This is not the internet I've been sold in my youth, and this statement makes me sad and angry.
Your MAC and/or IP address should not identify you, and never should have been used as an identifier. It's the identity of a communication endpoint.
If the OSI model is about making the core of the network stupid and fast, which has proven benefits of scalability and/or extensibility, then identity/authentication is not the network layer's job and never was.
If a protocol assumes all hosts on a subnet are trustworthy (ARP/DHCP for example), it's an upper-level protocol design failure, not really having to do with transport (TCP/UDP)/network (IP) layers.
There is also SCTP.
I literally don't see a single thing to be sad about. Angry is even a little harder and honestly a little surprising.
You want VOIP? Sorry, your double NAT'ed connection messes up about half the time; you better buy telephone service with us instead.
E.g. if everybody uses IPv6 China can still block you when you are located in their network. Not a single grain more power to you.
You still can, and you really don't have to host with a big provider if you don't want to. The only reason we hear about it so much is because all the engineering articles come from people who work at companies with insanely high scaling requirements. If you want to throw up an XAMPP server at home you still can, though you'll need to acquire either a static IP or a dynamic DNS record to point people to.
That's the whole point. With some ISPs using CG-NAT, you don't have a public IP.
I have three computers at home running an SSH server. Two have to be on non-default ports, since I only have one IP.
For the rest we provide a static IP address, so we'll allocate a /30 (block of 4), and they get a single usable address which they will assign to their own managed router/firewall.
For the majority of our customers "networking" is either handled as overflow for their in/out IT resource or often by someone remotely savvy with tech.
For most of these people networking ranges from an infrequent concern to a vague mystery that can be sorted with a bit of googling.
For most, deploying and testing IPv6 has absolutely no upside and quite a bit of potential downside, that's because "everything works" on IPv4 and configuring IPv6 is just another potential source of error.
In addition, most people who opt for this setup do so in order to expose some internal service to the internet (port forward), again there is usually zero incentive to also deploy IPv6 as they can't be sure their client device will be using v6 when they come to connect, but they know it will support v4, everything does.
And so herein lies the issue, it's chicken and egg, they know they need v4, not every server they access or client who accesses their forwards supports v6, so they _have_ to implement v4. As such they see no reason to "faff" about with IPv6, and I don't really blame them.
We're considering charging more for dedicated v4 and possibly offering a free translation service (another point of failure :() but honestly, most would just pay the extra and then just resent us a little more. Our competitors continue to acquire v4 space as we do, this is what our customers want.
Until there is v6 only content (but who is incentivised to do this?) then I can't see any incentive for these users.
In the end, despite the ISP at the business supplying IPv6, and getting some client side IPv6 going with OTHER ISPS (a pain) it fell over because:
1) Things like the VPN client software didn't get routes right when client side network was IPv6 oriented so VPN connections broke - a no go.
2) We had to continue to offer ipv4, as folks in the field were not guaranteed an ipv6 connection back.
3) The WAN fallback / failover stuff didn't seem to work well with IPv6 (another ISP to work out IPv6 with).
4) Security folks continue to be worried about giving all machines in a business globally routable addresses. The tools say NOT to filter ICMP when you run ipv6 reachability, the security people say to filter ICMP. Too much of a pain to figure out who is right and if/how ipv6 changed ICMP.
5) ipv6 seemed to purposely make this transition harder than it needed to be. I don't get why they couldn't have kept a simpler / more familiar framework with ipv6 as an option, even if less ideal. I.e., DHCP vs autoconfig stuff, ICMPv4 style instead of having security folks worrying me about the weird things unfiltered ICMPv6 might do. Seriously, make the goodies / cool stuff the add ons.
then let me make this easy for you: ICMP has become a vital part of the inner workings of an IPv6 network. You will break all kinds of functionality by dropping ICMPv6 packets.
If you are concerned, then drop ICMP echo requests and replies, but absolutely do not drop any other ICMP packets or you'll be one of those people that turn off ipv6 "because it's too hard to make it work" (no shit - when you actively break something, it's hard to make it work).
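To make the "drop echo only, nothing else" advice concrete, here is an added example (not code from anyone in the thread). It encodes the ICMPv6 message types that neighbour discovery, SLAAC and path MTU discovery depend on, compares a "drop all ICMPv6" policy against the "drop echo only" policy, lists what each one breaks, and renders an nftables input-chain fragment for the latter. Type numbers are from RFC 4443, RFC 4861 and RFC 3810; the policy names and the `REQUIRED` set are this example's own choices (RFC 4890 has the full filtering guidance).

```python
"""Which ICMPv6 types a firewall may drop, and what breaks when it drops more.

Added example, not from the thread. Type numbers per RFC 4443 (errors/echo),
RFC 4861 (neighbour discovery) and RFC 3810 (MLDv2); the policies are
this example's own.
"""
from dataclasses import dataclass

# ICMPv6 type number -> nftables symbolic name
ICMPV6_TYPES = {
    1: "destination-unreachable",
    2: "packet-too-big",            # routers never fragment in IPv6; PMTUD needs this
    3: "time-exceeded",
    4: "parameter-problem",
    128: "echo-request",
    129: "echo-reply",
    133: "nd-router-solicit",
    134: "nd-router-advert",        # prefixes and default router for SLAAC
    135: "nd-neighbor-solicit",     # IPv6's replacement for ARP requests
    136: "nd-neighbor-advert",
    143: "mld2-listener-report",    # joining solicited-node multicast groups
}

# Types a host needs to keep a link working (a subset of RFC 4890's "must not drop" list)
REQUIRED = frozenset({1, 2, 3, 4, 133, 134, 135, 136, 143})


@dataclass(frozen=True)
class Policy:
    name: str
    allowed: frozenset  # ICMPv6 types that pass; everything else is dropped


DROP_ALL_ICMPV6 = Policy("drop all ICMPv6", frozenset())
DROP_ECHO_ONLY = Policy("drop echo only", frozenset(ICMPV6_TYPES) - {128, 129})


def verdict(policy, icmp_type):
    """Accept or drop decision for one ICMPv6 type under a policy."""
    return "accept" if icmp_type in policy.allowed else "drop"


def broken_functions(policy):
    """Core IPv6 functions that stop working under the policy."""
    dropped = REQUIRED - policy.allowed
    broken = set()
    if dropped & {135, 136}:
        broken.add("neighbour discovery (no link-layer address resolution)")
    if dropped & {133, 134}:
        broken.add("router discovery / SLAAC (no default route, no prefixes)")
    if 2 in dropped:
        broken.add("path MTU discovery (large replies silently black-holed)")
    if 143 in dropped:
        broken.add("MLD (solicited-node multicast joins)")
    if dropped & {1, 3, 4}:
        broken.add("error reporting (unreachable/hop-limit/parameter problems hidden)")
    return broken


def render_nft(policy):
    """nftables input-chain fragment implementing the policy (symbolic names as above)."""
    names = ", ".join(ICMPV6_TYPES[t] for t in sorted(policy.allowed))
    return f"icmpv6 type {{ {names} }} accept\nmeta l4proto ipv6-icmp drop"


if __name__ == "__main__":
    for policy in (DROP_ALL_ICMPV6, DROP_ECHO_ONLY):
        print(f"{policy.name}: breaks {sorted(broken_functions(policy)) or 'nothing'}")
    print(render_nft(DROP_ECHO_ONLY))
```

The rendered fragment goes in the `input` chain of an `inet` or `ip6` table before any catch-all drop; the point of the `broken_functions` check is that the "drop all" policy is not a stricter version of "drop echo", it is a different policy that removes ARP-equivalent and PMTUD traffic the link cannot work without.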
You've just neatly described my experience (and naivety), because I've always dropped ICMP and wondered why ipv6 never worked. In all of the articles I've read on getting ipv6 to work, this had never been explained.
Thanks for trying! I did the same round. Tried to get v6, and finally gave up, because everything was broken in very stupid ways.
> I don't get why they
Because it happened in the early 90s, and since then all the RFCs that got layered upon that had to try and keep things consistent.
There could have been a simpler thing, but it was scrapped. IPv5 is missing for a reason.
And the goodies cannot be opt-in, otherwise no one will opt-in.
Of course this leads to a very slow deployment, because v4 with a lot of hacks just work, and will continue to work. It's easier to encapsulate things in DTLS (TLS + UDP) and gRPC and whatever (and deal with all of that in end user software) than trying to convert the whole World to IPv6.
> DHCP vs autoconfig stuff,
There's DHCPv6, so you don't have to use SLAAC.
That's a statement made with 20 years of hindsight behind it. But if you had an extra 5 or so years of hindsight then it'd make more sense.
DHCP only predates IPv6 by two years (October 1993 on RFC 1531, vs December 1995 on RFC 1883). AppleTalk and Novell NetWare were still fairly common around that time. You're looking at DHCP as if it's ubiquitous, which indeed it is now, but it certainly wasn't while v6 was being developed and wouldn't be until a good few years afterwards.
In fact, router advertisements were defined in RFC 1256 in 1991, so they have two years of seniority on DHCP -- although I suppose you could make an argument that DHCP is a standardized set of BOOTP extensions, and that BOOTP has been around for longer.
I haven't felt the need to learn more about v6, and it is quite complex so it'll take me a day or so to learn enough to be able to configure my network and know that I haven't screwed that up. But I keep putting that off. There's far more interesting stuff to learn and do.
I would've gladly accepted and adopted a version that's just IPv4 plus 16 bits of extra address space, and anything else exactly the same. That would've solved the original address shortage problem, and would be a breeze to configure.
For me, and I think for a lot of people, the complexity and thus cost of v6 dwarfs the potential benefits and therefore that complexity is the primary force holding back its adoption.
However, at home I'm using IPv4 + henet tunnel, because the native IPv6 offer from the ISP is unacceptable. At work, we are using IPv4 only, and no plans to switch, because it would be extra work with zero benefits.
No, it isn't.
> I would've gladly accepted and adopted a version that's just IPv4 plus 16 bits of extra address space
That's what IPv6 is for the most part.
> That would've solved the original address shortage problem, and would be a breeze to configure.
So is IPv6.
If we provide a dedicated IP for a connection where we provide the LAN we just put a single /32 on the loopback and NAT onto this which is obviously much more economic with addresses.
What are they doing instead? Putting all users behind carrier-grade NAT that don't need dedicated IPv4 addresses? That must be hundreds or even thousands of users behind a single address, considering that they must have a range of users (businesses and such) that need dedicated, static addresses for practical purposes, thereby reducing the IP address and user pools at a minimum 1:1 relationship.
Or is it maybe the Chinese surveillance infrastructure that is not yet capable of snooping and manipulating IPv6 traffic, so the providers aren't allowed to roll it out?
To even call what China has “internet” is a bit of a stretch.
But from my own experience, the actual execution of the plan is glacially slow. I don't know why. Chinese government usually is very good at execution, but not when it comes to IPv6.
No, ChinaNet has 2.86 users per IPv4 address. China Unicom has 2.79. Far less than Indian carriers.
You wouldn’t believe what a nation with incredibly cheap labour can do. I can see how they just allocate a few engineers-technicians just to do allocation.
 - https://www.verizon.com/support/residential/internet/getting...
Out of curiosity are you in one of the areas Spectrum took over, or are you legitimately on Charter's network? I am in one of the TimeWarner Cable areas they acquired, the IPv6 support was already in place well before the buyout.
BSkyB is a fixed line broadband provider, but in the UK it's usual for the ISP to supply the router, and for customers to change providers for a better deal fairly often.
Both parts mean the customer has a fairly recent router, which can be replaced if required by the ISP, and they know the model and can often perform firmware updates.
Yeah, this is where the “IPv6 is different^Wcomplicated to set up” argument falls flat for me. For most (consumer) users (at least in the UK), they get a free router from their ISP that’s already configured to do IPv4 NAT. For the minority that buy their own hardware, IPv4 NAT is enabled by default in hardware targeted at consumers.
If it were configured to firewall inbound IPv6 traffic by default there should be nothing else to do. If you need to forward ports you’re in the admin screens anyway (unless you use UPnP).
This is like arguing IPv4 is inherently complicated because if you opt out of the provided hardware and buy some Cisco monstrosity you have to configure NAT by yourself. Which is perfectly true but the massive majority aren’t going to do that.
What really didn’t help adoption is that IPv6 support was an afterthought at best for a lot of router makers, and for a long time was riddled with bugs.
There are ISPs that use migration to IPv6 as a way to tighten their rein over users. They will give you DS-lite only (ok...), but with /64 (no /56, no /48). They will force their router on you, where in the past with IPv4 they would provide an option for bridge. Their router cannot do PD (if it had more than /64, so maybe that's the reason why they do not provide that), so if you want a virtual net with VMs on your machine, you are going to waste your time playing around with IPv6 NAT, which doesn't work correctly anywhere. You can't control RA/DHCPv6 on the router, you cannot really control firewall rules. Suddenly, the ISP has not only free rein over your network, but also over the policies on your network.
So for undemanding users that's fine, it will work with Facebook and Netflix. For a power user, the IPv6 offer is unacceptable, not because of IPv6 properties, but due to limiting implementation that the ISPs force.
On the router I bought myself, there are a lot of settings for IPv4, and not a lot more than an 'enable-disable' toggle for IPv6. I guess this is so they can state 'supports IPv6', but for any real use, it is useless.
I have the pain of that connection requiring an additional $10 / month just so I can get 1 (or 4, same price) static IPv4 address which is apparently “required” for me to get IPv6. After using a HE.net tunnel for a few weeks, the slowdowns induced led me back to IPv4-only world.
So even in an advanced situation, you might still be stuck with IPv4 because of very silly reasons.
Tunnels are garbage. You should either switch ISPs, or complain and wait.
To be clear, I used an HE.net tunnel after I was told of their policy. The tunnel works great with dynamic IPs if you also link up their endpoint to update your tunnel every time your IP changes.
While the HE tunnel is somewhat limited (does it peak at 50 Mbps?), I find its implementation way better than some ISPs that provide native IPv6.
HEnet at least provides more than single /64, and does not force a specific, limited router on you.
I'm not certain about speed, but I did experience quite high latency during peak local traffic times (which went away when disabling IPv6).
Hahahah, you silly Europeans and your options. In the US we have the options of bad or slow!
I asked about just IPv6 (with dynamic IPv4), and they said that wasn't an option at all. /shrug
I'm currently looking into a cheap
FreeBSD VPS <-IPv6 tunnel-> my EdgeOS Router
The ex-monopolist, Tim, has shown its plans for IPv6 rollout almost ten years ago using DS-Lite, to no avail. It lingered around as a little known feature you can opt in if you are still stuck with an ADSL connection (it's supported neither with VDSL nor FTTH), that introduces an enormous amount of lag to IPv4 connections and it's arcane to set up.
Not even university campuses have IPv6, because most network administrators either do not care about it or do not know how to set it up. It sucks, and it's sadly the standard reaction this country has towards any new technology; everybody just tries to ignore new developments to delay training and setup costs, until it gets too late and inevitable to avoid, leading to rushed up deployments, skyrocketed costs and a general lack of awareness and knowledge about how it works or how it should be employed.
I have no doubt Apple already have people wanting to do this which is another reason Apple wouldn't push back. They already had people wanting to do this, and so getting a few business people who otherwise didn't care on-board is enough to push the decision.
I'm not a networking guy by any stretch, but I have enough experience to be competent at maintaining home, small business, and server environments.
My home provider, modem, router, and device all support IPv6, and when I found out I enabled it. And then, inexplicably, lost the ability to get the Nest app on my phone to connect. The only solve would be to toggle off Wifi and use cell service, let it connect to the Nest service, then turn Wifi back on (it'd work after that point, just couldn't get it to establish the initial connection). The only permanent resolution I could find was to turn IPv6 back off at the router level.
The irony is that both my home ISP (Comcast) and my mobile ISP (T-Mobile) are called out in that article as leading in IPv6 deployment. Yet their deployment strategy was varied, and only one led to an issue with connecting to Nest. While the issue was likely something with my internal network/router, if I couldn't figure it out then that gives me a glimpse on how frustrated non-technical users would be. That volatility in and of itself is what drives me nuts with IPv6.
This thing of having a per-device IP address looks like the wet dream of marketers and those newspapers that won't let you look at more than X articles a month. No thanks.
NAT, including CG-NAT, provides near zero privacy benefits. Nobody is tracking by IP address - there are far, far, far, more accurate ways, again, I won't reiterate all the ways this happens, Google it (or is the TLS session resumption one still on the front page as one example?)
NAT, and CG-NAT provide real drawbacks. Drawbacks most people won't understand, and that's OKAY. Not everyone needs to understand them, but when you don't understand something, please don't advocate for it with specifics like "happy with CG-NAT because of the security and privacy benefits", instead, just leave it as, "happy with CG-NAT, I don't see any drawbacks".
If all you rely on is NAT, and you turn the firewall on your router off, it is possible for outside attackers to send unexpected packets through the NAT device and right to your endpoints.
The targets are limited to the entries contained within the NAT translation tables, but that's still a pretty leaky "firewall".
NAT is just not a firewall, all it does is translate addresses, or in the case of PAT, Ports+Addresses. It does not filter the packets it receives, it just translates them.
Having IPv6 will be exactly as secure as IPv4+NAT by default on any CPE. And, just as with NAT+v4, it's possible to open your machines to the world if you have no idea what you're doing.
(This is actually pretty common for gamers who set the "DMZ host" router feature to aim at their desktop and flick off the firewall!)
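The "NAT is not a firewall" point above can be shown with a small model. This is an added example, not code from anyone in the thread: a port-translating (PAT) home router with the common endpoint-independent filtering, the same router with a stateful check added, and the "DMZ host" setting from the comment above. It records which unsolicited inbound packets reach internal hosts under each configuration. All addresses are constructed documentation values; the class and function names are this example's own.

```python
"""NAT vs. stateful firewall, simulated.

Added example, not from the thread. Models a PAT router whose inbound
decision is either "does a translation exist for this port" (NAT alone)
or additionally "did the internal host talk to this source" (stateful
firewall). Addresses are constructed documentation values.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Mapping:
    internal: tuple                              # (internal ip, internal port)
    remotes: set = field(default_factory=set)    # (remote ip, port) pairs the host talked to


class PatRouter:
    def __init__(self, public_ip, stateful=False, dmz_host=None):
        self.public_ip = public_ip
        self.stateful = stateful     # True: also check the inbound source against remotes
        self.dmz_host = dmz_host     # internal ip that receives every unmatched packet
        self.table = {}              # external port -> Mapping
        self._next_port = 40000

    def outbound(self, pkt):
        """Translate an internal->internet packet and record the mapping."""
        key = (pkt.src_ip, pkt.src_port)
        ext_port = next((p for p, m in self.table.items() if m.internal == key), None)
        if ext_port is None:
            ext_port = self._next_port
            self._next_port += 1
            self.table[ext_port] = Mapping(key)
        self.table[ext_port].remotes.add((pkt.dst_ip, pkt.dst_port))
        return Packet(self.public_ip, ext_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Return the internal (ip, port) that receives pkt, or None if it is dropped."""
        mapping = self.table.get(pkt.dst_port)
        if mapping is None:
            # Translation alone has nowhere to send it; a configured DMZ host changes that.
            return (self.dmz_host, pkt.dst_port) if self.dmz_host else None
        if self.stateful and (pkt.src_ip, pkt.src_port) not in mapping.remotes:
            return None              # the firewall part: only replies to what we sent
        return mapping.internal      # the NAT part: any source that knows the port gets in


def scenario(stateful, dmz_host=None):
    """One internal host queries a DNS server; then two unsolicited packets arrive."""
    router = PatRouter("203.0.113.1", stateful=stateful, dmz_host=dmz_host)
    host = ("192.168.1.10", 5000)
    out = router.outbound(Packet(*host, "198.51.100.53", 53))
    # Reply from the server we contacted: must reach the host in every configuration.
    reply = router.inbound(Packet("198.51.100.53", 53, out.src_ip, out.src_port))
    # Unsolicited packet to the mapped external port from an unrelated source.
    probe = router.inbound(Packet("192.0.2.7", 4444, out.src_ip, out.src_port))
    # Unsolicited packet to an external port with no mapping at all.
    unmatched = router.inbound(Packet("192.0.2.7", 4444, out.src_ip, 22))
    return {"reply": reply, "probe": probe, "unmatched": unmatched}


if __name__ == "__main__":
    print("NAT only:      ", scenario(stateful=False))
    print("NAT + stateful:", scenario(stateful=True))
    print("NAT + DMZ host:", scenario(stateful=False, dmz_host="192.168.1.20"))
```

The "probe" result is the leak the comment describes: with translation alone, the target set is the translation table, and anything that reaches a mapped port is delivered. The stateful check (remember the remote endpoint, admit only its replies) is what turns that into a firewall; the DMZ host setting removes even the "no mapping" protection for one machine.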
That depends on the ISP.
Many cable ISPs assign DHCP blocks to nodes that are defined by geographical areas. These can then be correlated with cellphone apps on wireless connections that also return GPS data to the collector. After a few thousand samples you get a really good picture of IP blocks that move and ones that are somewhat static.
these days it's really not much different from IPv4: During the lifetime of a connection, the prefix stays the same, so that's equivalent to the IPv4 address before that.
The actual machine address rotates very often, so there's no real value in using this for identifying unique devices.
If you want to profile specific devices, you're much better off using the same attributes you were using with IPv4 (user agent, TTL, other protocol specific fingerprint techniques)
The only thing that stays static across connections is the provider assigned prefix and that’s equivalent to your dynamic ipv4 address.
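An added example (not code from anyone in the thread) of the prefix-versus-identifier point made above: it generates successive temporary interface identifiers the way RFC 4941 describes (MD5 over the previous history value and the stable identifier, u/g bit cleared), places them under one delegated /64, and then groups the sightings the way a tracker would, by full address and by /64 prefix. The prefix, the stable identifier and the history seed are constructed values.

```python
"""Stable prefix, rotating interface identifier.

Added example, not from the thread. Temporary IIDs follow the RFC 4941
section 3.2.1 construction; the prefix, stable IID and history seed
below are constructed test values.
"""
import hashlib
import ipaddress


def next_temporary_iid(history, stable_iid):
    """MD5(history || stable IID): left 64 bits -> new IID, right 64 bits -> next history.
    Bit 6 of the IID (the u/g bit) is cleared so it never looks like a real EUI-64."""
    digest = hashlib.md5(history + stable_iid).digest()
    iid = bytearray(digest[:8])
    iid[0] &= 0xFD
    return bytes(iid), digest[8:]


def temporary_addresses(prefix, stable_iid, history, count):
    """Build `count` successive temporary addresses inside `prefix` (must be a /64)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("temporary addresses are formed under a /64")
    addrs = []
    for _ in range(count):
        iid, history = next_temporary_iid(history, stable_iid)
        addrs.append(ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big")))
    return addrs


def correlate(addresses, key):
    """Group sightings by full address or by /64 prefix; returns {key: count}."""
    groups = {}
    for addr in addresses:
        k = str(addr) if key == "address" else str(ipaddress.IPv6Interface(f"{addr}/64").network)
        groups[k] = groups.get(k, 0) + 1
    return groups


# Constructed inputs: documentation prefix, a made-up EUI-64-style stable IID, a fixed seed
PREFIX = "2001:db8:1234:5678::/64"
STABLE_IID = bytes.fromhex("0211223344556677")
HISTORY_SEED = bytes.fromhex("0123456789abcdef")

if __name__ == "__main__":
    seen = temporary_addresses(PREFIX, STABLE_IID, HISTORY_SEED, 5)
    print("by address:", correlate(seen, "address"))   # five singletons
    print("by prefix: ", correlate(seen, "prefix"))    # one group of five
```

Grouping by address yields one entry per sighting, so the rotating identifier defeats device-level tracking; grouping by prefix collapses them all into the provider-assigned /64, which is exactly the "equivalent to your dynamic IPv4 address" identifier the comment describes.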
At the least, they should push a null default route to users that connect (assuming we're talking about the kind of VPN services that advertise as "protect your privacy with a VPN!").
But crappy ones don't. And some people end up using crappy ones, because they don't know any better :(
Or rather: Using IPv4 doesn't guarantee non-crappiness of a VPN provider.
But: Working IPv6 support guarantees at least some level of proficiency by the VPN provider, so they might be more reliable candidates to begin with.
But there's more needed with IPv6 than routing properly. The VPN provider needs to assign IPv6 addresses to customers, and that's harder than just NATing stuff. It's almost like being an IPv6 ISP.
But I've done a toy implementation. To get "anonymous" IPv6 addresses, so I could test VPN service clients for IPv6 leaks, without pwning myself. I needed a little help from an IVPN engineer, but it wasn't that hard.
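Checking for the leak discussed above (a VPN that pushes a null default route, or none) from the routing table, as an added example that is not code from anyone in the thread: it parses the output of `ip -6 route show` on Linux, picks the default route the kernel will actually use (lowest metric), and reports whether IPv6 is tunnelled, blocked by a null route, absent, or leaking past the VPN. The sample outputs and the tunnel interface name `tun0` are constructed.

```python
"""Does IPv6 still leave by the physical interface while the VPN is up?

Added example, not from the thread. Parses `ip -6 route show` output and
decides which default route wins. The samples and `tun0` are constructed.
"""

NULL_TYPES = {"unreachable", "blackhole", "prohibit"}


def parse_route(line):
    """Turn one `ip -6 route` line into a dict of its fields, or None for a blank line."""
    tokens = line.split()
    if not tokens:
        return None
    route = {"type": "unicast"}
    if tokens[0] in NULL_TYPES:
        route["type"] = tokens.pop(0)
    route["dst"] = tokens.pop(0)
    # The rest comes as key/value pairs: via, dev, proto, metric, pref, expires, error ...
    it = iter(tokens)
    for key in it:
        route[key] = next(it, None)
    route["metric"] = int(route.get("metric") or 1024)   # kernel default for RA routes
    return route


def best_default_route(output):
    """Default route with the lowest metric, as the kernel would choose it."""
    routes = (parse_route(line) for line in output.splitlines())
    defaults = [r for r in routes if r and r["dst"] == "default"]
    return min(defaults, key=lambda r: r["metric"]) if defaults else None


def ipv6_vpn_status(output, vpn_if):
    """Return 'tunnelled', 'blocked', 'no-ipv6' or 'leak via <dev>'."""
    best = best_default_route(output)
    if best is None:
        return "no-ipv6"
    if best["type"] in NULL_TYPES:
        return "blocked"
    if best.get("dev") == vpn_if:
        return "tunnelled"
    return f"leak via {best.get('dev')}"


# Constructed samples of `ip -6 route show`
LEAKING = """\
2001:db8:1:2::/64 dev wlan0 proto ra metric 600 pref medium
fe80::/64 dev wlan0 proto kernel metric 1024 pref medium
default via fe80::1 dev wlan0 proto ra metric 600 expires 1780sec pref medium
"""

# VPN pushed a null route, but with a worse metric than the RA default: still leaks
HALF_FIXED = LEAKING + "unreachable default dev lo metric 1024 pref medium\n"

# Null route with a better metric than anything on the physical interface
BLOCKED = LEAKING + "unreachable default dev lo metric 1 pref medium\n"

# VPN assigned its own v6 prefix and a preferred default through the tunnel
TUNNELLED = LEAKING + """\
2001:db8:ffff::/64 dev tun0 proto kernel metric 50 pref medium
default dev tun0 metric 50 pref medium
"""

if __name__ == "__main__":
    for name, sample in (("leaking", LEAKING), ("half-fixed", HALF_FIXED),
                         ("blocked", BLOCKED), ("tunnelled", TUNNELLED)):
        print(f"{name:10s} -> {ipv6_vpn_status(sample, 'tun0')}")
```

The `HALF_FIXED` sample is the case worth checking for: a null default route is only effective if it beats the metric of the router-advertised default on the physical interface, otherwise IPv6 traffic keeps going out in the clear while the VPN reports itself as up. On a real machine, feed `ipv6_vpn_status` the output of `ip -6 route show` and the name of your tunnel interface.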
The IPv4 address shortage issues have been resolved. We came upon a scheme that can expand each public IPv4 address by 256M (Million) fold without affecting the current Internet. A proposal called EzIP (phonetic for Easy IPv4) has been submitted to IETF:
Essentially, among other benefits, EzIP can establish a sub-Internet capable of serving an area with up to 256M IoTs from just one IPv4 address. This is bigger than the largest city (Tokyo metro) and 75% of the countries. This can realize the CIR (Country-based Internet Registry) model proposed by ITU a few years ago stealthily even without setting up a CIR organization. If a government is not interested in this resources, private enterprises can make use of it to provide "local" Internet service in parallel to the current "global" Internet services, very much like the Independent telephone companies in the PSTN industry.
The current Internet then becomes the backbone / infrastructure / skeleton for interconnecting these sub-Internets, yet only for carrying inter sub-Internet traffic, very similar to the electric grid supporting islands of renewable energy generated by individual homes and businesses. Consequently, there will be a lot of spare IPv4 addresses for quite some time to come.
Then, much of the efforts in deploying IPv6 are no longer needed.
Thoughts and comments will be much appreciated.
Abe (2018-09-07 10:49)
Not on my Internet.
IPv6 is the only way going forward.
EzIP would be damaging to IPv6 adoption, and shouldn't be given the time of day.
0) You sound quite narrow minded.
1) The Internet is for everyone, not yours.
2) Like it or not, the "local Internet" / "sub-Internet" configuration enabled by EzIP can be deployed by anyone where there is the need. Each will appear like a simple IoT to the overall Internet. This is most likely why the high level people have not tried to shoot at it yet.
3) "EzIP would be damaging to IPv6 adoption ...": What is so noble about IPv6? Frequently, Internet people proudly state that "three years is too long for Internet product cycles". Here we are, IPv6 has been in development more than two decades, and in deployment near ten years. Hasn't it had its fair time to "experiment" the "idea from scratch"? Why are you so protective of it?
Abe (2018-09-11 23:28)