• Vlyn@lemmy.zip
      link
      fedilink
      English
      arrow-up
      49
      arrow-down
      1
      ·
      5 months ago

      My ISP doesn’t support IPv6, now what?

      It’s really bullshit.

    • eclipse@lemmy.world
      link
      fedilink
      arrow-up
      12
      arrow-down
      2
      ·
      5 months ago

      It also means you no longer need the kludge that is NAT. Full E2E connectivity is really nice – though I’ve found some network admins dislike this idea because they’re so used to thinking about it differently or (mistakenly) think it adds to their security.

      • ikidd@lemmy.world
        link
        fedilink
        English
        arrow-up
        19
        arrow-down
        3
        ·
        5 months ago

        NAT still has its place in obfuscating the internal network. Also, it’s easier to think about firewall/routing when you segregate a network behind a router on its own subnet, IMO.

        • eclipse@lemmy.world
          link
          fedilink
          arrow-up
          12
          arrow-down
          1
          ·
          5 months ago

          Given how large the address space is, it’s super easy to segregate out your networks to the nth degree and apply proper firewall rules.

          There’s no reason your clients can’t have public, world routeable IPs as well as security.

          Security via obfuscation isn’t security. It’s a crutch.

          • efstajas@lemmy.world
            link
            fedilink
            arrow-up
            10
            arrow-down
            1
            ·
            edit-2
            5 months ago

            There’s no reason your clients can’t have public, world routeable IPs as well as security.

            There are a lot of valid reasons, other than security, for why you wouldn’t want that though. You don’t necessarily want to allow any client’s activity to be traceable on an individual level, nor do you want to allow people to do things like count the number of clients at a particular location. Information like that is just unnecessary to expose, even if hiding it doesn’t make anything more secure per se.

            • r00ty@kbin.life
              link
              fedilink
              arrow-up
              12
              ·
              5 months ago

              Well good news. Because ipv6 has a thing called privacy extensions which has been switched on by default on every device I’ve used.

              That generates random ipv6 addresses (which are regularly rotated) that are used for outgoing connections. Your router should block incoming connections to those ips but the os will too. The proper permanent ip address isn’t used for outgoing connections and the address space allocated to each user makes a brute force scan more prohibitive than scanning the whole Ipv4 Internet.

              So I’m going to say that using routable ipv6 addresses with privacy extensions is more secure than a single Ipv4 Nat address with dnat.

        • frezik@midwest.social
          link
          fedilink
          arrow-up
          7
          arrow-down
          1
          ·
          5 months ago

          Obfuscation is not security, and not having IPv6 causes other issues. Including some security/privacy ones.

          There is no problem having a border firewall in IPv6. NAT does not help that situation at all.

          • ikidd@lemmy.world
            link
            fedilink
            English
            arrow-up
            7
            arrow-down
            1
            ·
            5 months ago

            Obfuscation is not security

            Yes, of course. But saying trite things like that doesn’t get around the idea that giving out a map of the internal network by default isn’t the best policy.

            • frezik@midwest.social
              link
              fedilink
              arrow-up
              4
              arrow-down
              3
              ·
              5 months ago

              So instead we open up a bunch of other issues.

              With CGNAT, governments still spy on individual addresses when they want. Since those individual addresses now cover a whole bunch of people, they effectively spy on large groups, most of whom have nothing to do with whatever they’re investigating. At least with IPv6, it’d be targetted.

              NAT obscurity comes at a cost. Its gain is so little that even a small cost eliminates its benefit.

              • ikidd@lemmy.world
                link
                fedilink
                English
                arrow-up
                3
                ·
                edit-2
                5 months ago

                Governments are not anyone’s issue other than other governments. If your threat model is state actors, you’re SOL either way.

                Making it harder for everyone else is the goal, and to do that you need a swiss cheese model. Hopefully all the holes don’t line up between the layers to make it that much harder to get through. You aren’t plugging all the holes, but every layer you put on makes it a little bit harder.

                And NAT is not just simple to set up, it’s the intuitive base for the last 30 years of firewalls. I don’t see where you get a cost from it. As I said, separating network spaces with it comes naturally at this point. Maybe that’ll change, but I remember using routable IPV4 when it was it the norm, and moving to NAT made that all feel way more natural.

