40% of Google users now connect via IPv6 (google.com)
316 points by leohonexus 86 days ago | 346 comments

I sure wish Starlink supported IPv6. They're a brand new ISP planning for millions of customers and decided from the start they couldn't get enough IPv4 addresses for everyone. Fair enough! But we're stuck with Carrier Grade NAT and it is a drag.

On Starlink it's impossible to host a server socket directly, which makes any peer to peer networking a PITA. Geocoding IP addresses doesn't work so I have to bend over backwards to convince, say, Youtube TV that I'm in the Sacramento metro and not LA where the POP is. Also the shared IP addresses seem to trip a lot of DDOS protection; I fill out 10x as many CAPTCHAs on Starlink as I do on my other ISP. And I sometimes get random network stability problems; a few weeks ago Starlink screwed something up so no one could keep a persistent connection up more than a few minutes. Seems to be fixed now, but I bet it was their CGNAT system.

I realize half the world lives with CGNAT. It's not unusable, at least web browsing works more or less. But IPv6 would solve all these problems. A little surprised that a new ISP created in 2021 wouldn't have IPv6 support as one of their launch features. There's hints they are trying to get it working but it's not an official thing now. Some discussion: https://www.reddit.com/r/Starlink/comments/tjr90n/starlink_i...

>I fill out 10x as many CAPTCHAs

This is a feature, not a bug. You can now identify a traffic light on a subconscious level 3x further away than the average driver that has an assigned IPv4.

Where average drivers hesitate upon seeing a yellow light, wondering if they have enough time to go or not, you just know that a slight uptick in speed will get you through the intersection right as that yellow flashes over to red.

The downside is every time I don't identify one of the squares containing a bicycle, somewhere a self-driving car claims another victim.

shoot! now you tell me

Wait, so that's how Elon is now training his autopilot? :)

Tesla are paying for labellers, aka Data Annotation Specialists:


But, I would be surprised if they don't also use 3rd party labelled data sets.

Wasn't it just in the news that they are firing a ton of these?

Yes! That's how I actually found out they have them.

That’s a non-sequitur argument. Simply because your parent comment can identify the state of lights faster does not make them any faster at deciding whether to cross them because it doesn’t influence them to make different decisions based on the speed of their vehicle and then distance from the light.

it was a joke

This is 2022. Humor is verboten. You're cancelled.

A local ISP told me that they want to get into IPv6 as soon as possible. NATs are getting costly and moving just YouTube traffic to IPv6 would actually help a lot.

The problem is with end user devices that do not use a stable DUID and when the client hits the reset button, it changes. We are probably going to work around this by responding from the closest hop and taking the MAC into account.

Why should an unstable DUID matter? The prefix won't change.

What besides presenting the same DUID would cause you to get the same prefix again?

Could it be based on whatever physical port you’re attached to on the ISP’s network?

The host portion of the address changes. The prefix doesn’t.

The prefix delegated to you does change in many consumer ISP setups, like the upthread poster reported and I've seen in many cases in well, I think repeating your assertion doesn't really advance your argument.

Are you thinking of a scenario where the ISP customers share a single prefix? This would be contrary to all the established best practices and deployment guidance for IPv6 since it wouldn't let you easily subnet. And may get the ISP in trouble with your RIR since it's just extorting customers for access to v6 addresses.

That is intentional. Stable identifiers that get transmitted over the internet lead to unavoidable tracking.
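The tracking concern in the comment above has a host-side answer that does not need any stable identifier to be sent over the wire: derive the interface identifier from a per-host secret and the network prefix, as RFC 7217 does, so the address is stable on the same network but unrelated across networks. The following is an added example, not code from the thread or from any ISP; it is a simplified rendition (RFC 7217 also mixes in the interface name and a DAD counter), and the prefixes and secret key are constructed sample values from the 2001:db8::/32 documentation range.

```python
"""Stable yet privacy-preserving IPv6 host addresses (RFC 7217 style).

Added example, not from the thread. The host part (interface identifier,
IID) is an HMAC over the network prefix under a per-host secret, so a host
gets the same address every time it returns to the same /64, while
different networks see unrelated identifiers, which defeats cross-network
tracking. Simplification: only prefix and secret are hashed here.
"""
import hashlib
import hmac
import ipaddress
import secrets

IID_MASK = (1 << 64) - 1
UL_BIT = 1 << 57  # the u/l bit of an EUI-64 sits at 0x02 of the first IID octet


def stable_private_iid(prefix: str, secret_key: bytes) -> int:
    """64-bit interface identifier bound to (prefix, secret_key)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC interface identifiers are formed for /64 prefixes")
    digest = hmac.new(secret_key, net.network_address.packed[:8], hashlib.sha256).digest()
    # Clear the u/l bit so the result cannot be mistaken for a MAC-derived EUI-64.
    return int.from_bytes(digest[:8], "big") & ~UL_BIT


def address_for(prefix: str, secret_key: bytes) -> ipaddress.IPv6Address:
    """The address a host would configure on a network advertising `prefix`."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    return ipaddress.IPv6Address(int(net.network_address) | stable_private_iid(prefix, secret_key))


def temporary_address(prefix: str) -> ipaddress.IPv6Address:
    """RFC 4941 style temporary address: random IID, regenerated periodically."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    return ipaddress.IPv6Address(int(net.network_address) | (secrets.randbits(64) & ~UL_BIT))


def iid_of(addr: ipaddress.IPv6Address) -> int:
    """Low 64 bits: the host part of the address."""
    return int(addr) & IID_MASK


def same_prefix(addr: ipaddress.IPv6Address, prefix: str) -> bool:
    return addr in ipaddress.IPv6Network(prefix, strict=False)


def demo():
    key = b"constructed-per-host-secret-key"  # in practice generated once and kept on the host
    home = "2001:db8:1:2::/64"     # constructed: the prefix the home ISP delegates
    cafe = "2001:db8:abcd:1::/64"  # constructed: some other network
    at_home = address_for(home, key)
    at_home_again = address_for(home, key)  # after a reboot or router reset: unchanged
    at_cafe = address_for(cafe, key)        # different prefix, unrelated host part
    return at_home, at_home_again, at_cafe
```

The prefix stays whatever the ISP delegates; only the host part is derived locally, so a router reset does not change the address a host ends up with on its own network, and a site on the other side of the internet cannot correlate the same host across two networks by its host part alone.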

Why are NATs getting costly? Don't quite understand.

To do NAT, you need to map (external) port numbers to (internal) IP addresses. This is done using connection tracking: tracking the state of the connection and the appropriate mapping.

And connection tracking gets expensive at scale.

Yes, I understand how NAT works.

But CPU/memory is going down in cost way faster than bandwidth demand is increasing.

Regardless, it's way way cheaper than buying IPv4 blocks clearly, otherwise people wouldn't be doing it.

Edit: ok, the problem isn't hardware, it's comedy license fees. https://itprice.com/juniper-price-list/cgn.html

$470k for a license to do CGNAT at 100gbit/sec. Surely these guys are opening themselves up to be replaced with some cheaper open source based software solution?

> $470k for a license to do CGNAT at 100gbit/sec. Surely these guys are opening themselves up to be replaced with some cheaper open source based software solution?

Good. CGNAT needs to die. Addressing is fundamental and customers deserve not just an address, but their own RANGE, especially now that it's feasible.

i'd love to be able to also ask for the reverse-dns zone to be delegated... if i've got a public subnet, it would be lovely to be able to use it properly.

a man can dream.

Software-defined networking is slowly becoming more popular, but it’s always going to be more resource intensive than these enterprise-grade routers that are typically implemented using FPGA / ASICs.

Having said that, I’m often equally baffled at just how expensive modern networking hardware is, but as it’s pretty much all of these carrier grade networking solutions being this expensive, I’m assuming it’s somewhat justified.

That doesn’t take away the fact that NAT just adds an expensive layer of complexity on top of it, and I can imagine that in the long term, IPv6 is starting to become much more attractive.

> I’m assuming it’s somewhat justified.

in a sense, yes. People claiming software based solutions can match the performance of basic hardware ASICs are simply not thinking about the scale and speeds of modern core routers and switches.

For instance, taken from the blog of Ivan Pepelnjak[0]:

> It’s hard to imagine how fast switching ASICs have to work – a modern data center switching ASIC can forward billions of packets per second. For example, the throughput of Broadcom Tomahawk 3 is 12.8 Tbps, and it can switch 8 billion packets per second, or 8 packets every nanosecond.

Another thing which makes routing at large scales with large traffic flows expensive is the separation of the control and data plane. Most modern datacenter routers can continue forwarding traffic inside the ASIC while its control plane encounters a failure (usually for a few 100 ms to a second; after that the forwarding table will become stale, and this cannot be refreshed without a control plane).

Having a redundant control plane isn't that expensive, but it becomes harder and harder to keep this failover fast enough if your forwarding plane is pushing more and more individual traffic flows.

Then there are still other items which one can add to a modern router to make it do more but also cost more. (think about accelerated IPsec encryption, MACsec at line rate or DWDM functionality).

[0]: https://blog.ipspace.net/2022/06/data-center-switching-asic-...

Probably a bit of a cartel for "enterprise grade" networking equipment, is my guess. Was similar in the late 90s/early 00s for web/database servers.

My (uneducated) guess would be to look at the way patents last too long. So society ends up suffering, rather than benefiting from IP protection.

I’m not sure the price is justified, however the ISP market is extremely difficult/impossible to break through for startups or any company capable of building their own. It’s a self-fulfilling prophecy, the market is hard to break into (for other reasons besides networking equipment cost) so nobody who can actually do something about it is able to get in.

the cheaper solution is IPv6. if an organization is too resistant to change to implement IPv6, they're going to find themselves subject to exorbitant licencing fees in order to keep using the technology they are stuck on.

CGNAT also needs IP-port-user logging to support disclosure requests by law enforcement.

Not if you only allow each user 100 connections. That's 1200 bytes of RAM per customer paying $100 a month.

And you can charge them an extra $10 per month for 'pro' internet and let them have 1000 connections for 'all the family'.

That's a laughably low limit. Even the "pro" plan would be marginal for a single person without running into limits from time to time. And never mind power users that might do something with p2p or have a couple more devices connected to the network.

But that's besides the point. Your home router can easily have millions of connections open (if they didn't skimp on the ram anyway), but if you have CGNAT boxes that do the same for tens of thousands of customers you also have to take into account that they have to move a lot of traffic. This means routing and doing NAT in software won't cut it anymore, but you need dedicated hardware coupled with very fast specialized memory to handle that traffic.

You can still do hardware NAT for the few thousand connections with the most packets and software NAT for everything else.

I bet across even an ISP network of a million users, 80% of the traffic at any point in time is within 10,000 connections.

You do realise that almost all connections are long-lived, and burst up and down in throughput? So the 10,000 “heaviest” connections right now are not the same as in, say, 3 seconds from now ?

So you propose constantly swapping in and out connections from “hardware NAT” to “software NAT”? What heuristic will you use to decide which connections go where?

Such a heuristic will probably look a lot like QoS, which is even more (much more!) resource hungry than NAT.

At which point will the obvious conclusion be, “maybe the carriers who actually deal with these problems have a point, NAT is indeed a significant amount of complexity, and let’s be happy IPv6 starts to make actual economic sense?”

How do you ensure each user is capped at 100 connections without that check incurring additional resources?

You have a per user counter. So instead of 1200 bytes it's 1201 bytes per user.

Memory isn’t the only dimension we care about.

You’ve basically proposed an absolutely horrible solution, for both the end-user and the ISP. Something tells me you haven’t actually done any actual low level network engineering, and just brush all this off as “how hard can it be”.

how are you going to keep this counter? Do you identify the bytes that are processed in individual flows? Which system will keep track of this? the control plane of the router maybe? great... you just added additional complexity instead of just pushing packets through a forwarding plane.

When an unrecognized flow shows up, punt it to software. Handle the counter there, and if it overflows then you drop the packets. No need to add anything to the control plane.

"punting it to software" from a router with separate control and forwarding planes perspective, is forwarding it to a control plane, instead of relying on the logic programmed inside the ASIC to forward traffic.

Sorry, I meant no need to add anything to the forwarding plane, or interfere with its efficiency at all.

The point is, the really fast part doesn't need to be more complex.

The part that handles new connections needs to be marginally more complicated, but not enough that it should really matter.

Please don’t give Comcast ideas

because maintaining state for CGNAT tables is far more complex than just forwarding packets. routers doing NAT are thus more expensive than those just doing simple forwarding.

Also, in some countries ISPs need to map the use of a specific ip address to a specific subscriber for law enforcement purposes. CGNAT is no exception to this and creates a large amount of overhead because the public IPv4 prefix space is shared between multiple customers.

> because maintaining state for CGNAT tables is far more complex than just forwarding packets.
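The three things the thread keeps circling back to, connection-tracking state per flow, the "one counter per user" quota from the 100-connection proposal, and the IP/port/time-to-subscriber log that lawful-disclosure requests need, fit in one small model. The following is an added example written for this page, not code from the thread or from any CGNAT product; the addresses are constructed from the shared address space 100.64.0.0/10 and the documentation ranges, and port exhaustion and quota handling are the simplified first-come, first-served versions.

```python
"""Toy CGNAT translation table: the per-flow state a carrier has to keep.

Added example, not code from the thread. Shows state held per flow, a
per-subscriber quota checked on every new flow, and the
(public ip, port, time) -> subscriber log that disclosure requests need.
"""
from __future__ import annotations

import collections
import time
from dataclasses import dataclass

FlowKey = tuple[str, int, str, int]  # (inside ip, inside port, destination ip, destination port)


class CgnatFull(Exception):
    """No free public (ip, port) left in the pool."""


class SubscriberQuotaExceeded(Exception):
    """Subscriber already holds max_flows_per_sub mappings."""


@dataclass
class Mapping:
    subscriber: str
    public_ip: str
    public_port: int
    opened_at: float


class Cgnat:
    def __init__(self, public_ips, port_range=(1024, 65535), max_flows_per_sub=100):
        lo, hi = port_range
        self.free = collections.deque((ip, p) for ip in public_ips for p in range(lo, hi + 1))
        self.max_flows_per_sub = max_flows_per_sub
        self.table: dict[FlowKey, Mapping] = {}              # outbound translation state
        self.reverse: dict[tuple[str, int], FlowKey] = {}    # inbound: public (ip, port) -> flow
        self.flows_per_sub = collections.Counter()           # the "one extra counter per user"
        self.log: list[tuple[float, str, str, int, str]] = []  # (time, event, ip, port, subscriber)

    def open_flow(self, subscriber: str, key: FlowKey, now: float | None = None) -> Mapping:
        now = time.time() if now is None else now
        if key in self.table:                 # known flow: no new state needed
            return self.table[key]
        if self.flows_per_sub[subscriber] >= self.max_flows_per_sub:
            raise SubscriberQuotaExceeded(subscriber)
        if not self.free:
            raise CgnatFull()
        ip, port = self.free.popleft()
        mapping = Mapping(subscriber, ip, port, now)
        self.table[key] = mapping
        self.reverse[(ip, port)] = key
        self.flows_per_sub[subscriber] += 1
        self.log.append((now, "open", ip, port, subscriber))
        return mapping

    def close_flow(self, key: FlowKey, now: float | None = None) -> None:
        now = time.time() if now is None else now
        m = self.table.pop(key)
        del self.reverse[(m.public_ip, m.public_port)]
        self.flows_per_sub[m.subscriber] -= 1
        self.log.append((now, "close", m.public_ip, m.public_port, m.subscriber))
        self.free.append((m.public_ip, m.public_port))  # port goes back into rotation

    def translate_inbound(self, public_ip: str, public_port: int) -> FlowKey | None:
        """Inside flow for a packet arriving at public ip:port, or None (drop)."""
        return self.reverse.get((public_ip, public_port))

    def who_had(self, public_ip: str, public_port: int, at: float) -> str | None:
        """Disclosure-request lookup: subscriber holding public ip:port at time `at`."""
        holder = None
        for t, event, ip, port, sub in self.log:
            if (ip, port) != (public_ip, public_port) or t > at:
                continue
            holder = sub if event == "open" else None
        return holder


def demo() -> dict:
    """Scripted scenario: one public address, two ports, two flows allowed per subscriber."""
    box = Cgnat(["203.0.113.1"], port_range=(40000, 40001), max_flows_per_sub=2)
    a1 = ("100.64.0.5", 51000, "192.0.2.10", 443)
    a2 = ("100.64.0.5", 51001, "192.0.2.10", 443)
    a3 = ("100.64.0.5", 51002, "192.0.2.11", 80)
    box.open_flow("sub-A", a1, now=10.0)   # gets 203.0.113.1:40000
    box.open_flow("sub-A", a2, now=12.0)   # gets 203.0.113.1:40001
    try:
        box.open_flow("sub-A", a3, now=13.0)  # third flow: over quota
        quota_rejected = False
    except SubscriberQuotaExceeded:
        quota_rejected = True
    box.close_flow(a1, now=20.0)           # port 40000 returns to the pool
    b1 = ("100.64.0.9", 60000, "192.0.2.10", 443)
    reused = box.open_flow("sub-B", b1, now=25.0)  # another subscriber now owns 40000
    return {
        "quota_rejected": quota_rejected,
        "reused_port": reused.public_port,
        "holder_at_15": box.who_had("203.0.113.1", 40000, 15.0),
        "holder_at_22": box.who_had("203.0.113.1", 40000, 22.0),
        "holder_at_30": box.who_had("203.0.113.1", 40000, 30.0),
        "inbound_to_b": box.translate_inbound("203.0.113.1", 40000),
        "state_entries": len(box.table),
    }
```

The `who_had` lookup is why the log has to record both the open and the close with timestamps: the same public ip:port is handed to a different subscriber minutes later, so an abuse report that names only the address and not the port and time cannot be attributed. Everything in `Cgnat` is state that a plain IPv6 router does not keep.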

But it’s a solved problem with mature solutions, decades old. Is it really financially expensive?

compared to rolling out IPv6? definitely, especially on the longer term.

For instance, most Core/Edge routers (my experience is mainly with juniper MX series, but i assume the model is roughly the same for other vendors), you need specific licenses or interface cards to do stateful services like NAT.

Compared to doing IPv6, which is "just forwarding packets" and doesn't require the hardware to track state in nearly the same manner.

Most serious core/edge hardware vendors also do not put IPv6 behind licenses compared to CGNAT and other NAT-like features, because packet based forwarding is the most basic functionality a router should provide.

Routers which are able to do less state, also are frequently far less expensive.

You’re presenting a false dichotomy. The choice for an ISP today is not “v4 or v6”, it’s either “v4 or v4+v6”. A v6 only connection in the US is unusable.

The v4 fallback can operate on slower equipment if needed. The majority of bandwidth-heavy services support IPv6 (and the slowness will encourage outliers to migrate).

The more traffic you can get onto ipv6 the less stress is on the v4 infrastructure. Each v6 connection is one your CGNAT doesn't have to provide an ipv4 port for.

So what? That’s still just a scaling factor at that point and still requires you to have v4 cgnat infrastructure + ipv6.

You don't have to beef up your v4 infra as much though. Think 4 powerful v4 routers instead of 5 or something. If the traffic to the big streaming providers doesn't have to run through these routers, you can save a lot. Same goes for the ipv4 address space you have to rent/buy. The more connections are on ipv6, the less public ipv4 addresses you need to have.

So ipv6 support might be saving you costs already in a dual stack setting.

Take a step back to the wider context of a brand new ISP though. If you’re rushing to market like Starlink appears to be, you either implement just v4 and scale later or implement both v4/v6 up front.

Until there is a bunch of exclusive v6 stuff customers will be up in arms over missing, the answer of which thing to prioritize is obvious.

Yeah I guess it's the same as with the inter satellite communication which is promised for later, but not implemented yet so that they get at least some product out to customers. I don't think dual stack is that hard to do for entirely new networks though.

Also, one of the reasons to do satellite internet is lower latency which is a bit hurt by CGNAT infrastructure.

Last, generally brand new ISPs are in the situation that they have a hard time of getting ipv4 address space. The incumbents, especially the older ones, were around when ipv4 addresses were still plenty so they usually have way less problems with ipv4 address space. Starlink only has 166k ipv4 addresses according to https://ipinfo.io/AS14593 . Compare this to AT&T which has over a hundred million for their AS 7018 https://ipinfo.io/AS7018 alone, and there are other AS numbers they have like AS20057 with 7 million ipv4s. This roughly matches the number of AT&T customers while Starlink has more than double the number of subscribers than its number of public IPs, with growth ahead.

Having your core as v6 only lets you push NAT to limited places (one of the many options for 4x6x4 NAT, including stateless options if you're willing to cut certain corners off v4).

And v6 connections help drop the pressure on NAT resources - and sites that are optimizing for mobile connections are already going to be on IPv6 where possible (due to mobile networks prioritizing v6 traffic for various reasons, including licensing - and NAT resource costs)

CGNAT is just a slightly more fiddly version of DS-Lite (and frankly at this stage your internal network is either v6 or an ad-hoc informally-specified bug-ridden implementation of half of it). You're always going to have to do messy connection tracking stuff with connections going to v4-only sites, the only question is whether you want to do it for connections to v6-enabled sites as well or not.

All apps on iOS support DNS64 on ipv6 only network.

That doesn’t help for servers that are only reachable via ipv4 (see GitHub).

NAT64+DNS64 is specifically for IPv6-only clients to access IPv4-only servers.
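Added example for the DNS64/NAT64 exchange described in the comments above (not code from the thread or from iOS): the resolver side synthesizes an AAAA record by embedding the IPv4 address in a /96 NAT64 prefix as RFC 6052 specifies, and the gateway side reverses it. The well-known prefix 64:ff9b::/96 is the real one from RFC 6052; the network-specific prefix 2001:db8:64::/96 and the zone contents are constructed, and the demo zone uses the network-specific prefix because RFC 6052 forbids embedding non-global IPv4 addresses (which the documentation ranges are) in the well-known prefix.

```python
"""DNS64 synthesis and NAT64 extraction with RFC 6052 address embedding.

Added example, not from the thread. An IPv6-only client asks for AAAA; when
the DNS64 resolver finds only an A record it embeds the IPv4 address in the
NAT64 prefix and returns the synthesized AAAA. The NAT64 gateway recognises
the prefix and recovers the IPv4 destination. Only the /96 embedding
(IPv4 in the low 32 bits) is implemented.
"""
from __future__ import annotations

import ipaddress

WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")   # RFC 6052
NSP = ipaddress.IPv6Network("2001:db8:64::/96")             # constructed network-specific prefix


def wkp_eligible(ipv4: str) -> bool:
    """RFC 6052 forbids embedding non-global IPv4 addresses in the well-known prefix."""
    return ipaddress.IPv4Address(ipv4).is_global


def dns64_synthesize(ipv4: str, prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX) -> ipaddress.IPv6Address:
    """Resolver side: AAAA synthesized from an A record."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 NAT64 prefixes are handled here")
    if prefix == WELL_KNOWN_PREFIX and not wkp_eligible(ipv4):
        raise ValueError(f"{ipv4} is not a global address; use a network-specific prefix")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(ipv4)))


def nat64_extract(ipv6: str, prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX) -> ipaddress.IPv4Address | None:
    """Gateway side: the IPv4 destination, or None when the packet is native IPv6 (no translation)."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 NAT64 prefixes are handled here")
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFF_FFFF)


def resolve_for_v6_only_client(name: str, zone: dict, prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX):
    """DNS64 resolver behaviour: a real AAAA wins; synthesize only when none exists.

    Returns (addresses, synthesized).
    """
    records = zone.get(name, {})
    if records.get("AAAA"):
        return [ipaddress.IPv6Address(a) for a in records["AAAA"]], False
    return [dns64_synthesize(a, prefix) for a in records.get("A", [])], True


# Constructed zone: one dual-stack host and one IPv4-only host (documentation addresses).
ZONE = {
    "dual.example.": {"A": ["192.0.2.10"], "AAAA": ["2001:db8::10"]},
    "legacy.example.": {"A": ["192.0.2.20"]},
}
```

The dual-stack host never goes through the translator, which is the point made above about moving YouTube-sized traffic off the v4 path: only connections to v4-only hosts consume NAT64 state. A GitHub-style service that publishes no AAAA record is reachable from a v6-only client this way, but only through the carrier's translator.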

A problem being solved doesn't mean the current solution is inexpensive or optimal.

The same could be said about IPv6. I think the point is that IPv6 scales better with traffic increases, to the point where switching from CGNAT to IPv6 becomes financially attractive.

What do you mean, solved problem?

> A little surprised that a new ISP created in 2021 wouldn't have IPv6 support as one of their launch features.

Worse, they had it and turned it off at some point!

They moved from behind Google to their own network, so it wasn't exactly turning it off.

Unfortunately customers tend to be happier with IPv6 turned off. There are lots of ways to misconfigure IPv6 and have it kinda work but slow and unusable. This is especially the case when you let users bring their own router.

Not really: Like was mentioned upthread, with CGNAT you end up fate sharing the reputation of a single v4 address with other customers, you get CAPTCHAs or just outright lack of service (eg instagram aggressively rate limits per IP). Not to mention worse service with apps that can use end-to-end connectivity when available, like video calls etc.

Many of our customers are on Starlink, and use our service to bypass the CGNAT allowing them to host web servers, SMTP servers, etc. Our service is called Hoppy Network, it provides a unique and publicly accessible IPv4 and IPv6 range over WireGuard.


Does this work if I'm already using tailscale?

They recently added a bunch of IPv6 addresses to their GeoIP file, and announced more via BGP, I suspect it's in the works. FWIW, they aren't any more specifically Geo located, so this won't fix your issues.

good, what does geo location offer aside privacy invasion?

Starlink was also initially promoted for gaming, where CGNAT is terrible.

Unfortunately Sony doesn't support IPv6 either.

Without the laser links Starlink also never got the latency advantages it was supposed to have for long range gaming (like US to Europe). Instead it goes down to a basestation and then through traditional means, but that may change with the new bigger satellites if the laser part works this time.

TIL Starlink does not have IPv6

Waiiiiiiit, it's NAT causing the bloody captchas.

Bugger this. I've had enough of the captcha storm.

Would them using CGNAT suggest they are tunneling your traffic as it goes between your station and the ground station?

I wonder if they’ll go IPv6 once they are doing inter-satellite routing?

They could do CGNAT at each ground station, with IPs dedicated to each ground station

Starlink dishes support ipv6, I've been using it for awhile. Their stock router box does not support ipv6 though.

What's the point of Starlink?

with 4G/5G home internet, there's no real point anymore.

You likely live in a country with a population smaller than 5% of the worlds.

Many people do not have this option.

For me personally, the pathing of 5G and my broadband are too similar, so Starlink acts as a redundancy for these.

Where I live, I can try to use 4G. I get one bar of signal and when it's working I get anywhere from 0.2 to 20Mbps with 700ms (!) latency. It costs $80 for 150Gb a month.

Or I can use Starlink. I get a solid reliable signal, anywhere from 20-250 Mbps with 60ms latency. It costs $110 for unlimited bandwidth.

The real competition where I am is fixed wireless. That's 12 Mbps, 70ms latency, and $100/mo.

Decent satellite internet for people who can't get anything else?

I don't see how 4G/5G home internet existing removes the point of it.

All your criticism is valid in the long run but right now, SpaceX's focus is to scale up, focus on usability for the majority of its customers and become profitable. Removing any unnecessary feature is a must in order to reduce risk.

> SpaceX's focus is to scale up

> Removing any unnecessary feature is a must in order to reduce risk.

You can’t scale a space based planetary ISP without IPv6, this isn’t a feature, it’s a requirement.

IPv6 amounts to a firmware update which the current hardware is and any future hardware will be capable of. The major hurdle in scaling Starlink is fast and cheap deployment of 1000s of satellite hardware. At the moment, the sole focus of SpaceX in relation to Starlink is to get their V2 satellites to orbit in order to keep up with bandwidth demands. V2 requires the Starship system which is yet to make it to orbit.

TL;DR bigger fishes to fry ATM - yes you need IPv6 to scale, no you don't need it right now.

It’s really too bad that ipv6 is only… checks notes… 26 years old now. I realize that may be an unreliable metric, so it’s roughly equivalent to 2.88 react.js lifetimes, or 3.25 vue.js lifetimes.

When the ipv6 spec was released, the latest python release did not yet support list comprehensions.

In other words, there is no reason to not support ipv6 out of the box in 2022.

> In other words, there is no reason to not support ipv6 out of the box in 2022.

i'd go even further and say that no ipv6 support means obsolescence.

> there is no reason to not support ipv6 out of the box in 2022

Use the age of a service as the metric, not the absolute year we're in. It's probably reasonable to say that there is little reason not to support IPv6 for an ISP with X years of operation. Starlink is young still.

An analogy is worldwide sales for a new laptop company. You can say that in the age of globalism, there is no reason not to ship to every continent right off the bat. But for a startup with limited cash that has lot of building blocks to lay out, it's a huge risk. They should plan for it, but only branch out when they've got a solid foundation.

A better analogy would be a new laptop company selling laptops with Windows XP.

"Our staff is more familiar with XP. We promise we're still working on the Windows 10 drivers, but in the meantime you can try to run it in VMWare."

A new ISP should implement IPv6 first and then run IPv4 on top of it like T-Mobile. They shouldn't "add" IPv6 because it should have been designed in from the beginning.

They already had IPv6 support while they were still using google cloud for connectivity (not sure why they went with google for their initial phase instead of a more traditional carrier) and when they moved to their own network they disabled IPv6 for some reason.

The funniest bit is that I'm not sure you can get normal v6 on GCP yet...

> no you don't need it right now.

Yes we do. IPv4 exhaustion is a thing.

That's what CGNAT provides a temporary solution for.

I doubt there's much overlap between the people working on IPv6 and those working on getting Starship off the ground.

It's not a function of overlap. If they've determined IPv6 isn't a priority and instead a risk, then it makes no sense to dedicate resources to it right now. It's not as if everything else about the firmware/software is wrapped up and the software team is sitting on their hands doing nothing.

CGNAT itself is an enormous risk. It's WAAAAAAAAAAAAAAY more complex and unstable than v6.

> CGNAT itself is an enormous risk.


IPv6 isn't a substitution for CGNAT, it's an addition to it. You either have to keep CGNAT or replace it with dedicated IPv4 for each customer. Dedicated IPv4 is most likely too costly given the limited availability. SpaceX is also trying to cut cost aggressively.

It’s stateful.

Specifically, if a plain router stops working, BGP will route around it, and all you did was drop packets. If NAT stops working, you don’t just drop packets, you drop whole connections. Applications don’t tend to tolerate dropped connections as well as they tolerate dropped packets.

True. As an ISP you are gonna need an IPv4 stack no matter what. Even if that stack is CGNAT'd up the ass. I can't even ping news.ycombinator.com or amazon.com with IPv6.

That is the biggest problem with IPv6. Who is gonna be the first ISP to shut off their IPv4 stack? There is always gonna be some random website that is IPv4.

When all the big services become IPv6, the number of IPv4 megabits will become small.

You might just direct all the v4 traffic via a tunnel to another ISP which specializes in legacy services like IPv4, running SMTP/news servers, etc. Now you've saved all the cost of maintaining all the IPv4 peerings and config.

>When all the big services become IPv6, the number of IPv4 megabits will become small.

Well I have been hearing about the end of IPv4, and IP exhaustion for about 20 years now, and I fully expect people to still be moaning about it 20+ years from now while the majority of the internet still communicates over ipv4

Amen. I dual stacked my home network 10 years ago. 5 years ago I joined an ISP that gave me CGNATv4 and IPv6 and I opted to disable IPv6 at the router.

Why? If you have an IPv4 address, even a dynamic one, then IPv6 may not offer you a lot of practical benefit, but CGNAT-only sucks if you're at all technical.

It sucks if you're non-technical too, it's just harder for non-technical users to figure out the underlying source of any problems they have.

v6 also has better measured performance on webpage load times. Perhaps "pages load slightly slower than they could do" isn't a show-stopping problem, but faster would still be better, right?

CGNAT specifically means you can't have even temporary peer-to-peer connections, e.g. non-server multiplayer games generally won't work. And forget about trying to host anything, dynamic DNS services can't help you here. That to me is a much bigger problem than IPv4 in general being a bit slower.

It's a partial substitution. What percent of your traffic is youtube, for example?

Where did you get that information?

From Elon Musk in numerous interviews. Latest of which is with Tim Dodd.

Get a raspberry pi, set up two vlans, run wireguard, and send 100% of your uplink traffic to a remote vpn endpoint.

This gets you off their IP, and also has the added benefit of not letting them analyze your traffic.

And adds 20ms+ latency, another complex point of failure, and potential problems depending on the reputation of the IP address block of wherever you're hosting the endpoint. I've used VPNs to smooth over various Starlink problems since I got the service and it helps but it's not a great solution.

My he.net ipv6 tunnel adds about 2ms of latency on average, which I can totally live with.

At least when I was doing this, it also meant that I blocked Netflix and a few other services for my entire network.

Can you use that over a CGNAT?

Most likely you wouldn't with CGNAT, unfortunately, at least I can't see how. They need to ping your IPv4 address to set up.

As an aside, they also want to ping your IPv6 daily (at least in my logs) to keep the tunnel alive; otherwise quite stable.

I'm fortunate to not have to deal with CGNAT. But still waiting for IPv6. A he.net tunnel works for now for what I need: stable IPv6 for SSH tunneling from my IPv6 mobile.

There is no other solution that doesn’t allow SpaceX to snoop on all your traffic, unfortunately.

Having a non-residential IP address is likely to get you blocked from services like Netflix.

It would be nice if there were some way to decouple connectivity from addressing, without becoming a second-class citizen of the internet.

A good way is to refuse to give money to such services, which being unable to access them, dovetails nicely.

Incidentally this also makes torrenting safe, and everything on Netflix can be downloaded via BitTorrent.

That's an interesting point. I wonder what Starlink is doing with any DMCA complaints aimed at IP address traffic.

4K high bitrate HDR / dolby vision + dolby atmos is surprisingly a pain to find in general.

I don't use Netflix but that never happened to me.

I'd go so far as to say that it's actually never happened to anyone that doesn't use Netflix.

I can't tell if this is a 'by definition' comment or if you mean that Netflix is the only major service which blocks VPN IPs.

The latter isn't quite true, sometimes a site is having a bad day and sets up Cloudflare rules which make VPN access impractical or impossible, but it's more true than not: I can usually use Netflix off a VPN, just not consistently.

Oddly the hardest part of this right now is getting your hands on a raspberry pi!

You can get wireguard running on any consumer network appliance capable of running OpenWRT.

Why two VLANs? Are you worried the traffic is analyzed by the ISP locally?

When I use a VPN I get significantly more CAPTCHAs.

I'm curious how much of this is mobile vs desktop. My assumption is that a much larger percentage of the traffic on mobile is ipv6.

In Germany, where the Google statistics show 64% IPv6 adoption, mobile carriers were actually the last to support IPv6, but even the last mobile carrier enabled it around a year ago.

Now it's mostly businesses that are still not using IPv6.

Over here in America T-Mobile has been IPv6-only with NAT64/464XLAT since the early-mid 2010s.[1] My local cable internet company still doesn't support IPv6 in 2022!

[1]: https://www.internetsociety.org/resources/deploy360/2014/cas...

yup, same for my ISP, they just completed a rebrand and finalized a bunch of mergers so maybe they'll finally see this as a cost saving measure and implement it.

All the carriers here enabled it for their direct customers, but many resellers still only provide IPv4 connectivity (with CGNAT).

I believe in the US ipv6 mobile adoption was much quicker.

I’m on Vodafone/Kabel Deutschland. IPv4 only, my only option would be to switch to CGNAT to get IPv6, which I’d rather not.

Not sure why that's the case for you. I'm on Vodafone/Kabel Deutschland too and got full ipv4/ipv6 dual stack? Is that one of those regional limitations that Vodafone seems to have?

Oftentimes you can just ask the customer service of Vodafone. If you reach a good agent, they will switch you away from CGNAT and you get a proper /56 public routable prefix on your cable line. Also works great for me. Be aware, the Vodafone modem won‘t forward the prefix for you. Use a Fritzbox or one of the other few cable modems where you get full control.

You are sure you are not behind a CGNAT? From what I’ve heard, that’s the case for everyone with IPv6.

Meanwhile, Github is completely unreachable via IPv6 to this day.

Found that out the hard way the other week when I went to order a build server without an IPv4.

I think they're extremely scared about their Enterprise github.com customers being unhappy when their IP allowlists or IP address audits are impacted by a switch to allowing v6 addresses, as this will surely lead to tons of headaches for their account managers.
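The allowlist breakage the comment above anticipates has a concrete mechanism worth seeing: once a service accepts connections on a dual-stack socket, its existing IPv4 customers arrive as IPv4-mapped IPv6 addresses (::ffff:192.0.2.10), and an allowlist evaluated without normalising them starts denying them the day IPv6 is switched on. The following is an added example, not GitHub's code and not from the thread; the entries and client addresses are constructed from the documentation ranges.

```python
"""IP allowlist that answers the same for IPv4, IPv6 and IPv4-mapped IPv6 clients.

Added example; not GitHub's code nor from the thread. `naive_allows` is the
check that silently breaks on a dual-stack listener; `Allowlist.allows`
normalises mapped addresses first and compares within the right family.
"""
from __future__ import annotations

import ipaddress


def normalize(client_ip: str) -> ipaddress.IPv4Address | ipaddress.IPv6Address:
    """Address to evaluate: an IPv4-mapped IPv6 address becomes the plain IPv4 address."""
    addr = ipaddress.ip_address(client_ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


class Allowlist:
    def __init__(self, entries):
        self.networks = [ipaddress.ip_network(e, strict=False) for e in entries]

    def allows(self, client_ip: str) -> bool:
        addr = normalize(client_ip)
        return any(addr.version == net.version and addr in net for net in self.networks)

    def families_covered(self) -> set[int]:
        """Audit helper: which address families the list has any entry for."""
        return {net.version for net in self.networks}


def naive_allows(entries, client_ip: str) -> bool:
    """The v4-era check: no mapped-address normalisation, so ::ffff:a.b.c.d never matches."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in entries)
```

`families_covered` is the audit a service would run before turning on AAAA records: a customer whose list contains only IPv4 entries will have every native IPv6 client denied, which is the support load the comment describes, and a list with no IPv6 entries cannot be "fixed" by the service without the customer supplying their IPv6 ranges.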

To add, if they're moving to Azure this might make IPv6 deployment complicated: https://news.ycombinator.com/item?id=29327773

Github also can't send webhooks to ipv6 only hosts.

Did you make a pull request?

He can't access it to make a PR.


It's mostly impossible to run servers only with IPv6 since for some reason Canonical/Ubuntu decided to require IPv4 for snap, after years of not having any issues with IPv6 only deb mirrors.

Go is also basically bound to IPv4 since it depends on github to pull packages

it's time to make a hall of shame for software that does not allow developers to build IPv6 only going forward.

Your first point is easily solvable with `sudo apt remove snap`. It also solves a lot more problems and gets rid of broken software.

Wait, GitHub still doesn't support IPv6?

Neither does DuckDuckGo. Been a feature request for >5 years now.

I'm 99% certain that they turn off IPv6 to avoid complaints. Implementing IPv6 on a frontend load balancer is a trivial networking change. But the only way to ensure an IPv6 connection works is for the user's OS, networking, firewall, router, modem, ISP backend network, ISP DNS resolver, target website DNS, and target website load balancer & firewall, all have IPv6 configured properly. If a single step is misconfigured, or uses IPv6 tunneling/translation, every request might be blocked until the website disables IPv6. So don't support IPv6 at all and you avoid headaches.

Avoiding an unnecessary support headache is the basic reason why IPv6 has existed for 26 years and yet Google can still barely get 40% use for its own website. Everybody loves to design a spaceship, but nobody designs for moving between spaceships mid-launch.

I’m looking forward to the day when this same argument is made for IPv4 by default instead.

> Go is also basically bound to IPv4 since it depends on github to pull packages

Is this also true for the Go module proxy?


    $ dig +short AAAA proxy.golang.org

So Go is not “basically bound to IPv4” since the proxy is enabled by default.

My website has a few hundred thousand users.

My development is completely user driven.

I get hundreds of feature requests and other emails regarding my site per month.

So far, not a single user mentioned IPv6.

So I never added an AAAA record.

The codebase has grown for over 10 years now.

God knows what subtle breakages would happen when IPv6 requests come in.

I wonder if I ever will add IPv6 or just leave the site running on IPv4 forever.

> So I never added an AAAA record.

IPv4 servers are reachable by IPv6-only clients. ipv6test.google.com famously has only an A (IPv4) record for a reason.

> God knows what subtle breakages would happen when IPv6 requests come in.

Unless your product deals with the nitty gritty of the networking stack itself, pretty sure everything continues to hum along just fine, if the basics are covered.

    pretty sure everything continues
    to hum along just fine
Haha. Wishful thinking.

Have you ever worked with a live system that grew for 10 years?

There could be tons of IP specific things in there. To enforce rate limits. For security. To do statistics. To do A/B tests...

Yes, there could be. But in the end, those are just parameters of the specific networks/services that make up the internet. Considering that routing is not deterministic, you could get vastly different characteristics from point A to point B across the internet at specific times anyways.

Sooner or later, you will have to support IPv6. May as well slowly start testing bits and pieces, and avoid doing it in a rush later on.

I'm not sure I will have to.

So far, nobody said IPv4 will be turned off.

Maybe it will work for another 1000 years?

Railroads have been around for over 2000 years and are still going strong. Despite cars and planes.

Postal service has been going on for 4000 years. Since the times of the pharaohs! And It's still going strong, too. Despite phone, email and WhatsApp.

> Railroads have been around for over 2000 years and are still going strong. Despite cars and planes.

Rail is vastly superior to both planes and cars in many circumstances, if done right.

> Postal service has been going on for 4000 years. Since the times of the pharaohs! And It's still going strong, too.

With significant upgrades to both the transport and addressing layers :)

No - but I think at some point, you or your customers will see benefits in IPv6, or your clients may require it by policy (some of mine do). No rush, just saying, it takes time, may as well start with bits and pieces now.

As a provider, the main benefit I've seen is that every user has a roughly unique IP. It's easier to audit things. It's really messy when lots of users are behind CGNat. Another benefit, eventually, is the cost of IPv4 space (but admittedly not a big problem now).

>I'm not sure I will have to.

It's less likely that you will do so at a "customer" request; rather, it will be the ISP/hosting provider that will start to charge you ever-increasing fees to rent your IP address. As the IPv4 space gets more competitive you will see the fees for a routable IPv4 address go up; and conveniently there will be "discounts" to go IPv6. That's when I imagine most businesses will make the switch.

Not many wide-gauge railroads left in the UK now though, despite probably being better.

>IPv4 servers are reachable by IPv6-only clients

How does this work?

It unfortunately involves CGNATted IPv4, but it's either DS-Lite (https://datatracker.ietf.org/doc/html/rfc6333), where the end-user router emulates a dual-stack network but encapsulates IPv4 traffic in IPv6 from the perimeter to the CGNAT device at the ISP, or just plain NAT64/DNS64 (https://datatracker.ietf.org/doc/html/rfc6147), where IPv4 traffic is relayed at dedicated IPv6 addresses operated by the ISP with the help of special DNS (which might be what the GP meant for IPv6-only networks, but it tends to be unreliable for a lot of reasons).

In practice DNS64 is now being removed from a majority of networks because some specialty applications (I say "specialty" but these are work VPNs, conference systems and the like) react badly (because usually they can't understand IPv6 in the first place), replaced by either DS-Lite or plain dual-stack (possibly with CGNAT for IPv4).

I forget this part of IPv6 class (I've literally gone to several IPv6 classes throughout the years but then end up forgetting details because I've yet to use it in production), but since the IPv6 space is so large, it's trivial to put an IPv4 address into it, and so they make NAT 6to4 type gateways that map the IPv4 internet into a block on the IPv6 network.

This wikipedia entry is a pretty handy reference: https://en.wikipedia.org/wiki/IPv6_transition_mechanism

I think most or even all http servers and operating systems already can handle IPv6 no problem, one can set server bindings just the same as for IPv4.

Hetzner and other providers of this size already support hosting options for IPv6.

That said - my home ISP is not providing IPv6 at all, and the ISP we were getting our office connection from also provided no IPv6.

I'd be surprised if users ever asked you to do that. The driver is usually about your infrastructure reaching the most clients most efficiently, not about users seeing it's 4 instead of 6 and asking for numbers go up.

If your site is largely centrally hosted and doesn't require many IPs then nobody, including you, is going to care if it's v4 or v6 until ISPs stop providing v4 gateway services in the far far future as whether your site supports IPv4 isn't going to change anything for anyone. Well, unless your site is like the HN crowd where hacking for hacking's sake is the point in which case that's actually odd you haven't received an email.

Google is obviously the exact opposite of this use case hence their interest and monitoring of IPv6 support and the latency impact numbers.

> So far, not a single user mentioned IPv6.

That's because they don't know your website exists.

Question for the peanut gallery: Suppose I have a legacy ipv4 host which simply cannot do ipv6. Why couldn't I put some black box on my network connection in between my host and my uplink, which translates my host's IPv4 into a 4-over-6 IPv6 address? The black box can accept either v6 traffic and translate it for my host, or v4 and pass it straight through. The host only ever sees v4 traffic. V6-only clients can resolve an AAAA record against my host, and V4 clients can still resolve an A record.

As long as there is sufficient penetration of these black boxes, virtually everything should be able to talk to everything over v6, and the v4 shim can be removed.

I imagine this black box could be a relatively inexpensive ASIC or FPGA that could be a stand-alone widget, baked into hardware network adapters, or just built into routers, middleboxes, etc.

You're basically describing Cloudflare.

It is easy to make an IPv4 server accept IPv6 connections. It is relatively difficult to make an IPv4 client connect to IPv6 servers, because there aren't enough bits in the 'destination' field.

> I imagine this black box could be a relatively inexpensive ASIC or FPGA that could be a stand-alone widget, baked into hardware network adapters, or just built into routers, middleboxes, etc.

It's not that simple:

- The box has to translate IPv6 address space into IPv4 address space, but it's too big to fit. So the box has to be some kind of stateful reverse NAT, with all the problems that that involves, and the hardware requirements go way up.

- The IPv4-only host might make all sorts of assumptions about IPv4 addresses that are no longer valid. E.g. it might cut off addresses that it detects an attack from - but now as soon as two IPv6 addresses get mapped to the same IPv4 address you're going to block a legitimate user (in fact, since changing IPv6 address is easy, you're probably going to pretty quickly block the whole internet). E.g. it might expect to use an IPv4 geoIP database. E.g. it might be speaking a protocol like FTP where it's supposed to make an outbound connection to the client, so now your middlebox has to not only keep track of TCP streams but also the details of every protocol you want to be able to support.

That's basically NAT64+DNS64.
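To make the address arithmetic behind the DNS64/NAT64 and 6to4 explanations above concrete, here is an added Python example (my own, not code from this thread or from any of the RFCs). It synthesises a NAT64 address the way a DNS64 resolver does, recovers the IPv4 target the way the NAT64 gateway does, derives a 6to4 prefix, and recognises the three embeddings when they turn up in logs. All sample addresses are constructed from the RFC 5737 documentation range. The opposite direction, an IPv6 client reaching an IPv4-only server, has no stateless equivalent: 128 bits do not fit into 32, which is why that translator has to keep per-flow state, as the "black box" sub-thread above says.

```python
import ipaddress

# Well-known prefixes: NAT64 (RFC 6052), IPv4-mapped (RFC 4291), 6to4 (RFC 3056).
NAT64_WKP = ipaddress.IPv6Network("64:ff9b::/96")
IPV4_MAPPED = ipaddress.IPv6Network("::ffff:0:0/96")
SIXTOFOUR = ipaddress.IPv6Network("2002::/16")


def dns64_synthesize(ipv4, prefix=NAT64_WKP):
    """What a DNS64 resolver does with an A record for an IPv6-only client:
    embed the 32-bit IPv4 address in the low bits of the NAT64 /96 prefix.
    (RFC 6052 also allows /32-/64 prefixes with the address split around
    byte 8; only the common /96 layout is handled here.)"""
    if prefix.prefixlen != 96:
        raise ValueError("only a /96 NAT64 prefix is supported in this example")
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def nat64_extract(ipv6, prefix=NAT64_WKP):
    """Inverse: the IPv4 destination the NAT64 gateway actually connects to.
    This direction is stateless; the reply path (IPv4 -> IPv6 source) is not."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        raise ValueError(f"{v6} is not inside the NAT64 prefix {prefix}")
    return ipaddress.IPv4Address(int(v6) & 0xFFFF_FFFF)


def sixtofour_prefix(ipv4):
    """6to4 (RFC 3056): a public IPv4 address implies the /48 2002:VVVV:WWWW::/48,
    i.e. the IPv4 address sits in bits 16..47 from the top (shift by 80)."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network((int(SIXTOFOUR.network_address) | (v4 << 80), 48))


def embedded_ipv4(ipv6):
    """Return (kind, IPv4Address) if the IPv6 address carries an IPv4 one, else None.
    Handy in a log pipeline: geo-IP or rate-limit logic keyed on the real client
    should look at the embedded address, not at the translator's prefix."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 in IPV4_MAPPED:
        return "ipv4-mapped", v6.ipv4_mapped
    if v6 in NAT64_WKP:
        return "nat64", nat64_extract(ipv6)
    if v6 in SIXTOFOUR:
        return "6to4", ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFF_FFFF)
    return None


if __name__ == "__main__":
    # Constructed sample: the documentation address 192.0.2.1
    aaaa = dns64_synthesize("192.0.2.1")
    print("DNS64 synthesised AAAA:", aaaa)
    print("NAT64 gateway dials:", nat64_extract(str(aaaa)))
    print("6to4 prefix:", sixtofour_prefix("192.0.2.1"))
    for a in ("::ffff:192.0.2.1", "64:ff9b::c000:201", "2002:c000:201::1", "2001:db8::1"):
        print(a, "->", embedded_ipv4(a))
```

Note that `embedded_ipv4` only recognises the well-known NAT64 prefix; an ISP running a network-specific prefix (RFC 6052 allows that) has to be added to the check, and only the 64:ff9b::/96 layout is decoded here.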

At waipu.tv (video streaming) we have 64% of users connected via IPv6. Compared to 2021 adoption has stalled. 2020 was 56%. waipu.tv is Germany-only traffic.

Here the link from our Prometheus showing the data for 2020, 2021 and 2022: https://twitter.com/waipuTech/status/1543593614411964416?t=-...

In the UK at least one of our main providers, Virgin Media, has still not enabled support for IPv6, to the extent that websites such as https://www.havevirginmediaenabledipv6yet.co.uk/ exist to vent frustration.

Northern countries have lower adoption, I wonder if IPv6 works better in warm climates.

IPV6 works better in countries that didn't start with a legacy ipv4 infrastructure.

It works better for entities that were able to gobble up all of the ipv4 space before the rest had a chance in general

Just a small anecdote (I’m usually based in Asia); Recently I’ve been building a network analysis tool (like mtr) and I wanted to test it on macOS with IPv6 and struggled to find _anywhere_ where I could (i.e. home broadband, office, Internet cafes, mobile hotspot etc).

Of course, spinning up a cloud VM is an easy solution these days, but I was surprised at how poor the IPv6 adoption was where I live.

Higher mobile usage in Africa.

I appreciate IPv6 link local. mDNS + ipv6 ll addresses on my home network means I can connect to local devices, by name (mydevice.local) regardless of whether or not the router or DHCP/RA+DNS is working.

Anyone go out of their way to disable IPV6 on all their systems, even at the hardware level, like on routers etc? What's a good reason to avoid IPV6?

I recently disabled it on my router because dns would fail to work after a day or 2. When I did more research, it looked like others were running into the same issue, but there was no known fix, so the easiest solution was to disable ipv6 entirely.

I used to go out of my way to get ipv6 working (back when it was "new" I used a bridge service to get access), but I simply do not have the time to figure out what might be wrong with it anymore.

I run ipv6 but still use v4 for DNS

Firewalls are more complex on IPv6 (you need to pass a bunch of ICMPv6 through, to make it work), and some residential routers have very bad or even zero firewall support for ipv6, so your devices, that would otherwise be "protected" (not really) by NAT are now directly visible to everyone on the internet.

This usually isn't a problem for power users (who know how to set up and (re)configure a firewall) nor for most basic users (Windows firewall does that for them), but people "in the middle", who install some service and just fully disable the OS's firewall to be able to connect to it, are now vulnerable.

> Firewalls are more complex on IPv6

This is not true. Firewall rules work exactly the same in IPv6 land as they do in IPv4 land.

> you need to pass a bunch of ICMPv6 through, to make it work

Indeed you shouldn't block ICMPv6, but that is not really making anything "more complex".

> some residential routers have very bad or even zero firewall support for ipv6

Is there a proven set of routers that go through the trouble of supporting IPv6 routing but not include a firewall?

> Firewall rules work exactly the same in IPv6 land as they do in IPv4 land.

Yes, rules do work exactly the same, but with IPv4, you just let all the connections out through, and let just the established and connected ones back.

> Indeed you shouldn't block ICMPv6, but that is not really making anything "more complex".

But it is... you need a bunch of new rules to pass through, limit or block a bunch of ICMPv6 messages.. there's a whole RFC just for that - https://datatracker.ietf.org/doc/html/rfc4890

> Is there a proven set of routers that go through the trouble of supporting IPv6 routing but not include a firewall?

Yeah, a bunch of ISP CPEs have just a single checkmark "IPv6 firewall" on/off, and some older ones not even that (I'm talking about old Sagem and Innbox equipment I came in contact with, not sure about other telcos and the shitty CPEs they give out to the customers).

> Yes, rules do work exactly the same, but with IPv4, you just let all the connections out through, and let just the established and connected ones back.

The same is typically true of IPv6 for default configurations. You aren’t required to allow IPv6 hosts to accept unsolicited incoming traffic.

> But it is... you need a bunch of new rules to pass through, limit or block a bunch of ICMPv6 messages.. there's a whole RFC just for that - https://datatracker.ietf.org/doc/html/rfc4890

With the exception of home agent, mobility and other IPv6-specific messages, many of these recommendations also hold true for IPv4. It’s just that nobody really bothers to think that deeply about it, block all ICMP and then are shocked_pikachu_face when Path MTU discovery etc don’t work.

> Yes, rules do work exactly the same, but with IPv4, you just let all the connections out through, and let just the established and connected ones back

Yeah and? How do you think IPv6 works, it’s exactly the same.

My router’s firewall’s ipv6 section help: “All outbound traffic coming from IPv6 hosts on your LAN is allowed, as well as related inbound traffic. Any other inbound traffic must be specifically allowed here.”

People keep saying "the sky is falling, with ip6 all the hosts are open to the internet" but not really it is usually one rule.

On OpenBSD pf:

block outside connections from initiating connections to your hosts

    block in on $external_if from any to $ip6_network

On IPv4, if the world were just, you would have the same rule (in IPv4). However, the world is not just and you usually only get one address, so you have to pull some shenanigans to spoof that address across all your hosts:

    match out on $external_if from $internal_net to any nat-to $external_if

Really we all have a sort of Stockholm syndrome and think yes, this is normal, this is correct and being able to end to end address a host is weird and wrong.

> it is usually one rule

But it is not, because you have to let ICMP pass through, for IPv6 to work (eg. for path MTU discovery to work (no more "classic" fragmentation in ipv6)).

So it's one rule to block incoming traffic, and a bunch of rules to properly allow ICMPv6 to pass through to the internal network (look at the RFC linked above)
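As an added example (mine, not from anyone in this thread) of the "one rule plus ICMPv6 exceptions" policy argued about above, here is the same logic written out as a small stateful filter in Python, so the pieces can be checked one by one. The packets are hand-built records, not captured traffic; the type numbers come from RFC 4443 and RFC 4861 and the allow/drop grouping follows RFC 4890 section 4.3. It is a model for reasoning about a ruleset, not a replacement for pf or nftables.

```python
from dataclasses import dataclass, field

# ICMPv6 type numbers (RFC 4443, RFC 4861, RFC 2710/3810); grouping follows RFC 4890 sec. 4.3.
ERROR_TYPES = {1, 2, 3, 4}              # unreachable, packet too big, time exceeded, parameter problem
ECHO_TYPES = {128, 129}                 # echo request / reply
NDP_TYPES = {133, 134, 135, 136, 137}   # router solicitation/advertisement, NS, NA, redirect
MLD_TYPES = {130, 131, 132, 143}        # multicast listener query/report/done, MLDv2 report


@dataclass(frozen=True)
class Packet:
    """A hand-built packet summary (constructed for the example, not captured)."""
    direction: str          # "in" = arriving from the internet, "out" = leaving the LAN
    proto: str              # "tcp", "udp" or "icmpv6"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1
    hop_limit: int = 64
    syn_only: bool = False  # TCP SYN without ACK, i.e. a new connection attempt


@dataclass
class EdgeFilter:
    """Stateful filter at the IPv6 edge of a routed LAN. No NAT is involved:
    'established' is decided purely by the flow table, exactly as for IPv4."""
    flows: set = field(default_factory=set)
    published: set = field(default_factory=set)   # (address, port) pairs deliberately exposed

    @staticmethod
    def _flow_key(p):
        # 5-tuple normalised to the LAN side so that a reply matches the request
        if p.direction == "out":
            return (p.proto, p.src, p.sport, p.dst, p.dport)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def decide(self, p):
        if p.direction == "out":
            if p.proto != "icmpv6":
                self.flows.add(self._flow_key(p))   # remember it so the reply is let back in
            return "allow"
        if p.proto == "icmpv6":
            return self._decide_icmpv6(p)
        if self._flow_key(p) in self.flows:
            return "allow"                          # reply to a connection the LAN opened
        if p.proto == "tcp" and p.syn_only and (p.dst, p.dport) in self.published:
            return "allow"                          # a service that was explicitly published
        return "drop"                               # the "one rule": unsolicited inbound is dropped

    def _decide_icmpv6(self, p):
        t = p.icmp_type
        if t in ERROR_TYPES:
            return "allow"   # dropping these silently breaks path MTU discovery (type 2) and error reporting
        if t in ECHO_TYPES:
            return "allow"   # RFC 4890 allows these; a production ruleset would rate-limit them
        if t in NDP_TYPES or t in MLD_TYPES:
            # Link-local protocols: routers never forward them, so a legitimate one
            # arrives with hop limit 255. Anything else crossed a router and is bogus.
            return "allow" if p.hop_limit == 255 else "drop"
        return "drop"        # mobility, home agent, experimental: not needed at a site edge


if __name__ == "__main__":
    f = EdgeFilter()
    lan, remote = "2001:db8:1::10", "2001:db8:2::1"
    print(f.decide(Packet("out", "tcp", lan, remote, 40000, 443, syn_only=True)))   # allow
    print(f.decide(Packet("in", "tcp", remote, lan, 443, 40000)))                   # allow (reply)
    print(f.decide(Packet("in", "tcp", remote, lan, 5555, 22, syn_only=True)))      # drop
    print(f.decide(Packet("in", "icmpv6", remote, lan, icmp_type=2)))               # allow (PTB)
    print(f.decide(Packet("in", "icmpv6", remote, "ff02::1", icmp_type=134)))       # drop (RA, hop limit 64)
```

The only IPv6-specific parts are the ICMPv6 branch and the hop-limit check; the flow table and the "published service" exception are the same shape as for an IPv4 edge. The error-type branch is deliberately unconditional here; a real filter should also check that the embedded original packet belongs to a known flow.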

This is what stops me from turning on IPv6 from my provider. The modem has a reasonable IPv4 firewall but jack for IPv6 and I don’t have the time to figure it out.

Not a residential user, but I ran a small p2p gateway for a few hundred users, and I ended up having to disable ipv6 resolution for remote servers because so many servers would just advertise an AAAA address that didn't work, so we got tons of timeouts. I would say this affected maybe 10% of servers. A lot of them seemed to be hosted on Hetzner, but I never got a good sense of the root cause—mostly seemed to be lack of testing or usage, like users who had typoed an ipv6 address or moved their servers and updated their A record without remembering to update their AAAA.

I've disabled it on my router. My reasoning is that I don't know what kind of firewall rules, if any, the router has for ipv6 traffic. If it's just going to forward any valid incoming ipv6 dst address, that would seem like a new risk. I'm happy to be convinced otherwise by knowledgeable folks.

Yes, there are situations like "The crap VPN (hello AnyConnect) my work makes me use doesn't work if IPV6 is enabled. And I could troubleshoot it, but it's easier to disable IPV6 on my PC".

Default config, last I checked, for AnyConnect is to block all ipv6 even if split tunneling is enabled; the client will block all ipv6 unless it has been specifically configured to allow it.

There's all sorts of things controlled at the head end. As mentioned, didn't troubleshoot it. But, disabling ipv6 on my PC, and then everything works. Turn it back on, nothing works.

Ubiquiti has several gateway products that have no hardware acceleration for IPv6.

It's not a _good_ reason, Ubiquiti should've included IPv6 support from the start with the price they're asking, but it's a reason.

Even worse, to this day, Ubiquiti still does not support Android IPv6 clients because their internal-facing RA dnsmasq configuration has a bug. It would take an engineer a few hours to fix it; it's a one-line change. It's been reported and tracked internally in their support queue for more than two years; nothing has come of it.

It's stuff like this that's turned me away from buying Ubiquiti.

Stuff breaks. I fought this fight a few years back just to educate myself, and the mere presence of IPv6 on the network, DHCPv6 addresses being handed out, AAAA records being returned from the local caching DNS, etc... made all sorts of software loopy. One I remember in particular was that if you hit a default openssh configuration from the local (!) network, even on a link-local address, it would try to do a RDNS lookup and take 6 seconds or somesuch to time out.

I remember a coworker telling me about a TV that would request and accept a DHCPv6 address and then fail hard getting to the internet. Wifi router firmware likewise messes things up, etc...

It frankly just wasn't worth the hassle. Mobile networks that can control and enforce the full stack have been able to make it work. My guess is home/wifi environments will be IPv4/NAT until the end of time, frankly.

Because it's an over-engineered pile of shit. The only thing required was an increase in the address space, but we got IPv6 instead, which everyone sane resists to this day. Defaulting to hex addressing only a sheltered engineer would do.

It's not very over-engineered; most parts of it work the same as v4 does, just with bigger addresses.

Writing the addresses in hex is because doing so is easier. It lines up with the binary better which makes subnetting easier, and do you really want to deal with addresses that look like ""?

In the past there have been cases where firewall defaults were configured incorrectly for IPV6 and stuff would get inadvertently exposed. I don't think that's as common now but I could see just entirely disabling ipv6 to avoid this if you don't want to specifically test to make sure the configuration is correct.

If you have a large estate of IPv4 addresses, the more ubiquitous IPv6 gets, the less they're worth.

We're still at a point where at least 60% of users (according to Google) are still IPv4-only. I imagine we're still a little far from the tipping point where IPv4 becomes less valuable.

I recently disabled IPv6 on my home network to make firewall rules more manageable, and I was always under the impression IPv6 adoption was slow. So I was pretty surprised to check and see Google user's adoption has reached 40%. I feel like ISPs are a big push for that.

It's probably mostly from mobile carriers. Though I know Comcast runs v6 on large portions of their residential networks.

Yes, I turn it off because it's always causing unpredictable problems. I actually tried to switch to all IPv6 and that was worse than ipv4 because you still need to run a full ipv4 stack to visit almost anything on the web without a proxy.

I did it before because I assumed it was causing issues and not configuring things on my network properly.

I was wrong and the issues were elsewhere, but it remained disabled on the router for a long time.

I’m generally a person who resists change and I can’t tangibly see the benefits of ipv6; until I realised that “port-forwarding” is an exclusively NAT problem and it’s much easier with ipv6 to just natively open a port on the firewall if I want.

I do. I don't know why, but when debugging some network issues I discovered just shutting IPv6 down fixed the issue. Could it have been a buggy implementation on a single device on the network messing everything up? Maybe. But since I have no real benefit for IPv6, it was trivial to turn off.

It also lets me wait until other people (hopefully) build better privacy systems.

IPv6 has had privacy built in for years now, on every OS available. Your inbound address will remain static and possibly MAC-address-derived, but unless you're hosting anything on it (or disabled your firewall) your network traffic will be perfectly private.

I've noticed several websites where IPv6 has lower latency than IPv4. The ease of accessing different VMs on cloud providers that will hand out a single IPv4 address, though alternatives like Betternet/Tailscale/Tor will also work around that problem.

"IPv6 has had privacy built in for years now, on every OS available. Your inbound address will remain static and possible MAC address derived, but unless you're hosting anything on it (or disabled your firewall) your network traffic will be perfectly private."

I've tested with IPv6 on and off on several machines over the course of months. Google's search results become wild and unpredictable on the same machines soon after switching to IPv4.

My theory is that they rely on that IPv6 address to know exactly who they are providing results to and thus selling to.

If that theory didn't hold water, there would be exactly zero difference in search results after switching to all IPv4.

I've switched between IPv4 and IPv6 and Google's search results are practically equally bad after switching between either. Unless you're behind CGNAT, I suppose.

I've noticed that many IPv6 address blocks have more up to date location information from parties like Maxmind.

Yes at my router for privacy. Not nat means no source device obfuscation.

No source device obfuscation equals device tracking

RFC3041 (Privacy Extensions for Stateless Address Autoconfiguration in IPv6) and its successors have been around for 20 years now and are supported in every major operating system.

In fact, macOS is so aggressive about using temporary addresses that I had to turn off SLAAC in order to be able to ssh back into my desktop.
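Added example, not from the thread: a small Python check for the "MAC-address-derived" question raised in this privacy sub-thread. It tells you whether an address's interface identifier is modified EUI-64 (RFC 4291 Appendix A), i.e. whether the MAC is recoverable from it, which is exactly what the RFC 4941 temporary addresses mentioned above and RFC 7217 stable-opaque identifiers avoid. Run it over the output of `ip -6 addr` on your own hosts to see which of them are still handing out their MAC. The sample addresses and MAC are constructed.

```python
import ipaddress


def interface_identifier(addr):
    """The low 64 bits of an IPv6 address, as 8 bytes."""
    return ipaddress.IPv6Address(addr).packed[8:]


def mac_to_eui64_iid(mac):
    """Modified EUI-64 (RFC 4291 App. A): split the MAC, insert ff:fe, flip the U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def eui64_mac(addr):
    """Return the MAC address an EUI-64 IID was built from, or None.
    A random IID hits the ff:fe pattern by chance about once in 65536 times,
    so treat a match as 'looks MAC-derived', not as proof."""
    iid = interface_identifier(addr)
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


def classify(addr):
    """One-line verdict for an address audit on your own hosts."""
    a = ipaddress.IPv6Address(addr)
    scope = "link-local" if a.is_link_local else ("global" if a.is_global else "other")
    mac = eui64_mac(addr)
    if mac is not None:
        return f"{scope}: EUI-64 IID, derived from MAC {mac} (constant across networks, trackable)"
    return f"{scope}: opaque IID (RFC 4941 temporary or RFC 7217 stable; MAC not recoverable)"


if __name__ == "__main__":
    # Constructed samples: a MAC-derived address and a random-looking one
    for a in ("fe80::211:22ff:fe33:4455", "2001:db8::211:22ff:fe33:4455", "2001:db8::8a2e:370:7334"):
        print(a, "->", classify(a))
```

The check is purely structural, so it cannot distinguish a temporary address from a stable-opaque one; what it does reliably is flag the case where the hardware address leaks, which is the one worth fixing on a host that has privacy extensions switched off.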

Yes at my router for privacy. No nat means no source device obfuscation

Yeah, we've disabled it at our SMB at the router-level. No real benefit from using it and it causes DNS issues. We were actually advised to do this by our commercial ISP.

>What's a good reason to avoid IPV6?

IPv6-only CVEs (these have existed!)

Cause there are no IPv4 only CVEs

You can have both if you want!

Yep, I do. About once a year I try IPv6, and give up after a couple weeks when I keep having weird transient errors that I can't pin down accessing websites and other remote hosts, all of which go away the moment I turn off IPv6.

Maybe it's me, maybe I have a bad config or bad hardware, but it just doesn't work for me.

I have AT&T fiber. I've been running IPv6 for about 2 years now and haven't had any issues at all. iCloud Private Relay also works via IPv4/IPv6, but I have had to disable it once or twice. Who is your ISP? How do sites like https://ipv6-test.com/ and https://test-ipv6.com/ score your connection when you have IPv6 enabled?

AT&T fiber. Haven't tried those particular sites, but the ones I did try to test it all passed (but weren't as thorough as the ones you linked).

Next time I try I'll use those sites and see what they say.

Yes. Actually no, not disable, I use Local-Local, there's a rare application here and there that needs to see an IPv6 stack is available then connects normally over IPv4. Google and anyone touting IPv6 can take IPv6 and have a nice day.

My guess is mostly mobile traffic?

I run a personal tech website containing OSS projects, and have been supporting v6 for more than a decade. Currently seeing few hundred unique visitors per day.

IPv6 has been steady at ~15% of all inbound requests for the past 5 years, with zero signs of increase.

Both my own fixed adsl service and a different mobile carrier do not offer v6, so I have to jump through hoops to verify my server setup.

Yeah I came here to say this. Mobile carriers in Sweden seem to have much better ipv6 support than regular broadband ISPs.

I realize there are a million ways to leak addresses, but in theory is a private ipv6 space brute forceable? ie: I have every service listen on a port on some IP, they all discover each other through some specific channel (like dns). Assuming the attacker doesn't have access to that channel, they would have to start scanning every ip to try to discover services, yeah?

There are ways to optimize an attack but pure brute force like IPv4 is impossible.

On a local link, if you know the ipv6 address of one machine you can guess others by getting their device ID (MAC address) and then modifying the known address. So you can use neighbor discovery to find the other MAC addresses to craft the IP addresses.

I think you can also take advantage of router advertisement or client solicitations somehow but I’m not familiar with the details (i.e. passive listening on multicast vis a vis broadcast)

Thanks. I'll have to do some googling on that.

There's neighbor discovery.

I'd be using IPv6, but it's not directly supported by Sonic Fiber in the bay area, strangely enough. Need to use 6in4 tunnelling if you want it.

I’m a Sonic customer, and have a fully working IPv6 connection from them.



Gigabit fiber from them explicitly says it isn't supported.

Whoa. I have no idea. I absolutely, 100% certainly, do though. I have Sonic gigabit fiber, and can use IPv6 to connect to remote hosts (and can connect to my LAN from remote hosts on specific ports I have open).

If your IPv6 prefix begins with 2602:240, then your router is using the Sonic 6RD tunnel.

It doesn't. I'm in the 2600:1700 network.

Can anyone explain why the trend is cyclical with a period of a week?

The peaks are on Saturdays so my guess is residential ISPs/personal traffic peaking on weekends while the mon-fri 9-5 are on older legacy IPv4 systems. But that's just a guess as the reason why.

Also, perhaps more people are out and about using mobile networks rather than WiFi on the weekends.

Thanks, that makes sense.

Office workers accessing the internet from their offices perhaps? My understanding is that NATs are more common for residential connections.

Are there any advantages to IPv6 other than more addresses ?

In theory, IPv6 could be slightly faster than IPv4.


- Smaller headers

- Simpler routing

v6 actually has longer headers on average (40B instead of 20B) but is generally more efficient to process because it's a fixed header length.

On the other hand, theoretically IPv4 header length could vary depending on the presence of IP options, so you'd need to compute the offset to continue processing the packet.

(I say theoretically because conventional wisdom is that IP options are unreliable in the face of middleboxes, so they're mostly unused. But compliant IPv4 processors have to calculate the header size anyways...)
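Added example (mine, not from this thread) showing the header-length point in code: finding the transport header in an IPv4 packet needs the IHL field because options stretch the header to anywhere between 20 and 60 bytes, while IPv6 has a fixed 40-byte header but may chain extension headers in front of the transport header. The packets are built by hand with zeroed addresses and checksums and are constructed, not captured.

```python
import struct

TCP, UDP, ICMPV6 = 6, 17, 58
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}   # the common chainable ones


def transport_offset(pkt):
    """Return (offset of the transport header, transport protocol number)."""
    if not pkt:
        raise ValueError("empty packet")
    version = pkt[0] >> 4
    if version == 4:
        ihl = (pkt[0] & 0x0F) * 4          # IHL is in 32-bit words; 5 = no options
        if ihl < 20 or ihl > len(pkt):
            raise ValueError("bad IHL")
        return ihl, pkt[9]                  # byte 9 is the protocol field
    if version == 6:
        if len(pkt) < 40:
            raise ValueError("truncated IPv6 header")
        next_header, off = pkt[6], 40       # fixed 40-byte base header
        while next_header in EXT_HEADERS:
            if off + 2 > len(pkt):
                raise ValueError("truncated extension header")
            # the fragment header is always 8 bytes; the others carry (hdr_ext_len + 1) * 8
            ext_len = 8 if next_header == FRAGMENT else (pkt[off + 1] + 1) * 8
            next_header, off = pkt[off], off + ext_len
            if off > len(pkt):
                raise ValueError("extension header runs past the end of the packet")
        return off, next_header
    raise ValueError(f"unknown IP version {version}")


def build_ipv4(proto=TCP, options=b"", payload=b""):
    """Minimal IPv4 header (zero addresses/checksum) with optional IP options."""
    if len(options) % 4:
        raise ValueError("options must be padded to a multiple of 4 bytes")
    ihl = 5 + len(options) // 4
    total = 20 + len(options) + len(payload)
    hdr = bytes([0x40 | ihl, 0]) + struct.pack("!HHHBBH", total, 0, 0, 64, proto, 0) + bytes(8)
    return hdr + options + payload


def build_ipv6(next_header=TCP, ext_headers=(), payload=b""):
    """Minimal IPv6 packet. ext_headers is a sequence of (type, raw bytes); each raw
    header carries its own Next Header byte, so next_header is only used when the
    chain is empty."""
    chain = b"".join(body for _, body in ext_headers)
    first = ext_headers[0][0] if ext_headers else next_header
    hdr = struct.pack("!IHBB", 0x60000000, len(chain) + len(payload), first, 64) + bytes(32)
    return hdr + chain + payload


def hop_by_hop(next_header):
    """An 8-byte Hop-by-Hop header (Hdr Ext Len 0) padded with a PadN option."""
    return HOP_BY_HOP, bytes([next_header, 0, 1, 4, 0, 0, 0, 0])


if __name__ == "__main__":
    print(transport_offset(build_ipv4()))                               # (20, 6)
    print(transport_offset(build_ipv4(options=b"\x01\x01\x01\x01")))    # (24, 6), four NOP options
    print(transport_offset(build_ipv6()))                               # (40, 6)
    print(transport_offset(build_ipv6(ext_headers=[hop_by_hop(UDP)])))  # (48, 17)
```

A filter or IDS that assumes a 20-byte IPv4 header, or stops at the IPv6 base header without walking the chain, reads the wrong bytes as the transport header and classifies the packet incorrectly; the length checks on every hop through the chain are what keep the parser from reading past the end of a truncated packet.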

And no CGNAT which should make a bigger difference. Xbox live supported IPv6 for years because gamers really care about latency.

"More addresses" has a handful of knock-on benefits; or, perhaps more accurately, ipv6 would let greenfield systems skip out on some workarounds made necessary by not enough addresses.

I just hope ipv6 doesn't have the privacy nightmare that 1 device will always get 1 IP. Currently, the ISP I use provides a dynamic IP, so on every router restart my IP gets changed. If they start to provide ipv6, I hope they give options to rotate it frequently, so toxic companies like Meta, Facebook, Microsoft can't connect my device & IP.

It rotates about once a day in most operating systems. Called ipv6 privacy extensions. This is of course defeatable, but it provides a nice black hole for a device. It moves on and you can't connect to it anymore.

Yeah, I'm not sold by this. I want all of my source traffic to show my gateway as the origin, not my unique end devices.

privacy nightmare

On a protocol level, there is nothing in ipv6 preventing you from doing NAT. There are only fewer implementations of that, but it doesn't need buy-in from your ISP, as long as you control the router (and if not, you put a second router behind the first one which has your actual network).

I work for a large online service. We barely need your IP to track you. There are _so_ many other variables sites can use to track you. Even when you switch networks completely.

Your fear of IP tracking is outdated.

It's not a privacy nightmare. You could just run a proxy on your gateway and your connections would legitimately end up coming from it, but it wouldn't actually do much for your privacy.

Rotating the IP to get similar privacy to what NAT/PAT gave you is annoying. I know with v6 we need to use DNS, but I hate to say it: I miss NAT. I hope they just give us NAT66.

It only rotates the IP used for outbound connections; you still have a non-rotating IP you can use for inbound.

"This is of course defeatable"

Yes, which is why I don't use IPv6.


You are mixing up IPv6 prefix rotation and IPv6 privacy extensions, and you don't seem to take into account that IPv4 from most ISPs is much worse (typically, you get an IPv4 address from your ISP via DHCP and keep it nearly forever, nothing to defeat).

With IPv6 each device getting a unique IP is not a bug but a feature -- what will probably happen is that your ISP will lend out a /64 range to you, which your devices will use to assign a unique IP to themselves. This completely removes the need for NAT (also, keep in mind that a NAT is not a firewall or a security feature). BTW, dynamic IP rotation was never a guarantee and is only used because the pool of IPs were small. Use a VPN to avoid FAANG.

oh perfect for device tracking!!

hope you don't have any tweets that offend your government lol

How is it any worse than the current system? Use Tor or I2P.

NAT is not a privacy or security feature. You can treat it like it is, but only at your own risk.

While I understand the sentiment, NAT does so much to protect most users, it should be considered a security feature.

It's really not, and here are some of the methods by which NAT can be bypassed, because it's not a security feature:




NAT itself doesn't provide any protection at all. You can set up NAT in dozens of different configurations (1:1 NAT comes to mind), but in the way consumer routers generally set up NAT, I can see why you'd say that (despite there being standard ways to forward ports without any user intervention such as UPnP). There's nothing "secure" about NAT.

Not having client devices accessible via unique IPs is a great security feature. Certainly an unintended side effect, but NAT is what is dropping unwelcome incoming traffic on consumer devices.

You mean a firewall? NAT doesn’t have to drop any packets. It can translate unknown flows into broadcast packets, forward them to a set IP (DMZ), or drop them. NAT is not a firewall, even if some configurations make it kinda sorta, if you squint, look like one.

I think the argument is about the address origin being overwritten vs forwarded to the destination.

Is about device tracking and privacy

I don't think that works. A router should decrement the TTL of the frame, thus showing that there is a router in front of the host device. The Linux default is 64 and Windows is 128 IIRC, so you can easily deduce the OS just from looking at the TTL. This can tell you whether an IPv4 device is directly connected. From there, you just need to look at the IP ID in the packet and figure out which ones are increasing independently to determine individual devices behind the NAT.

So, no. NAT gives you 0 privacy.
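A small worked version of the TTL-plus-IP-ID technique the comment above describes (it is Bellovin's NAT host-counting method), added here as an example rather than anything posted in the thread. The packet records are constructed sample data from a single public source address, and the 64-ID window used to link packets into a chain is an assumed heuristic:

```python
"""Passive counting of hosts behind a NAT from TTL and IP ID sequences.

Added example, not from the thread. SAMPLE_PACKETS is constructed data:
(observed_ttl, ip_id) pairs, all arriving from one public IPv4 address.
"""
from collections import defaultdict

# Common initial TTLs; the hop count is the distance to the nearest one at
# or above the observed TTL (a NAT router counts as one hop).
INITIAL_TTLS = (32, 64, 128, 255)

# Constructed sample: two Linux-like hosts (initial TTL 64, seen as 63) with
# separate IP ID counters, and one Windows-like host (initial 128, seen as 127).
SAMPLE_PACKETS = [
    (63, 1000), (127, 5000), (63, 4200), (63, 1001), (127, 5001),
    (63, 4201), (63, 1002), (127, 5002), (63, 4202), (63, 1003),
]


def infer_initial_ttl(ttl):
    """Most likely initial TTL for an observed TTL value."""
    for candidate in INITIAL_TTLS:
        if ttl <= candidate:
            return candidate
    raise ValueError("TTL out of range")


def hop_count(ttl):
    """Routers crossed between the sender and the observer."""
    return infer_initial_ttl(ttl) - ttl


def count_nat_hosts(packets, window=64):
    """Group packets into per-host IP ID chains.

    A packet joins an existing chain when it has the same inferred initial
    TTL and its IP ID lies within `window` above the chain's last ID;
    otherwise it starts a new chain. Returns {initial_ttl: [chain, ...]},
    each chain being the list of IP IDs attributed to one host.
    """
    chains = defaultdict(list)
    for ttl, ip_id in packets:
        init = infer_initial_ttl(ttl)
        for chain in chains[init]:
            last = chain[-1]
            if last < ip_id <= last + window:
                chain.append(ip_id)
                break
        else:
            chains[init].append([ip_id])
    return dict(chains)


def host_estimate(packets, window=64):
    """Estimated number of distinct hosts behind the NAT."""
    return sum(len(group) for group in count_nat_hosts(packets, window).values())


if __name__ == "__main__":
    for init, group in count_nat_hosts(SAMPLE_PACKETS).items():
        print(f"initial TTL {init}: {len(group)} host(s): {group}")
    print("estimate:", host_estimate(SAMPLE_PACKETS))
```

Caveat for anyone reusing this: the TTL half is still reliable, but the IP ID half is far weaker than when the technique was published. RFC 6864 allows the ID of unfragmented datagrams to be anything, and recent Linux kernels use randomly seeded per-destination counters, so packets from one host no longer form a single global sequence and the chain count becomes an overestimate.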

Every ISP I know has their routers set to block incoming traffic by default. With most consumer router SIP ALG being defeated easily (NAT slipstreaming attacks etc) I'd argue that NAT is actually worse for security than just a simple firewall.

NAT doesn't.

1:many NAT does.

1:many NAT requires an affirmative choice on where to route incoming packets that aren't part of an existing stream.

In adaptation to that, most attacks are malware spread by email, or attack browser vulnerabilities, or attack services running on network devices, especially remote management systems.

> NAT doesn't.

> 1:many NAT does.

This is technically correct but how often do you really see 1:1 NAT.

It's not even technically correct; it's just wrong.

NAT doesn't make any choices on where a packet gets delivered. For packets that aren't part of an existing stream, NAT will simply not edit the packet. Unless there's a separate firewall that chooses to drop it, the packet will get delivered to whatever IP was already in the destination field, which could be the IP of one of your LAN machines.

> For packets that aren't part of an existing stream, NAT will simply not edit the packet.

A 1:1 NAT should generally just swap IP for IP and not know about streams or ports at all.

> Unless there's a separate firewall that chooses to drop it, the packet will get delivered to whatever IP was already in the destination field, which could be the IP of one of your LAN machines.

I would call that a routing rules error, even in the absence of a firewall.

You can still set up inbound firewall on IPv6, my ISP does it (to my annoyance).

IPV6 is sort of like the new MAC address hardware identifier. An IP for every atom in the universe!

There are a lot more atoms (10^80 or so) than IPv6 addresses (10^38).

How could a device have a hardware-embedded IP address, if the hardware vendor doesn't know which ISP you will use?

> How could a device have a hardware-embedded IP address, if the hardware vendor doesn't know which ISP you will use?

By putting the hardware part in the second half, and the ISP part in the first half.

You know, like how it works by default.

Most devices randomize the second half by default, using RFC3041 and its successors.

They do, these days.

But then why were you asking "how" a device could have a permanent hardware identifier with its address? Just don't implement those optional RFCs.

And the comment you were replying to didn't say it had to be the entire address, and there's no reason for it to be.
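To make the "hardware part in the second half" concrete, here is an added example (not code from the thread) that builds a SLAAC address from a MAC with the modified EUI-64 rule, recovers the MAC from such an address, and generates an RFC 4941-style temporary identifier instead (RFC 3041 mentioned above was obsoleted by RFC 4941 and later RFC 8981). The MAC and the 2001:db8:1:2::/64 prefix are made-up values:

```python
"""SLAAC interface identifiers: modified EUI-64 versus temporary (privacy)
addresses. Added example; the MAC and prefix used are made up."""
import ipaddress
import secrets


def eui64_iid(mac):
    """Modified EUI-64 interface identifier (RFC 4291 appendix A) from a MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Insert ff:fe in the middle, then invert the universal/local bit.
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def slaac_address(prefix, mac):
    """Address a host forms from a /64 prefix when it uses EUI-64 IIDs."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_iid(mac))


def mac_from_address(addr):
    """Recover the MAC if the address carries a modified EUI-64 IID, else None.

    This is the tracking problem: the same 64 bits follow the device across
    every network it joins, whatever prefix is in front of them.
    """
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in bytes(iid[:3] + iid[5:]))


def temporary_address(prefix):
    """RFC 4941-style temporary address: a random IID with the u/l bit cleared."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a /64 prefix")
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= 0xFD  # clear bit 0x02: locally generated, not universal
    return ipaddress.IPv6Address(net.network_address.packed[:8] + bytes(iid))


def in_prefix(addr, prefix):
    return ipaddress.IPv6Address(addr) in ipaddress.IPv6Network(prefix)


if __name__ == "__main__":
    prefix, mac = "2001:db8:1:2::/64", "00:1a:2b:3c:4d:5e"
    stable = slaac_address(prefix, mac)
    print("EUI-64 address:", stable, "-> MAC", mac_from_address(stable))
    print("temporary address:", temporary_address(prefix))
```

The ff:fe marker in the middle of the interface identifier is what makes mac_from_address work, and it is also a cheap way to find hosts on your own network that still use EUI-64 identifiers: any global address whose bytes 11 and 12 are ff:fe is announcing its hardware address to every server it talks to.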

That's the issue I have with it, it's not a feature.

It's sad how much has changed in the past 10+ years. I remember arguments advocating for IPv6 for exactly that reason: 1 device per 1 IP. Back then, it was seen as something great.

I agree with what you said. It's just interesting how it illustrates how different things are now.

> I remember arguments advocating for ipv6 for exact reason. 1 device per 1 ip. Back then, it was seen as something great.

I remember a bunch of people being horrified by the idea of 1 device per IP. I think it's more a matter of who you were around than the group changing their mind, but maybe that happened too.

The first link mentions no more NAT as an advantage, but I think it's actually one of the big issues holding up adoption. Rightly or wrongly, since the '00s the perception is that sitting directly on the internet with a public address is a big security no-no.

There's an argument to be made that mixing dynamic addresses with the pool of other users of the same ISP is beneficial for privacy.

The fact that peer-to-peer applications can finally start working is an unquestionable advantage.

I assume for mobile operators there are advantages for location roaming. I'm not sure when you change cells if IP stays the same, but must be a routing nightmare.

Ooooh, this is actually fun. Your IP does not change, even when switching from LTE, 3G, 4G and 5G. There's an excellent post in the old Sprint forums where a company network engineer explains how it works. I can't find it though, but it's pretty wild.

In brief, it is because internet connectivity on most cellular networks goes through single gateways and devices are effectively "tunnelling" to those gateways. As long as the tunnel stays up and the mobile device is still identifiable on the RAN then the IP address assigned from the internet gateway doesn't need to change.

What I found especially interesting is how it keeps track of the device, especially when transferring from say a LTE capable station to a station that only supports 3G.

OK so no advantage with IP6?

The per-country view is interesting - a huge country like India really going for it is good to see.

There is a huge phone network/ISP called Jio there. I read they are using 624 only.

Weird, the stats on the first graph show the 6to4 traffic being extremely minimal

I meant that they use NAT64, and it goes to Google over native v6

What happens to games and in general applications, which are old and only have an IPv4 input field? How is it bridged to IPv6? If a friend only has an IPv6 address, how can I connect to them?

I guess I will have to set up a VPN, which internally uses IPv4 addressing?

See other comment in this thread:


Seems like India is leading in IPv6 adoption; Jio is the leading ISP.

And if you click through to see the US, it’s over 50%.

I am surprised by such a low number. ISPs and mobile carriers have been supporting IPv6 for years already.

Is it because a large portion of the traffic is done through corporate enterprise networks and proxies? Enterprises are the ones slowing down the adoption of IPv6.

Glad to see India in deep green.

Around 2008, my university (utwente.nl) supported IPv6. Google contacted us, asking if they could whitelist our network for IPv6 Google services. We agreed.

In my country, an ISP giving an IPv6 is rare, but using CG-NAT is incredibly common. I think they don't want to update the routers in the main nodes.

We are running out of IPv4. ISPs are switching to IPv6 to avoid CGNAT.

iCloud Private Relay is helping here. The network I’m on right now doesn’t have IPv6 but with iCloud Private Relay enabled visiting the IPv6 testing sites shows IPv6 in use.

A 7-day moving average on this graph would be nice.

Can anyone tell me why my iPhone has 4 IPv6 addresses but only 1 IPv4 address? I just don’t understand what’s happening here.

Edit: my mind might have been blurred by too many 4s and 6es, whoops. I thought it said "6 IPv6 addresses".

This still doesn't explain why it's six though, although I can think of four simultaneous IPv6 addresses - transient and persistent GUAs (which are accessible to the internet) a ULA (equivalent to IPv4 private address but which is rare in practice) and a link-local address (for communication to the router).


That was easy.

Why can't we paste an IPv6 address into the browser address bar and have it go to that address? I'm forced to add [brackets] and then it works. Why!????

IPv4 addresses just work without the hitch.

Because of colons. Colons separate the different sections of an IPv6 address, but HTTP URLs also use colons for the port, so the IPv6 address must be enclosed in brackets to differentiate between IP and port.

If IPv6 had used dots instead, then addresses like "2001.db8." would be ambiguous between an IP address and a hostname.

Perhaps they could've required every IPv6 address to use ".." exactly once for zero compression. Then you'd have "..2001.db8.", "2001.db8..beef.de", etc.

I guess the nullary ".." could go in the middle, but that would enshrine the /64 boundary into the addressing scheme, which seems like a leaky abstraction.

is there "no" to automatically append brackets? like we do with ctrl+enter?

Is "2001::0:8080" 2001::0 port 8080, or 2001::0:8080 port 80? There you go. Of course you can argue for automatic conversion when there's no ambiguity.

It's 2001::0:8080 port 80. Require the brackets for specifying a port number with a v6 address, and don't accept a port without the brackets. That way there's no ambiguity.
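An added example (not code from the thread) of the parsing rule the last few comments describe: a host-and-port splitter for the authority part of a URL that requires brackets around an IPv6 literal and accepts a port only after the closing bracket, so "2001::0:8080" is rejected as ambiguous rather than guessed at. The scheme argument and the default-port table are assumptions made for the example:

```python
"""Splitting a URL authority into host and port with IPv6 literals.

Added example implementing the RFC 3986 rule discussed above: an IPv6
literal is only valid inside [brackets], and a port may only follow the
closing bracket. The default-port table is an assumption of the example.
"""
import ipaddress

DEFAULT_PORTS = {"http": 80, "https": 443}  # assumed for the example


def split_authority(authority, scheme="http"):
    """Return (host, port). Raises ValueError for anything ambiguous."""
    if authority.startswith("["):
        end = authority.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal")
        host, rest = authority[1:end], authority[end + 1:]
        try:
            ipaddress.IPv6Address(host)
        except ValueError as exc:
            raise ValueError(f"not an IPv6 literal: {host!r}") from exc
        if rest == "":
            return host, DEFAULT_PORTS[scheme]
        if not rest.startswith(":"):
            raise ValueError(f"unexpected text after IPv6 literal: {rest!r}")
        port_text = rest[1:]
    else:
        # More than one colon can only be an unbracketed IPv6 literal, and
        # "2001::0:8080" cannot be split into host and port unambiguously.
        if authority.count(":") > 1:
            raise ValueError("IPv6 literal must be enclosed in brackets")
        host, sep, port_text = authority.partition(":")
        if not host:
            raise ValueError("empty host")
        if not sep:
            return host, DEFAULT_PORTS[scheme]
    if not (port_text.isascii() and port_text.isdigit() and int(port_text) <= 65535):
        raise ValueError(f"bad port: {port_text!r}")
    return host, int(port_text)


def join_authority(host, port, scheme="http"):
    """Inverse: bracket IPv6 literals so the result re-parses unambiguously."""
    literal = f"[{host}]" if ":" in host else host
    return literal if port == DEFAULT_PORTS[scheme] else f"{literal}:{port}"


def is_valid_authority(authority, scheme="http"):
    try:
        split_authority(authority, scheme)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for text in ("[2001::0]:8080", "[2001::0:8080]", "2001::0:8080", "example.com:8443"):
        try:
            print(text, "->", split_authority(text))
        except ValueError as err:
            print(text, "-> rejected:", err)
```

If the same authority string is interpreted by two different parsers, say a URL allow-list check and the HTTP client behind it, disagreement on exactly this corner case is a classic source of SSRF bypasses; whatever code validates the host should be the code that later connects to it.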

For added fun, Firefox on Android doesn't even accept the bracketed form. They use a regex to determine if what you entered is a URL and they haven't bothered to add IPv6 support to it. There was an attempt, that got rejected because the regex became too slow, and then the issue was left open.

Well… only about 10 years after headlines were fearmongering about the world breaking due to IP addresses not being available.

The “breakage” is happening. It’s just in the form of crappy solutions like CGNAT and DS-lite to work around the shortage rather than the internet just not working at all.

Also, IPv4 address space is becoming entrenched by large players because address pricing is becoming very expensive.

Want to start a new service and require global connectivity? Good luck winning IPv4 auctions, because AWS is buying up all the address space, even if they are not using it.

They buy it up because they expect it will be needed by their customers, among whom is the US federal government. However, the world did not end, addresses can still be had, and things are still functional. I would say that the doom saying press was alarmist.

So, people worked around the problem and the world didn’t break.

What fearmongering? There were a bunch of articles about how we were going to run out of IPv4 addresses, and we have now essentially run out of IPv4 addresses. There's a reason everyone is given a dynamic IP address and hosting servers is hard these days.

Hardly seems like “fear mongering”.


Any given resource, as it becomes more scarce, goes up in price thus preventing there ever being zero of the given resource. The “world ending” result that fear mongering press outlets pushed is therefore not possible.

So why did you ever pay any mind to them?

The world isn't going to end just because v4 addresses are scarce (...and I don't think anybody was arguing that it would...), but that doesn't make the problems any less real, expensive or damaging.

Good question. No idea. Hate reading? I am not certain. Probably should reflect on it a bit.

The whole removal of NAT and directly connecting to the destination with the source address seems like a privacy and security nightmare, imo.

The security extension thing seems a bit wack. I'd still like all my traffic to originate from a single source and be tagged with that address only. This possible?

Nothing stops you using site- or link-local addresses and NATing to a single (or several) public IPv6 addresses, just as you do with IPv4. There was no "removal of NAT", it's just not necessary any more.

A proper firewall without NAT is generally fine, especially in combination with privacy extensions (which likely overall give better privacy than IPv4+NAT), but if you want to completely conceal the network layout behind your router, go nuts with NAT, no problem.

You can use NAT6 if you insist but there's no reason to. The aforementioned privacy extensions keep you from being tracked long-term based on address alone and your firewall is still blocking incoming traffic.

None of the computers I own personally use IPv6. IPv6 is a bad idea. IPv6 is a straight connection from the Internet through everything in the network, right to the individual machine.

Give me my IPv4 and NAT or turn the Internet off.

I know it's been repeated a million times by now, but NAT is not a replacement for a firewall. Most residential routers are deny in by default so you get zero incoming connections from the internet unless you open the relevant ports, exactly as with NAT.

NAT is id10t proof though. It takes a concerted effort to set a static internal IP, then NAT traffic to it, and then allow that traffic through the firewall. The other advantage is that it obfuscates the internal addresses. IPv6 is unnecessarily complex for what it solves. How hard would it have been to just add an additional octet? Pretty sure a large number of those that embrace it just love the opportunity to change something for the sake of change, or their boss said do it. I’ll be sticking with IP4 as long as I can or until there is an actual benefit to IP6.

Quite hard, actually, since that's mostly what v6 already does and you can see how many things need to change to accommodate it. Most other parts of v6's design are the same as v4, so it's not really very complicated compared to what we've already got.

(Of course v6 adds more than just one octet, since one additional octet wouldn't be enough even for the current size of the Internet, let alone for future growth. It would be really stupid to go through all this effort, only to have to turn around and do it all again immediately afterwards because you forgot to add enough the first time around.)

Yeah, I don’t buy the argument that we would have to do it again immediately. Unless I’m wrong (which I may be), adding an octet would increase the number of IP addresses x 255, give or take. Using the excuse of running out of addresses to do an unnecessary wholesale change is my definition of really stupid.

>IPv6 is a straight connection from the Internet through everything in the network, right to the individual machine.

It's not though. It goes through a router which has a firewall, which is the exact feature you're presumably wanting from a NAT but without any of the annoying downsides.

Disable inbound connections on your firewall and it's the same security as having NAT.

“In December 1998, IPv6 became a Draft Standard for the IETF,[2] which subsequently ratified it as an Internet Standard on 14 July 2017.”

40% adoption after 25 years? Really highlights how terrible IPv6 is in terms of backwards compatibility.

What we needed was an internet protocol with the benefits of IPv6 that runs as an extension to the IPv4 stack.

The current approach to duplicate everything into IPv6 is wasteful and time consuming, proven by the extremely slow adoption rate.

It's not as simple as that. There's no just "extending" the IPv4 stack unless you're going to "extend" every device that supports IPv4 with it. By that point you'd might as well just have IPv6.

IPv6 is perfectly backwards compatible with IPv4 with the IPv4-in-IPv6-address embedding and other technologies. The problem is that IPv4 is not forward-compatible with anything that has a larger address space. Thus an IPv4-only host will never ever be able to communicate with a non-IPv4 host, since there is no way to encode more than 32 bits of information in the IPv4 header.

So you will always end up in this situation where people just won't bother implementing the IPv4-replacement and you cannot simply switch to it.

But why couldn't we just put a middlebox in front of the host which translates a 4-over-6 address to a plain ipv4? The host box still sees only v4 but v6-only devices can still connect to it.

Like I could envision a simple router-like device doing this.

That's not the direction that's the problem - like I mentioned (IPv6 is backwards compatible), NAT64 and so forth boxes exist (but still not great since you have to hold state).

But the problem is that the inverse is not possible. How would an IPv4-only box connect to a non-IPv4 box? How do you encode more than 32 bits of information into the 32-bit destination address field of the IPv4 packet?
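Added example, not code from the thread: the two IPv4-in-IPv6 embeddings the comments above lean on, IPv4-mapped addresses (::ffff:a.b.c.d, RFC 4291) and the RFC 6052 encoding a NAT64 translator uses to synthesize IPv6 addresses for IPv4 hosts. It goes beyond the /96 case that 64:ff9b::/96 (the well-known prefix, assumed here as the default) uses, and implements the general RFC 6052 layout for all six permitted prefix lengths, where octet 8 (bits 64 to 71) is reserved and carries no IPv4 bits. All addresses are from the documentation ranges:

```python
"""IPv4 addresses embedded in IPv6 addresses: the RFC 4291 mapped form and
RFC 6052 NAT64 synthesis. Added example; every address used is from the
documentation ranges (2001:db8::/32, 192.0.2.0/24)."""
import ipaddress

# Well-known NAT64 prefix (RFC 6052 section 2.1); assumed as the default.
NAT64_WKP = ipaddress.IPv6Network("64:ff9b::/96")
RFC6052_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)
RESERVED_OCTET = 8  # bits 64-71 must stay zero and never hold IPv4 bits


def nat64_encode(v4, prefix=NAT64_WKP):
    """Embed an IPv4 address in an IPv6 prefix (RFC 6052 section 2.2)."""
    prefix = ipaddress.IPv6Network(prefix)
    if prefix.prefixlen not in RFC6052_PREFIX_LENGTHS:
        raise ValueError(f"unsupported NAT64 prefix length /{prefix.prefixlen}")
    out = bytearray(prefix.network_address.packed)
    pos = prefix.prefixlen // 8
    for octet in ipaddress.IPv4Address(v4).packed:
        if pos == RESERVED_OCTET:  # hop over the reserved u octet
            pos += 1
        out[pos] = octet
        pos += 1
    return ipaddress.IPv6Address(bytes(out))


def nat64_decode(v6, prefix=NAT64_WKP):
    """Inverse of nat64_encode; None when v6 is not inside the prefix."""
    prefix = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv6Address(v6)
    if prefix.prefixlen not in RFC6052_PREFIX_LENGTHS or addr not in prefix:
        return None
    packed, v4, pos = addr.packed, bytearray(), prefix.prefixlen // 8
    while len(v4) < 4:
        if pos == RESERVED_OCTET:
            pos += 1
        v4.append(packed[pos])
        pos += 1
    return ipaddress.IPv4Address(bytes(v4))


def embedded_ipv4(v6, nat64_prefix=NAT64_WKP):
    """IPv4 address an IPv6 address stands for, or None for a native IPv6
    destination, which has no 32-bit name an IPv4-only host could use."""
    addr = ipaddress.IPv6Address(v6)
    if addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return nat64_decode(addr, nat64_prefix)


if __name__ == "__main__":
    for plen in RFC6052_PREFIX_LENGTHS:
        prefix = f"2001:db8:122:344::/{plen}"
        synth = nat64_encode("192.0.2.33", prefix)
        print(f"/{plen}: {synth} -> {nat64_decode(synth, prefix)}")
    print("native:", embedded_ipv4("2001:db8::1"))
```

nat64_decode returning None for a native address such as 2001:db8::1 is the asymmetry described above in code: a translator can always dig the IPv4 address back out of a synthesized address, but there is no 32-bit field that can name a host that only has 128-bit addresses.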

> What we needed was an internet protocol with the benefits of IPv6 that runs as an extension to the IPv4 stack.

My understanding is that the reason it's a new version is so existing IPv4 infrastructure would not need to be changed. This "ships in the night" approach has pros and cons, of course, but I'm personally happy to give folks who thought about this problem for many years the benefit of the doubt.

> The current approach to duplicate everything into IPv6 is wasteful and time consuming, proven by the extremely slow adoption rate.

The beauty of the IPv6 approach is that it doesn’t matter how long it takes.

I don't understand how it's "wasteful". Is it wasteful to support 3 versions of HTTP?

HTTP is backwards compatible

It's not. There's a negotiation process, but you can't use HTTP/3 to deliver content to a client that doesn't support it.

"HTTP/3 uses QUIC instead of TCP for the underlying transport protocol. Like HTTP/2, it does not obsolesce previous major versions of the protocol." - https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol

Would you care to elaborate what "an internet protocol with the benefits of IPv6 that runs as an extension to the IPv4 stack" actually looks like at the technical level that would give the "backward compatibility" that IPv6 you claim is lacking ?

Despite the downvotes you are right. IPv6 replaces IPv4 rather than building on top of it and this really harmed adoption.

I read all of the IPv6-ish proposals at the time, and they all had major problems of one kind or another. The chosen proposal "really harmed adoption" when compared to a pie in the sky, not to the other proposals.
