IAB Statement on IPv6 (iab.org)
142 points by liotier on Nov 8, 2016 | 126 comments

IMO the major thing holding back IPv6 on the web is Amazon. A huge proportion of services are hosted on AWS, and the lack of IPv6 addressing of instances cannot be forgiven.

Amazon seem to be slowly getting there: https://aws.amazon.com/about-aws/whats-new/2016/10/ipv6-supp...

Wow, how did I miss this, CloudFront getting IPv6 support is huge!

They also support HTTP/2 now, which is pretty sweet.

"Getting?" I set up some CloudFront instances (or whatever they call them) a month ago and it had an IPv6 checkbox (which was unchecked by default, for some reason), but it seems to have been working fine ever since.

Yeah the announcement linked is from a month ago

ELBs support ipv6 as well

Only EC2-Classic ELBs do, which is only available to users who signed up for AWS before Dec 2013 (and doesn't support all the new VPC goodness)

The good news is that Amazon has been slowly rolling out IPv6 support across various AWS services (ex. S3, CloudFront). Once they support IPv6 on EC2, though, that will be the big breakthrough!

Not to mention Route 53, which can serve AAAA records, but still has no IPv6 nameservers.

It should now: https://aws.amazon.com/about-aws/whats-new/2016/10/amazon-ro...

ns-1887.awsdns-43.co.uk. 60 IN AAAA 2600:9000:5307:5f00::1

I'd say ISPs to start with. In the UK, BT still hasn't rolled out IPv6. Neither has Vodafone.

Also I have servers in colocation with two datacenters, and for both I had to ask support to get an IPv6 range. We are very far from IPv6 becoming a standard feature.

SKY have recently rolled out IPv6 support to nearly all customers: https://corporate.sky.com/media-centre/news-page/2016/sky-co...

I use AAISP as my ISP and they have been providing IPv6 for a very long time: http://aa.net.uk/kb-broadband-ipv6.html

That varies strongly by country[0]. My home ISP for example does DS-Lite and last week their AFTR was overloaded. So ipv4 was almost unusable while v6 worked fine. So temporarily I was already living in a post-v4 world.

[0] https://www.google.com/intl/en/ipv6/statistics.html#tab=per-...

> I'd say ISPs to start with. In the UK, BT still hasn't rolled out IPv6.

BT have at least partially rolled out support, as I have a v6 allocation on a BT broadband service.

I have read I can get it by upgrading to the very latest version of BT Home Hub (I am using 5). I ordered it yesterday. But my current Home Hub 5 is compatible, and I still don't have IPv6.

It looks like you would have got support on your existing device soon. A recent BT presentation says:

"[IPv6 support] Home Hubs 4 and 5 support from early 2017"


Actually I just received my new router and I now have IPv6!

It's time to switch HN to be IPv6 only forum, so 100% of HN'ers will be on IPv6 almost instantly. ;-)

Amazon and github are the two major offenders.


Baidu, Twitter, Instagram and Reddit are also major players who could make a huge difference.

The worst part about reddit in that case is that they use cloudflare which could be a 1 click update to ipv6. Previously they have stated that internal systems (spam, court orders, reporting) are holding them back from the change.

Still plausible, e.g. if their spam filters, court order handling and reporting expect to see IPv4 client addresses in their input and/or databases.

Cloudflare have a workaround for that too! https://support.cloudflare.com/hc/en-us/articles/202494830-P...

You know, Cloudflare gets a lot of shit around here for being a centralizing entity in a decentralized Internet (sometimes justifiably), but they've done a hell of a lot to push forward needed changes in the Internet infrastructure. Often at little benefit to themselves.

That is a concise, interesting read topped off by some Gibson quotes. Thanks.

I work for one of the companies on that wall of shame. I wonder to what extent it has the reverse of the intended effect. "Oh so not even Amazon, Twitter or GitHub gives a crap about IPv6? Why should we?".

> Oh so not even Amazon, Twitter or GitHub gives a crap about IPv6? Why should we?

If this is really what they're thinking, then they have no pride in their work and will never be the best at what they do. I suspect most of the engineers working for Amazon, Twitter, and GitHub are well aware that they're lagging in ipv6, and are very intent on catching up.

It seems to have worked for python 3.

I kinda doubt that the site had a real influence on that.

Those are just one site each though. GitHub and Amazon are many.

Also, I am not sure if googleadservices.com should be on that list. Leaving advertising on IPv4 to die might be for the best. ;)

At a cursory glance, it seems that Google or Google-owned sites make up a majority of the IPv6-enabled sites. Seems to me the numbers would be a lot lower without Google's work.

The list also has a ton less green when you consider that most of the sites are just the google search page with different TLDs.

With the poor adoption rate of IPv6 persisting in China, half of those listed (taobao, tmall, baidu, hao123, qq, youku, sina, weibo, etc.) just won't change in the near future.

I am visiting China. It seems impossible to get an IPv6 address from either China Telecom (the ASN lacks IPv6 peering) or a datacenter within China. Sending traffic to a VM in South Korea has similarly had the issue where I cannot find any VMs with IPv6 support, although most have terrible latencies.

I don't understand; APNIC ran out of ipv4 addresses ages ago. How do they...internet?

I think IPv4 addresses can be bought for cheaper than the cost to transition to IPv6.

That site correctly lists apple.com as not supporting IPv6. The funny thing is that www.apple.com does support it.

Same with microsoft.com.

How is this the case?

Both Microsoft and Apple's www sites use Akamai's CDN, via a CNAME to a CNAME to something in akamaiedge.net, which supports ipv6. The apex record of a domain (that is, the root record, microsoft.com or apple.com) cannot be a CNAME, it can only have an A, NS, MX or TXT record. A records make dynamic infrastructure hard, because they require API coordination between your DNS provider and your CDN. So Microsoft and Apple host their own apex domain records via A records to static IPs in their own IP blocks, and have these servers issue a permanent http redirect to www.

apple.com isn't but redirects to www.apple.com which is IPv6 enabled (akamai)

as fastly goes, so goes github

IPv6 and a return to end-to-end addressing isn't really aligned with the AWS style of proprietary platform lock-in.

This makes no sense. AWS can give you IPv4 elastic IPs, which provide end-to-end addressing on IPv4. IPv6 will be no different in this regard.

"End-to-end addressing" is typically an end user issue, where end users use NAT. In the early days of the internet, nobody used NAT.

AWS encourages you to use VPCs for service-internal addressing. Yes, you can rent "elastic IPs", but in the AWS mindset they are special and to be used only for NATing Internet endpoints to your services. It's based on end-to-end addressing being special and a scarce resource. This is compatible with the traditional corporate intranet style of thinking, but it's also in the opposite of internet end-to-end addressing and they are in no hurry to change it.

ipv6 has a provision for locally routable addresses, because yes publicly routable addresses should be special. They should just also be free.

Link-local addresses are not routable and are not meant for application use, they're just for low level things like neighbour discovery and router advertisements (analogous to IPv4 ARP/DHCP).

There's also ULA that can be used for non-internet connected networks and some other special scenarios, but it would be a bad idea (and against recommended practice) to use them to port your RFC1918 addressing to IPv6.

I noticed the other day that IPv6 growth is slowing down, as Google measures it. Its access share used to double every ten or eleven months, now it doubles more slowly, and seems likely to reach 20% only in 2017 instead of this year, and if it goes on as in the recent months, 30% in 2018 instead of in 2017.

At a guess, many of the most competent ISPs have done their thing and now we're seeing the more sluggish middle. Or? Comments?

In Belgium we're up to 49.5% of Google traffic over IPv6, which is pretty impressive. All major ISP's have IPv6 enabled in a dual-stack setup right now. This works because almost all of them provide an all-in-one modem/router/access point, all remotely managed, so it's easy to just flick a switch on the ISP end and magically have everything go over IPv6.

What's holding back further progress is mostly people with their own NAT routers/DHCP that's not set up for IPv6, or company networks where the transition isn't planned. That's going to change very, very slowly indeed.

IPv6 was always going to be an S-curve. My guess is we'll see switchover at about the same rate up to 80%-90%, and then a long tail.

If I remember well at least 2-3 years ago it was complicated to measure IPv6 usage on a high-end router, and that was tied to billing.

Every vendor (Cisco/Juniper/Alcatel/Huawei) had a different way to do it and since B2B billing depended on it IPv6 adoption was not as easy as expected.

What was complicated about it?

Every vendor had a different way to measure how many octets went through an interface on IPv6 using SNMP.

And the standard MIB (management information base) for SNMP only gave you IPv4 traffic.

So, if you wanted to measure the traffic you interchange with a third party on IPv6 you had to be tied to a specific way of doing it (some had private or experimental MIBs for that, in other cases you had to move the data through a tunnel and measure traffic inside the tunnel minus overhead).

Very easy to make mistakes, especially if there is a problem with the traffic late at night and somebody forgets to put you in the loop.

Here in France, there have been leading ISPs (Free ADSL), good citizens (SFR), and laggards that keep on dragging their feet (Orange, Numericable). Things got worse when Numericable bought SFR, halting progress with stupid rules in place that when you get the budget version of a contract you don't get IPv6 because reasons.

Let's not get started on "pro" versions where you just don't get IPv6 at all, ever, and on the phone you can even get them mumbling that it's not even on the table (Completel).

Is Free still doing 6to4 (which was probably fine at the time) or did they start doing native ipv6?

Free was doing 6rd, which is similar to 6to4 but not quite the same.

I'm on Free and I had to disable IPv6 because one of their routers was dropping about 60% of the IPv6 packets: GitHub, Google, Bitbucket took several minutes to load.

As soon as I switched to IPv4 everything worked fine.

I suppose that nobody at Free is really monitoring their IPv6 network in the same way they do it for IPv4.

In the UK, only one big(-ish) ISP supports IPv6, and 2 significantly smaller ones. BT claim to be pushing it out next year, but they still have a large number of older consumer-end router/modem devices which can't be updated for it, so it'll take another half a decade for those devices to fail and be replaced. Once BT have pushed it out, many of the companies that depend on them for varying things should be able to build implementations fairly quickly.

BTnet (BT's higher-end leased line etc. services) do support native IPv6 fwiw, but when I spoke to them (this was in Scotland) they said no customers ask for IPv6 to be enabled, and it's not enabled by default. (But if you ask them they'll do it no problem - verified to be true. :) But the situation is different with all that older consumer equipment as you say...

Here in Japan, the largest consumer fiber wholesale network (NTT) "supports" IPv6, but you need a separate, $100 router that talks PPPoEv6 since none of the common consumer routers (including the one they provision you with) seem to support it.

I also haven't been able to get PPPoEv6 working in macOS.

Anything that can run OpenWRT should be able to do PPPoE with IPv6.

Just explaining why there's poor IPv6 adoption. Anyone can get IPv6 through a tunnel if they really want it...

I focussed on your suggestion that it had to cost $100.

If people don't need IPv6, then why bother. My impression is that the content providers don't care about IPv6, so I assume they have plenty of IPv4 space.

Some large consumer ISPs are short on IPv4 addresses, but in that case, they will make sure their customers get IPv6 capable CPEs.

Anything else is a very nice hobby.

From this: https://www.google.com/intl/en/ipv6/statistics.html doesn't look like it is slowing down, it's not exponential though, but was it really? It's much easier to double up when number of users is low.

Here in Brazil, I know of no consumer facing ISP that supports IPv6. But we have been busy dismantling a quasi-communist government, so things may change faster in the future (if we are successful in the dismantling).

All mobile operators use it for their infrastructure because the protocols make it mandatory.

Then they have a big ipv4 nat for cell phones in the BTS. Weird.

I check the google stats[0] on ipv6 adoption every few months. Last time I checked it was barely 9% and now it's on 15%!

I would have never thought we'd get this far this fast. Looks like the switchover is actually going to happen.


Really interesting how it spikes on weekends! I wonder if this is because more home broadband connections are ipv6-enabled compared to businesses?

Yea, ISPs are upgrading home users for them.. Businesses tend to have their own equipment, and need to DIY the change, even if IPv6 is pushed down the wire to them by the ISP.

Yes, but mobile phones even more so (e.g., the push to IPv6 in iOS 9: https://developer.apple.com/news/?id=05042016a)

I guess it's hobbyists whose normal internet connection is ipv4, but on the weekend they have time to dick around with ipv6 devices and connections.

Comcast and Verizon Wireless rolled out IPv6 years ago, and resolve IPv6 addresses first by default. Nobody is dicking around, it's just transparent.

> Nobody is dicking around

Well, I am. Now let me enjoy my statistical insignificance!

How does that explain the massive spikes on weekends?

People do more internet at home on weekends than they do on weekdays.

possible i guess

do we see something similar with .onion addresses?

I've found it much more reliable and secure to give devices I want access to from anywhere a .onion address rather than an ipv6 one.

secure by design rather than plaintext insecure and only works on some internet connections occasionally by design nightmare that is ipv6.

Looks like the US is up to 30% now! I suspect mobile traffic is largely driving this as all the major carriers are moving to ipv6 only and proxy an ipv4 address when needed.

We have a product that uses ipv6 for inter-server communications. We've since learned that most major corporations routinely disable ipv6 on every computer.

Not helping.

Heard a "funny" story about Facebook switching over to pure IPv6 and their issues dealing with largely untested IPv6 implementations. For example, switches which, when presented with an IPv6 BGP route while they don't have IPv6 configured, crash. Apparently they took down an entire data centre full of rack switches finding that out.

My second-favorite problem, after that was solved, was developers constantly using IPv4-only code. Their eventual solution was to just disable IPv4 entirely so that anyone committing IPv4-only code was committing broken code.

It's amazing how much work it takes to bring people into the future.

Very "funny", but those kinds of crashes happened more than you imagine.. in telcos.

Usually the problem is memory. A machine with full routing enabled needs much more memory for IPv6 than for IPv4 and when routers run out of memory they just crash, reboot, and start again...

> Usually the problem is memory. A machine with full routing enabled needs much more memory for IPv6 than for IPv4

Interesting - why? I would have thought that routing tables for ipv6 would be a fraction of the size of their ipv4 equivalents. Am I wrong? Or is this just sloppy programming on the part of those switch programmers?

Topically, here are the minutes from the latest UK IPV6 Council meeting: http://www.ipv6.org.uk/2016/08/31/ipv6-council-meeting-octob...

Sky and BT both looking good, sadly Virgin didn't present this year.

I've not run into a problem solved by IPv6. There's no incentive for ISPs to provide good service, so they can just follow the mobile carrier route and nat/proxy when exhaustion becomes an issue.

As other countries go IPv6, more IPv4 addresses become available for the big cloud providers.

I run into NAT almost every single day. It wastes time, breaks things, consumes router resources, rules out certain technologies/products/services and duplicates so much work it's just unreal.

IPv6 != No NATing.

Example: Verizon Wireless.

You mean IPv6 != No Firewall. Firewalls are going to cause pretty much the same problems as NAT.

Quite. But there's no need, nor excuse for NAT on IPv6.

True, but that's just kind of dumb.

As a sysadmin, if I had limitless IPv4 addresses, I'd still use NAT on servers and clients because it's a useful security layer. There's little reason that individual devices need globally routable IP addresses.

> it's a useful security layer

No, it's not. As a sysadmin, you should know the difference between NAT and a stateful firewall, and that NAT alone doesn't prevent packets from being routed to local addresses.

> There's little reason that individual devices need globally routable IP addresses.

NAT has been more damaging to the development of network software than any other factor. NAT breaks the development of true network software, such that entire categories of software haven't even been considered.

NAT forces extremely complicated hacks[1] and centralized management of true peer to peer connections. The benefit of the internet has been that any peer has the capability to publish. NAT breaks that benefit, turning the internet back into cable TV, where most people need an imprimatur[2] to publish.

[1] http://www.brynosaurus.com/pub/net/p2pnat/

[2] https://www.fourmilab.ch/documents/digital-imprimatur/

This needs to be repeated everywhere. There are too many system admins with dangerously bad ideas about IPv6 and NAT. NAT needs to die in a fire and if you're rolling out NAT for IPv6 you're wasting your time and your company's money for a bag of nothing.

But with an extra layer to configure and for a vendor to properly implement, surely that also means it's an extra security liability?

>consumes router resources

That's a weird claim to make against IPv4. Grab a calculator and see how much memory is required by an IPv6 /64 address space.

Not much! Just a few bytes for each packet. Running a NAT service requires a big table of all the active connections, ie. it's stateful - IPv6 with no NAT needs no per-connection state in the router so that's a big space-saving.

As I understand it, there have been a few nation-scale Internet outages that have been a result of IPv4 address tables reaching their resource ceiling (not relating to NAT) - another example of how IPv4 is no longer fit for purpose regarding hardware resources.

Those were caused because Cisco by default (optimistically) partitioned a big chunk of the routing table memory for v6 routes. The fix was to reduce the memory usage for v6 and give that memory back for v4 routes. So really it was allocating so much space for v6 before there was any need that caused those outages.

If 32 bit address tables are reaching capacity, increasing the size of the address space is unlikely to resolve the problem.

Doesn't ipv6 include efficiencies for this, like hierarchical prefixes?

In practical reality, doesn't that just mitigate the strain caused by an explosion in the size of the address tables?

A sometimes large but solvable part of the problem in ipv4 routing table sizes is numerically adjacent routes that could be aggregated into fewer announcements but aren't; ipv6 doesn't help with that. Another part of the problem is that many networks have lots of allocations that aren't adjacent, so they can't aggregate them; ipv6 should help with that as there's room for big allocations.

I guess it depends on how big the efficiency gain is, but afaik it's pretty big.

So you don't want stateful inspection on your private LAN router? It's ok for every hacker to portscan the 100's of IoT devices in your house? You're a very trusting fellow.

How many IoT devices need to allow incoming connections at all? And how many connections do they need to make?

IoT devices, if I had any use for them, would go on my private LAN. My private-public router can do complex stateful tracking, because it only has to handle a few connections at a time. Meanwhile my grown-up internet devices go on the public side and get actual internet access, meaning that e.g. two people inside my house can play an online game with a person outside my house, and aren't slowed down by a complex connection-tracking router. Also means my guests don't get access to my IoT devices.

> How many IoT devices need to allow incoming connections at all? And how many connections do they need to make?

If they need outgoing connections, they likely also need incoming when we are speaking about stateless filtering. Without incoming connections only UDP would be allowed and it would be usually impossible to determine if the packet should be sent again (it would only be possible if there was out of band method to detect it).

Ok, I will admit that it's possible to check the TCP headers and just drop incoming SYN packets without ACK, but then you need to start trusting that the IoT device can handle invalid TCP packets.
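The trade-off raised in this comment, and the NAT-versus-stateful-firewall point made earlier in the thread, as an added example that is not part of the original discussion: a stateless rule that drops inbound SYN-without-ACK is run next to a minimal connection tracker over the same constructed IPv6/TCP packets, with no NAT involved. The addresses (documentation prefix `2001:db8::/32`), ports and all function and class names are assumptions made for illustration.

```python
import struct
from ipaddress import IPv6Address, ip_network

SYN, ACK = 0x02, 0x10
LAN = ip_network("2001:db8:1::/64")          # documentation prefix, assumed LAN
DEVICE, OUTSIDE = "2001:db8:1::10", "2001:db8:ffff::1"   # constructed hosts


def build(src, dst, sport, dport, flags):
    """Constructed sample packet: IPv6 header + 20-byte TCP header, no payload."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip6 = struct.pack("!IHBB", 6 << 28, len(tcp), 6, 64)
    return ip6 + IPv6Address(src).packed + IPv6Address(dst).packed + tcp


def parse(pkt):
    """Return (src, dst, sport, dport, flags), or None for anything that is not
    plain IPv6+TCP. Extension headers are not walked, so such packets fail closed."""
    if len(pkt) < 60:
        return None
    first_word, _plen, next_header, _hlim = struct.unpack("!IHBB", pkt[:8])
    if first_word >> 28 != 6 or next_header != 6:
        return None
    sport, dport = struct.unpack("!HH", pkt[40:44])
    return IPv6Address(pkt[8:24]), IPv6Address(pkt[24:40]), sport, dport, pkt[53]


def stateless_verdict(pkt):
    """Per-packet rule from the thread: drop inbound SYN-without-ACK, pass the rest."""
    p = parse(pkt)
    if p is None:
        return "drop"
    src, dst, _sport, _dport, flags = p
    inbound = dst in LAN and src not in LAN
    if inbound and flags & SYN and not flags & ACK:
        return "drop"
    return "accept"


class StatefulFilter:
    """Minimal connection tracking: inbound is accepted only as the reverse of a
    flow a LAN host opened. No timeouts or TCP state machine (simplification)."""

    def __init__(self):
        self.flows = set()

    def verdict(self, pkt):
        p = parse(pkt)
        if p is None:
            return "drop"
        src, dst, sport, dport, _flags = p
        if src in LAN:                       # outbound: remember the 4-tuple
            self.flows.add((src, sport, dst, dport))
            return "accept"
        return "accept" if (dst, dport, src, sport) in self.flows else "drop"


def compare():
    """Run both filters over the same ordered, constructed packet sequence."""
    samples = [
        ("inbound SYN to device:23", build(OUTSIDE, DEVICE, 5555, 23, SYN)),
        ("outbound SYN to outside:443", build(DEVICE, OUTSIDE, 40000, 443, SYN)),
        ("inbound SYN/ACK reply", build(OUTSIDE, DEVICE, 443, 40000, SYN | ACK)),
        ("inbound unsolicited ACK to device:23", build(OUTSIDE, DEVICE, 5555, 23, ACK)),
    ]
    stateful = StatefulFilter()
    return [(label, stateless_verdict(p), stateful.verdict(p)) for label, p in samples]


if __name__ == "__main__":
    for row in compare():
        print("%-38s stateless=%-6s stateful=%s" % row)
```

The last sample is the case the comment warns about: the stateless rule passes an ACK that belongs to no connection, so the device's own TCP stack has to reject it, while the tracker drops it at the router.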

> Ok, I will admit that it's possible to check the TCP headers and just drop incoming SYN packets without ACK, but then you need to start trusting that the IoT device can handle invalid TCP packets.

I have more faith in that than I have faith in a router that does complex state-tracking logic to not contain RCE vulnerabilities itself.

Are you recommending NAT as some sort of security-by-accident measure?

The claim isn't about memory needed to flesh out an entire address range, but resources allocated to things like nat in ipv4.

Why am I trying to fill out in memory an entire /64? More importantly what purpose will doing that for a home network that will at best have 100 nodes even with ipv6? The memory needed to route and track 100 ipv6 nodes vs 100 ipv4 is a rounding error. Even if I enabled privacy extensions the amount of addresses is minuscule.

Nat sucks, end of story, and yes ipv6 requires more memory. It is a bigger address range after all. We also gain a lot of what we lost with ipv4 years ago.

I don't need to grab a calculator to figure out what I have already witnessed.

I've come across several routers that stop working (partially or completely) or spontaneously reboot when there are too many active NAT sessions. At a few customers I've had to set session limits to prevent some devices from being unable to talk to the WAN.

I get better peering though the HE tunnel broker than I get on IPv4. :)

Especially to exotic destinations and to services which my ISP feels like choking a little (such as Youtube)...

IPSec is one. You would burn two IPv4 to enable IPSec between two machines you control. That's a no brainer with IPv6. It is cumbersome and expensive with IPv4.

And given that most datacentres (outside of cloud services) are IPv6 enabled, this makes sense to secure server to server communications.

and yet news.ycombinator.com is still not IPv6 enabled...

Better late than never I guess, but come on... IPv6 is nearly 20 years old in 2 years...

I'm wondering what will happen when ISPs start doling out IPv6 addresses, will every customer get a unique, static IPv6 address?

Right now my ISP (BT) gives you an IPv4 address, but it's dynamic. They charge extra for a static IP

I don't have an answer to your question but the latest news from BT is:

"All BT broadband lines support IPv6 with a compatible router, except IPstream connections"


I hope we don't have IPv6 only protocols and sites anytime soon. My cable company still is not supporting IPv6... It seems like something a major American ISP would have done by now.

On the contrary, having IPv6 only sites and protocols would greatly help adoption.

One of the problems is that a lot of companies think that IPv4 is good enough, since there's no discernable difference to end users right now. Every IPv6 site is also accessible over IPv4, and the community is already heavily invested in engineering around the shortcomings otherwise created by NAT on IPv4.

Coupled with the additional cost and security considerations that have to go into an IPv6 deployment, we've got a good recipe for encouraging both ISPs and corporate providers to stay on IPv4 for as long as possible. (If we're unlucky, we might even see ISPs roll out carrier grade NAT instead of upgrading.)

Which one?

I used http://test-ipv6.com/ to run the test.

Your Internet Service Provider (ISP) appears to be SCRR-10796 - Time Warner Cable Internet LLC, US

I'm in Ohio.

Time Warner Cable provides IPv6: https://www.timewarnercable.com/en/support/faqs/faqs-interne...

Your issue is site-specific; most likely your modem is outdated, but your router may also be configured to not try to acquire a block of IPv6 addresses.

Interesting. No communication from them. I figured this is the sorta thing they'd mass contact people about to update.

I remember asking the installer about 3 years ago about it. He said I'd have it as soon as they turn it on at the central office...

I'm not really too worried about it yet as it's not a problem really yet. I hate talking to support people.

I went to the IPv6 page and it's not showing a V6 IP Address http://screencast.com/t/Xuq4VOfnS but the Dynamic page for IPv4 displays it in those text boxes (editing is disabled on them even though they look like inputs. A bit confusing UX if just looking at the image)

So it appears my firmware has it... strange. This is on the modem itself, not the router as it's an all-in-one.

Just found this: http://forums.timewarnercable.com/t5/IPv6/Not-getting-IPv6-A... from two months ago "I got someone from Tier 3 on the phone and he told me it was not available yet in my area." so hmm, sounds like some areas might be last to get it then.

This is telling organizations developing standards to basically pretend IPv4 doesn't exist and is no longer in use. At least that's how I read it. Seems a bit premature.

When will Verizon FiOS enable IPv6?
