
Why you need IPv6 - telmich
https://blog.ungleich.ch/en-us/cms/blog/2018/05/23/why-you-need-ipv6/
======
gerdesj
Bugger off! I am an IPv6 evangelist by the way but feel sold short and here's
why:

IPv6 out of the box is not able to safely cope with multiple links to the rest
of the internet. For example, you have a 100MB leased line and four FTTC
connections to your site - which I happen to have. Each of those links has a
IPv6 prefix and for me those are all /56. So far so good - I've got a _lot_
of IPv6 addresses.

So, I use SLAAC to dole out five lots of addresses to my systems. There is no
way for my systems to know which links are up or even to decide which ones
would be favourite unless I turn everyone into a "router lite" via say OSPF.
So I have to use my router to do that and use NPT to do NAT by another name.

IPv6 out of the box does not work properly with multiple links to the
internet.

I really do feel quite ashamed when I say that I think IPv6 is badly broken. I
deploy the bloody thing because it's all we have. I remember that back in the
seventies this internet thing was touted as being able to route around
problems due to nuclear attack. That was IPv4. Which is shit.

We have been sold out big style, several times. IPv6 can't cope with
multi-link without NAT via a different name, and telephony has no useful ENUM.

Your internet is not run by genial Engineers. It's fucked up by entrenched
monopolies, worldwide.

~~~
telmich
Can you describe the routing problem in a bit more detail? I'm trying to
understand why multi-link should be more of a problem in IPv6 than in IPv4.

If you are multi-homed it sounds as if you should have your own /48 IPv6
network (PI) and then only use the link addresses for routing - but maybe
there is something that prevents you from that - looking forward to hearing
your full story!

~~~
hartator
I wonder as well. The main downside I have heard about IPv6 until now is that
a lot of software is not compatible.

~~~
gsich
Which for example?

~~~
hartator
Video games for example.

~~~
gsich
Can be fixed

------
zAy0LfpBZLC8mAC
They evangelize for IPv6 ... and then they ask for money for a single /64?
Seriously?

I would suggest anyone who wants a tunnel should look here:

[https://tunnelbroker.net/](https://tunnelbroker.net/)

Nothing wrong with earning money, but please stop selling broken products.

~~~
telmich
We absolutely agree: if possible, use free tunnel services.

Unfortunately HE does not work with NAT (sic!), which is why we initially
rolled out IPv6 VPNs internally. Also, in most combinations you can actually
use miredo/teredo; however, some of our customer networks _block_ teredo
traffic, because they don't want their Windows machines to be reachable from
the IPv6 internet.

Just curious, why do you think it is broken to sell IPv6 VPNs?

~~~
zAy0LfpBZLC8mAC
It is broken to sell single /64s, that is not a sensible allocation size
across administrative boundaries. A /56 would be the absolute minimum, and
really it should be a /48.

------
sliken
I pretty much agree with the article. Seems like quite a few of the .com
companies exist because consumers don't have public IPs. With IPv6, suddenly
replacing various services is easy. Assuming you have a router, Raspberry Pi,
or other machine you leave on 24/7.

After all, it seems like most end-user use of the cloud could be replaced by a
Raspberry Pi. Things like file sharing via Dropbox, webcams/security cams,
photo sharing/browsing, internet-enabled door locks and garage doors, and
monitoring temperatures, furnace, AC, solar, power use.

Sure, it's a bit of work, but I suspect many would happily run things
themselves if there was a community solution that did it well. The last thing
anyone wants to do is replace their smartphone because a random vendor died,
lost interest, or was purchased. Like, say, Google killing off Revolv after
they bought Nest. Not to mention paying even a few $ a month for an
internet-enabled lock is silly.

~~~
blackflame7000
Not with that measly 480 Mbps USB controller split between 4 USBs and 1
Ethernet. Raspberry Pi 4, hopefully.

~~~
StudentStuff
The Raspberry Pi Foundation seems dead set on pushing the same genre of chip
from Broadcom forward. I doubt the serious bandwidth limitations (all your I/O
going over 1 USB port) or the notable chipset flaws (1 GB of RAM max) will be
amended any time soon. They've had 6 years to fix the Raspberry Pi, yet it
still has the same hard limits.

~~~
blackflame7000
IDK, I'm hoping the RPi 4 will arrive when 4K starts to become more prevalent
and can do the HEVC decoding.

~~~
StudentStuff
HEVC on the next generation of Raspberry Pi is highly unlikely due to both
licensing costs and Broadcom not having a cheap IP block to use for adding
HEVC. 4K is more likely, but if you want that today go get an OrangePi for
less than the cost of a Raspberry Pi. It even has HEVC 8-bit support!

------
wink
> You want to expose services of your home network? You can fiddle around with
> NAT, hack some proxies and waste a lot of time and energy on this setup.

> With IPv6, you can assign _every_ device in your network a public IPv6
> address and decide on your router / firewall, which services to expose
> publicly.

Yeah, I used to think like this. Now I'm older and wiser (grumpier? lazier?),
and because with great power comes great responsibility... and everyone
(including me) is running shitty router boxes instead of a perfectly tuned
OpenBSD gateway... I think it would be really nice to have it, but I'm not sold
it will make the internet a safer place; instead it will expose all those IoT
devices that can be wormed.

I also wanted to self-host stuff at home. Back when I had access to a basement
(and no proper connection) running decent hardware was no problem; now in an
apartment even a small silent NAS is annoying enough already. Also, I don't
have high hopes the fiber market in Germany will improve to a point where I
can reasonably assume to have more than 10/20 Mbit of upstream behind a static
IP.

So yeah, this is a freedom for (from my PoV) a few percent of people, the rest
won't bother or it will actively cause problems because nobody understands
IPv6 firewalling and stuff. (Not you, dear readers, the masses that are happy
if their wifi at home works, at all).

------
magicalhippo
My cable ISP added IPv6 some years ago and recently my router finally got
stable IPv6 support, so I decided to give it a try.

My use-case was exactly what the article highlights, putting my RPi on the net
exposing a service.

As I quickly found out, DNS was required, as the IPv6 addresses were just
impossible to remember. The prefix I got from the ISP was a far cry from the
2001::42 shown in various articles on IPv6.

Then I discovered the prefix wasn't stable across cable modem reboots, and I
used autoconfig on the RPi, so the suffix wasn't stable either. So that meant
dynamic DNS was suddenly a required feature, not an optional thing.

After spending half a day trying and failing to find a dynamic DNS service
which supported IPv6 and which supported a client I could successfully and
reliably use on my RPi, I gave up and went back to plain old IPv4 and NAT.

~~~
telmich
That's impressive to hear. If that is still the case, we will implement and
offer an IPv6 DDNS service mid future.

Seriously. If you are blocked for using IPv6 by this, we will provide this
service and announce it on
[https://twitter.com/datacenterlight](https://twitter.com/datacenterlight).

~~~
magicalhippo
Cheers, I'll keep a look out.

Not sure how common it is for "home ISPs" to issue unstable prefixes, but
that's what I got so...

------
nanamo
The fact that every device in your network is given a publicly reachable IP
address is not something to brag about. It’s a security problem.

I’ll stick to my NAT, thank you.

~~~
anderiv
This trope needs to die. Just because a device has a publicly-routable IP
_does not_ mean that it’s freely-accessible. That’s why we have stateful
firewalls.

There are millions of IPv4 systems at large enterprises and educational
institutions that have public addresses, and do you think they’re accessible
from the internet? Didn’t think so. They’re behind a default-deny stateful
firewall, very similar in function to the stateful firewall that’s present on
every single consumer router you can buy.

NAT is a hack that breaks things, and imposes unneeded performance
bottlenecks.

~~~
marvy
I'm not so sure that this trope needs to die; it has a grain of truth to it,
at least for home users. Consider this situation: I'm browsing the web on my
laptop at home. Meanwhile, someone wants to hack into my laptop. Suppose they
want to start with a simple port scan. If my ISP only gave me an IPv4 address,
the attacker is out of luck: my laptop HAS NO NAME. They can send IP packets
to my router, but unless the router itself has unusually serious security
holes (such as remote code execution), the router will not send packets to
arbitrary ports on my laptop, because there is no way to even ask it to do so.
The best they can try to do is inject content into web pages I'm browsing, and
https prevents even that.

Now I get IPv6. The attacker now has a perfectly reasonable way to send
packets to my laptop. The router's job is to look at these packets and drop
some of these packets while not dropping those that I rely on to browse the
web, or whatever. Result: I am one bad config away from having my laptop be
accessible from the internet.

You mention large enterprises. Sure, they can afford good sys admins. But the
average computer user is their own sys admin. Are they ready for this job?

And if you say "yes", then here's the follow-up question: are they ready to
administer the use-cases in sliken's comment, and still remain secure?
[https://news.ycombinator.com/item?id=17140187](https://news.ycombinator.com/item?id=17140187)
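
The default-deny stateful firewall anderiv describes, and the "drop some packets while keeping the ones I rely on" job marvy worries about, written out as an nftables ruleset for a home router (an added example, not from the article or any commenter). The interface names wan0/lan0 and the exposed host 2001:db8:1234:1::10 (documentation prefix) are assumed placeholders.

```nft
#!/usr/sbin/nft -f
# Added example: IPv6 forward policy for a home router. Without NAT the
# stateful firewall is the only boundary, so the forward chain defaults to
# drop and opens only (a) replies to connections the LAN started and
# (b) explicitly listed host/port pairs. Interface names and the exposed
# address are assumed placeholders, not values from the page.
flush ruleset

table ip6 home_fw {
    # The deliberate exposure list: one LAN host, two ports. Everything
    # not in this set stays unreachable from the internet.
    set exposed_tcp {
        type ipv6_addr . inet_service
        elements = { 2001:db8:1234:1::10 . 22, 2001:db8:1234:1::10 . 443 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for flows the LAN opened: the same state NAT's
        # translation table used to track, minus the address rewriting.
        ct state established,related accept
        ct state invalid drop

        # Outbound from the LAN is allowed; no address hiding needed.
        iifname "lan0" oifname "wan0" accept

        # ICMPv6 is not optional: PMTUD and error reporting break without
        # these types. Rate-limited so they cannot be used to flood the LAN.
        iifname "wan0" icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } limit rate 100/second accept

        # Inbound to the LAN only for listed address/port pairs; log each
        # new connection so exposure is visible, not silent.
        iifname "wan0" oifname "lan0" ip6 daddr . tcp dport @exposed_tcp ct state new log prefix "ipv6-expose " accept

        # Everything else hits the drop policy; a sampled log of refused
        # inbound attempts is the "scan detector" NAT never gave you.
        iifname "wan0" ct state new limit rate 10/minute log prefix "ipv6-drop "
    }
}
```

Load with `nft -f` and check with `nft list ruleset`; the router's own input chain is a separate policy and is not shown here.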

~~~
kbaker
Are you sure your router has PCP or NAT-PMP disabled, which _could_ expose
ports on your external IPv4 IP without any interaction? Do you expect the
average computer user to configure PCP securely on their router?

Various NAT traversal options are already pretty widespread. Having only a
firewall keeps things much simpler.

~~~
craftyguy
> Having only a firewall keeps things much simpler.

Yes, for you and for attackers. Security strategies require layers, since no
one layer can be depended upon to stand on its own. Removing NAT is removing a
layer of security. Suddenly your firewall has to stand on its own. Good luck!

Edit: Why is my comment bad?

~~~
zAy0LfpBZLC8mAC
NAT is not a layer of security. At all. A billion layers of no security is
still no security.

(And actually, NAT is a negative contribution to security as it hides the lack
of a firewall when it isn't there or doesn't work, which would be trivial to
detect without NAT.)

