this post was submitted on 24 Sep 2024
103 points (94.8% liked)

Asklemmy

43463 readers
769 users here now

A loosely moderated place to ask open-ended questions

Search asklemmy πŸ”

If your post meets the following criteria, it's welcome here!

  1. Open-ended question
  2. Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
  3. Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
  4. Not ad nauseam inducing: please make sure it is a question that would be new to most members
  5. An actual topic of discussion

Looking for support?

Looking for a community?

~Icon~ ~by~ ~@Double_A@discuss.tchncs.de~

founded 5 years ago
MODERATORS
Cloak@lemmy.ml
mekhos@lemmy.ml
tmpod
14specks@lemmy.ml
103
People still working in IT, thoughts on IPv6? (lemmy.world)
submitted 5 days ago by Tekkip20@lemmy.world to c/asklemmy@lemmy.ml
87 comments fedilink hide all child comments
 

Now currently I'm not in the workforce, but in the past from my work experience, apprenticeship and temp roles, I've always seen ipv4 and not ipv6!

Hell, my ISP seems to exclusively use ipv4 (unless behind nats they're using ipv6)

Do you think a lot of people stick with the earlier iteration because they have been so familiar with it for a long time?

When you look at a ipv6, it looks menacing with a long string of letters and numbers compared to the more simpler often.

I am aware the IP bucket has gone dry and they gotta bring in a new IP cow with a even bigger bucket, but what do you think? Do you yourself or your firm use ipv4 or 6?

top 50 comments
sorted by: hot top controversial new old
[–] todd_bonzalez@lemm.ee 20 points 4 days ago

I have IPv6 at home, at work, on my phone, and my hotspot. I have them on my websites and servers. IPv6 is everywhere for me. I use it all the time. Most people do and don't even realize it.

IPv4 still reigns supreme on a LAN, because you're never going to run out of addresses, even if you're running an enterprise company. IPv6 subnets are usually handed out to routers, so DHCPv6 can manage that address space and you don't need to know anything unless you're forwarding ports on IPv6.

For the Internet, just use hostnames. There's literally zero reason to memorize a WAN address when it could be an A/AAAA record.

[–] davel@lemmy.ml 29 points 4 days ago* (last edited 4 days ago) (4 children)

I think djb was right, over twenty years ago: The IPv6 mess

The IPv6 designers made a fundamental conceptual mistake: they designed the IPv6 address space as an alternative to the IPv4 address space, rather than an extension to the IPv4 address space.

There was an alternative proposal that was backward-compatible with IPv4, but I’ve forgotten the name now.

[–] scrubbles@poptalk.scrubbles.tech 24 points 4 days ago (1 children)

Oh man, that would have been so great. Think of all the networking stacks that could have just been silently upgraded. Just some letters/numbers appended to the front or back. If you only get x bytes then prepend with zeroes. Adoption would have been mostly transparent.

[–] Tower@lemm.ee 15 points 4 days ago

Yup. For those that don't know, that's essentially how utf-8 works -

https://youtu.be/MijmeoH9LT4

load more comments (3 replies)
[–] Sundial@lemm.ee 34 points 4 days ago (3 children)

People still use IPv4 because companies are slow to adopt new technologies. They see it as a huge money drain and if there is not a visible or tangible benefit to it then they won't invest in it. IPv6 is definitely a growing technology, it's just taking it's sweet time. For reference, currently the IPv4 has just under a million routes in the global routing table while IPv6 has ~216K routes. About 5 years ago it was something like 100K for IPv6 and not much has changed for IPv4.

I personally do not like the addressing of IPv6. It's not just the length, but now you have to use colons instead of period to separate the octets which leads to extra key strokes since I have to hold shift to type in a colon. It's a minor thing, but when networking is your bread and butter it adds up.

There are also some other concerns with IPv6. Since IPv6 tries to simplify routing by doing things like getting rid of NATing it also opens us up to more remote attacks. It used to be harder to target a specific user or PC that's behind a NATed IP but now everything is out in the open. I'm sure things will get better as more and more people use it and there will be changes made to the protocol however. It's just the natural evolution of technology.

