
IPv6 Support for EC2 Instances in Virtual Private Clouds - QUFB
https://aws.amazon.com/blogs/aws/new-ipv6-support-for-ec2-instances-in-virtual-private-clouds/
======
axyjo
Finally! It's been a major deficiency in AWS. Can't wait to see this roll out
to us-west-2.

~~~
djsumdog
I'm kinda sick of all the AWS posts on here, but I'm trying to be fair since
some of them are really interesting.

This is one of those "about damn time" features that I'd care about if I
hadn't already gone with Digital Ocean/Linode instead just because of IPv6
support.

~~~
harryh
Just curious but why is IPv6 support such a priority for you that it would be
the deciding factor in your choice of hosting provider?

~~~
jsmthrowaway
In 2017, one should instead ask why it _wouldn't_ be.

~~~
Pyxl101
A funny quip, but since it seems like you're missing the point: what's the
_business impact_ of the choice, or the existence/absence of IPv6 support in a
hosting provider?

If I'm running a small startup that's available as a website, how does IPv6
support matter to me? (Assuming that I can otherwise get IPv4 addresses for
hosting my site, which I can.)

~~~
baq
you'll always be able to get an ipv4 address, how much will it cost you in 5
or 15 years though...

------
zbjornson
Pardon my ignorance, but why is this needed? I've seen dozens of "+1s" for
ipv6 on both AWS and GCP, but no one says why really. Is there hardware out
there on the public internet that cannot communicate over ipv4 already?

~~~
Mythanar
Most of it can't, actually. Rather, using the words in the question in their
strict meaning, most of the hardware out there is not on the "public
internet", it is behind NAT.

You can argue that behind NAT there is still IPv4 connectivity with public
internet, but it is actually closer to proxying (i.e. having some device talk
to internet on your behalf) than to routing (i.e. have some device pass your
packets on).

Long story short, there is (for a long time already), no IPv4 public internet.
There is IPv4 public interconnect between millions of isolated IPv4 islands.
And a lot of hacks and shady engineering to make packets traverse from
interconnect to islands and back.

~~~
zbjornson
But if that exists, why should I as someone running on EC2 care if I can use
IPv6 natively or have to make use of such proxying/routing?

~~~
Mythanar
The reasons are many. I'll name just a few:

* You cannot send UDP packets to your IPv4 customers.
* You cannot initiate TCP connections to your IPv4 customers.
* You cannot use any application-level protocol that carries information
  about source or destination IP address.
* IPSec more or less goes out the window.

~~~
brianwawok
But even if my desktop does IPV6.. I am still going to firewall it. Seems like
not a "benefit" to throw up my device directly on the internet.

~~~
pdkl95
Of course you'll keep your firewall. NAT != Firewall

Your firewall may start with a simple "deny all incoming SYN packets" rule,
but IPv6 gives you the _option_ to open up holes in the firewall to any device
_or devices_ on your LAN (port forwarding only works once per port through a
NAT).

The real benefits probably don't exist yet. There are entire categories of
network software that have remained unknown and unexplored because it didn't
work behind a NAT. There were several projects I wanted to write ~15 years ago
that I never even started because it required a real internet connection, not
a NAT "party line".

~~~
brianwawok
> Your firewall may start with a simple "deny all incoming SYN packets" rule,
> but IPv6 gives you the option to open up holes in the firewall to any device
> or devices on your LAN (port forwarding only works once per port through a
> NAT).

But see.. I can already do that with IPv4 and NAT. Oh, I want to run an FTP
server on my backend? Open up port 8000 on my firewall and forward to port 21
on my FTP server.

I find it weird I am making this argument, as I am normally progressive. I
push Python3 over Python2, because it is the way of the future, even though it
causes me pain sometimes. For some reason, I just do not see the (for me
personally) reason to care about IPv6.

Clearly the more backbones that support it, the better. It at least gives us
the OPTION to use it later. Not totally sure what good it will do still though
;)

~~~
pilif
_> Oh I want to run a ftp server on my backend? Open up port 8000 on my
firewall and forward to port 21 on my FTP server_

Funny you mention FTP, where that is distinctly not true, as the application
level protocol encodes IP addresses and ports to either peer (depending on PASV
mode) to open for the data transfer.

If your server is behind a NAT and the user is using passive mode, it'll tell
the client to connect to some internal IP address, so unless the NAT router
does deep packet inspection and alters your packet on the go, that won't fly.

Conversely, if you disable passive mode, a NATed client would have the same
issue because in that case it would tell the server to connect to some
internal IP on the client's side which too won't fly.

Same issue for all other protocols that have IP addresses in their payload.
There are very few of them these days for precisely this reason, many early
media streaming and VoIP protocols were doing this too.

Also somewhat related: Port forwarding from one public address only gives you
the ability to forward to one specific server. What if you want to run two
different HTTP servers on your backend? What if you want to run different SMTP
servers on your backend?

Now you're again down to needing packet-contents inspection or you need
multiple public IPs in the first place plus a more complicated NAT table. With
v6, all you need is to open a few ports.

And these were the technical issues.

There's also a political issue: As v4 addresses get more and more scarce, the
control that entities holding addresses have over which services they do and
do not allow on the network increases.

Do we want to live in a place where no new service gets to participate in the
internet? Where the next Netflix can't launch because none of the providers
want to have yet another service competing against their own content business?

In order for the internet to continue to grow, we need an abundance of
addresses and the only way to get that is to have wide-spread v6 support. And
in order to get there, every single bit counts: Every service that can offer
v6 should. Every provider that can offer v6 should. Only this way we can avoid
one big cause for a very much locked down internet in the hands of the
providers and the old guard.

v6 plays a very important role for both technical and political reasons to the
point where we really need to fight the "v4 works fine for me" attitude.
Having a v4 address to run a service on is a privilege. Don't argue from a
privileged position based on laziness.
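
The PASV failure described above, as an added example (not code from any commenter): a small Python checker that parses an RFC 959 PASV reply, which embeds the server's IPv4 address in the payload, and flags an advertised RFC 1918 address that a remote client cannot reach. The RFC 2428 EPSV reply, which carries no address at all, is parsed alongside it for comparison. The sample replies are constructed, not captured from a real server.

```python
import re
import ipaddress

# Constructed sample replies (documentation address space, not real hosts).
PASV_PRIVATE = "227 Entering Passive Mode (10,0,0,5,195,80)."
PASV_PUBLIC = "227 Entering Passive Mode (203,0,113,10,4,1)."
EPSV_REPLY = "229 Entering Extended Passive Mode (|||6446|)"

# The three RFC 1918 blocks the thread is talking about.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

_PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
_EPSV_RE = re.compile(r"\(\|\|\|(\d+)\|\)")


def parse_pasv(reply):
    """Return (ip, port) advertised by a 227 PASV reply (RFC 959).
    The server writes its own IPv4 address into the payload, which is
    exactly the part that breaks behind NAT."""
    m = _PASV_RE.search(reply)
    if not reply.startswith("227") or not m:
        raise ValueError("not a PASV reply")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_epsv(reply):
    """Return the port from a 229 EPSV reply (RFC 2428). No address is
    carried; the client reuses the control connection's peer address,
    so the reply works for IPv6 and through NAT alike."""
    m = _EPSV_RE.search(reply)
    if not reply.startswith("229") or not m:
        raise ValueError("not an EPSV reply")
    return int(m.group(1))


def diagnose_pasv(reply, control_peer):
    """Classify a PASV reply as seen by a client that reached the server at
    control_peer. 'nat-leak': the data address is RFC 1918 space a remote
    client cannot reach. 'mismatch': it differs from the address we actually
    connected to (another NAT symptom). 'ok': the reply is usable."""
    ip, port = parse_pasv(reply)
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in RFC1918):
        return "nat-leak", ip, port
    if ip != control_peer:
        return "mismatch", ip, port
    return "ok", ip, port
```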

------
josho
Is there a succinct developer/administrators guide to IPv6?

I recently discovered my home IP is IPv6 and have started to realize that it
is more than just a larger address range, e.g. ARP is replaced with NDP. I
haven't yet found a guide that has more depth than the very basics but isn't a
full-on Cisco manual.

~~~
axyjo
HE's IPv6 training guide is pretty good --
[https://ipv6.he.net/certification/](https://ipv6.he.net/certification/)

~~~
pilif
And you can get an awesome T-shirt if you complete it. I wear mine with pride,
mainly because in the process of doing it, I nagged our business ISP into
properly supporting reverse delegations.

------
secure
I’m not an AWS user, so the “Virtual Private Cloud” caveat confuses me. If I
just click an EC2 instance, will that be in a “Virtual Private Cloud” or not?
Also, are these IPv6 addresses publicly reachable or not?

~~~
irishsultan
If you're not an AWS user yet then any EC2 instance you create (if you ever
decide to become an AWS user) will be in a Virtual Private Cloud, either one
you create yourself or the default VPC associated with your account.

Only older accounts (from before December 2013) have the ability to create EC2
instances that aren't in a VPC.

------
cherioo
I find it interesting that this didn't make into the keynote. Is the actual
interest really low?

~~~
toomuchtodo
Most production environments terminate on CloudFront endpoints (or other CDNs)
or ELBs/ALBs; not much need for IPv6 to individual instances (which can use
IPv4 internally).

~~~
wmf
The opposite pattern is much more convenient: IPv4 on the public endpoint and
IPv6-only internally. AWS is now close to supporting this.
[http://blog.ipspace.net/2014/03/facebook-is-close-to-having-ipv6-only.html](http://blog.ipspace.net/2014/03/facebook-is-close-to-having-ipv6-only.html)

~~~
Pyxl101
Could you explain? How does it help to use IPv6 internally if you're using
IPv4 publicly?

One of the original motivations for IPv6 was that it would provide enough
address space for every device in the world to have its own unique IP address.
Then devices could communicate with each other directly, without worrying
about intervening NATs. If you're using IPv4 publicly, then you've already
lost that advantage.

Concerning private networks, IPv4 offers more than enough address space within
its private ranges for your private network. The 10.0.0.0/8 block provides 16
million addresses, and there's also 172.16.0.0/12 and 192.168.0.0/16. There
are certainly enough addresses in these ranges that running out is not a
concern, so it does not seem that IPv6 would provide a benefit when applied
specifically and only to private networks.

~~~
fulafel
It frees you from expensive complexities arising from tunneling and private
address space. You don't need the network engineering and service costs to
bring your private 10.x overlay network to your various datacenters[1] behind
different ISPs, you don't have to fight with addressing conflicts when talking
to other people using RFC 1918 space or debug situations where RFC 1918
addresses are ambiguous, etc. It's cheaper, safer and simpler to integrate with
other organizations because you only have to configure your firewall rule
instead of trying to mash together incompatible RFC 1918 internal networks and
overlay technologies in addition to the fw. Your security posture is better and
cheaper to maintain because your simpler network is easier to reason about.

[1] meaning your network locations, not your private datacenter (necessarily)

------
dispose13432
Honestly, can someone explain why it took so long?

I mean, you can get IPv6 on a bunch of low-end budget VPSs. Why couldn't
Amazon do it? And why can't GCE do it?

Is it a lot of work?

~~~
vbernat
The more layers you have, the more time you need to convert all of them to
IPv6 (from network to all the applications). IPv6 implementations of various
things are always less complete than their IPv4 counterparts.

Notably, even low-level stuff may still be difficult to make with IPv6. For
example, Linux supports IP equal-cost multipath routing for IPv6 since 2012.
Quagga, a popular routing daemon, still doesn't support that. BIRD, another
open-source routing daemon, just got partial support for it this year. If your
network is relying on this, it's an additional burden to deploy IPv6.

------
fidget
8 IPs per instance, max :/

~~~
openasocket
Might be a dumb question, but why would you want or need more than one IP
address for an instance? It's not like more addresses will let you
download/upload things faster. Maybe if you want to run multiple web servers
on port 80 and give each one a different IP address, but how often do people
do that, especially more than 8 times over?

~~~
derefr
Picture running something like Docker on a box, where each container gets its
own IPv6 address—with services on their proper ports—instead of mashing a
bunch of NATed ports together under the host's IP.

Or, moreover (and this is a bit of a pipe-dream, but it's something I've been
hacking on to make possible) picture running something like an Erlang node on
a box, where each Erlang _process_ gets its own IPv6 address, fully Internet-
routable. This effectively makes Erlang into an SDN vswitch for ephemeral,
featherweight virtual machines (which would be oddly similar to AWS's just-
announced "Lambda@Edge".)

------
lyonlim
I believe this doesn't mean there's IPv6 support for ELBs in a VPC yet. We
unknowingly enabled dualstack configuration on Route 53 some time back and
this led to users on devices which prioritised IPv6 over IPv4 to fail to
connect.

~~~
zippergz
There will be very soon. They announced it today during a session on ELB.

------
vhost-
The state of IPv6 remains sad and depressing. I just switched to CenturyLink
fiber from Comcast and I still don't have an IPv6 address. I have the option,
but I have to pay for it, which seems totally backwards to me. Sure, I will
pay for a static IPv4 address if I need it because I understand that they are
few and far between by now. But you can't just give me one v6?

Basically I have a fiber connection in the US, which on its own is pretty
mindblowing, but no IPv6 address...

------
faitswulff
I have to wonder if Amazon started releasing all this product news to cover up
the fact that one of their employees jumped off the company building in an
apparent suicide attempt:

[https://news.ycombinator.com/item?id=13059565](https://news.ycombinator.com/item?id=13059565)

~~~
sudhirj
The AWS re:Invent conference is going on, which is their annual developer
conference. So probably just a coincidence. Each announcement has a stage
announcement and planned sessions as well.

