What drives IPv6 deployment? (potaroo.net)
132 points by fanf2 10 months ago | 96 comments

> These days it's a client server network. Clients do not need persistent network-wide identity, and only need addresses as and when they communicate with servers. Servers do not need persistent identity either these days, as the identity of a server is a name-based distinguisher rather than an address-based identifier.

This is not the internet I was sold in my youth, and this statement makes me sad and angry.

> and this statement makes me sad and angry

Your MAC and/or IP address should not identify you, and never should have been used as an identifier. It's the identity of a communication endpoint.

If the OSI model is about making the core of the network stupid and fast, which has proven benefits of scalability and/or extensibility, then identity/authentication is not the network layer's job and never was.

If a protocol assumes all hosts on a subnet are trustworthy (ARP/DHCP for example), it's an upper-level protocol design failure, not really having to do with transport (TCP/UDP)/network (IP) layers.

We need some kind of DNS-style federated service that can map the identity (MAC address?) of a non-stationary device to its IP address.

There's an elaborate protocol framework that does this for cellular data, I don't know much about it.

There is also SCTP.

Marketers or whatever your business is who depend on users having a persistent network wide identity are scammy. Many people who want at least a small CHANCE at privacy are happy with this situation (rotating IP addresses). Names are resolved through DNS, including load balancer endpoints where many names can share one IP.

Privacy is not the same as anonymity. I would like to have a network-wide identity that I can use to authenticate and communicate with my friends and family. This is not the same thing as allowing marketers to track me.

That sounds awesome, but if it’s network-wide, then marketers (who are also in the network) can also use it. Even if it’s some sort of cryptographically-secure bitstring, all it would take is for you or one of your contacts to leak it once. I don’t think it’s possible to have a persistent, global, private identifier: they seem mutually-exclusive.

Why does it make you sad and angry? It sounds quite reasonable to me. I'm especially happy that we went for human readable names rather than weird letter/number combinations. Also nobody seems to know when to use these [] brackets around the addresses, and they are even hard to type for people who don't use the US keyboard layout. Last but not least NAT is not just an IP-range splitter but also a security feature.

I literally don't see a single thing to be sad about. Angry is even a little harder and honestly a little surprising.

The end-to-end principle where any node on the internet can talk to any other one. This allows anyone to start a service and services (and people) talk to each other without intermediaries. It levels the playing field. Losing that concentrates power and takes options from individuals.

Yep. CG-NAT puts all the power on your ISP.

You want VOIP, sorry your double NAT'ed connection messes up about half the time, you'd better buy telephone service from us instead.

How so? It's just a way of representation. The power is still with the ISPs, backbone providers and governments. Power would only flow to the end user if the communication technology itself enabled direct 1:1 communication with everybody else.

E.g. if everybody uses IPv6 China can still block you when you are located in their network. Not a single grain more power to you.

Perhaps you don't remember the days when every computer on the internet was an equal peer. To be honest, I don't quite remember it either; I only caught the very tail end. But time was you could run a website off your home computer, or your own email server. Now you have to go pay money and hand over trust to one of the huge hosting providers, and the internet is a sort-of-bipartite graph with two classes of citizens: The home clients, and the corporate servers.

> But time was you could run a website off your home computer, or your own email server. Now you have to go pay money and hand over trust to one of the huge hosting providers

You still can, and you really don't have to host with a big provider if you don't want to. The only reason we hear about it so much is because all the engineering articles come from people who work at companies with insanely high scaling requirements. If you want to throw up an XAMPP server at home you still can, though you'll need to acquire either a static IP or a dynamic DNS record to point people to.

And in fact I run a Jabber server off my home IP. But if my ISP catches me at it, they could point to the line in their contract saying "no servers" and demand that I turn it off. (Or just block it outright.) They probably won't, but still.

> though you'll need to acquire either a static IP or a dynamic DNS record

That's the whole point. With some ISPs using CG-NAT, you don't have a public IP.

I have three computers at home running an SSH server. Two have to be on non-default ports, since I only have one IP.

Even multiplayer games were played by directly connecting to game servers that could be operated by anyone, no company-hosted clouds that will shut down after a few years.

We're an ISP, most of our customers are businesses. Of those, around 50% opt for a pre-configured LAN (i.e. we do NAT and usually CGNAT too).

For the rest we provide a static IP address, so we'll allocate a /30 (block of 4), and they get a single usable address which they will assign to their own managed router/firewall.

For the majority of our customers "networking" is either handled as overflow for their in/out IT resource or often by someone remotely savvy with tech.

For most of these people networking ranges from an infrequent concern to a vague mystery that can be sorted with a bit of googling.

For most, deploying and testing IPv6 has absolutely no upside and quite a bit of potential downside, that's because "everything works" on IPv4 and configuring IPv6 is just another potential source of error.

In addition, most people who opt for this setup do so in order to expose some internal service to the internet (port forward), again there is usually zero incentive to also deploy IPv6 as they can't be sure their client device will be using v6 when they come to connect, but they know it will support v4, everything does.

And so herein lies the issue, it's chicken and egg, they know they need v4, not every server they access or client who accesses their forwards supports v6, so they _have_ to implement v4. As such they see no reason to "faff" about with IPv6, and I don't really blame them.

We're considering charging more for dedicated v4 and possibly offering a free translation service (another point of failure :() but honestly, most would just pay the extra and then just resent us a little more. Our competitors continue to acquire v4 space as we do, this is what our customers want.

Until there is v6 only content (but who is incentivised to do this?) then I can't see any incentive for these users.

I made a major push to try to get IPv6 running at a small business.

In the end, despite the ISP at the business supplying IPv6, and getting some client-side IPv6 going with OTHER ISPs (a pain), it fell over because:

1) Things like the VPN client software didn't get routes right when client side network was IPv6 oriented so VPN connections broke - a no go.

2) We had to continue to offer ipv4, as folks in the field were not guaranteed an ipv6 connection back.

3) The WAN fallback / failover stuff didn't seem to work well with IPv6 (another ISP to work out IPv6 with).

4) Security folks continue to be worried about giving all machines in a business globally routable addresses. The tools say NOT to filter ICMP when you run ipv6 reachability, the security people say to filter ICMP. Too much of a pain to figure out who is right and if/how ipv6 changed ICMP.

5) ipv6 seemed to purposely make this transition harder than it needed to be. I don't get why they couldn't have kept a simpler / more familiar framework with ipv6 as an option, even if less ideal. I.e., DHCP vs autoconfig stuff, ICMPv4 style instead of having security folks worrying me about the weird things unfiltered ICMPv6 might do. Seriously, make the goodies / cool stuff the add-ons.

> Too much of a pain to figure out who is right and if/how ipv6 changed ICMP

then let me make this easy for you: ICMP has become a vital part of the inner workings of an IPv6 network. You will break all kinds of functionality by dropping ICMPv6 packets.

If you are concerned, then drop ICMP echo requests and replies, but absolutely do not drop any other ICMP packets or you'll be one of those people that turn off ipv6 "because it's too hard to make it work" (no shit - when you actively break something, it's hard to make it work).

> ICMP has become a vital part of the inner workings of an IPv6 network. You will break all kinds of functionality by dropping ICMPv6 packets.

You've just neatly described my experience (and naivety), because I've always dropped ICMP and wondered why ipv6 never worked. In all of the articles I've read on getting ipv6 to work, this had never been explained.

The key thing with ICMP is for the love of Pete, don't drop valid ICMP type 3 (destination unreachable), specifically subtype 4 (fragmentation needed, but don't fragment set), because that breaks many real world connections on both IPv4 and IPv6.
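As an added illustration of the two comments above (not code from the thread), here is a minimal ICMPv6 header parser with checksum verification and the allow-list a firewall needs so that dropping echo does not also drop the messages IPv6 cannot work without. On IPv6 the counterpart of the IPv4 "fragmentation needed" message is type 2, Packet Too Big. Type numbers come from RFC 4443, 4861 and 2710; the essential/optional split follows RFC 4890's recommendations; the addresses are constructed from the 2001:db8::/32 documentation prefix.

```python
# Added example: parse an ICMPv6 message, verify its checksum, and apply a
# "drop echo, keep everything IPv6 needs" policy. Not from the original thread.
import struct

# ICMPv6 types that must pass for IPv6 to function (error signalling, Neighbor
# Discovery and Multicast Listener Discovery), per RFC 4890's recommendations.
ESSENTIAL_TYPES = {
    1: "Destination Unreachable",
    2: "Packet Too Big",              # Path MTU discovery; dropping it breaks big transfers
    3: "Time Exceeded",
    4: "Parameter Problem",
    130: "Multicast Listener Query",  # MLD (RFC 2710)
    131: "Multicast Listener Report",
    132: "Multicast Listener Done",
    133: "Router Solicitation",       # Neighbor Discovery (RFC 4861)
    134: "Router Advertisement",
    135: "Neighbor Solicitation",
    136: "Neighbor Advertisement",
    143: "MLDv2 Listener Report",
}
ECHO_TYPES = {128: "Echo Request", 129: "Echo Reply"}


def icmpv6_checksum(src: bytes, dst: bytes, icmp: bytes) -> int:
    """RFC 4443 sec. 2.3: ones-complement sum over the IPv6 pseudo-header
    (src, dst, upper-layer length, 3 zero bytes, next header 58) + message."""
    pseudo = src + dst + struct.pack("!I", len(icmp)) + b"\x00\x00\x00" + bytes([58])
    data = pseudo + icmp
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_icmpv6(src: bytes, dst: bytes, icmp: bytes) -> dict:
    """Return type, code, body and whether the checksum verifies (header is 4 bytes)."""
    if len(icmp) < 4:
        raise ValueError("ICMPv6 header truncated")
    typ, code, cksum = struct.unpack("!BBH", icmp[:4])
    zeroed = icmp[:2] + b"\x00\x00" + icmp[4:]   # recompute with checksum field zeroed
    return {"type": typ, "code": code, "body": icmp[4:],
            "checksum_ok": icmpv6_checksum(src, dst, zeroed) == cksum}


def filter_decision(msg: dict, drop_echo: bool = True) -> str:
    """The policy from the thread: drop echo if you must, never the essential types."""
    if not msg["checksum_ok"]:
        return "drop: bad checksum"
    t = msg["type"]
    if t in ESSENTIAL_TYPES:
        return "accept: " + ESSENTIAL_TYPES[t]
    if t in ECHO_TYPES:
        return ("drop: " if drop_echo else "accept: ") + ECHO_TYPES[t]
    return "drop: unlisted type %d" % t


def build_icmpv6(src: bytes, dst: bytes, typ: int, code: int, body: bytes = b"") -> bytes:
    """Construct a message with a correct checksum (used to make sample input)."""
    hdr = struct.pack("!BBH", typ, code, 0) + body
    return hdr[:2] + struct.pack("!H", icmpv6_checksum(src, dst, hdr)) + hdr[4:]


# Constructed sample addresses: 2001:db8::1 -> 2001:db8::2.
SRC = bytes.fromhex("20010db8000000000000000000000001")
DST = bytes.fromhex("20010db8000000000000000000000002")

if __name__ == "__main__":
    # Packet Too Big advertising MTU 1280 must pass; an echo request may be dropped.
    ptb = build_icmpv6(SRC, DST, 2, 0, struct.pack("!I", 1280))
    ping = build_icmpv6(SRC, DST, 128, 0, b"\x00\x01\x00\x01")
    for pkt in (ptb, ping):
        print(filter_decision(parse_icmpv6(SRC, DST, pkt)))
```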

> push

Thanks for trying! I did the same round. Tried to get v6, and finally gave up, because everything was broken in very stupid ways.

> I don't get why they

Because it happened in the early 90s, and since then all the RFCs that got layered upon that had to try and keep things consistent.

There could have been a simpler thing, but it was scrapped. IPv5 is missing for a reason.

And the goodies cannot be opt-in, otherwise no one will opt-in.

Of course this leads to a very slow deployment, because v4 with a lot of hacks just work, and will continue to work. It's easier to encapsulate things in DTLS (TLS + UDP) and gRPC and whatever (and deal with all of that in end user software) than trying to convert the whole World to IPv6.

> DHCP vs autoconfig stuff,

There's DHCPv6, so you don't have to use SLAAC.

> I don't get why they couldn't have kept a simpler / more familiar framework with ipv6 as an option, even if less ideal. Ie, DHCP vs autoconfig stuff

That's a statement made with 20 years of hindsight behind it. But if you had an extra 5 or so years of hindsight then it'd make more sense.

DHCP only predates IPv6 by two years (October 1993 in RFC 1531, vs December 1995 in RFC 1883). AppleTalk and Novell NetWare were still fairly common around that time. You're looking at DHCP as if it's ubiquitous, which indeed it is now, but it certainly wasn't while v6 was being developed and wouldn't be until a good few years afterwards.

In fact, router advertisements were defined in RFC 1256 in 1991, so they have two years of seniority on DHCP -- although I suppose you could make an argument that DHCP is a standardized set of BOOTP extensions, and that BOOTP has been around for longer.

Those are basically the same reasons why I don't use v6 at home and have turned it off in my home router. Everything just works with v4. v6 is a potential source of error and/or security risk.

I haven't felt the need to learn more about v6, and it is quite complex so it'll take me a day or so to learn enough to be able to configure my network and know that I haven't screwed that up. But I keep putting that off. There's far more interesting stuff to learn and do.

I would've gladly accepted and adopted a version that's just IPv4 plus 16 bits of extra address space, and anything else exactly the same. That would've solved the original address shortage problem, and would be a breeze to configure.

For me, and I think for a lot of people, the complexity and thus cost of v6 dwarfs the potential benefits and therefore that complexity is the primary force holding back its adoption.

I actually find IPv6 simpler than IPv4. It is extra address space plus some warts fixed.

However, at home I'm using IPv4 + henet tunnel, because the native IPv6 offer from the ISP is unacceptable. At work, we are using IPv4 only, and no plans to switch, because it would be extra work with zero benefits.

> I haven't felt the need to learn more about v6, and it is quite complex

No, it isn't.

> I would've gladly accepted and adopted a version that's just IPv4 plus 16 bits of extra address space

That's what IPv6 is for the most part.

> That would've solved the original address shortage problem, and would be a breeze to configure.

So is IPv6.

You are right, but it doesn't matter. Because even if v6 is easy to configure, usually the things you can't configure are broken and they are hard to fix. For example your upstream provider is stupid. Or a client's software, or some 3rd party server somewhere you have to live with.

My ISP broke their IPv4 gateway one weekend. Fortunately they have their IPv6 stuff working in parallel. I was surprised that only maybe half of the Internet is reachable via IPv6, and there was no pattern which sites worked and which didn't. There's still some work to be done before IPv6 is usable.

One Windows PC on our LAN got flipped into "internet sharing" mode, causing a DHCP battle which randomly killed IPv4 connectivity. That one was weird to diagnose at first since random sites still worked (ones with IPv6 support).

Is there a reason you assign a /30 instead of doing point-to-point routing?

Too many customer devices don't support /31 subnets unfortunately, for example with Draytek we've seen an issue where it would accept the subnet but we'd see a whole raft of connection issues making the connection unusable.

If we provide a dedicated IP for a connection where we provide the LAN we just put a single /32 on the loopback and NAT onto this which is obviously much more economic with addresses.

Why is this subnet thing even needed? I don't understand it. Why not provide just a single IP address? Seems like a big waste of addresses.

Because a lot of things that should be thrown into a volcano are used as routers. And routers need their interfaces configured. And the upstream interface needs to be in a network. And so that network needs a broadcast address, the router needs its own address, there needs to be a next hop address, and since you can't allocate 3, you do 4.

The outliers that surprised me the most are the big Chinese providers (ChinaNet and China Unicom) in the provider table. Despite them having far fewer IPv4 addresses than users, they appear to make no significant effort to get IPv6 deployed.

What are they doing instead? Putting all users who don't need dedicated IPv4 addresses behind carrier-grade NAT? That must be hundreds or even thousands of users behind a single address, considering that they must have a range of users (businesses and such) that need dedicated, static addresses for practical purposes, thereby reducing the IP address and user pools at a minimum 1:1 relationship.

Or is it maybe the Chinese surveillance infrastructure that is not yet capable of snooping and manipulating IPv6 traffic, so the providers aren't allowed to roll it out?

In China you don’t get to accept incoming connections without a license anyway, so there’s no legitimate purpose for the vast majority of users, including businesses, to have a routable address. Users only need to be able to initiate connections to sites preapproved by the government to accept user generated data.

To even call what China has “internet” is a bit of a stretch.

I would bet it is a mix of columns A & B, but maintaining logs of CGNAT must have required significant development effort and integration between the Chinese ISPs and the state surveillance apparatus. You'd think going IPv6 would be easier than doing all that :P

Actually the Chinese central government has issued multiple ordinances pushing IPv6 adoption, the latest in 2017/11/26. If you can read Chinese, you can read it here http://www.xinhuanet.com/2017-11/26/c_1122012631.htm.

But from my own experience, the actual execution of the plan is glacially slow. I don't know why. Chinese government usually is very good at execution, but not when it comes to IPv6.

> That must be hundreds or even thousands of users behind a single address

No, ChinaNet has 2.86 users per IPv4 address. China Unicom has 2.79. Far less than Indian carriers.

Source: TFA

I've seen those numbers, but they are idealized and only of theoretical nature. They do not account for unusable IPv4 addresses due to subnet structures, of which there are probably some within the theoretical IPv4 space available to a provider, and they do not account for self-used addresses by the provider that aren't within the blocks used to assign to customers. In addition, as I described, I assume the providers also have some customers who need fixed IPv4 addresses, maybe even whole ranges of them, like businesses often do. Those also greatly diminish the number of addresses left over for the "regular" customers.

Aren't those numbers calculated the same way? So they should be directly comparable. Why do you think that the subnet structure problem is not present for the other ISPs?

I've never claimed that. My claim was that the real number of customers per IP is probably magnitudes higher than the 2.xx factor from these numbers. The magnitude of "hundreds" might be a bit overblown, but that does not change the claim's general direction.

>> They do not account for unusable IPv4 addresses due to subnet structures, of which there are probably some within the theoretical IPv4 space available to a provider

You wouldn’t believe what a nation with incredibly cheap labour can do. I can see how they just allocate a few engineers-technicians just to do allocation.

"And over there, we have our DHCP server. Well, he's at his lunch break, but that's where he sits."

In the US, Verizon is one of the worst offenders. They should be ashamed, touting FIOS as a premium service while it's been close to a decade since they put up their pathetic "IPv6 is coming soon..." announcement[1]. Their largest competitors, Spectrum (formerly Time Warner Cable) and Comcast have supported IPv6 for years already.

[1] - https://www.verizon.com/support/residential/internet/getting...

Spectrum doesn’t really support IPv6 either. I have turned it on at times, run for weeks without issue, and then something breaks. When I pushed support, they always told me it's not really supported.

I think their support is a bit divorced from whatever the engineering reality is. I asked their support / sales staff about IPv6 and they said it was "only available w/ their business class service." I ended up buying my own modem and IPv6 has worked flawlessly ever since. The Motorola SB6580 they provided nominally supported IPv6, but they hadn't updated the firmware on it in years. Makes me wonder what exactly I was paying for w/ my "modem rental" fee.

Out of curiosity are you in one of the areas Spectrum took over, or are you legitimately on Charter's network? I am in one of the TimeWarner Cable areas they acquired, the IPv6 support was already in place well before the buyout.

I'm in a converted TimeWarner territory. I got marketing announcements several years ago that ipv6 was supported, and first started trying then. I usually try once or twice a year to get it going again, and it never works for more than a few weeks before I turn it off again out of frustration.

> Three surprising numbers in this table are those of 94% adoption in T-Mobile USA, 93% in BSkyB and 92% in Reliance Jio. They are surprising in that prior to these deployments we had thought that an ISP deployment of IPv6 was only a part of the story. It was up to the connected user network to also use IPv6-capable equipment within their edge network... Upgrading equipment in the home or office takes time... Why can these three networks achieve significantly higher levels of IPv6 adoption? I suspect that this is a reflection of the difference between Mobile ISPs and fixed infrastructure of mixed ISPs... It would not be surprising to learn that a similar approach was taken in Reliance Jio and BSkyB.

BSkyB is a fixed line broadband provider, but in the UK it's usual for the ISP to supply the router, and for customers to change providers for a better deal fairly often.

Both parts mean the customer has a fairly recent router, which can be replaced if required by the ISP, and they know the model and can often perform firmware updates.

> BSkyB is a fixed line broadband provider, but in the UK it's usual for the ISP to supply the router

Yeah, this is where the “IPv6 is different^Wcomplicated to set up” argument falls flat for me. For most (consumer) users (at least in the UK), they get a free router from their ISP that’s already configured to do IPv4 NAT. For the minority that buy their own hardware, IPv4 NAT is enabled by default in hardware targeted at consumers. If it were configured to firewall inbound IPv6 traffic by default there should be nothing else to do. If you need to forward ports you’re in the admin screens anyway (unless you use UPnP).

This is like arguing IPv4 is inherently complicated because if you opt out of the provided hardware and buy some Cisco monstrosity you have to configure NAT by yourself. Which is perfectly true but the massive majority aren’t going to do that.

What really didn’t help adoption is that IPv6 support was an afterthought at best for a lot of router makers, and for a long time was riddled with bugs.

What isn't really helping adoption of IPv6 support now is attitude of some ISPs.

There are ISPs that use migration to IPv6 as a way to tighten their rein over users. They will give you DS-Lite only (ok...), but with a /64 (no /56, no /48). They will force their router on you, where in the past with IPv4 they would provide an option for bridge mode. Their router cannot do PD (if it had more than a /64, so maybe that's the reason why they do not provide that), so if you want a virtual net with VMs on your machine, you are going to waste your time playing around with IPv6 NAT, which doesn't work correctly anywhere. You can't control RA/DHCPv6 on the router, you cannot really control firewall rules. Suddenly, the ISP not only has free rein over your network, but also over the policies on your network.

So for undemanding users that's fine, it will work with Facebook and Netflix. For a power user, the IPv6 offer is unacceptable, not because of IPv6 properties, but due to limiting implementation that the ISPs force.

I wonder to what degree this is simply because the interface for proper IPv6 management has had less work and therefore is much more restricted.

On the router I bought myself, there are a lot of settings for IPv4, and not a lot more than an 'enable-disable' toggle for IPv6. I guess this is so they can state 'supports IPv6', but for any real use, it is useless.

I have the joy of living in a community with FTTH and a 1Gbps symmetrical connection for < $100 / month.

I have the pain of that connection requiring an additional $10 / month just so I can get 1 (or 4, same price) static IPv4 address which is apparently “required” for me to get IPv6. After using a HE.net tunnel for a few weeks, the slowdowns induced led me back to IPv4-only world.

So even in an advanced situation, you might still be stuck with IPv4 because of very silly reasons.

The problem here is not that HE.net tunnels require a static IPv4 address, it's that your ISP won't connect you to the whole Internet.

Tunnels are garbage. You should either switch ISPs, or complain and wait.

> The problem here is not that HE.net tunnels require a static IPv4 address, it's that your ISP won't connect you to the whole Internet.

This, definitely.

To be clear, I used an HE.net tunnel after I was told of their policy. The tunnel works great with dynamic IPs if you also link up their endpoint to update your tunnel every time your IP changes.

> Tunnels are garbage. You should either switch ISPs, or complain and wait.

While the HE tunnel is somewhat limited (does it peak at 50 Mbps?), I find its implementation way better than some ISPs that provide native IPv6.

HEnet at least provides more than single /64, and does not force a specific, limited router on you.

> does it peak at 50 Mbps?

I'm not certain about speed, but I did experience quite high latency during peak local traffic times (which went away when disabling IPv6).

In my experience that depends on what the v4 path between you and HE's PoP is and how good your v4 ISP is in regards to peering agreements. In most places where I used HE tunnels the latency through the tunnel was actually better for the vast majority of sites I care about (which is simply an effect of HE having a global network and a huge number of peering partners).

> You should either switch ISPs

Hahahah, you silly Europeans and your options. In the US we have the options of bad or slow!

It’s stupid that they require a static IP. However, the cost might be somewhat justified since IP addresses are block allocated. However, $10 per month seems very high, especially if it is for a static IPv6 address for which there is no shortage nor will there be in many lifetimes.

It's quite odd (and pricey).

I asked about just IPv6 (with dynamic IPv4), and they said that wasn't an option at all. /shrug

I'm currently looking into a cheap

    FreeBSD VPS <-IPv6 tunnel-> my EdgeOS Router

but I'm having trouble getting that working fully. I'm sure I'll get it eventually. :)

Meanwhile no ISP whatsoever in Italy has deployed IPv6 in any form or shape. We still get a dynamic publicly routable IPv4 on landline based connections, but that's it.

The ex-monopolist, TIM, showed its plans for an IPv6 rollout almost ten years ago using DS-Lite, to no avail. It lingered around as a little known feature you can opt in to if you are still stuck with an ADSL connection (it's supported neither with VDSL nor FTTH), that introduces an enormous amount of lag to IPv4 connections and is arcane to set up.

Not even university campuses have IPv6, because most network administrators either do not care about it or do not know how to set it up. It sucks, and it's sadly the standard reaction this country has towards any new technology; everybody just tries to ignore new developments to delay training and setup costs, until it gets too late and inevitable to avoid, leading to rushed deployments, skyrocketing costs and a general lack of awareness and knowledge about how it works or how it should be employed.

I for one find the clean-slate tech approach adopted by Reliance Jio in India very inspiring. IPv6 support from the start, which saves it tons of money on buying IPv4 addresses, similar to their decision to adopt native 4G LTE VoLTE from the start, which helps it save tons of bandwidth on voice compared to legacy 2G, 3G voice options.

So they run v6, that's great, but they need to run 464XLAT (or something like that) too, and that probably isn't cheap either. (Though they'd probably pay a lot for v4 CGNAT too.)

They run a transition layer, and they likely need to run that almost forever; but chances are they won't need to continue to grow that layer, as they continually apply pressure to service providers to offer services via IPv6. Either explicitly as part of business deals, implicitly through direct IPv6 working better than IPv4 NAT, or a mix through weird NAT policies like when they were dropping 'idle' TCP connections after about 10 seconds for a couple of weeks.

It looks like only mobile networks are embracing the change to handle the volume of mobile devices. The evolution of WiFi/phone hardware is quite fast, so they're not stopped by anything legacy, no ipv4-only devices and no one needs a static IP on mobile.

It does have an interesting effect though. Apple now have a mandate that apps must work in IPv6 only mode, so they need to be developed and tested for it. This in turn means they need an IPv6 network to test it on, giving enterprise a reason to at least enable it (even if they haven't transitioned any internal services).

I believe T-Mobile forced that on Apple. T-Mobile sells enough Apple phones that they can call Apple and say we need this feature in all phones we sell and Apple will do it. It isn't clear who would lose more if T-Mobile decided not to sell the iPhone but it isn't one Apple would want to risk.

I have no doubt Apple already have people wanting to do this which is another reason Apple wouldn't push back. They already had people wanting to do this, and so getting a few business people who otherwise didn't care on-board is enough to push the decision.

IPv6 drives me nuts. Not because it's inherently bad, but just because it's unpredictably and inconsistently implemented and supported.

I'm not a networking guy by any stretch, but I have enough experience to be competent at maintaining home, small business, and server environments.

My home provider, modem, router, and device all support IPv6, and when I found out I enabled it. And then, inexplicably, lost the ability to get the Nest app on my phone to connect. The only solve would be to toggle off Wifi and use cell service, let it connect to the Nest service, then turn Wifi back on (it'd work after that point, just couldn't get it to establish the initial connection). The only permanent resolution I could find was to turn IPv6 back off at the router level.

The irony is that both my home ISP (Comcast) and my mobile ISP (T-Mobile) are called out in that article as leading in IPv6 deployment. Yet their deployment strategy was varied, and only one led to an issue with connecting to Nest. While the issue was likely something with my internal network/router, if I couldn't figure it out then that gives me a glimpse on how frustrated non-technical users would be. That volatility in and of itself is what drives me nuts with IPv6.

What drives IPv6 adoption for me is that I have to pay monthly fees for even small IPv4 allocations, whereas my DC gave me an IPv6 /48 allocation for free without even batting an eye. My residential ISP's DHCPv6 server will happily furnish requests for a /56. Having loads of publicly routable address space is just awesome in the era of containers & VMs.

Money. QED.

I'm going to go ahead and say that I'm happy with CG-NAT because of the security and privacy benefits.

This thing of having a per-device IP address looks like the wet dream of marketers and those newspapers that won't let you look at more than X articles a month. No thanks.

NAT, including CG-NAT really provides no security benefits. Too many comments, blogs, etc, have been written on this topic for me to reiterate the specifics here.

NAT, including CG-NAT, provides near zero privacy benefits. Nobody is tracking by IP address - there are far, far, far, more accurate ways, again, I won't reiterate all the ways this happens, Google it (or is the TLS session resumption one still on the front page as one example?)

NAT, and CG-NAT provide real drawbacks. Drawbacks most people won't understand, and that's OKAY. Not everyone needs to understand them, but when you don't understand something, please don't advocate for it with specifics like "happy with CG-NAT because of the security and privacy benefits", instead, just leave it as, "happy with CG-NAT, I don't see any drawbacks".

I agree with the statement that NAT provides no privacy benefits, but there are security benefits to NAT. As Robert Graham says, "NAT is a firewall. It's the most common firewall. It's the best firewall."

That article is, well, wrong.

If all you rely on is NAT, and you turn the firewall on your router off, it is possible for outside attackers to send unexpected packets through the NAT device and right to your endpoints.

The targets are limited to the entries contained within the NAT translation tables, but that's still a pretty leaky "firewall".

NAT is just not a firewall, all it does is translate addresses, or in the case of PAT, Ports+Addresses. It does not filter the packets it receives, it just translates them.
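To make the point above concrete, here is a toy model (an added example, not code from any commenter) of a PAT translation table with and without a stateful filter in front of it. All addresses, ports and packets are constructed sample values; the NAT is the endpoint-independent kind in RFC 4787 terms.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class Nat:
    """Endpoint-independent NAT: one external port per internal (ip, port)."""
    EXTERNAL_IP = "203.0.113.10"   # constructed public address of the CPE

    def __init__(self, stateful_firewall):
        self.stateful_firewall = stateful_firewall  # True = filter in front of the NAT
        self.table = {}      # ext_port -> {"host": (ip, port), "peers": {(ip, port), ...}}
        self.next_port = 40000

    def outbound(self, pkt):
        """Translate an outgoing packet; record the mapping and the peer it was sent to."""
        host = (pkt.src_ip, pkt.src_port)
        for ext_port, entry in self.table.items():
            if entry["host"] == host:
                break
        else:
            ext_port, self.next_port = self.next_port, self.next_port + 1
            self.table[ext_port] = {"host": host, "peers": set()}
        self.table[ext_port]["peers"].add((pkt.dst_ip, pkt.dst_port))
        return Packet(self.EXTERNAL_IP, ext_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Return the packet as delivered to the LAN host, or None if it was dropped."""
        entry = self.table.get(pkt.dst_port) if pkt.dst_ip == self.EXTERNAL_IP else None
        if entry is None:
            return None      # no translation entry: NAT has nowhere to send it
        if self.stateful_firewall and (pkt.src_ip, pkt.src_port) not in entry["peers"]:
            return None      # firewall: only a peer the host actually contacted may answer
        int_ip, int_port = entry["host"]
        return Packet(pkt.src_ip, pkt.src_port, int_ip, int_port)

def demo():
    """Same traffic through NAT-only and NAT+firewall: (reply delivered?, stranger delivered?)."""
    results = {}
    for name, fw in (("nat_only", False), ("nat_plus_firewall", True)):
        nat = Nat(fw)
        out = nat.outbound(Packet("192.168.1.20", 51000, "198.51.100.5", 53))
        reply = Packet("198.51.100.5", 53, nat.EXTERNAL_IP, out.src_port)
        stranger = Packet("192.0.2.99", 4444, nat.EXTERNAL_IP, out.src_port)
        results[name] = (nat.inbound(reply) is not None, nat.inbound(stranger) is not None)
    return results
```

Many real CPEs apply some endpoint-dependent filtering alongside the translation; it is that filtering, not the address rewriting, that keeps the stranger's packet out.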

Any IPv6-capable CPE I have seen also has an IPv6 firewall that blocks incoming connections without the downsides of NATs.

I have seen some that don't. Back in the early days of residential ISPs offering IPv6. But, that's a thing of the past - and the same mistakes happened on the early IPv4 routers when dialup was disappearing, and DSL/Cable was kicking off.

Having IPv6 will be exactly as secure as IPv4+NAT by default on any CPE. And, just as with NAT+v4, it's possible to open your machines to the world if you have no idea what you're doing.

(This is actually pretty common for gamers who set the "DMZ host" router feature to aim at their desktop and flick off the firewall!)

Most of the IPv6 CPE I've used also has the 'feature' where it's almost impossible to allow incoming connections on IPv6 if you want to :(

Newer devices might support the Port Control Protocol, so applications can ask for the port to be forwarded on IPv4 and allowed in the firewall for IPv6.

Which does not solve the common case when you want to pass unfiltered ingress traffic to a few specific hosts and have the default reject-unknown-ingress behavior for all other LAN hosts. Just give me the ability to set my own firewall rules when I need to instead of a drop-all/drop-ingress/accept-all combo-box with a confusing label.

I don't think IPs were ever a viable tracking tool besides detecting the country. NAT has been the default for most home networks and as a marketer you really don't want to confuse a mid-forties dad with their 14 year old daughter. So you've always had very, very different marketing profiles share an IP. Besides that, browser profiles are just so much more exact.

>I don't think IPs were ever a viable tracking tool besides detecting the country.

That depends on the ISP.

Many cable ISPs assign DHCP blocks to nodes that are defined by geographical areas. These can then be correlated with cellphone apps on wireless connections that also return GPS data to the collector. After a few thousand samples you get a really good picture of IP blocks that move and ones that are somewhat static.

Yes, I've never been comfortable with the device specificity of IPv6. Sure, temporary non-local addresses are now the norm. And they're usually not MAC-based. But still, I'd rather have IPv4 with NAT. Also, there's the issue that many VPN services don't yet route IPv6, and so IPv6 connections can bypass the VPN connection.

> Yes, I've never been comfortable with the device specificity of IPv6

These days it's really not much different from IPv4: during the lifetime of a connection, the prefix stays the same, so that's equivalent to the IPv4 address before that.

The actual machine address rotates very often, so there's no real value in using this for identifying unique devices.

If you want to profile specific devices, you're much better off using the same attributes you were using with IPv4 (user agent, TTL, other protocol specific fingerprint techniques)

But isn't NAT deprecated for IPv6?

You don’t need to NAT for privacy. That was my point. If your machine uses a different outgoing address for every connection, it’s as well masked as if all your machines used the same address.

The only thing that stays static across connections is the provider-assigned prefix, and that’s equivalent to your dynamic IPv4 address.
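A small check for the prefix-versus-interface-identifier distinction discussed above (an added example, not code from any commenter): it splits an address into the provider-assigned /64 and the IID, and reports whether the IID is modified EUI-64 (so embeds a MAC) or looks randomised as with RFC 4941 temporary addresses. The sample addresses are constructed in the documentation prefix.

```python
import ipaddress

def classify_ipv6(addr_str, prefix_len=64):
    """Split an IPv6 address into prefix and interface identifier (IID) and say
    whether the IID embeds a MAC (modified EUI-64) or looks randomised."""
    addr = ipaddress.IPv6Address(addr_str)
    prefix = ipaddress.IPv6Network(f"{addr}/{prefix_len}", strict=False)
    iid = addr.packed[8:]                       # low 64 bits of the address
    info = {"prefix": str(prefix), "iid": iid.hex()}
    # Modified EUI-64 (RFC 4291): the 48-bit MAC is split in half with 0xfffe
    # inserted, and the universal/local bit (0x02 of the first octet) flipped.
    # Checking for 0xfffe is a heuristic: a random IID could match by chance.
    if iid[3:5] == b"\xff\xfe":
        mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
        info["kind"] = "eui64"
        info["mac"] = ":".join(f"{b:02x}" for b in mac)
    else:
        info["kind"] = "random"                 # consistent with a temporary address
    return info

def share_prefix(a, b, prefix_len=64):
    """True if two addresses (e.g. successive temporary ones) sit in the same prefix."""
    return classify_ipv6(a, prefix_len)["prefix"] == classify_ipv6(b, prefix_len)["prefix"]

# Constructed sample addresses (documentation prefix 2001:db8::/32).
EUI64_ADDR = "2001:db8:1234:5678:211:22ff:fe33:4455"   # built from MAC 00:11:22:33:44:55
TEMP_ADDR_1 = "2001:db8:1234:5678:3c4f:9a1e:7b2d:c0de"
TEMP_ADDR_2 = "2001:db8:1234:5678:a81b:44e2:19f3:0c17"

if __name__ == "__main__":
    for a in (EUI64_ADDR, TEMP_ADDR_1, TEMP_ADDR_2):
        print(a, classify_ipv6(a))
    print("same prefix:", share_prefix(TEMP_ADDR_1, TEMP_ADDR_2))
```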

Honestly, that sounds like a failing of the VPN services.

At the least, they should push a null default route to users that connect (assuming we're talking about the kind of VPN services that advertise as "protect your privacy with a VPN!").

Yes, good ones handle that. Also firewall rules.

But crappy ones don't. And some people end up using crappy ones, because they don't know any better :(

Crappy ones also sometimes leak UDP packets. Or all DNS queries or whatever. If you use crappy VPNs it's your fault if you then don't get the protection you want, no matter the transport protocol.

Or rather: using IPv4 doesn't guarantee non-crappiness of a VPN provider.

But: Working IPv6 support guarantees at least some level of proficiency by the VPN provider, so they might be more reliable candidates to begin with.

Crappy VPN services do all sorts of crappy stuff.

But there's more needed with IPv6 than routing properly. The VPN provider needs to assign IPv6 addresses to customers, and that's harder than just NATing stuff. It's almost like being an IPv6 ISP.

But I've done a toy implementation. To get "anonymous" IPv6 addresses, so I could test VPN service clients for IPv6 leaks, without pwning myself. I needed a little help from an IVPN engineer, but it wasn't that hard.

As sneak says, almost everything uses privacy extensions by default.

You can do NAT over IPv6 too.

I depend on my ISP doing so. If I don't share a, let's say, /16 block with all the customers of my ISP, then it's not as safe as CG-NAT is.

The following may sound out of the blue. To expedite the discussion, however, allow me to state that it has been in reviews at the highest levels of responsible organizations without receiving a shot yet. So, please enjoy the information.

The IPv4 address shortage issues have been resolved. We came upon a scheme that can expand each public IPv4 address by 256M (Million) fold without affecting the current Internet. A proposal called EzIP (phonetic for Easy IPv4) has been submitted to IETF:


Essentially, among other benefits, EzIP can establish a sub-Internet capable of serving an area with up to 256M IoTs from just one IPv4 address. This is bigger than the largest city (Tokyo metro) and 75% of the countries. This can realize the CIR (Country-based Internet Registry) model proposed by ITU a few years ago stealthily, even without setting up a CIR organization. If a government is not interested in these resources, private enterprises can make use of them to provide "local" Internet service in parallel to the current "global" Internet services, very much like the independent telephone companies in the PSTN industry.

The current Internet then becomes the backbone / infrastructure / skeleton for interconnecting these sub-Internets, yet only for carrying inter-sub-Internet traffic, very similar to the electric grid supporting islands of renewable energy generated by individual homes and businesses. Consequently, there will be a lot of spare IPv4 addresses for quite some time to come.

Then, much of the efforts in deploying IPv6 are no longer needed.

Thoughts and comments will be much appreciated.

Abe (2018-09-07 10:49)

> local internet

Not on my Internet.

IPv6 is the only way going forward.

EzIP would be damaging to IPv6 adoption, and shouldn't be given the time of day.

Hi, snvzz:

0) You sound quite narrow minded.

1) The Internet is for everyone, not yours.

2) Like it or not, the "local Internet" / "sub-Internet" configuration enabled by EzIP can be deployed by anyone where there is the need. Each will appear like a simple IoT to the overall Internet. This is most likely why the high level people have not tried to shoot at it yet.

3) "EzIP would be damaging to IPv6 adoption ...": What is so noble about IPv6? Frequently, Internet people proudly state that "three years is too long for Internet product cycles". Here we are, IPv6 has been in development for more than two decades, and in deployment for nearly ten years. Hasn't it had its fair time to "experiment" with the "idea from scratch"? Why are you so protective of it?

Abe (2018-09-11 23:28)