                • frezik@midwest.social
                  link
                  fedilink
                  arrow-up
                  4
                  ·
                  5 months ago

                  Governments are not anyone’s issue other than other governments. If your threat model is state actors, you’re SOL either way.

                  That’s a silly way to look at it. Governments can be spying on a block of people at once, or just the one person they actually care about. One is clearly preferable.

                  Again, the obscurity benefit of NAT is so small that literally any cost outweighs it.

                  I don’t see where you get a cost from it.

                  • Firewall rules are more complicated
                  • Firewall code is more complicated
                  • Firewall hardware has to be beefier to handle it
                  • NAT introduces more latency
                  • CGNAT introduces even more latency
                  • It introduces extra surface area for bugs in the firewall code. Some security related, some not. (I have one NAT firewall that doesn’t want to setup the hairpin correctly for some reason, meaning we have to do a bunch of workarounds using DNS).
                  • Lots of applications have to jump through hoops to make it through NAT, such as VoIP services
                  • Those hoops sometimes make things more susceptible to snooping; Vonage VoIP, for example, has to use a central server cluster to keep connections open to end users, which is the perfect point to install snooping (and this has happened)
                  • . . . and that centralization makes the whole system more expensive and less reliable
                  • A bunch of apps just never get built or deployed en masse because they would require direct addressing to work; stuff like a P2P instant messenger
                  • Running hosted games with two people behind NAT and two people on the external network gets really complicated
                  • . . . something the industry has “fixed” by having “live service” games. In other words, centralized servers.
                  • TLS has a field for “Server Name Indication” (SNI) that sends the server name in plaintext. Without going far into the details, this makes it easier for the ISP to know what server you’re asking for, and it exists for reasons directly related to IPv4 sticking around because of NAT. Widespread TLS use would never have been feasible without this compromise as long as we’re stuck with IPv4.

                  We forced decisions into a more centralized, less private Internet for reasons that can be traced directly to NAT.

                  If you want to hide your hosts, just block non-established, non-related incoming connections at your firewall. NAT does not help anything besides extending IPv4’s life.

            • frezik@midwest.social
              link
              fedilink
              arrow-up
              3
              arrow-down
              1
              ·
              edit-2
              5 months ago

              But why bother? “Let’s make my network slower and more complicated so it works like a hack on the old thing”.

        • zurohki@aussie.zone
          link
          fedilink
          English
          arrow-up
          6
          ·
          5 months ago

          That’s what temporary privacy addresses are for. Clients can just keep generating new addresses in your /64, which is it’s own subnet.

      • DigitalDilemma@lemmy.ml
        link
        fedilink
        arrow-up
        4
        ·
        5 months ago

        I think you’ll find some ISPs will be reluctant to let go of CGNAT - they’re doing quite nicely by charging extra for ‘commercial’ services where it’s not in the way.

        Fortunately, many of us know about cloudflare tunnelling and other services, so NAT really isn’t a problem to self hosters and even SMEs any more.

          • maccentric@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            1
            ·
            5 months ago

            What would you recommend? I have a client with some pretty old hardware (FVS 318) installed that I suspect is causing some issues on their network.

            • eclipse@lemmy.world
              link
              fedilink
              arrow-up
              1
              ·
              edit-2
              5 months ago

              Honestly, these days I have no idea. When I said “wouldn’t recommend” that wasn’t an assertion to avoid; just a lack of opinion. Most of my recent experience is with Cloud vendors wherein the problem domain is quite different.

              I’ve had experience with most of the big vendors and they’ve all had quirks etc. that you just have to deal with. Fundamentally it’ll come down to a combination of price, support requirements, and internal competence with the kit. (Don’t undermine the last item; it’s far better if you can fix problems yourself.)

              Personally I’d actually argue that most corporates could get by with a GNU/Linux VM (or two) for most of their routing and firewalling and it would absolutely be good enough; functionally you can do the same and more. That’s not to say dedicated machines for the task aren’t valuable but I’d say it’s the exception rather than rule that you need ASICs and the like.

