the workaround would be what? Dynamic DNS?
Admittedly we had /32 and own ASN, but in remote offices where you don’t buy transit, you live on PA addresses (and of course they are static). From what I know, some ISPs don’t issue static prefixes to residential customers, but if you want to serve services from your prefix, use a stable prefix and a decent ISP.
Privacy addresses are intended for client-initiated traffic, so no matter how many privacy addresses your server has, the stable one is still there.
> WAN failover / multiple ISPs is hard. You have a fibre primary feed, and a secondary cellular/5G feed. Each has different IPv6 addresses. How do you ensure the right ISP is used at any given point?
By sending RA and expiring the old prefix on the failover. I admit, this is not an obvious solution and it may not be suitable for some edge cases.
Datacenter networks are an entirely different beast to SME and SOHO business networks. You don’t get the same budget for nice equipment, nor dedicated IT persons to run it, nor any remotely technical people on the ISP side to help you. SME and SOHO are very price conscious too. Think low margin retail and petroleum and fastfood.
> You cannot do this with IPv4 either. Routing has to work. It works for both IPv4 and In But if you are saying, you add 2-3-4 layers of NAT, this is just crazy.
Yes, you literally can stack a dozen commercial IPv4 firewall/routers behind each other's networks and a PC plugged into the very last one will have no problems accessing Google in the browser. Because of NAT, which all IPv4-capable personal/SOHO/SME routers do by default.
Sure, VoIP may not work, but actually chances are it will because the VoIP service will be NAT-free via VPN to the provider.
And in this retail/petro/fastfood environment things like p2p file sharing are irrelevant and not required. All traffic is either to websites or to corporate systems across VPNs where NAT is not present or easily managed.
> By sending RA and expiring the old prefix on the failover. I admit, this is not an obvious solution and it may not be suitable for some edge cases.
It’s a slow failover by comparison to IPv4 methods. Too slow for some common use cases in industries I deal with. It also doesn’t allow for load balancing across links (eg route all important traffic out link 1 by default and all backup uploads out link 2 by default).
> Datacenter networks are an entirely different beast to SME and SOHO business networks.
SOHO networks just use what providers give them. I am not sure why you are jumping from large “oil-and-gas corps” to SOHO, though.
For SOHO providers will be building IPv6-only networks with NAT64 to access the legacy IP. I am seeing it happening: I saw multiple situations like this with guest wifi already. Obviously, this trend is going to continue.
> Yes, you literally can stack a dozen commercial IPv4 firewall/routers behind each others networks and a PC plugged into the very last one will have no problems access Google on the browser. Because of NAT, which all IPv4 capable personal/SOHO/SME routers do by default.
… and then Google blocks it all because the amount of requests from a single IP exceeds their expectations. I have seen half of Belarus blocked by Google because their NAT pools were overprovisioned. When I was at Cisco, a customer asked us to change the NAT behaviour so, that it uses pool not “first, all ports from the first IP in the pool, then all ports from the second IP, etc” to “first port from the first IP, then the first port from the second IP, etc”. The reason was, their starting IPs in the pool were always oversubscribed and blocked. The alternative behaviour broke FTP, SIP even with application-level fixups because the protocols don’t expect signalling and data to use different IPs.
Not to mention, SOHO routers just don’t have enough capacity to maintain translation cache so connections will be randomly dropped.
> Too slow for some common use cases in industries I deal with.
Have you tried it? A renumbering event means sending two RA packets: one to expire an old prefix, another to announce a new one. While technically it’s slower than changing routes on the NAT gateway, I wonder what your requirements are.
It doesn’t allow load balancing, which is true. Work is being done in the IETF to support client-based load balancing, see RFC7157, etc. In my experience, load balancing is rarely happening in such scenarios because it will result in an overloaded link when either of the two goes down. Anyway, I don’t argue, it is something that could be improved.
>You cannot do this with IPv4 either. Routing has to work. It works for both IPv4 and In But if you are saying, you add 2-3-4 layers of NAT, this is just crazy.
Is it? I'm behind two layers of nat and everything works fine.
That NAT "does not work" is an old myth that certain people love to use. If you show it does work, their final reply is always: but inbound connections are hard.
I do not know who needs inbound connections to all of their devices in a corporate network, nor at home, since we solved that shit long time ago.
It only counts as working if you are ok with a giant pile of hacks and pain. Ever had to debug NAT-related SIP issues? Not fun. A lot of protocols fell out of favor, because they poorly interact with NAT (and stupid corporate firewall rules on the other hand so everything gets tunneled via https now..).
And wanting inbound connections is really not that strange a request. Maybe I want to host some website at home? How about a weather station/other IoT..
How about multiplayer gaming?
There are so many things that would benefit from being able to poke some holes in the firewall. With carrier grade NAT becoming more and more common you can forget about that, since you have no control over their infrastructure to forward any ports.
In my experience, they all did. I'm not even sure how you could possibly deploy IPv6 without it, manually handing out prefixes?
> you could have 2-3-4 levels of routers/firewalls at a business.
It seems just a bad design, but I still don't see how IPv6 would not allow it.
> Why? Not all ISPs give static IPv6 prefixes, not all PCs/servers/devices support DHCP6 for static leases, and then there’s IPv6 privacy addresses
1. you don't need a static prefix to write a firewall rule: you can simply remove the dynamic prefix with a mask and match the EUI-64 suffix. For example with ip6tables it's something like this `::e2ab:8fff:fe12:3b6b/-64`.
2. All IPv6 devices do support SLAAC with a stable address mechanism, either EUI-64 or stable privacy address and you can use that in the firewall rule.
3. IPv6 privacy extensions, when enabled, don't preclude listening and accepting connections on the EUI-64 address. So, an inbound traffic firewall rule will just use the stable address: you shouldn't listen on a privacy address, they are for outbound connections.
> Each has different IPv6 addresses. How do you ensure the right ISP is used at any given point? IPv6 shifts this decision to the client.
I honestly don't understand the difference with IPv4. You can have multiple addresses and do load balancing on the router with both.
> IPv6 shifts this decision to the client. This makes load balancing and policy based traffic routing
I can't comment on this because I never tried it, either on IPv4 or IPv6. Off the top of my head, I'd say it would be possible by updating the route priorities with an RA, if you don't want to or can't do NAT66 with a ULA prefix.
> At the cost of not having dedicated unique public IPs but these places simply don’t need them.
Wrong! Everyone needs routable addresses, even if they don't know it, because they need VoIP, video calls on WebRTC, FTP, p2p file sharing, online games, etc. All of these barely manage to work behind a NAT by using workarounds like ALGs, UPnP, NAT-PMP, relay servers and other atrocities that greatly complicate the network design and are a security nightmare.
Sorry I could have stated the DHCP-PD issue more clearly. Comcast doesn’t support it. [1]
> I honestly don't understand the difference with IPv4. You can have multiple addresses and do load balancing on the router with both.
A PC cannot easily have 2 different IPv4 subnets in the same NIC, which is what IPv6 permits with RA. Even if a PC did have 2 networks, how does the router tell the PC to use fibre for everything except backups, and cable for backups, and cellular only if the others fail? These decisions are best made by the router, not an arbitrary client device connected behind it. With IPv6 and no NAT, how does the client PC know what IP to use as its source at any given time? Yes NAT66 works- and for a very very long time the IPv6 community has resisted any NAT, which has resulted in poor NAT support in IPv6 stacks across many vendors.
> Wrong! Everyone needs routable addresses, even if they don't know it because they need VoIP, video calls on webRTC, FTP, p2p file sharing, online games, etc. All of these barely manage to work in a NAT by using workarounds like ALGs, UpnP, NAT-PMP, relay servers and other atrocities that greatly complicate the network design and are a security nightmare.
I didn’t say a routable IP isn’t required. I said a dedicated unique public IP is not required.
A gas station or fast food business doesn’t need online games or p2p file sharing. Their VoIP is done over VPN or uses NAT ALG in the firewall. Their web browser and payment systems are happy with a NAT’d IP on a LAN behind their router (which may or may not have a public static IPv4).
The only "problem" here that is caused by IPv6 is the SD-WAN / multi-provider scenario. Even that is solvable. There are so many IPv6 addresses that your local router can have a unique routable range that it can hand out to the local network, "masking" the external internet provider addresses in the same way that IPv4 routing does it. That's not NAT, that's just routing. E.g. I have a customer that uses a non-RFC1918 public range internally and they have 5 ISP uplinks. They don't need to renumber their internal range just to fail over to another link.
ALL of the other issues are caused by vendors selling garbage products that have IPv6 as a "checkbox" tick without real support.
The real problem is that network engineers around the world let them get away with it, because they avoid IPv6 because of this perception that it isn't mature.
The protocol is over two decades old! It's been fully supported since Windows 2000! My phone is IPv6. My fibre LAN is IPv6. It just works.
What doesn't work is this attitude where people just like you continue to pay for products that only pay lip service to the future.
I've gone on rants here before about enormous service providers like AWS and Azure providing IPv6 "support" that is an absolute garbage fire. Totally worthless. Useless beyond belief. Literally counterproductive in the case of Azure, where turning on IPv6 anywhere will break unrelated IPv4 functionality!
Nobody ever chimes in to say: "Yes, we agree, this is bad."
Nobody ever says "Microsoft should fix this!"
Nobody has a problem. So now we have situations like the one you just described, where people are still buying routers in 2021 that can't handle the most basic IPv6 functionality.
IPv4 addresses are now USD $40 each and rising exponentially. I really do hope the COVID case number graphs taught some of you in a visceral sense what the word "exponential" means. Hint: it doesn't mean that it'll cost $60 in a decade. Try $40000, each.
My ISP uses carrier-grade NAT on IPv4, breaking sites all over the place. I had to call them to enable a dedicated IPv4 address. Their annual investor report says that they will run out within a couple of years. Get one now while you can is the message.
Do you have any idea how much code is required for two PCs to communicate directly now, with up to 4 NAT layers as a common scenario? It's a huge library you have to integrate in your code and then you need a cloud service to assist it.
This is madness, and network engineers around the world are perpetuating it.
> The only "problem" here that is caused by IPv6 is the SD-WAN / multi-provider scenario. Even that is solvable. There are so many IPv6 addresses that your local router can have a unique routable range that it can hand out to the local network, "masking" the external internet provider addresses in the same way that IPv4 routing does it. That's not NAT, that's just routing. E.g. I have a customer that uses a non-RFC1918 public range internally and they have 5 ISP uplinks. They don't need to renumber their internal range just to fail over to another link.
Neither does anyone using IPv4.
Does your customer use BGP for that public IPv6 range? Do they have cellular links? Can they load balance some traffic over two/three links? Can they direct certain protocols over different carriers?
> Literally counterproductive in the case of Azure, where turning on IPv6 anywhere will break unrelated IPv4 functionality!
Not just on Azure; smartphones seem to be the only environment where v6 is doing its job (lots of smartphones need lots of addresses; IPv6 has a lot of addresses, problem solved), and I guess it's because they are the most user-centric client device imaginable, the actual users don't care at all and, most importantly, expect things to occasionally fail.
I'm mad because network "engineers" use that word without realising what it entails to earn that title.
The painting has been on the wall for decades. IPv4 exhaustion was predicted to the week.
Did anyone do anything about it? No.
There are people talking about how Kubernetes is the "future" on this very forum, yet it simply does not work with IPv6. Instead, it uses NAT and RFC1918 ranges... but you've got to be careful not to accidentally overlap those subnets with the rest of your network!
I have a customer that screwed this up and now they're facing a rebuild of 3 out of 4 of their clusters. Fun times.
I have another customer undergoing mergers, where renumbering their IPv4 RFC1918 ranges is going to cost them on the order of $10M.
IPv4 is the legacy, and it's costing real money to keep it going decades after its expiry.
IPv6 should have supported NAT like IPv4, not dragged its heels by begrudgingly implementing it years/decades later (and still not all support IPv6 NAT so the problem isn’t yet solved).
NAT, as much as you hate it, makes deployments easier and quicker and simpler for your average business. I don’t have to worry about BGP, or if my ISP has given me a /64 only or can they do a /60 or /48.
A gradual migration would have allowed both types of approaches to be used. Some would start with IPv6 using NAT, and other more switched-on orgs could go straight away with NAT-free IPv6 networks. And let's face it, this has been a very gradual 20-year migration…
Routers that do BGP are cheap, especially if you're only taking a default route, which is all you're going to need for using multiple ISPs for redundancy.
It’s not the router that is the problem with BGP, it’s the ISPs. Will your cheap as chips cellular carrier support BGP? Will your local cable provider? Probably not.
Both of my ISPs offer IPv6 gateways. I set them up and visited several IP6 websites.
A crypto exchange I use frequently, Bittrex, allows whitelisting an IP address. Since I have a static IPv4, I did so. Problem is, my request to Bittrex always goes out the IP6 gateway and Bittrex does not recognize me. I had to shut down the IP6 gateway to get into the account.
Static IPv6 addresses are rare by default because computers for end users should use IPv6 privacy extensions. In the Ubuntu 16.04 LTS timeframe the privacy extension was still a bit broken, so it did not work on every network adapter. Nowadays it just works, unless a crazy network gives you only a /128.
The whole address changes, but there's usually a prefix that doesn't change, e.g. /64.
Whitelisting the /64 is then equivalent to whitelisting a single IPv4 address with a NATted network behind it, although since ISPs may use different IPv6 prefix lengths it might not be easy for users to know what they should use.
("ip ad" etc show the current address with prefix.)
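The two matching ideas raised in this thread, an inbound rule that masks off the dynamic prefix and matches only the host's stable EUI-64 suffix (the earlier ip6tables reply), and an allow-list that covers a whole /64 rather than a single rotating address (the comment above), as an added Python sketch that is not code from any commenter; the addresses are constructed documentation-prefix samples.

```python
"""Prefix-independent and prefix-wide IPv6 matching (added example).

Models the two filtering ideas from the thread on the standard library only:
  * matches_suffix_rule: ignore the (possibly renumbered) ISP prefix and
    compare only the interface identifier, as an inbound firewall rule would.
  * in_allowlist: accept any address inside an allowed /64, so a host whose
    privacy address rotates inside that prefix is still recognised.
"""
import ipaddress


def interface_id(addr: str, prefix_len: int = 64) -> int:
    """Return the low (128 - prefix_len) bits of an IPv6 address as an int."""
    a = ipaddress.IPv6Address(addr)
    host_bits = 128 - prefix_len
    return int(a) & ((1 << host_bits) - 1)


def is_eui64(addr: str) -> bool:
    """True if the interface identifier looks like a modified EUI-64.

    EUI-64 IIDs carry the bytes ff:fe in the middle (e2ab:8fff:fe12:3b6b);
    RFC 4941 privacy addresses and RFC 7217 stable-privacy IIDs do not have
    that fixed marker, so this is only a heuristic for "stable-looking".
    """
    iid = interface_id(addr).to_bytes(8, "big")
    return iid[3:5] == b"\xff\xfe"


def matches_suffix_rule(addr: str, suffix: str, prefix_len: int = 64) -> bool:
    """Mask off the prefix and compare suffixes, e.g. '::e2ab:8fff:fe12:3b6b'.

    Survives an ISP renumbering because the prefix bits are never compared.
    """
    return interface_id(addr, prefix_len) == interface_id(suffix, prefix_len)


def in_allowlist(addr: str, networks) -> bool:
    """Allow-list check on whole prefixes (e.g. a customer's /64)."""
    a = ipaddress.IPv6Address(addr)
    return any(a in ipaddress.IPv6Network(n) for n in networks)


# Constructed sample data: a host with an EUI-64 address, before and after
# the ISP changes the delegated prefix, plus a privacy address in the old /64.
STABLE_SUFFIX = "::e2ab:8fff:fe12:3b6b"
HOST_BEFORE = "2001:db8:1:2:e2ab:8fff:fe12:3b6b"
HOST_AFTER = "2001:db8:9:9:e2ab:8fff:fe12:3b6b"
PRIVACY_ADDR = "2001:db8:1:2:1234:5678:9abc:def0"
ALLOWED = ["2001:db8:1:2::/64"]


if __name__ == "__main__":
    for a in (HOST_BEFORE, HOST_AFTER, PRIVACY_ADDR):
        print(a, "suffix-rule:", matches_suffix_rule(a, STABLE_SUFFIX),
              "eui64:", is_eui64(a), "in /64 allowlist:", in_allowlist(a, ALLOWED))
```

The suffix rule keeps matching the host after the prefix changes, while the /64 allow-list keeps matching the rotating privacy address only as long as the prefix stays the same, which is exactly the trade-off the two comments describe.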
What? Germany is one of the most privacy-aware countries. So people should make some noise. Of course the internet is still a bit new for all of us, as the still-chancellor noted not too long ago... So technical incompetence does not surprise me. Vodafone prefers to make headlines with criminal sales practices.
You can configure your operating system to prefer IPv4 over IPv6. On glibc systems, this can be done by adding e.g. "precedence ::ffff:0:0/96 100" to /etc/gai.conf.