I am very surprised to hear your ISP is not using IPv6. Seems like they're a little behind the times. Unless they just don't offer it to residential customers, which is still a bit behind the times too I guess.

[–] WheelcharArtist@lemmy.world 28 points 4 days ago* (last edited 4 days ago) (2 children)

Iv6 doesn't try to simplify routing and remove nat. that's just how things work. Nat is a workaround for ipv4.

Ipv6 is around since 1998. that's not slow to adopt, at that point it is just plain refusal from some because of the costs you mentionend

[–] Sundial@lemm.ee 16 points 4 days ago (5 children)

Ipv6 does simplify routing. It has less headers and therefore less overheard. IPv6 addressed the necessity of NAT by adding an obscene amount of possible IPs. Removing the necessity of NAT also simplifies routing as it's less that the router has to do.

Ipv6 as a concept was drafted in the 90s. It didn't start actually being seriously used until ~2006/7ish.

load more comments (5 replies)
load more comments (1 replies)
[–] zurohki@aussie.zone 7 points 4 days ago

IPv6 has a policy of throwing more address space at stuff to make routing simpler, though.

IPv4 will individually route tiny slices of address space all over the world, IPv6 just assigns a massive chunk of space in the first place and calls it a day.

load more comments (1 replies)
[–] skullgiver@popplesburger.hilciferous.nl 21 points 4 days ago* (last edited 4 days ago) (4 children)

It fixes must about every gripe I have with IPv4. It closes the hidden security holes NAT introduces. It pretty much configures itself. It allows you to use multiple Xboxes or Playstations within the same network and play online without faffing about! You can also disable the firewall entirely and basically never get scanned because scanning 2^64 addresses to find one computer is infeasible for bots (though you shouldn't).

The addresses are longer, that's for sure. But you shouldn't be remembering those anyway. That's why DNS exists! If you don't have a local DNS server for some reason, just use mDNS, every device supports it out of the box. yourcomputersname.local will work in place of an IP address in just about everything since Windows Vista.

IPv6 was severely underdeveloped when the Necromancy Address Translation kept IPv4 usable twenty years ago, but we're beyond that now. We have been for a while, actually.

Unfortunately, a lot of network people are the type that learned how networks worked in school forty years ago and decided that this is the way things are and they should never change again. That's how you get things like "TLS 1.3 pretends to be a TLS 1.2 session resumption or half the internet will break" and "only port 80 and 443 are usable on the internet". They even brought DHCP back when IPv6 works perfectly fine without it! At least Google did the right thing and refused to play ball with that malarkey in Android.

The whole address reserve argument never helped much. Super expensive cloud providers are now charging extra for IPv4 addresses but if you're using Amazon AWS you're used to paying through the nose anyway. CGNAT is a much worse problem, with thousands or hundreds of thousands of people sharing the same IPv4 address and basically being forced to solve CAPTCHAs all day because one of their IP coinhabitors has a virus.

As the comments here show, plenty of people can't be bothered. That's fine, legacy websites and devices can just use IPv4, that's the beauty of it.

load more comments (4 replies)
[–] fuckwit_mcbumcrumble@lemmy.dbzer0.com 24 points 4 days ago (2 children)

We turn it off in our office. It doesn’t benefit us.

You could also make the argument that ipv4 through NAT is better for privacy since it obfuscate what, and how many devices are connected to where.

[–] tunetardis@lemmy.ca 12 points 4 days ago (2 children)

When I was first looking into IPv6, people were talking about how you can self-assign an address by simply wrapping an IPv6 address around your MAC address. But that practice seems to have fallen out of favour, and I'm guessing the reason is, as you say, the whole privacy thing? There's a lot of pushback these days against any tech that makes it easier to fingerprint your connection.

[–] perviouslyiner@lemmy.world 9 points 4 days ago* (last edited 4 days ago) (1 children)

That was so insane - "we need a unique number, let's just use the MAC" - it was like people didn't even think through any of the implications when making ipv6 address schemes.