        • frezik@midwest.social
          link
          fedilink
          arrow-up
          6
          ·
          5 months ago

          It wasn’t designed for a security purpose in the first place. So turn the question around: why does NAT make a network more secure at all?

          The answer is that it doesn’t. Firewalls work fine without NAT. Better, in fact, because NAT itself is a complication firewalls have to deal with, and complications are the enemy of security. The benefits of obfuscating hosts behind the firewall is speculative and doesn’t outweigh other benefits of end to end addressing.

          • AceBonobo@lemmy.world
            link
            fedilink
            arrow-up
            1
            ·
            5 months ago

            The main benefit of a NAT is that by default it prevents all external access to the hosts inside the network. Any port you have open is not accessible unless explicitly forwarded.

            This has a lot of security benefits. Regardless, everything you said is sounds true to me.

            • frezik@midwest.social
              link
              fedilink
              arrow-up
              4
              ·
              edit-2
              5 months ago

              You can get exactly the same benefit by blocking non-established/non-related connections on your firewall. NAT does nothing to help security.

              Edit: BTW–every time I see this response of “NAT can prevent external access”, I severely question the poster’s networking knowledge. Like to the level where I wonder how you manage to config a home router correctly. Or maybe it’s the way home routers present the interface that leads people to believe the two functions are intertwined when they aren’t.

              • AceBonobo@lemmy.world
                link
                fedilink
                arrow-up
                1
                ·
                edit-2
                5 months ago

                I didn’t mean prevent, just makes it harder by default. You can still open connections from within the NAT

                Edit: I do admit to failing at accessing my IPv6 PC from my IPv6 phone

                Edit2: apparently NAT is full of security bugs

                • frezik@midwest.social
                  link
                  fedilink
                  arrow-up
                  2
                  ·
                  5 months ago

                  If your home router blocked incoming connections on IPv4 by default now, then it’s likely to continue doing so for IPv6. At least, I would hope so. The manufacturer did a bad job if otherwise.

            • hank_and_deans@lemmy.ca
              link
              fedilink
              arrow-up
              1
              ·
              5 months ago

              Yeah, no. If remote hosts could not send traffic to hosts behind NAT almost nothing would work.

              The hacks employed to make NAT work make security worse, not better.

              • AceBonobo@lemmy.world
                link
                fedilink
                arrow-up
                1
                ·
                edit-2
                5 months ago

                You’re talking about NAT traversal? We do have control over which we apps we run though?

                Edit: apparently NAT is full of bugs

        • arin@lemmy.world
          link
          fedilink
          English
          arrow-up
          3
          ·
          5 months ago

          4k was fine until I tried watching 8k 60fps HDR on YouTube, disabling IPv6 fixed it. It was weird because speedtest and torrents were completely fine using full bandwidth, just YouTube needed me to disable ipv6

      • r00ty@kbin.life
        link
        fedilink
        arrow-up
        9
        ·
        5 months ago

        Weird. Ipv6 and YouTube stats for nerds shows between 140mbit and 600mbit depending on what’s being watched and the time of day.

        Is it possible your isp has problems with their ipv6 setup?

        IPv6 overheads should only have a marginal impact on max speeds.

        • IphtashuFitz@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          ·
          5 months ago

          I’ve heard of all sorts of issues with my fiber ISP (Verizon Fios) rolling out IPv6. It’s been years that they’ve been slowly rolling it out for testing in a few places. There’s virtually no useful documentation on their website about it. And it’s still not available where I am.

    • smb@lemmy.ml
      link
      fedilink
      arrow-up
      3
      ·
      5 months ago

      ipv6 in companies… ipv6 is not hard, but for internal networking no company (really) “needs” more than rfc1918 address space. thus any decision in that direction is always “less” needed than any bonus for (da)magement personnel is crucial for the whole companies survival…

      for companies services to be reachable from outside/ipv6 mostly “only” the loadbalancers/revproxies etc need to be ipv6 ready but … this i.e. also produces logs that possibly break decades old regexes that no one understands any more (as the good engineers left due to too many boni payed to damagement personnel) while other access/deny rules that could break or worse let through where they should block (remember that 192.168. could the local part of ipv6 IF sone genious used a matching mech that treats the dot “.” as a wildcard as overpayed damagement personnel made them rush too fast), could be hidden “somewhere”. altogether technical debt is a huge blocker for everything, especially company growth, and if no customer “demands” ipv6, then it stays on the damagement personnels list as “fulfilling the whishes of engineers to keep them happy” instead of on the always deleted “cleaning up technical debt caused by damagement personnel” list.

