this post was submitted on 05 Feb 2024
190 points (95.2% liked)
Technology
60080 readers
3878 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
I remember doing an IT course over a decade ago and learning about IPv6 taking over, honestly surprised it hasn't yet. I just looked it up and apparently they came up with it in 1998. How is it taking so long? Is there some technical reason it's harder or something? Does the extra address size mean a not so great trade off in traffic or something?
note: I did study a bit of networking and IT but have forgotten everything mostly and work in a different field, thus my ignorance.
IPv6 is here, and has been for a long time. But if, for example, your web or email server can only be reached over IPv6 some people will not be able to load the site or send emails to you.
The entire internet is configured to work with IPv4. Some of the internet (less than a quarter) is also configured to also work with IPv6.
Imagine if your home had two driveways on different streets. Do you tell everyone both addresses, or do you pick one of them? Probably just one right? Now imagine if the second address can only be reached if someone has an off road capable vehicle. And you don't know what vehicle someone has - which address would you give them? Is it even worth having two driveways?
That's the situation we're in. IPv4 support is required and works perfectly. IPv6 is optional and doesn't always work.
Except it doesn't work perfectly, because it has a relatively small address space. That's why ipv6 exists.
The driveway works perfectly, but it doesn't have space for all the guests if they all want to use their own vehicles.
Thankfully, we have carpooling and rideshares.
Great analogy, thanks
“Luckily” we are reaching the point where IPv4 just isn’t going to be fiscally sustainable for the majority of companies, meaning the push to IPv6 will be hastened.
Though I don’t pretend it isn’t going to be a hell of a ride.
192.169.x.x will always be easier than fe80:x:x::x:x
I had a roommate once who need an IP for something, and because it was a device I had been working with recently, I just rattled off "192.168.0.7" or something.
He was in awe of the fact that I could remember it. However, it's not that difficult when you know the private prefix you use is always "192.168." and that gets burned into your brain. The next octet is often zero (maybe 1 if your home network gets crazy), and you really only need to remember the final octet for the device.
Point is, fe80::x will go the same way. You'll remember fe80, and the rest is however you handled your own network scheme.
(I can never remember the class B private address space, though. Only classes A and C. Never needed to bother with the class B space when you can subnet 10.x.x.x so much.)
No. It's 23 or 42.
I definitely agree with automatically configured stuff, but I enjoy setting link-local static IP address with IPv6, like my home server is
fe80::bad:c0de
or192.168.0.2
, and my NAS isfe80::coo1:da1a
or192.168.0.3
. I've definitely mistyped the IPv4 a few times (see your 169 typo), but the IPv6 always delivers hackerman vibes.I have also set
::bad:c0de
and have my IPv6 prefix on a keybind, but I understand that's a bit of a stretch.I have never thought of writing things with static ipv6.
I have been missing out.
You're missing out your
::cafe
'sfe80::dead:beef
fd00::x is shorter than 192.168.x.x
Technically you're supposed to use fdxx:xxxx:xxxx::x, but on your home network nobody cares.
There are huge gaps in ipv6 adoption which means most users and services must continue to support and use ipv4.
Since everyone has to continue ipv4 support, there's not much motivation to push general adoption of ipv6. Maintaining dual stack support has its own costs.
Even within AWS, many of their services still don't support ipv6. AWS fees for ipv4 addressing may end up being a comparatively big driver for adoption.
You just outlined a reason for AWS not to fully support IPv6 as well.
In addition to what the other commented said, a lot of sys and net admins really don't like the idea of every lan device being globally addressable, while there's ways around it, a standard ipv4 Nat is a safety blanket to a lot of admins... Not that it should be like that, just my observation.
Those admins don't know what they're talking about. IPv6 has a region of the address space that can only be reached locally - similar to the 192.168.x.x space in IPv4. The only difference is it's really big (way bigger than the entire IPv4 space).
As for NAT... there's nothing stopping you from using it with IPv6. It's often unnecessary, but if you disagree you can use it. And in practice NAT is often part of the transition process to IPv6 - my cell network carrier for example gives my phone an IPv6 address on their internal network but routes all my traffic to the regular internet via IPv4. They are using NAT to do that. If you try to ping my phone's IPv6 address, it won't reach my phone.