Similar with the address proposals that ignored the need to minimise the size of core internet routing tables.

[–] skullgiver@popplesburger.hilciferous.nl 4 points 4 days ago

That proposal was made when every computer hooked straight into the internet without a firewall. Every device already had a unique IP address that was globally routable and you needed to race to a firewall download page before a scanner would infect your computer (you had about five minutes, much less if you had the network cable plugged in during setup).

The routing table size reduction has always been stupid. The protocol should not be adjusted to help the penny pinchers save on RAM. And the same problem happened to IPv4 a few years ago, because nobody learned their lesson.

[–] skullgiver@popplesburger.hilciferous.nl 6 points 4 days ago (1 children)

With modern IPv6 (say, Windows 7 or later?) IPv6 privacy extensions solve this problem. Basically, you get a whole bunch of addresses. One based on your MAC address so you can port forward/allow incoming connections in the firewall, and then a bunch of rotating random addresses used for outgoing connections. People that know your prefix and MAC address can find your listening PC, but websites won't get your MAC address.

As for fingerprinting, thanks to NAT slipstreaming you can choose between "video calling software breaks" and "every malicious ad can access any port on your device" or in some extreme cases "every malicious ad can access any device in your network". Some websites have also been caught scanning IPv4 networks to figure out where your router lives using standard Javascript, so your IPv4 network isn't any better protected. At least with IPv6 a website can't take ten seconds to scan 255 addresses and figure out how many devices are on your network!

[–] just_an_average_joe@lemmy.dbzer0.com 2 points 4 days ago (1 children)

Noobie question, wouldn't the ISP decide what your outgoing IPv6 address is? Like they do with IPv4? I mean no matter how many times I restart my router, my public IP remains the same so I always thought it was assigned by them.

[–] skullgiver@popplesburger.hilciferous.nl 5 points 4 days ago* (last edited 4 days ago) (3 children)

They assign a prefix. For IPv4 this is usually a /32, or 1 single address, though it's possible to assign larger ranges. I've seen businesses with a /28 on IPv4 for example.

The end device picks what IP addresses within the prefix are used for what. For instance, the server rack may use three IP addresses, the office one, and maybe the IoT network also gets one.

With IPv6 you should be getting a /56 or a /48. In other words, they pick the first 48 to 56 bits of your IP addresses, basically leaving 80 to 72 bytes for the end device to distribute amongst itself. You could give the first device address one and start counting up if you wanted to, but that'd come with the annoying edge case of needing to track what numbers are already in use. If you like a false sense of control, DHCPv6 is what manages this.

SLAAC (the "everything works by default" approach) requires a /64 (64 bits of local address space), so if you want to do routing (say, attach a wireless access point or a second router) and you don't want to do IPv4 hacks that hide IP addresses from each other, you need a few networks. That's why you get 8 to 16 bits of network space, so you can assign 256 to 65536 networks yourself in case you have weird requirements.

If your ISP assigns you 2003:123:def:abc::/48, then you can pick whether you want to assign 2003:123:def:abc::beef:cafe or any random address that starts with the ISP prefix. You have enough space to give every connection of every device on every WiFi network its own IP address every second of the day, but usually addresses are rotated only once per day.

The ISP picking the address range does come with a huge downside, and that's that you can't really use internal IP addresses anymore. To fix that, you can set up a so-called ULA. That's basically a service anywhere on the network that shouts "hey, if you can't, you can pick any address from fdef:abc:abc:abc::/96". By default, devices will pick two addresses (one based on the MAC address and a temporary one), and you can use the one based on the MAC address to plug into your local DNS server.

That way, even if you switch ISPs to one that only does IPv4, you can still use a Pi-Hole at fdef:abc:abc:abc::123:456:789 as your DNS server. These ULAs are completely local, so they can't be reached from the internet.