      setting up firewalls for ipv6 is quite easy and if you go the finegrained “whitelisted or drop/block” approach from the beginning it might take a bit for ipv6 specials to be known to you, but the much bigger thing is IMHO the then current state of firewall rules. and who knows every existing rule? what rules should be removed already and must not be ported to ipv6? usually firewalls and their rules are a big mess due to … again too many boni payed to damagement personnel, hindering the company from the needed steps forward…

      ipv6 adoption is slow for reasons that are driving huge cars that in turn speed up other problems ;-|

        • smb@lemmy.ml
          link
          fedilink
          arrow-up
          3
          ·
          5 months ago

          i once had to look at a firefall appliance cluster, (discovered, it could not do any failover in its current state but somehow the decider was ok with that) but when looking at its logs, i discovered an rsh and rcp access from an ip address that belonged to a military organisation from a different continent. i had to make it a security incident. later the vendor said that this was only the cluster internal routing (over the dedicated crosslink), used for synchronisation (the thing that did not work) and was only used by a separate routing table only for clustersync and that could never be used for real traffic. but why not simply use an ip that you “own” by yourself and PTR it with a hint about what this ip is used for? instead of customers scratching their head why military still uses rcp and rsh. i guess because no company reads firewall logs anyway XD

          someone elses ip? yes! becuase they’ll never find out !!1!

          i really appreciate that ipv6 has things like a dedicated documentation address range and that fc00:/7 is nicely short.

  • Norgur@fedia.io
    link
    fedilink
    arrow-up
    84
    arrow-down
    1
    ·
    5 months ago

    I also know that I cannot tell the difference between two IPv6 addresses because they all merge into an indiscernible blur inside my head

  • Kerb@discuss.tchncs.de
    link
    fedilink
    arrow-up
    44
    ·
    edit-2
    5 months ago

    ::1 is the new 127.0.0.1
    :: abbreviates empty fields
    ipv6 has more addresses
    there is something going on with mac addresses (asside from arp)

    thats all i remember

      • twei@discuss.tchncs.de
        link
        fedilink
        arrow-up
        11
        ·
        edit-2
        5 months ago

        fc00::/7 are ULA (basically what RFC1918 was for IPv4) not entirely true, fc00::/8 is part of ULA, but it is not yet defined. Use fd00::/8 instead.
        2001:db8::/32 is for documentation purposes

        • eclipse@lemmy.world
          link
          fedilink
          arrow-up
          3
          ·
          5 months ago

          IMO they shouldn’t have allowed ULA as part of the standard. There’s no good reason for it.

          • nonentity@sh.itjust.works
            link
            fedilink
            arrow-up
            7
            ·
            5 months ago

            I use ULA prefixes to ensure the management interfaces of my devices don’t leak via public routes.

            It’s one of the unique parts of the standard IPv6 stack not back ported to IPv4, that an interface on any host can be configured with multiple addresses. It permits functional isolation with the default routing logic.

            IPv6 is far from perfect, but the majority of the arguments I’ve seen against deploying it are a mixture of laziness, wilful ignorance, and terminal incuriosity.

            • eclipse@lemmy.world
              link
              fedilink
              arrow-up
              2
              ·
              5 months ago

              I might be misunderstanding. It’s definitely possible to have as many IPv4 aliases on an interface as you want with whatever routing preferences you want. Can you clarify?

              I agree with your stance on deployment.

              • nonentity@sh.itjust.works
                link
                fedilink
                arrow-up
                3
                ·
                5 months ago

                Configuring multiple v4 addresses on an interface is a kludge, typically only used on hosts which apply inter-network routing logic. It’s an explicit, primary function of the standard v6 specifications.

                With v4, you would use either RFC1918 and NAT, or plumb a public address to the host.

                With v6 you should use a ULA and an address with a public prefix, and selectively open ports/services to on appropriate address.

