
Comcast Automatically Enabling IPv6 in San Francisco - 2bluesc
http://blog.kylemanna.com/ipv6/2015/06/13/comcast-automatically-enabling-ipv6-in-san-francisco/
======
X-Istence
An engineer at Comcast in this nanog video [1] claims they have 60%
penetration in their own network for IPv6. Which is excellent news.

[1]:
[https://www.youtube.com/watch?v=EfjdOc41g0s&app=desktop](https://www.youtube.com/watch?v=EfjdOc41g0s&app=desktop)

~~~
junto
What are the security and privacy implications for home users when an ISP
simply switches them on?

~~~
2bluesc
The biggest that comes to mind is that with dual stack IPv6 all the people
running through IPv4 anonymizing VPNs will be bypassed for sites that support
IPv6. Oops.

IPv6 has some minor privacy extensions too, but likely still allow you to be
geolocated.

~~~
X-Istence
This is something the VPN providers need to fix, either by setting a default
IPv6 route that doesn't go anywhere so happy eyeballs will follow IPv4 or by
adding IPv6 to their proxies.
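
One way to check for the bypass discussed above (IPv6 routed natively while only IPv4 goes through the tunnel), and whether the blackhole-default fix is in place. This is an added example, not code from the linked post or from any VPN product; it parses the text printed by Linux `ip -6 route show`, and the interface names and route table below are constructed samples.

```python
"""Spot an IPv4-only VPN being bypassed by a native IPv6 default route.

Added example, not from the linked post or any VPN product. Parses the
text printed by `ip -6 route show` (Linux iproute2); interface names and
the route table below are constructed samples.
"""
import re

# Constructed: dual-stack host, IPv4-only VPN up on tun0, and a router
# advertisement on eth0 that installed a native IPv6 default route.
SAMPLE_ROUTES = """\
2001:db8:ab:cd::/64 dev eth0 proto kernel metric 256
fe80::/64 dev eth0 proto kernel metric 256
fe80::/64 dev tun0 proto kernel metric 256
default via fe80::1 dev eth0 proto ra metric 1024
"""

ROUTE_RE = re.compile(
    r"^(?:(?P<type>blackhole|unreachable|prohibit)\s+)?(?P<dst>\S+)"
    r"(?:\s+via\s+\S+)?(?:\s+dev\s+(?P<dev>\S+))?"
    r"(?:.*?\bmetric\s+(?P<metric>\d+))?"
)


def parse_routes(text):
    """Turn `ip -6 route show` output into dicts; metric defaults to 1024."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        routes.append({"type": m.group("type") or "unicast",
                       "dst": m.group("dst"), "dev": m.group("dev"),
                       "metric": int(m.group("metric") or 1024)})
    return routes


def ipv6_leak_status(text, vpn_dev):
    """Classify the best IPv6 default route: 'vpn' (IPv6 is tunnelled too),
    'blackholed' (the fix described above: Happy Eyeballs then falls back to
    IPv4), 'leak' (native IPv6 bypasses the tunnel) or 'none'."""
    defaults = [r for r in parse_routes(text) if r["dst"] in ("default", "::/0")]
    if not defaults:
        return "none"
    best = min(defaults, key=lambda r: r["metric"])   # lowest metric wins
    if best["type"] != "unicast":
        return "blackholed"
    return "vpn" if best["dev"] == vpn_dev else "leak"
```

On Linux the route-to-nowhere described above can be installed with `ip -6 route add blackhole default metric 1`, which outranks the metric-1024 default a router advertisement installs.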

------
2bluesc
Side note, just noticed that Comcast SF broke my /60 prefix delegation that
had been working for almost 2 years[1].

Appears to be affecting DSLR[2] users too. Anyone else observe this?

[1]
[https://gist.github.com/1cec3537f61aefd1d6bc](https://gist.github.com/1cec3537f61aefd1d6bc)

[2]
[https://www.dslreports.com/forum/r30112054-IPv6-IPv6-prefix-...](https://www.dslreports.com/forum/r30112054-IPv6-IPv6-prefix-delegation-stuck-with-64)

~~~
eeZi
Apparently, there are Comcast employees on the dslreports.com which actually
helped users there. Cool.

------
nemothekid
Comcast has been doing this for a while, at least in SF. I first noticed,
through Gmail as well, that I've been using IPv6 for at least 2 years now. I
think they started the rollout back in 2013.

~~~
RyJones
I got IPv6 from Comcast near Seattle the day after Thanksgiving, 2013.
[https://www.flickr.com/photos/ryjones/11079544726/](https://www.flickr.com/photos/ryjones/11079544726/)

------
klodolph
You're going to need to start testing both IPv6 and IPv4 on your servers. An
nginx misconfiguration on my server gave clients a redirect loop, but only for
IPv6 clients. Analytics show ~15% IPv6 penetration for the last app I made,
and it was a bit embarrassing that it was broken at first. Reverse DNS on IPv6
client addresses gave me Comcast host names.

~~~
tomjen3
Or, which is what most places are going to do, turn off AAAA names.

~~~
simoncion
If you've a correctly configured network, you can disable IPv6 without
screwing with DNS. All you have to do to your IPv4-only network is...
absolutely nothing.

------
kstrauser
I've had native IPv6 in Alameda for a couple of years now. I've had literally
no problems, ever, with it and haven't once disabled it or otherwise adjusted
my configuration to make a service work.

------
eeZi
In Germany, Unitymedia - the largest cable ISP - did so as well. You don't
even get a public IPv4 anymore unless you call them and beg, and apparently
they stopped doing even that.

~~~
stock_toaster
Do they run NAT64 or something for reaching the ip4'ternet?

~~~
Flockster
The standard is called Dual-Stack Lite, which means you are getting a native
IPv6 address and your IPv4 traffic runs through a carrier-grade NAT. This is
necessary because the cable providers here in Germany came too late to the
game and got too few IPv4 chunks. For normal users this is a good solution,
when the NATing service is stable enough. (Sometimes the server is down and
you are forced to IPv6 only.) But through the carrier-grade NAT, you cannot
run your own services, like a TeamSpeak server etc.

~~~
justincormack
Do they let you run services on ipv6 easily, ie unfiltered access and firewall
control?

~~~
eeZi
Nope, at least not for Unitymedia. There's an IPv6 firewall, but without rules
- you can just switch it on or off, making it unsuitable for pretty much any
service hosting - you either have to expose your entire network, or you cannot
access anything at all.

For 5€/month, they will issue a better router with a full-featured firewall,
though.

------
techdragon
This makes me jealous... In Australia all the mobile networks are using
carrier-grade NAT to avoid using IPv6... And there's only one ISP with IPv6,
and the others don't care because they already acquired enough IPv4 addresses
that they can probably survive another decade on IPv4.

It's shit.

~~~
j0hnj0nes
Just wait until they have to keep all the metadata by law...

I suspect they will after they realise you can't tie things down in CGNAT.

------
ars
Comcast enabled it everywhere as far as I know.

I'd like to use IPv6 on my servers but I need fail2ban support first.

~~~
simon_vetter
I would recommend sshguard [1] as a fail2ban replacement. It does much of what
fail2ban used to do out of the box and has supported ipv6 for a long, long
time.

It is packaged in debian, ubuntu and probably other major distros these days.

[1] [http://www.sshguard.net/](http://www.sshguard.net/)

~~~
simoncion
_shrug_ I would recommend deactivating password logins and using only key-
based logins.

In the many, many, many months I've had my internet-facing IPv6-enabled SSH
servers online, I've only received one bogus SSH connection attempt from an
IPv6 address at the University of Michigan.

~~~
ams6110
That will change, though. I receive hundreds of IPv4 connection attempts every
day; as more systems move to IPv6, so will the attacks.

Interesting, though, is that covering the entire IPv6 space is a much larger
task. That should hold down the volume of random attempts for a while, just by
the dilution effect.
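
Detection logic for the fail2ban/sshguard discussion above, as an added example that is not code from either tool or from any poster: it parses sshd syslog lines with IPv4 and IPv6 sources alike and, because a single IPv6 scanner can use a fresh address from its /64 for every attempt, it buckets IPv6 sources by /64 before applying a ban threshold. The log lines are constructed samples.

```python
"""Count failed SSH logins from IPv4 and IPv6 sources alike.

Added example, not code from fail2ban, sshguard or any poster. It parses
sshd lines in syslog format and buckets IPv6 sources by their /64, since a
single scanner can use a fresh address from its /64 for every attempt and
per-address counting would never reach a ban threshold. Log lines are
constructed samples.
"""
import ipaddress
import re
from collections import Counter

SAMPLE_LOG = """\
Jun 13 10:01:02 host sshd[1201]: Failed password for root from 203.0.113.7 port 40122 ssh2
Jun 13 10:01:05 host sshd[1203]: Failed password for invalid user admin from 2001:db8:1::a port 51234 ssh2
Jun 13 10:01:09 host sshd[1207]: Failed password for invalid user admin from 2001:db8:1::b port 51235 ssh2
Jun 13 10:01:12 host sshd[1210]: Failed password for invalid user test from 2001:db8:1::c port 51236 ssh2
Jun 13 10:02:00 host sshd[1215]: Accepted publickey for alice from 2001:db8:2::5 port 60000 ssh2
Jun 13 10:02:30 host sshd[1220]: Failed password for root from 203.0.113.7 port 40130 ssh2
"""

# One pattern for both address families; the character class also fits IPv4.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[0-9A-Fa-f:.]+) port \d+"
)


def ban_bucket(src, v6_prefixlen=64):
    """Key a ban applies to: the host for IPv4, the enclosing /64 for IPv6."""
    addr = ipaddress.ip_address(src)
    if addr.version == 6:
        return str(ipaddress.ip_network(f"{addr}/{v6_prefixlen}", strict=False))
    return str(addr)


def failed_attempts(log_text):
    """Counter of failed attempts keyed by ban bucket."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[ban_bucket(m.group("src"))] += 1
    return counts


def sources_to_ban(log_text, threshold=3):
    """Buckets at or above the threshold, sorted for stable output."""
    return sorted(k for k, n in failed_attempts(log_text).items() if n >= threshold)
```

With per-address counting the three IPv6 attempts above would be one each and never trip the threshold; the /64 bucket reaches it.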

------
rdl
Unfortunately Comcast Business still has extremely limited IPv6, even in areas
where Residential has IPv6.

------
levifig
Comcast customer in Maryland here. I've had IPv6 fully enabled for at least 6
months now… :)

------
PhantomGremlin
I have Comcast (Oregon), but right now I block all IPv6 at my firewall.
If/when it's available here, why should I enable it? Why would I care?

This isn't a troll. I'm ignorant of the practical advantages as it has
actually been deployed so far. I'd like to know how it improves my life. E.g.
will I get a block of addresses, instead of just 1?

BTW, apropos of nothing, we would have never needed IPv6 if there was a charge
for IPv4 addresses. Assume $1 per month. Do you think MIT would pay
$16,000,000+ per month? Assume $1 per year. Do you think MIT would pay
$16,000,000 per year? In either case I think the clear answer would be: NO!

~~~
simoncion
Do you use uPnP? Do you do _any_ port forwarding?

If the answer to either of those questions is "Yes", then you should consider
activating IPv6, if your ISP supports it.[0]

The most tight-assed ISPs give you a /64 allocation. Because most machines use
something called SLAAC, this means that this /64 is enough for a single
subnet. The IETF strongly recommends that ISPs hand out at least a /56, but
_really_ wants to see /52s being handed out to each customer.

In San Francisco, it seems that Comcast Residential connections get handed out
at most a /60. Comcast uses DHCPv6-PD, so your DHCPv6 client needs to _ask_
for the larger allocation. On routers that support IPv6, configuring your
client to do this is typically very easy.

As an aside, if you enable IPv6, please don't filter ICMP. ICMP was pretty
important in IPv4, and has become absolutely _critical_ in IPv6.

[0] If you use uPnP, you're relying on firewalls on your endpoints for your
security anyway (because any host can poke a hole in the NAT at any time), so
activating IPv6 doesn't substantially change your security situation.

~~~
zyx321
>The IETF strongly recommends that ISPs hand out at least a /56

I never really understood that. IPv6 has 128 bit addresses, so even at /96
every single customer will have as many addresses as the entire IPv4 space.
Why is /64 considered "tight-assed"?

~~~
welterde
Right now SLAAC (Stateless address autoconfiguration) needs at least a /64 to
work properly, thus only giving the customer a /64 means they can't run
autoconfig on more than one broadcast segment.
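
A worked illustration of the /64 point above, added here and not from any poster: SLAAC fills the low 64 bits of an address with an interface identifier, either the modified EUI-64 form of RFC 4291 (derived from the MAC) or a random temporary one in the style of RFC 4941 (the privacy extensions mentioned earlier in the thread), so a /64 is exactly one subnet and a /60 holds sixteen. The prefix and MAC values are constructed.

```python
"""Why SLAAC wants a /64: the interface identifier is 64 bits wide.

Added example, not from the thread. Implements the modified EUI-64
identifier of RFC 4291 and a random temporary identifier in the style of
RFC 4941, then counts the /64 subnets a delegated prefix yields.
Prefix and MAC values are constructed.
"""
import ipaddress
import secrets


def eui64_iid(mac):
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291 A.2)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02  # invert the universal/local bit
    return bytes(iid)


def privacy_iid():
    """Random identifier (RFC 4941 style); the u/l bit is cleared so it
    never looks like a globally unique EUI-64 one."""
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= 0xFD
    return bytes(iid)


def slaac_address(prefix, iid):
    """Address a host autoconfigures in `prefix`, which must be a /64."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64 or len(iid) != 8:
        raise ValueError("SLAAC needs a 64-bit prefix and a 64-bit identifier")
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def slaac_subnets(delegated):
    """How many /64 subnets a delegated prefix gives a customer."""
    net = ipaddress.IPv6Network(delegated)
    return 2 ** (64 - net.prefixlen) if net.prefixlen <= 64 else 0
```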