Though, just to be sure, you should generate a random ULA prefix (there's an algorithm in the standard, but there are sites to do it for you) just in case you have bad luck and connect to someone else's wifi who also thought it'd be funny to use fdef:cafe:babe:b00b::/96 as the local prefix. Completely optional, but best practice.

load more comments (3 replies)
[–] zurohki@aussie.zone 7 points 4 days ago (1 children)

IPv6 has privacy addresses, though. Stuff on my network generates a new random address every day and uses that address for outgoing connections, so you can't really track individual devices inside my network.

[–] fuckwit_mcbumcrumble@lemmy.dbzer0.com 0 points 4 days ago (1 children)

You can just look at what addresses from that range have left the network in any given 24 hour window.

If AAAA is constantly reaching our to aussie.zone one day, and the next day AAAB is reaching out to that address you can pretty easily connect the dots.

load more comments (1 replies)
[–] esc27@lemmy.world 17 points 4 days ago* (last edited 4 days ago) (3 children)

IPv6 is now twice as old as IPv4 was when IPv6 was introduced. 20 years ago I worried about needing to support it. Now I don't even think about it at all.

load more comments (3 replies)
[–] nutsack@lemmy.world 17 points 4 days ago* (last edited 4 days ago)

a teammate implemented it because he thought it would be a good resume project. it added more maintenance work to a lot of pieces, forever. there is no measurable benefit to the business

[–] PotentialProblem@sh.itjust.works 20 points 4 days ago

Company currently uses IPv6! For awhile firewall rules kept biting us as we’d realize something worked in ipv4 but not IPv6 but now I forget it’s even a thing really.

I once paid for a vpc host that was exclusively IPv6 and was shocked how many things broke. I was using it for a discord bot and the discord api didn’t even properly support IPv6 …

[–] r00ty@kbin.life 11 points 4 days ago

I've used IPv6 at home for over 20 years now. Initially via tunnels by hurricane electric and sixxs. But, around 10 years ago, my ISP enabled IPv6 and I've had it running alongside IPv4 since then.

As soon as server providers offered IPv6 I've operated it (including DNS servers, serving the domains over IPv6).

I run 3 NTP servers (one is stratum 1) in ntppool.org, and all three are also on ipv6.

I don't know what's going on elsewhere in the world where they're apparently making it very hard to gain accesss to ipv6.

[–] Max_P@lemmy.max-p.me 10 points 4 days ago (1 children)

I want to love IPv6 but it's unfortunately still basically impossible to get good proper IPv6 in the first place.

At home I'm stuck with fairly broken 6rd that can't be hardware accelerated by my router and the MTU is like 1200 which is like 20% bandwidth overhead just for headers on the packets.

On the server side, OVH does have IPv6 but it's not routed, so the host have to pretend to have all the IPv6 addresses and the OVH routers will only accept like 8 of them in use before its NDP table is full, so assigning an IPv6 to every Docker container fails miserably.

IPv6's main problem is ISPs are so invested in NAT and IPv4 infrastructure they just won't support IPv6. Microsoft, Google and Apple need to team together and start requiring functional IPv6 to create user demand, because otherwise most users don't know about CGNAT and don't care. Everything needs to complain about bad IPv6 connectivity so users complain to ISPs and pressure them into fixing it.

[–] quafeinum@lemmy.world 2 points 4 days ago* (last edited 4 days ago) (1 children)

We were offered a /32(?) for like 1000$/yr… sounds like a good deal tbh

[–] Max_P@lemmy.max-p.me 3 points 4 days ago (1 children)

IPv6 or IPv4?

A /3 of IPv4 for that price is impossible, that'd be 10% of the entire IPv4 space. A /29 (32-3) would be more reasonable but 1k for a block of 8 IPs would be a massive ripoff.

Doesn't make sense for IPv6 either, as that'd be exactly the global unicast range (2::/3), but makes sense they'd give you like a huge block in there, maybe a /32 as that's what they assign to an ISP. As an end user you usually get a /48.

load more comments (1 replies)
[–] 30p87@feddit.org 13 points 4 days ago

I try to force everything to use IPv6. It's a huge pain to support IPv4 as a selfhoster. I never had to specify an IP manually, DNS exists for a reason.