                An example is the file sharing and administration daemons on my NAS are only bound to its ULA. I don’t need to worry whether it will accidentally be exposed publicly through fat fingering my firewall config, because it will never route beyond my gateway.

          • zurohki@aussie.zone
            link
            fedilink
            English
            arrow-up
            3
            ·
            5 months ago

            Yeah there is: not breaking all your internal traffic when the wan link goes down and you lose your prefix.

            • eclipse@lemmy.world
              link
              fedilink
              arrow-up
              1
              ·
              edit-2
              5 months ago

              I can potentially see that scenario if your transit provider is giving you a dynamic prefix but I’ve never seen that in practice. The address space is so enormous there is no reason to.

              Otherwise with either of RADVD or DHCPv6 the local routers should still be able to handle the traffic.

              My home internal network (v6, SLAAC) with all publicly routeable addresses doesn’t break if I unplug my modem.

              • frezik@midwest.social
                link
                fedilink
                arrow-up
                5
                ·
                5 months ago

                IIRC, there are some sloppy ISPs who are needlessly handing out prefixes dynamically. ISPs seem to be doing everything they can to fuck this up, and it seems more incompetence than malice. They are hurting themselves with this more than anybody else.

        • zurohki@aussie.zone
          link
          fedilink
          English
          arrow-up
          2
          ·
          5 months ago

          You’re not supposed to use fc00::/8, so it’s just the fd00::/8 half that’s the new ULA.

  • feoh@lemmy.ml
    link
    fedilink
    arrow-up
    27
    ·
    5 months ago

    I keep hearing this, and I KNOW it’s true at the enterprise level, but I’ve been running my home LAN IPv6 native for the last - 6+ years? Ever since I learned Comcat would vend it to you from their stock router.

    Works great. No problems. Didn’t used to be that way, but these days most (more?) of the stack bugs have been shaken out.

    • PowerCrazy@lemmy.ml
      link
      fedilink
      English
      arrow-up
      8
      ·
      5 months ago

      I’m a network engineer and I run ipv6 natively in all of our datacenters. There are even a handful of end systems that have ipv6 native networking stacks with ipv4 sockets for our non-ipv6 compatible applications. IPv6 issues are basically self-inflicted at this point by companies that see their IT systems as cost centers, or by basilisk directors who’s knowledge stopped in the 90’s.

      • feoh@lemmy.ml
        link
        fedilink
        arrow-up
        1
        ·
        5 months ago

        Yeah, I feel like this is one of those memes that just travevls like lightning because it’s attractive to people.

        IPv6 WAS crazy bad for a very long time, so I can kind of understand it at least, but wake up and smell the 128 bit addressing people, ipv6 is a SUPER useful tool when you need it :)

  • EtzBetz@feddit.de
    link
    fedilink
    arrow-up
    22
    ·
    5 months ago

    I am hosting a few services on my LAN over IPv6, except for Plex, which I am tunneling through IPv4, since Plex itself used to have issues with IPv6.

    It’s always funny when friends complain that one of my services is down, it was 100% IPv6 not working/enabled/willingly disabled on their site yet.

  • sgibson5150@slrpnk.net
    link
    fedilink
    arrow-up
    18
    ·
    5 months ago

    I made an effort to learn it. In 2000. Again in 2012 or whenever the last big push was. If past is prologue, I may need to learn it again soon. 😆

      • Fonzie!@ttrpg.network
        link
        fedilink
        arrow-up
        7
        ·
        edit-2
        5 months ago

        It is in the style of the original, where during Covid the page on “Migrating to the Netherlands” simply just started with “Do not migrate to the Netherlands”, before expanding on the Covid restrictions on place and what foreign nationals currently in the Netherlands are to do.

        On one hand: Now that’s loud & clear communication. On the other hand, “Just don’t” really ties in to the stereotype of Dutch directness/rudeness.

