
IPv6 Adoption Statistics - luismarques
http://www.google.com/intl/en/ipv6/statistics.html
======
IgorPartola
Every time IPv6 comes up on HN, around 50% of the comments seem to be about
how IPv6 doesn't do NAT and how now every device you have is suddenly directly
exposed to the internet. Let's clarify this a bit instead of answering
individual commenters:

In IPv6, just like in IPv4, you have a firewall. In Linux, you use ip6tables
instead of iptables, for example. This is what keeps your devices on your network
safe. If you were to start from scratch to set up a router with an IPv6
firewall, you'd need just two rules: (1) allow packets in for already
established connections and (2) drop every other incoming packet. If you know
what you are doing, you can actually set this up yourself. I have, and while
educational, it provided no real world benefit.

Most people don't want to bother with using iptables directly, so don't. Get a
router that supports OpenWRT and flash it. For most of them, it's a really
simple process (my TP-Link let me upload the binary to flash via the web GUI).
Why OpenWRT? Well, it's secure and constantly updated, it supports IPv6
natively, and it comes with the IPv6 firewall that is configured in a fashion
very similar to how you think of IPv4 (it even rate limits ping requests,
etc.). As a bonus, if your ISP doesn't support IPv6, OpenWRT has an
installable web GUI component for configuring an IPv6 tunnel. Lastly, even if
you don't want IPv6 (yes, I see you there in the back, climbing back under
your rock), still use OpenWRT. It seems to have a lot fewer bugs than
commercial router firmware, and is a lot more stable and up to date than
DD-WRT or Tomato.

Edit: One other misconception that comes up frequently is that IPv6 means that
your privacy is at more of a risk because your MAC address may be exposed.
While in some configurations this can happen, IPv6 has what's called Privacy
Extensions: in addition to your more permanent MAC-based IPv6 address (network
prefix + munged MAC address), your OS will periodically generate a new random
IPv6 address (network prefix + random number). This actually makes it
marginally harder to track you since your exact IP address will change
frequently, as seen by hosts you access. See
[http://en.wikipedia.org/wiki/IPv6#Privacy](http://en.wikipedia.org/wiki/IPv6#Privacy).
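
The two-rule firewall described in the comment above, written out as an added example (not the commenter's own configuration): one function prints an `ip6tables-restore` ruleset, and a second audits `ip6tables-save` output for rules that admit unsolicited inbound traffic. The interface names `wan0` and `lan0` are assumptions, and the INPUT rules for ICMPv6 and DHCPv6 go beyond the two rules in the comment.

```shell
#!/bin/sh
# Added example (not from the thread): "allow established, drop the rest"
# as an ip6tables-restore ruleset. Interface names are assumptions.

# Print the ruleset for a router with WAN interface $1 and LAN interface $2.
emit_ruleset() {
    wan_if=$1
    lan_if=$2
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Traffic addressed to the router itself. Neighbor discovery and router
# advertisements are ICMPv6 and are not tracked as connections, so ICMPv6
# has to be accepted explicitly or the router loses IPv6 connectivity.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
# DHCPv6 replies to the router's client port (only needed with DHCPv6).
-A INPUT -i $wan_if -p udp --dport 546 -j ACCEPT
-A INPUT -i $lan_if -j ACCEPT
# Rule 1: replies to connections opened from inside. RELATED also admits
# ICMPv6 errors (e.g. Packet Too Big) that belong to a tracked flow.
-A FORWARD -i $wan_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# LAN hosts may open connections outward.
-A FORWARD -i $lan_if -o $wan_if -j ACCEPT
# Rule 2: everything else arriving from the internet is dropped.
-A FORWARD -i $wan_if -j DROP
COMMIT
EOF
}

# Audit helper: read ip6tables-save output on stdin and print every FORWARD
# ACCEPT rule that can admit *new* connections arriving on WAN interface $1,
# i.e. rules with no connection-state match and either no input interface or
# the WAN one. Negated matches ("! -i") and wildcards are not interpreted.
unsolicited_inbound() {
    awk -v wan="$1" '
        $1 == "-A" && $2 == "FORWARD" && /-j ACCEPT/ && !/--(ctstate|state) / {
            in_if = ""
            for (i = 3; i < NF; i++) if ($i == "-i") in_if = $(i + 1)
            if (in_if == "" || in_if == wan) print
        }'
}

# Print the ruleset; as root, pipe it into ip6tables-restore to apply it.
emit_ruleset "${WAN_IF:-wan0}" "${LAN_IF:-lan0}"
```

Running `ip6tables-save | unsolicited_inbound wan0` on a router lists the rules to review; an empty result means no FORWARD rule accepts new connections from the WAN side.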

~~~
citrin_ru
Privacy Extensions is dangerous:
[http://blog.bimajority.org/2014/09/05/the-network-nightmare-that-ate-my-week/](http://blog.bimajority.org/2014/09/05/the-network-nightmare-that-ate-my-week/)

~~~
somesay
I haven't read the long article but it ends with:

> UPDATE (2014-09-06): As […] was the first to point out, RFC 7217 addresses
> all of my issues with “privacy” addresses. Let implementation come soon!

So, not backing your message.

------
pilif
After I switched ISP to one that supports native IPv6 (and generally is pure
awesome), I noticed that my traffic at home went to about 50% IPv6, also
thanks to YouTube supporting V6.

I also casually noticed that all but one address in my "Account Activity" view
in Gmail are IPv6 addresses (ironically, the mobile phone got the one single
IPv4 address in that list over 4G).

V6 works nicely and totally transparently, causing zero trouble for me, even
though there are some application protocols that don't handle V6 properly yet
(Apple Remote Desktop and Air Video to give two examples).

One thing that's tricky about V6 is the fact that without NAT all your boxes
are internet-reachable unless you have a firewall. That's easily added of
course, but whereas we have protocols like upnp and nat-pmp to reconfigure NAT
routers, there's nothing equivalent for various applications to tell the
router to forward some V6 traffic.

So this is actually a step back as far as connectivity behind LANs is concerned.

I would love for applications to be able to ask the OS for their very own
application specific v6 address. Then they could just listen on that instead
of all interfaces (and listening on all interfaces would not include these
application specific interfaces).

That way, I could theoretically get away without a restrictive firewall while
still giving applications a way to be directly connected to. An attacker would
have to scan a /48 (in my case) or a /64 (in the worst case) in order to find
an open port given a known remote address.

~~~
vegardx
While having a unique address per application can be cool, I don't like the
premise that this is used as some sort of security layer.

We have firewalls. We know how they work and how to implement them well. For
all intents and purposes a typical NAT-setup is basically wide open from the
inside and out. You can do the same with a few simple rules on a firewall.

~~~
pilif
I know we have firewalls, but in the normal desktop use-case, there are some
applications that you want to be able for external clients to connect to.

Skype (or other VoIP clients), Bittorrent, Game servers, etc all work better
with or flat-out require external connectivity.

In the V4 world, we have upnp or NAT-PMP to allow applications to open a port
on the router and to have the router then forward the packets to a client
behind the router.

In the V6 world there's no equivalent protocol even though the work needed
would be smaller (forwarding to a given host/port combination is enough - no
port mapping).

It's bizarre that at the moment, servers on my various machines at home get
_better_ connectivity over IPv4 (thanks to NAT-PMP) than over IPv6 (thanks to
my firewall).

Having application specific addresses would provide more than enough security
for many simpler LANs (good luck guessing a 64 or even 80 bit number in order
to get the one where the "juicy" ports are open) to use in absence of a v6
compatible NAT-PMP equivalent.

I would totally trust the 80 bits of pool size as a sufficient security
boundary and I'd disable the IPv6 firewall for my home network if this concept
of application specific addresses would exist.

This would also be much closer to the ideal of the old times where every
machine was assumed to be connectible without additional configuration
anywhere.

~~~
kalleboo
Isn't it easy enough to just have a local firewall on each machine where you
open up ports for the apps you want to be public?

~~~
pilif
The firewall on a local machine might suffer from exploits, thus still
allowing access.

Or I might want some services open to my lan and only a smaller subset opened
to the public (something the personal firewalls built into many OSes can't do)

~~~
kalleboo
> The firewall on a local machine might suffer from exploits, thus still
> allowing access.

Is an updated firewall from Apple, Microsoft or ipfw more or less likely to
suffer from exploits than a cut-rate device from ASUS, Netgear or Linksys that
hasn't been updated in years?

> Or I might want some services open to my lan and only a smaller subset
> opened to the public (something the personal firewalls built into many OSes
> can't do)

That may be fair enough but that's just a reason to improve the firewalls in
the OSes. As soon as you tether to your phone or use public WiFi you're going
to want a solid local firewall anyhow.

~~~
justincormack
The idea is that it can be turned off from the machine itself, so eg if you
get hacked via a website or email, your firewall might get disabled, while
another box would also need to be hacked. (Of course things like UPNP give the
machines control over the router so making this moot, which is why I don't run
them).

~~~
kalleboo
> Of course things like UPNP give the machines control over the router so
> making this moot

Yep this was exactly my point

------
ghshephard
I'd be very interested in knowing how these stats were calculated - 12% of the
United States on IPv6 seems a bit high. Maybe what Google is saying is that
"It's Available, but we're not saying people are using it." - For example,
Comcast has had IPv6 widely deployed for at least a year, so most of their
customers might be identified as "Available" - even if their browsers aren't
doing a AAAA lookup for www.google.com.

~~~
tw04
Not in the least. For all their atrocities, Comcast was one of the early IPv6
adopters and has rolled it out to their entire residential customer base
(people with older modems/routers that don't support IPv6 obviously won't pull
an IPv6 IP address). That's _EASILY_ 11% of US internet traffic.

~~~
furyg3
Just curious, do the internal interfaces on Comcast's IPv6 routers give out V4
or V6 addresses?

------
the_mitsuhiko
In Austria not having IPV6 support is a feature, and I assume it's that way in
many countries. If an ISP rolls out IPv6 for you here you lose your public
IPv4 address (DS-Lite).

~~~
cm2187
you mean you currently have a static IPv4 IP?

~~~
the_mitsuhiko
No. You have _an_ IPv4. Does not matter if dynamic or static. With DS-Lite you
have neither. You're behind a carrier level NAT.

~~~
feld
I would agree that carrier grade NAT is a downgrade

~~~
cm2187
It's horrible. I don't even see the point. IPv4 and an IPv6 can cohabit. Why
would they even alter your IPv4 access?

~~~
lotu
Presumably because they have run out of IPV4 addresses

~~~
tveita
Australia is under APNIC, which started rationing out its last /8 IP block in
2011.

Australia has a decent number of allocated addresses, around 2 per capita
(compare with India, with 29 addresses per 1000 persons)[1], but presumably
they will have to be reclaimed from existing users.

A newly started ISP in Australia could get a maximum of 2048 IPv4 addresses
from APNIC. [2] If it needed more it would have to transfer them from another
owner.

[1]
[http://en.wikipedia.org/wiki/List_of_countries_by_IPv4_address_allocation](http://en.wikipedia.org/wiki/List_of_countries_by_IPv4_address_allocation)

[2]
[http://www.apnic.net/community/ipv4-exhaustion/ipv4-exhaustion-details](http://www.apnic.net/community/ipv4-exhaustion/ipv4-exhaustion-details)

~~~
mineo
They were talking about Austria (in Europe), not Australia :-)

------
cm2187
Out of curiosity (I live in the UK, a country that does not believe in
adopting new technologies less than 5y after everyone else), with IPv6, there
is no need for a NAT anymore. Will the local networks be directly on the WAN?
Will be interesting from a security/privacy point of view. Unless routers act
as firewall, in which case we are back to square 1...

~~~
calpaterson
Most home routers already act as an inbound firewall. Regarding "back to
square 1" - the aim of IPv6 is not to expose thousands of poorly secured LAN
devices to the public net - it's to restore the point-to-point nature of the
internet. I would still expect most LANs to be firewalled when IPv6 is adopted.

~~~
e12e
Just to expand on that, with IP6, it would make sense to simply give every
router, DSL "modem" etc a [ed: theoretically, publicly] _routable_ ipv6
subnet. This makes (in theory) everything easier: the firewall can simply
block/allow -- no need for long chains of NAT-rules. It might make networks
marginally more transparent -- but it really means very little in terms of
security. Nor really for privacy.

------
pdw
Can somebody explain how Belgium achieved 28%? It's the only country that's
colored bright green.

~~~
JamyDev
Because we pay too much for our internet :P

~~~
Yeri
EDPnet, a smaller ISP has been natively providing IPv6 for ~3 years already
(but 3rd biggest independent ISP?).

Telenet followed somewhere last year, and Belgacom (biggest) followed this
year (only on new modems though).

~~~
ay
Voo is doing IPv6 as well, AFAIK.

[http://www.worldipv6launch.org/measurements/](http://www.worldipv6launch.org/measurements/)
gives a per-AS breakout, with the %%% being the massaged number as seen by the
content-provider participants.

------
ollebro
I've looked around and I can't find one ISP that "supports" ipv6 in Sweden. The
big ones always reply with "We have enough ipv4 addresses for a long time
forward, you don't have to worry."

I'm not worried, I just want to have ipv6 access.

~~~
atomt
That is their usual excuse. But it's just a bogus answer to shut people up -
it's not only THEIR customers you want to communicate with.

------
wbond
IPv6 became available to me on my Comcast connection in the past six months,
but I ended up disabling it at my local router. Unfortunately it seems in my
area (North of Boston, MA) the IPv6 routing on Comcast's network is extremely
spotty. Sometimes connections would time out on all different ports (22, 80,
443). This led to a rather poor experience for members of my household. I ran
into lots of issues with SSH. My wife ran into lots of issues using apps on
her iPhone. She was switching to her mobile data connection on a regular basis
to work around the issue. Since disabling IPv6 on our network, all of the
issues have gone away.

~~~
danyork
Did you contact Comcast about this issue? I know some of the folks involved
with the IPv6 rollout there and they are VERY focused on making the IPv6
experience as painless as possible.

~~~
wbond
No, after spending 3 weeks and 6 hours on the phone to add the correct TV to
my account I gave up spending time with Comcast.

If you happen to know a competent contact that I can provide info to, I'd be
happy. But I am not going to waste my time trying to get through to them via
normal channels.

~~~
jbrzozowski
@wbond I run the program at Comcast, want to ping me offline?

------
c0nsumer
I've been trying on and off to get IPv6 working at home, but the problem I
keep running into is poor performance from tunnels. I have service via Wide
Open West which is great for IPv4, but they have no plans to support IPv6. So,
I try using a tunnel...

Both HE.net and SixXS are so incredibly slow that I get >1 second pings to
something which is 30ms away via IPv4. The tunnel end point is only ~50ms
away, so I can only see the latency as being within the tunnel provider...

I really, really wish that I had a native IPv6 connection at home, but I don't
want to switch to Comcast, which is the only IPv6 option for me.

~~~
IgorPartola
Shoot an email to HE. Their support for this free service is better than most
commercial support teams I've interacted with.

Also, don't discount that it's possible that the other end of the equation,
the server you are trying to reach, has poor IPv6 connectivity. Fire up a
Digital Ocean instance for an hour (it'll cost you $0.10) and see if the site
is slow from everywhere.

I've been using HE.net's tunnels for a good long while now and they've been
great for me.

~~~
c0nsumer
Unfortunately, it's anything that's slow... When I've got a tunnel live,
Google properties and Facebook are pretty much unusable. Weirdly, sometimes
it'll work fine... Other times it won't. (The server I'm testing against
is my personal site, [https://nuxx.net](https://nuxx.net), which has great
IPv6 connectivity already. I just don't want to tunnel my home connection
through it because that'll seriously push up the bandwidth use of the hosted
server.)

There's two things that I haven't taken the time to rule out yet: my router
potentially being problematic (it's an Apple Airport that otherwise works
well) and the ISP slowing down tunneled traffic. The former would require
setting up a new router, and the latter... I'm not sure how I'd do that yet.
IPv6 connectivity had been working fine until a month or two ago when things
just went weird.

Good thought on sending HE a message... I'll do that later today. Maybe
there's something they've run into before with this combo. When their tunnel
was up and working great it was surprisingly nice.

~~~
ay
This description might also match a partly-working path MTU discovery (a
possibly too-high rate of ICMP egress from HE end to content sites, blocked by
rate-limiter on the HE device).

In IPv4 you do not notice it (it almost never triggers) because there are fewer
tunnels and also because generally everyone does MSS clamping. In IPv6, you
have the tunnel and not necessarily MSS clamping.

Two ways to tackle it:

- configure on the home router interface facing your LAN, IPv6 MTU less than
you have on the tunnel (I have 1400 just because I like round numbers :-)
Cleaner because works for (mostly) all protocols.

- configure the first hop router to do MSS clamping for TCP on IPv6 to 20
bytes less than what it currently does (if at all). This will work for only
TCP, but that'll be the vast percentage of the traffic you are having problems
with.
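
The arithmetic behind both options in the comment above, as an added example that is not part of the thread: it computes the TCP MSS that fits a tunnel MTU, decides whether clamping is needed for a given LAN MTU, and prints the `ip6tables` TCPMSS rules. The interface name `he-ipv6` and the 1480-byte tunnel MTU (a 6in4 tunnel over a 1500-byte path) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): MSS clamping for an IPv6 tunnel.

# Largest TCP payload that fits one packet of the given MTU, no TCP options.
# IPv6: 40-byte IP header + 20-byte TCP header.
v6_mss() { echo $(( $1 - 40 - 20 )); }
# IPv4: 20-byte IP header + 20-byte TCP header, hence the 20-byte difference
# between an IPv4 clamp value and the IPv6 one for the same MTU.
v4_mss() { echo $(( $1 - 20 - 20 )); }

# Succeeds (exit 0) when LAN hosts can advertise an MSS too large for the
# tunnel, i.e. when the LAN MTU ($1) is above the tunnel MTU ($2).
# Lowering the LAN MTU to the tunnel MTU or below makes this fail, which is
# the first option in the comment and covers non-TCP traffic too.
needs_clamp() { [ "$1" -gt "$2" ]; }

# Print the clamp rules for tunnel interface $1 with MTU $2. They rewrite the
# MSS option in SYN and SYN-ACK segments crossing the tunnel in either
# direction; TCPMSS only lowers the value, it never raises it.
clamp_rules() {
    tun_if=$1
    mtu=$2
    if [ "$mtu" -lt 1280 ]; then
        # 1280 is the minimum link MTU every IPv6 link must support.
        echo "MTU $mtu is below the IPv6 minimum of 1280" >&2
        return 1
    fi
    mss=$(v6_mss "$mtu")
    for dir in -o -i; do
        echo "ip6tables -t mangle -A FORWARD $dir $tun_if -p tcp" \
             "--tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss"
    done
}

# Sample run with assumed values: 1500-byte LAN, 1480-byte 6in4 tunnel.
LAN_MTU=${LAN_MTU:-1500}
TUN_MTU=${TUN_MTU:-1480}
if needs_clamp "$LAN_MTU" "$TUN_MTU"; then
    clamp_rules "${TUN_IF:-he-ipv6}" "$TUN_MTU"
else
    echo "LAN MTU $LAN_MTU fits the tunnel; no clamp needed"
fi
```

The script only prints the commands; review them and run them as root on the first-hop router.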

~~~
c0nsumer
So... Changing the MTU didn't help. Even at the minimum of 1200 I still had
issues. Sometimes pings (even small 60 byte ones) would be fast, other times
they'd be upwards of one second. Not sure what's going on yet, as I've put
working on this aside for now.

~~~
ay
Okay, if there is a jitter on individual pings, it is certainly not the
PMTUD-related - and if there is no packet loss, then it is shaping - either
intentional, or some middlebox can't cope with the load.

When using AICCU (sixxs) - were you using protocol 41 or the UDP-based encap?
If protocol 41, then experimenting with switching to UDP might be interesting.

------
eloisant
My ISP supports IPv6, but I deactivated it.

The reason:
[https://blog.dave.io/2011/06/vpn-ipv6-privacy/](https://blog.dave.io/2011/06/vpn-ipv6-privacy/)

~~~
blfr
Leaks are a problem and people are working on it[1] but you could reconfigure
your VPN to carry IPv6 traffic, too. At least OpenVPN is capable of it[2].

It's also a bit of an edge case. Browser-level proxying (Tor, SOCKS proxies)
shouldn't leak whereas for p2p/torrent it makes more sense to run the client
itself on a remote server rather than route traffic through it.

[1] [https://leap.se/en/services/eip](https://leap.se/en/services/eip)

[2]
[https://community.openvpn.net/openvpn/wiki/IPv6#ProvidingIPv6insidethetunnel](https://community.openvpn.net/openvpn/wiki/IPv6#ProvidingIPv6insidethetunnel)

------
TD-Linux
It's kind of ironic that the graph about embracing future technology requires
Flash Player.

~~~
eridal
Anyone with _that_ installed can post a pic?

------
s_dev
How much time pressure are we under to replace IP4 with IP6? Is this something
that has to be done in 2 years or 10 years?

~~~
Arnt
It varies.

Some ISPs made sure to allocate rather a lot of addresses around 2010, and
have room to grow by allocating more efficiently. The ISP where my colo hosts
lives used one /30 per customer at the time (which is a fine, sensible
strategy, just not one that saves IP addresses). When one of those old
customers leaves, the ISP can use the /30 for four new customers.

Another ISP I deal with has already run out of v4 addresses, and some of its
customers only have CG-NAT access to IPv4 today. That ISP _already_ has to
optimize many things for low v4 address usage.

------
nandhp
Anyone know what that weird spike was in the first week of October 4?

~~~
danyork
No idea... a number of us who watch IPv6 traffic stats have been wondering
about that spike ever since it first appeared.

The spike does not appear in other data sets like that from APNIC:

[http://stats.labs.apnic.net/ipv6/XA](http://stats.labs.apnic.net/ipv6/XA)

------
talideon
I wouldn't be surprised if that 1.36% in Ireland was almost solely down to the
hosting company I work for.

I really wish the hosting providers here would get their acts together when it
comes to IPv6 deployment, but they're really dragging their heels on it. I
recently got a VDSL connection from Magnet and while I've a static IPv4
address for the connection, no such luck for IPv6.

------
kancer
I'm curious about the peaks and troughs in the graph. It seems the graph
reaches a peak every week, does anyone know a reason for this?

~~~
eXpl0it3r
Hehe this was an exercise question at my university. Look at the peaks again,
zoomed in on a week, and you'll see that it's always on the weekend.

This most likely means that more people have IPv6 connections at home
(weekend), than they do at their work place (throughout the week).

~~~
wjoe
You'll notice the same pattern on browser usage graphs - IE peaks during
working hours, every other browser peaks on weekends and evenings.

------
cientifico
In Germany, Kabel Deutschland no longer offers ipv4. At least, my router only
gets an ipv6 one. (100/6Mb + phone line = 55 eur)

~~~
iso-8859-1
How do you access IPv4 sites? Tunnel?

~~~
danyork
Some of the carriers who have gone IPv6-only like T-Mobile USA use
technologies like 464XLAT to access IPv4 sites. Here's some info:

[http://www.internetsociety.org/deploy360/resources/case-study-t-mobile-us-goes-ipv6-only-using-464xlat/](http://www.internetsociety.org/deploy360/resources/case-study-t-mobile-us-goes-ipv6-only-using-464xlat/)

And RFC 6877 specifies 464XLAT:

[http://tools.ietf.org/html/rfc6877](http://tools.ietf.org/html/rfc6877)

and here is even more detailed info from T-Mobile:

[https://sites.google.com/site/tmoipv6/464xlat](https://sites.google.com/site/tmoipv6/464xlat)

Regarding DS-Lite, this video from RIPE NCC provides a nice overview:

[http://www.ripe.net/lir-services/training/e-learning/ipv6/transition-mechanisms/ds-lite](http://www.ripe.net/lir-services/training/e-learning/ipv6/transition-mechanisms/ds-lite)

Both DS-Lite and 464XLAT are ways that an ISP can be IPv6-only yet still
access legacy IPv4 content and services.

------
Already__Taken
Can IPv6 become, ironically, the reason ipv4 never dies? Once a majority move
to v6 wouldn't that mean a whole bunch of the ipv4 space is being freed up?

This allows those who never update to actually never update.

~~~
yoha
People who adopt IPv6 addresses tend to keep an IPv4 address as well.

~~~
kalleboo
Until we see more carriers moving users over to DS-Lite, where their IPv4
usage is NATed
[https://news.ycombinator.com/item?id=8680759](https://news.ycombinator.com/item?id=8680759)

------
ipv6pixie
Doesn't IPv6 also mean the permanent death of privacy? Think about it. IPv6
kills all the stupid NAT schemes IPv4 required. Everyone gets a permanent
static IP address. Your browser delivers it to every site you visit. It's the
ultimate permanent cookie. Of course Google is so happy for this.

~~~
Arnt
No, you don't get a permanent static IP address. That depends on the ISP. And
even if your ISP hands out permanent addresses, your devices can change
addresses often. Most of my devices do change addresses, and I didn't have to
turn it on.

Both v6 and the linux stack are privacy-friendly.

~~~
chimeracoder
> Both v6 and the linux stack are privacy-friendly.

Yes and no.

The privacy extensions will create new addresses, but they will always belong
to the same /64. To my knowledge, TWC will allocate a /64, but there's no
_guarantee_ that power cycling your modem will generate a new /64[0]. I
believe other ISPs work the same way - they may give you a new /64, but
they're not required to and don't guarantee it in the SLA. And most people
won't power cycle their modems often anyway, which means they could have the
same /64 for months on end.

If we're talking about online tracking, it's very easy for trackers to just
throw their hands up and treat all addresses within a /64 as if they represent
a single user + device. This isn't completely accurate, but it's no less
accurate than IP address tracking with IPv4.

Furthermore, I am unaware of any reliable commercial VPN providers that
currently provide IPv6 connections (at least over OpenVPN[1]), so if you have
dual-stack connectivity, your IPv6 connection can compromise your privacy even
for your IPv4 connection[2].

[0] Technically this is true for ipv4 as well, but due to the relative
scarcity of addresses you're less likely to get a pseudo-static ipv4 address.

[1] OpenVPN now supports IPv6 clients, though I don't know of any actual
deployments of this. PPTP is IPv4-only.

[2] I think this blog post is sadly still accurate:
[https://blog.dave.io/2011/06/vpn-ipv6-privacy/](https://blog.dave.io/2011/06/vpn-ipv6-privacy/)

~~~
Arnt
Well, I have two consumer DSL connections at home from different ISPs with
completely independent infrastructure (a few billable hours pays for a year's
redundancy). Both of them give me new, unpredictable v6 prefixes via
DHCP every 2h/1d.

So obviously not _all_ other ISPs work the way yours does.

~~~
crazy8s
So, you are dependent on the ISP cooperating to give you privacy? What could
possibly go wrong? Downvote me all you like guys. This just proved my point.
NSA will love IPv6 adoption.

~~~
Arnt
Sure. We're dependent just like we were on IPv4, except that the ISPs' address
pools are bigger. The same things can go wrong.

~~~
samuelsmith
That sounds a bit disingenuous. IPv4 was always on a forced rotation because
a) limited address space and b) ISPs wanted to milk customers for static IP
charges. IPv6 eliminates a). That leaves b) which isn't really a factor on
mobile devices. It really is a permanent cookie if the ISP decides to
implement it that way. I can't say I trust AT&T and Verizon after their
'header enrichment' shenanigans.

~~~
Arnt
What do those two ISPs on another continent have to do with my argument?

------
digital-rubber
How come some countries have a negative -10ms *latency?

~~~
ema
I think it's latency relative to ipv4. So maybe their ipv4 networks are more
congested.

~~~
digital-rubber
ah yes that would explain it. Thanks