[–] wizardbeard@lemmy.dbzer0.com 10 points 4 days ago (2 children)

With NAT existing, I'm not sure there's a significant reason to switch anymore.

Plus the "surprise" privacy and security benefits of just... not having every network connected device directly addressable by anyone else on the global network. The face of the internet and networking in general, plus the security and safety concerns around it, have changed dramatically since v6 was first created.

[–] tc4m@lemmy.world 12 points 4 days ago (1 children)

NAT is just security by obscurity and actually not really security at all. What's protecting you from incoming scans, etc is your network firewall. That firewall works just the same for IPv6. Blocking incoming traffic for your home network is usually the default setting in your ISP issued router anyway.

Working as a network engineer, NAT in a large scale customer environment can quickly devolve into a clusterfuck. Many times we had week long reachability issues due to intermediate ISPs NATing unexpectedly.

My nemesis is GCNAT, which adds another layer of NAT because some ISPs don't have enough public IP space for all their customers to go around.

I have a customer where their ISP just assigned one of their locations public IPv4 addresses. Neither the customer, nor the ISP owned that address space. Their logic was that this address space is registered on a different continent, so it's basically fair game to use it themselves. Granted, they only route it internally for a MPLS network, but still...

What I'm getting at is that NAT increases complexity and breaks properly routed end to end connections. Everyone kinda fucks up with NAT, especially ISPs (in my opinion anyway).

I can really recommend the IPv6 study material from the major internet registries (took the v6 courses from RIPE NCC myself).

IPv6 is so much simpler for subnetting, writing firewall rules,... IMO the addresses just look kinda clunky.

load more comments (1 replies)
load more comments (1 replies)
[–] aard@kyu.de 5 points 4 days ago

Have been using it since late 90s, stopped using it with the shutdown of SixXs as there still were no viable native options in pretty all my infra locations. Recently started using it again as I finally have an ISP providing proper v6.

[–] yournamehere@lemm.ee 3 points 4 days ago

ipv6 isnt real.

[–] mspencer712@programming.dev 57 points 5 days ago

Mostly I’m scared I’ll write a firewall rule incorrectly and suddenly expose a bunch of internal infrastructure I thought wasn’t exposed.

[–] nick@midwest.social 55 points 4 days ago (2 children)

Cloud infra engineer here.

Answer: I don’t think about it. Nothing fully supports it, so we pretend it doesn’t exist.

[–] PlexSheep@infosec.pub 7 points 4 days ago (1 children)

Which is why "nothing" supports it

load more comments (1 replies)
[–] kamenlady@lemmy.world 15 points 4 days ago

That's exactly my experience with it.

Some certificates are even annoyed by IPv6 and they won't install until i remove any trace of it from the DNS. This should also pretty much be the only occasion I'm forced to deal with IPv6, instead of glancing over it while working on the server configs.

[–] Xanvial@lemmy.world 21 points 4 days ago

Just annoyed when I need to specify port when using IPv6. Needs to add square bracket to workaround ambiguity of colon is kinda bad. How can they decide to use colon instead of another special character??

[–] darklamer@lemmy.dbzer0.com 14 points 4 days ago

Both my employer and my home ISP use IPv6 since many years now and so does all my own stuff, it's wonderfully convenient to have a globally unique address for everything that I connect to the network.

[–] PetteriPano@lemmy.world 13 points 4 days ago

IPv6 was "just around the corner" when I was studying 20+ years ago. I kept a tunnel up until the brokers shut down.

I've been hosting some big (partly proprietary) services for work, and we've been IPv6 compatible for a decade.

My ISP finally gave me native IPv6 earlier this year, which gave me the push to make sure my personal hosting does IPv6 as well. Seems like most big players services support it today. It's nice to not have the overhead that CGNAT brings.

IPv6 got a bit of a bad reputation when operating systems defaulted to 6to4 translation but never actually managed to work.

load more comments
view more: next β€Ί