        • Boomkop3@reddthat.com
          link
          fedilink
          arrow-up
          3
          ·
          5 months ago

          Being direct is not rude, in my opinion. I don’t know why people need things so sugarcoated. Being direct, to me, is a sign of respect

  • smb@lemmy.ml
    link
    fedilink
    arrow-up
    4
    arrow-down
    1
    ·
    5 months ago

    maybe start with an adjustable setup:

    • rent a cheap vm, i got one for 1€/month (for the first year,cancel monthly) from ovh currently
    • setup 3 openvpn instances to redirect all routes through the tunnel, one with ipv4 only, one with ipv6 only and one with both
    • setup the client on your mobile phone and your laptop both with all three vpns to choose from
    • have the option to choose now and try out ipv6, standalone or dualstack depending on what vpn you switch on
    • use this setup to blame services that don’t support ipv6 yet or maybe are broken with dualstack 🤣
    • rise from under-the-stone (disabling ipv6 only) to in-sunlight (to a well-above-industry-standart-level !!! “quick” new network technologies adopting “genious”) 🤣
    • improve your openvpn setup from above to be reachable “by” ipv6 too if you haven’t done it from the beginning, done: reach the pro-level of the-late-adopter-noob-group

    (if you want, ask for config snippets)

    btw i prefer to wait for ipv8😁 before “demanding” ipv6 from services i use 🤣

  • smileyhead@discuss.tchncs.de
    link
    fedilink
    English
    arrow-up
    2
    ·
    edit-2
    5 months ago

    I pay yearly more for IPv4 address space for virtual machines on my dedicated server than for that dedicated server itself _(ツ)_/.

    Let that thing die.

    Monthly summary:

    54.40€ - 30 IPv4 addresses
    0.00€ - 18 quintillion IPv6 addresses
    38.39€ - whole server for dozens of services

    • AlwaysTheir@lemmy.one
      link
      fedilink
      English
      arrow-up
      1
      ·
      5 months ago

      Someone is using Hetzner. :) Yes let IPv4 fade away. Still what services are you running that require so many unique IPs?

    • frezik@midwest.social
      link
      fedilink
      arrow-up
      9
      ·
      5 months ago

      For individuals. There are tons of benefits for everyone collectively, but as is often the case, there’s not enough incentive for any one person to bother until everybody else does.

      • electricprism@lemmy.ml
        link
        fedilink
        arrow-up
        1
        ·
        5 months ago

        I’d be open to considering those but I never had a website break it down in a material way. At best 6 to me is shiny and side grade – if it results in major labor and time spent without reasonable benefit within a LAN then it’s not going to be a humdinger. Of course like I said if there are arguments to be made I’m happy to contemplate them.

        YMMV, for me the juice hasn’t been worth the squeeze yet and I’m not sure it ever will.

    • orangeboats@lemmy.world
      link
      fedilink
      arrow-up
      5
      ·
      5 months ago

      I use IPv6 exclusively for my homelab. The pros:

      • No more holepunching kludge with solutions like ZeroTier or Tailscale, just open a port and you are pretty much good to go.

      • The CGNAT gateway of my ISP tends to be overloaded during the holiday seasons, so using IPv6 eliminates an unstability factor for my lab.

      • You have a metric sh*t ton of addressing space. I have assigned my SSH server its own IPv6 address, my web server another, my Plex server yet another, … You get the idea. The nice thing here is that even if someone knows about the address to my SSH server, they can’t discover my other servers through port scanning, as was typical in IPv4 days.

      • Also, because of the sheer size of the addressing space, people simply can’t scan your network.

    • qpsLCV5@lemmy.ml
      link
      fedilink
      arrow-up
      5
      ·
      5 months ago

      personally, i’d have pretty big benefits for my homelab if i could use my own ipv6 range for everything. having only a singe public IP is just very limiting.

      sadly, my ISP does give out ipv6 for home networks, but i cannot connect to any of them from my mobile phone with the same carrier. so that’s fun. they talked about rolling out ipv6 on mobile networks years ago, but i guess it’ll take a few more…

      • electricprism@lemmy.ml
        link
        fedilink
        arrow-up
        1
        ·
        edit-2
        5 months ago

        YMMV. Time, energy, compat*ability problems, unforseen issues which cost time debugging.

        Again, I’m speaking for me – there has to be a tangible real benefit and within networks even with 100 devices IPv4 does the job better than fine and better than IPv6 for some folks.

        Not to mention its just plain easier to remember 4 octet sets of numbers running from machine to machine in an office than 6 or 8 or whatever.