Honestly my biggest issue with ipv6, aside from not understanding it, which I don't, at all, I've realized while setting up my own opnsense firewall, is that they decided on FUVKING COLONS. AND LETTERS. Okay, cool, hexadecimal exists, that's swell, but typing them is such a fucking pain in the ass.
There's no way to put your fingers on a keyboard to make it feel natural.
While I agree that it is godawful to type and worse to read, let alone remember, you wouldn’t want these addresses in full decimal notation…
Nothing the mechanical keyboard community can't solve.
https://ipv6buddy.com/
They need to stop that nonsense. NAT is not for security, and was not designed for security purposes. In fact, there are a few ways it subverts security, such as SNI in TLS making the connection less private than it could be.
If they want to block external connections, a border firewall can do the job just fine without NAT. It's arguably better, because NAT complicates existing firewall rules and their implementation in code. Complications are the enemy of security.
How do you anonymize ip addresses without effectively recreating nat using firewall rules?
Mu. Why do you feel the need to anonymize IP addresses?
There is no way to personally identify anyone. Right now advertisers have to jump through hoops of cookies and browser fingerprinting to identify you- which can be blocked.
They still wouldn't. A single computer address is not an individual. They're only slightly better off compared to knowing the edge router IP like they do now.
If you really want to protect against that, then use a proxy or an onion router. NAT was never meant to do this, and it does it poorly.
It is extremely likely to be the same user. Shared computers are rare today.
So what? They still don't have much more information than the edge router IP. Again, if you want to protect yourself here, use a proxy, onion router, or VPN. NAT is not designed to tackle this, and does it poorly.
In a large cooperate network, or even a small network, there's nothing fixing a device to a specific network address. You can shuffle those around between people entering and leaving the building and device power cycles just like DHCP does for IPv4.
It's more complicated and v4 is already there. That was the reasoning and it hasn't changed even though by now it should have.
To add to what others have said, I've heard that wide adoption of NATing as a standard practice basically ensured IPv4 longevity well beyond its logical end. This along with the cost to fully upgrade a network to IPv6 meant there was no financial incentive for companies to adopt it.
With Amazon starting to charge for IPv4 addresses, it won't be long before Google and Microsoft do the same with GCP and Azure. This may be the financial kick in the ass to get large enterprise environments to finally commit to IPv6.
Financial incentive does exist, but the problem is that it's a tragedy of the commons. Me upgrading only makes sense if everything else is also upgraded. Until then, it makes sense for me not to spend anything. However, everyone else is making exactly that same calculation.
ISPs have a lot of trouble managing IPv4. How much so depends on when you got your allocations. The first ISPs in the US got tons. The ones that grew out in other countries had to pick over the scraps. Even later US ISPs, particularly mobile carriers, got hit just as hard.
Those later arrivals have to implement Carrier Grade NAT, where all traffic goes through a small set of IPv4 addresses. Sometimes, it's multiple layers of NAT. It takes extra equipment and network design to support all this, which in turn affects speed, reliability, and cost.
Even tough IPv6 is technically superior to IPv4 for the network operator it doesn't have clear benefits for home users.
Having global addresses instead of NAT means less control over your LAN and these unique public addresses can track users more accurately.
You can still have internal IP addresses and things like the router firewall work pretty much like they always have. I'm not sure what you mean by less control really.
I feel like that concern is overblown. You get way more information from DNS, for way cheaper, than you get from "there were 27 devices, now there are 28!" and both takes being the ISP and observing the traffic.
It's also not like VPNs can't work in IPv6 land for people that really are conscious of hiding as much information about what they're doing from their ISP as possible.
is there any reason why we can't still use NAT with IPv6? it seems like that would solve at least some of the problems.
In principle, no. In practice I looked into it to do a quick job of enabling ipv6 on my router and the software either just doesn't do it, or fights you actively.
Generally speaking ipv6 is a PITA to administer, at least from the POV of someone who's not a professional network admin and can't be arsed to spend a month learning a gazillion new concepts when I can be just fine with ipv4.
It is possible, it's just not generally supported be ISP routers. Also there is a possibility of performance issues since IPv4 NAT often relies on hardware acceleration which might not work for NAT6.
Because you shouldn't. NAT causes so many issues, nobody sane is implementing NAT for IPv6 as an out of the box option.
I'm still trying to figure out good nftables rules for ipv6 prefix delegation...