
Blockers to IPv6 Adoption - okket
https://labs.ripe.net/Members/david_holder/blockers-to-ipv6-adoption
======
grandinj
What we should take away from the IPv6 debacle is a fine lesson in hubris.

I was hanging out in the IPv6 mailing lists at the time the various solutions
were being debated.

The prevailing attitude was "the Internet is about to die from routing
overload without IPv6, so we can stick whatever complexity we want inside it,
and they will have no choice but to accept it."

Except that new router hardware and new incremental software improvements came
out, and the enormous complexity of the "boil the ocean" redesign inherent in
IPv6 was rightly regarded as completely unnecessary.

If the IETF had simply made IPV6 "ipv4 with longer addresses", (and there was
a proposal to do just that), implementations and deployment would have been
dramatically simpler and would have stood a real chance of succeeding.

Instead we have this baroque construction, which I _still_ have to explicitly
disable in my work environment because various bits of supposedly IPV6
software don't play nice together.

~~~
MR4D
Well said!

I was in the camp hoping for two octets at the beginning of the address (so
they could be zeroes). Actually, a single octet would have taken us to a
trillion IPs and given us enough time to think about the topic a bit more.

Large changes rarely succeed. Perl 6, Mozilla (back in the 1990s) and others
come to mind.

This is hard stuff, and we were made to swallow the kitchen sink.

~~~
zAy0LfpBZLC8mAC
So, what are the changes in IPv6 other than change in address size that hinder
adoption?

~~~
noinsight
ARP was replaced by neighbor discovery protocol. Broadcast was replaced by
multicast.

~~~
zAy0LfpBZLC8mAC
> ARP was replaced by neighbor discovery protocol.

Would you be happy if we renamed NDP to ARPv6? Or is your suggestion that we
continue to use ARP and put a more-than-four-byte-address into a fixed-size
four byte field?

> Broadcast was replaced by multicast.

So, in IPv6 you can only send packets to a small subset of recipients, whereas
in IPv4 you could address a packet to "every IPv4 device on the planet"?

Or are you suggesting we should misname multicast in IPv6 as "broadcast" just
as we did in IPv4 in order to solve which technical problem exactly?

~~~
noinsight
I don't have a problem with IPv6, I was just stating changes between it and
v4.

~~~
zAy0LfpBZLC8mAC
Well, but I didn't ask for "changes between v6 and v4", I was asking for
changes other than the change in address size that hinder adoption--with the
point being that most of the stuff that people complain about is actually an
unavoidable consequence of the change in address size, such as the replacement
of ARP with a new protocol that can actually transport longer addresses than
32 bits (and that otherwise isn't all that different from ARP).

------
cornholio
I think the author is approaching this the wrong way, it's trivial to show the
advantages listed are mostly not true. The marginal benefits are more than
negated by the risks and costs of IPv6. IPv6 is not the product that needs to
be sold, and deploying it usually has negative cost benefit on short term, for
most businesses.

IPv6 needs to be deployed today because the internet literally cannot move
forward without it. There are tens of millions of new internet users in Africa
and Asia who get an inferior and more costly service for the simple reason
their countries weren't around for the great IPv4 feast in the 90s. The
datacenters of the world waste enormous energy and hardware for routing the
more and more fragmented IPv4 space. The costs of all this, as well as renting
IPv4 addresses, which have steadily risen, are passed down to the consumers.

IPv6 should be sold as a status symbol: we deploy it because we care, we are
altruistic industry leaders, not stingy bean-counters.

~~~
mino
Enterprises are doing the right thing, ignoring v6. No advantage whatsoever
for a long time to come, only added complexity and training.

As a network engineer and enthusiast, I would do the same.

~~~
dvfjsdhgfv
I wouldn't say it's "the right thing", but it definitely makes sense in most
scenarios. Who in their right mind would voluntarily welcome a new layer of
complexity into their network when it's not really necessary?

------
m0dest
Decades from now, the story of IPv6 will be a cautionary tale about the danger
of ignoring incentives when enhancing open standards.

So much of the spec seems to have been designed in an idealist vacuum that the
promoters are blind to its own failures. The addresses are ugly and impossible
to memorize but that shouldn't matter because... There are no performance
advantages but that was out of scope because... There are few security
advantages because that wasn't a core goal because...

I'm not saying that we should give up on IPv6. But we should acknowledge that
its slow adoption is entirely due to a standard that was poorly designed for
the real needs of critical stakeholders and poorly marketed to everyone else.

~~~
olavk
IPv6 was designed in the early 90s, when the internet looked very different
- this was even before the web. Large scale changes were much easier to
coordinate and roll out. I don't think the players at that time needed
incentives beyond knowing that the upgrade solved the address space problem.

The problems of adoption can be compared to the Python 3 debacle. When Python
3 was first planned, Python was mostly used by enthusiasts who would be
quick to adopt a new version - even if it had a few minor incompatible
changes. But when the release finally rolled out, Python had become much more
popular and entrenched and widely used by businesses and scientists who were
more reluctant to adopt breaking changes.

------
y0ghur7_xxx
I deployed a dual ipv4 + ipv6 stack on my home lan a few years ago. I got
myself a /48 from hurricane electric, and did everything like it's in the
book: SLAAC for subnets, fixed addresses on servers, every device had a public
ipv6 and the firewall allowed or denied stuff. Everything worked as it should
work. One day something stopped working on the HE tunnel, and as I was about
to debug what went wrong, I just asked myself "Why am I doing this? My ISP has
no ipv6, every site I visit has an ipv4 address, why am I keeping all this
ipv6 stuff on? I don't need it. It's just useless work". And so I reverted
everything to ipv4 and I am happy since. Less work for me.

I see NO reason to deploy ipv6 at the moment. I don't see it for home lans, I
don't see it for my workplace, I don't see it for bigger enterprises.

But you can have a gazillion IPs with ipv6!! Yeah, so what?

~~~
kazen44
IPv6 brings some pretty nice features in terms of network engineering.

The major one is a vastly smaller BGP routing table, which is becoming more
and more of an issue.[1]

We need IPv6 to remove the horrible IPv4 space fragmentation.

[http://bgphelp.com/2017/01/01/bgpsize/](http://bgphelp.com/2017/01/01/bgpsize/)

~~~
y0ghur7_xxx
> the major one is a vastly smaller BGP routing table, which is becoming more
> and more of an issue.

But that's not a problem for me. It's a problem for my isp. And if he does not
care, why should I?

------
lwhalen
Comcast is my biggest blocker to IPv6 adoption. I maintain a static v4 block
with them, they tell me I have to give that up if I want a v6 block. Until I
give up v4, v6 works on my network right up to the Comcast modem, and is
promptly dropped on the floor. Regrettably, that is 'no bueno' for a multitude
of reasons. :-(

~~~
sliken
Very weird, the Comcast consumer lines support IPv6 quite well. Their default
is to give a /60, which seems appropriately overkill. Generally it "just
works", and my roku, android phones, and similar average over 50% of the
packets on IPv6.

Comcast seems like one of the largest deployments of IPv6 for normal consumers
outside of the cell companies.

~~~
4ad
> Their default is to give a /60, which seems appropriately overkill.

A /60 is pathetically small, with SLAAC you have 16 (!!) subnets for your
whole network. With people having multiple computers and multiple phones, this
is not enough even for a normal household of 3 people. If you are an IT person,
with multiple computers and VMs, forget it.

The recommended size of block that every ISP should give is /48 (RFC 6177).
Good ISPs will give you a /48, some lesser ISPs will give you a /56. Comcast
and crappy ISPs will give you a /60.

~~~
detaro
How does a household with 3 people need 14 subnets?

I agree a /60 is stingy, but "not enough even for a normal household of 3
people" sounds like massive hyperbole. Even as a tech enthusiast filling that
would be some work, unless you insist I use a /64 for point-to-point links.

~~~
4ad
> Even as a tech enthusiast filling that would be some work

Have you ever used VMs on a laptop? How many virtual networks do you need?
Only one? With only one you only need one extra bit for routing, so you
could give a /63 instead of a /64 to your laptop, except that IPv6 allocation
is supposed to be done in nibbles (and you need to overprovision anyway, what
if tomorrow you need two networks?), so the next logical step is a /60, which
means your ISP should give you at least a /56. Personally, I use much more
than one virtual network on my laptops, so I would need a /60 anyway (if I
want to keep all the nice properties of IPv6, that is).

As long as you want to keep everything nice with IPv6, the block you need is
/64-(4*n), where n is the level of routing you plan to do.

> unless you insist I use a /64 for point-to-point links.

Each p2p link on IPv6 uses a /64 (even though it's only assigned a /127).

> How does a household with 3 people need 14 subnets?

In the IoT era (where S stands for security), if you don't put each IoT device
in its own VLAN, you are in for a surprise.

~~~
detaro
> _Have you ever used VMs on a laptop? How many virtual networks do you need?_

Very few, to the point of "if it's more than one, the other ones aren't
intended to be reachable and thus don't need public space".

> _Each p2p link on IPv6 uses a /64 (even though it's only assigned an /127)._

No, it doesn't, since my routers don't need to do SLAAC between each other,
but can happily live with static IPs.

> _In the IoT era (where S stands for security), if you don't put each IoT
> device in its own VLAN, you are in for a surprise._

Never felt the need to put each device in its own subnet, sensible
firewalling seems enough. I tend to avoid devices that really want to talk to
the internet though, so most of the time it's "you don't get to talk to the
internet"-subnet. But ok, if you love connected stuff and want to split it in
very fine ways, that'd be a bunch of subnets.

So yes, as I said /56 would be nice and should be the default but /60 is
likely to be enough for the vast majority of users.

------
Jack5500
I still think that while the hardware may be ready by now, the software
certainly isn't. Not only does IPv6 break a lot of old software that's not
designed for the stack. Even today, not all network libraries support IPv6.
It's nothing that can't be worked out, but we are just not there yet and will
never be there until a forced adaption comes into play.

------
alex_duf
Yet adoption is still growing exponentially:
[https://www.google.com/intl/en/ipv6/statistics.html](https://www.google.com/intl/en/ipv6/statistics.html)

It's not as fast as past me would have hoped for and I think the criticism is
perfectly valid, but I'm quite happy to look at this graph now and again.

~~~
mino
Not really, see slide 4 of Geoff Huston's talk at RIPE76:

[https://ripe76.ripe.net/wp-content/uploads/presentations/9-2...](https://ripe76.ripe.net/wp-content/uploads/presentations/9-2018-05-17-ipv6-reasons.pdf)

It is actually growing slower and slower and looking like a logistic curve,
which is perhaps unsurprising. Also note the increasing gap between weekdays
and weekends, which is a sign that enterprises don't care about v6.

~~~
tinus_hn
Enterprises move very slowly and don’t implement unnecessary changes.
Unsurprising indeed.

------
rwmj
I wonder if anyone has tried making their home network IPv6 only? How did that
work out for you?

The reason I ask is (as described in the article) I've nearly run out of
RFC1918 space because of dozens of machines, gadgets and many more virtual
machines. (For complicated reasons to do with the VPN routing, I cannot use
10.x).

~~~
letsgetphysITal
Can't use 172.16.0.0/12 either? That's over 1m hosts. You don't have 1m hosts
unless your homelab is actually a large domestic ISP.

~~~
rwmj
Either way I'd have to renumber everything. If I'm going to do that why
wouldn't I just go straight to IPv6? I already have IPv6 on my home network
(but everything has an IPv4 primary address and name resolution always
resolves to IPv4); and an IPv6-supporting ISP. The question is if it's a good
idea to go IPv6 only for some or all machines, and how to deal with the
IPv4<->IPv6 issues.

~~~
beagle3
If it's your home network, you could use 172.16.0.0/20, as well as the CGNAT
/16.

> If I'm going to do that why wouldn't I just go straight to IPv6?

Because it is a lot more than just renumbering.

Whether or not it's a good idea depends on what you expect to get from it
(anything?), how good your ISP's IPv6 support is, and how good the support of
hosts you connect to is.

If whatever hosts you contact are all on IPv4 only, then you'll have to
occasionally debug the 6to4/4to6/Teredo/whatever kludges that add latency and
provide nothing of value compared to using IPv4 directly.

------
tehabe
I have an IPv6 internet connection but in my home network are still devices,
like my TV, which do not support IPv6.

I also use some VPN tunnels, which also still rely on IPv4.

------
atemerev
Of course it is the NAT. It always was the NAT. NAT is the easy thing, nearly
effortless, that dramatically improves network security — there is a "bastion
host" (router) and private network computers, almost impossible to be accessed
from the outside without breaking the bastion host first. This is good
security, and with NAT, everybody was getting it for free. With IPv6, it
doesn't work this way, everybody needs to know how to set up proper packet
filtering, ACLs, and whatnot. It is really easy to misconfigure the network,
especially in the unfamiliar environment which is IPv6. Huge loss for
security. Of course IPv6 adoption suffers.

~~~
kazen44
NAT is not a firewall. You are confusing the firewall function of your home
router with NAT. NAT does nothing to prevent packets from flowing into your
network, as NAT hole punching is fairly doable to accomplish.

Also, all consumer routers simply block any incoming IPv6 packets, this has
been the default for more than 10 years now. (The only thing not blocked is
ICMP for MTU path-discovery, which is actually a good thing.)

~~~
raesene9
This, whilst technically correct, isn't necessarily end-users' experience of
things.

Yes NAT doesn't block packets, however without explicit configuration traffic
from the Internet will be very unlikely to flow into an RFC1918 addressed
network from the Internet.

So effectively it does prevent traffic inbound in the same way a firewall
does.

Yes you can punch holes in NAT, but that's an explicit action (well,
side-stepping the insanity that is UPnP), so for non-technical users sitting
behind a NAT router it will effectively mean that they're unlikely to receive
direct inbound network attacks from the Internet.

~~~
throwaway2048
You can achieve precisely 100% exactly the same functionality with a firewall
without NAT, indeed you need that sorta functionality to implement NAT to
begin with.

All you need is a default deny inbound traffic rule, this isn't some kind of
arcane thing that is so much harder than NAT for end users.
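What "default deny inbound" looks like in practice, as an added example (constructed for this thread, not from any commenter or the linked article): an nftables ruleset for a small IPv6 router that gives the same outbound-only behaviour people attribute to NAT, while keeping the ICMPv6 types that neighbor discovery and Path MTU Discovery need. The interface names `lan0` and `wan0` are assumptions.

```nftables
# Constructed example: outbound-only IPv6 policy for a home router.
# Dropping *all* ICMPv6 is the classic mistake here: it breaks NDP (the IPv6
# replacement for ARP) and Path MTU Discovery, since IPv6 routers never fragment.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;   # default deny inbound
        iif "lo" accept
        ct state established,related accept               # replies to our own traffic
        ct state invalid drop
        # NDP and PMTUD control traffic must get through to the router itself
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request,
                      nd-router-solicit, nd-router-advert,
                      nd-neighbor-solicit, nd-neighbor-advert } accept
        # Router management only from the LAN side (assumed interface name)
        iifname "lan0" tcp dport { 22, 443 } accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop; # nothing reaches LAN hosts
        ct state established,related accept               # ...unless they asked for it
        ct state invalid drop
        # Error and PMTUD messages addressed to LAN hosts must be forwarded too
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request } accept
        iifname "lan0" oifname "wan0" accept              # LAN may initiate outbound
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f` and verify with `nft list ruleset`; a connection from the WAN to a LAN host's global address now fails at the `forward` chain exactly as it would have failed for lack of a NAT mapping.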

~~~
raesene9
Of course you can, the point I was making was that NAT provides effectively
the same outcome, not that it wasn't possible with a firewall.

------
merb
Well, K8s can't be run in Dual Stack, which is a major PITA. Also most Clouds
(especially Gcloud) mostly work on the IPv4 level.

------
rektide
Google offering no ipv6 networking options in their cloud is one giant dick of
a blocker. Screw this. Immoral awful cataclysmic prevention of us getting
better at #ipv6. Wtf Google.
[https://issuetracker.google.com/issues/35904387](https://issuetracker.google.com/issues/35904387)

------
mehrdadn
I'm surprised security and privacy weren't mentioned. In the current state of
affairs (no, I'm not talking about some ideal utopia with IPv6 perfection
where fifty quintillion additional RFCs have been finally deployed and
battle-tested world-wide; I'm talking about IPv6 _as available to the ordinary
user /today/_) I simply do not trust using IPv6 to provide as much security or
privacy as IPv4. More than happy to change my mind when (...if?) the
technology moves forward 10 years from now, but I just can't see it working
right now. Sorry.

~~~
ge0rg
It is really sad to see that essentially all security issues of IPv4 were
inherited, at least on the LAN level. However, besides the "firewall
protection" provided by NAT, which is largely mirrored as "outgoing
connections only" in ipv6 deployments, I fail to see how it actually makes
security worse. Do you have examples for what you had in mind?

~~~
mehrdadn
The one you excluded (why?) is a pretty darn big one. It means for example
that a random hacker would have a hell of a hard time spontaneously reaching
my phone via the cellular data connection... or the WiFi connection for that
matter, since that's NAT'ed too. Which reduces the attack surface immensely. I
don't see why even this by itself would be insufficient reason...

~~~
detaro
Because it has a trivial IPv6 equivalent in the form of a basic stateful
firewall?

~~~
mehrdadn
And you're also claiming every single router I'm going to encounter today has
already set up IPv6 correctly as needed to mirror the security and privacy
characteristics of IPv4 like this?

~~~
detaro
Pretty much, yes. Other security issues with random routers appear to be way
more common.

~~~
mehrdadn
EDIT: My mistake, see comment below.

~~~
Symbiote
This is the typical function on a consumer router:
[https://bt.i.lithium.com/t5/image/serverpage/image-id/53294i...](https://bt.i.lithium.com/t5/image/serverpage/image-id/53294i4F3FB103F6280D5A?v=1.0)

What do you see?

~~~
mehrdadn
Thanks for asking; you made me realize this was my mistake -- please see:
[https://news.ycombinator.com/item?id=17345328](https://news.ycombinator.com/item?id=17345328)

------
singularity2001
Is it reasonable to hate and avoid IPv6 for fears of further privacy erosion
(easier tracking than with IPv4)?

~~~
neojima
In 2005 or so, sure. Now...not so much?

What privacy erosion/easier tracking are you talking about that wasn't
remedied by the very wide deployment of RFC4941 (IPv6 Privacy Extensions) in
operating systems?

~~~
singularity2001
With IPv4 my ISP has to shuffle IPs with every reconnect. With IPv6 you could
get one IP for lifetime?

~~~
detaro
That's orthogonal to IPv4 and IPv6. There are ISPs that give you always the same
IPv4 address, there are ISPs that give you a different IPv6 prefix each time.

------
tty74
For me, there is just one thing that prevents me from switching completely to
IPv6: Github.

~~~
sigjuice
Really? Each and every other thing you need already does IPv6?

~~~
Faaak
Hacker news is not even v6 ready

~~~
okket
In fact, it is eye-opening to disable IPv4 when you have native IPv6. So
little works. It is not painful, it is totally unusable. Today, in 2018, a few
months away from the 20th birthday of IPv6.

------
gigatexal
Couldn’t you get rid of nat altogether with ipv6?

~~~
mehrdadn
Not if you want to keep its benefits. See discussion below.

------
kojon99
Performance? How exactly is ipv6 more performant? It even has bigger headers.

Why would ipv6 be more reliable than ipv4? I’d say it’s the opposite: many
times I’ve found websites with AAAA registers that pointed to a dead server. I
mean, if you’re going to blame cgn for your problems, let’s stoop to your
level.

Analytics? Forensics? So you’re telling me ipv6 destroys my privacy. How is
that a pro argument?

~~~
jjeaff
I'm by no means an expert in this space, but I was working on some routing
issues lately and doing some speed testing with my router.

The specs on the router claimed that the highest speeds could be reached with
ipv6 support because you could then avoid the overhead of nat for your ipv4
addresses. So that may be what they are referring to. Nat does create
overhead.

~~~
kazen44
Also, it has a simpler checksum to calculate and a far simpler header. The
header is larger but has far fewer fields. This should make packet processing
faster as well.

Also, MTU path-discovery is a pretty big deal in terms of performance, as IPv6
does not allow packet fragmentation. Which should improve performance as well.

------
GvS
I've enabled ipv6 on my ubuntu server recently and it was 100x slower. The
only solution I found is to go back to ipv4:
[https://askubuntu.com/questions/759524/problem-with-ipv6-sud...](https://askubuntu.com/questions/759524/problem-with-ipv6-sudo-apt-get-update-upgrade)

~~~
M_Bakhtiari
Was all IPv6 traffic slower or just this one apparently misconfigured host?

If the former, I'd imagine this is a kernel bug and has nothing to do with any
Ubuntu servers.

~~~
Avamander
It honestly doesn't matter what bug it is. It should be promptly investigated
further and solved. Random blame assignment doesn't help anyone. In this case
though, seeing how most mirrors still can't do HTTPS I would not be surprised
if the IPv6 issue is caused by the mirrors - another thing not yet properly
configured.

------
guidedlight
I see IPv6 as a privacy issue.

It will enable clients to be individually identified without needing to rely
on cookies and fingerprinting anymore.

NAT is great in that it obscures individual machines without too much loss of
functionality.

~~~
andrewaylett
[https://tools.ietf.org/html/rfc4941](https://tools.ietf.org/html/rfc4941)
defines IPv6 privacy extensions, which mitigate that issue.

One of the few benefits of an extended roll-out of IPv6 is that there's been
time for people to identify issues like this and get fixes rolled out widely
before systems started relying on the old behaviour.

~~~
mehrdadn
What percentage of IPv6-supporting routers have implemented and activated
those privacy extensions?

~~~
detaro
It's a feature of the client device, not the router, and is implemented in all
major operating systems. They are not perfect though, since at least the
original design was purely timer-based, which left some tracking potential.

~~~
mehrdadn
Thanks for the correction, and yeah, there you go.

