This is required by law. [0][1]
Every ISP is required to be fully ipv6-enabled by the end of this year. The deadline has been pushed back multiple times , most recently due to covid. But this time it seems its going to stick. All lagging ISPs seem to have deployed v6 at this time.
There has been a "National IPV6 Plan" in place since 2010, and full coverage has been pushed under that plan in stages. Anyone interested can read all about it in (extensive) detail[2].
CGNAT is pretty expensive compared to rolling out IPv6 and tunneling IPv4 on it using stuff like MAP-E. I guess they still have no need to NAT everyone ATM because they have plenty of IPv4s to distribute to their subscribers.
CGNAT is pretty much the only setup on mobile though. Dunno if any equipment vendor doesn’t do that.
Would worry about most average cell phones sitting directly on the public internet.
I think there’s a reason we haven’t heard about mass-owns of mobile phones and it’s because they’re always effectively behind firewalls, not because of their superior security.
"80% of smartphones in the US on the major cellular network operators use IPv6 and major mobile networks are driving IPv6 adoption with Verizon Wireless at 84%, Sprint at 70%, T-Mobile USA at 93%, and AT&T Wireless at 57%"
And this were numbers from four years ago.
NAT is not a firewall and it's dangerous to think of it as such, because it causes people to follow a lax approach to security and think they are protected, when they actually aren't.
From practical standpoint, most common NAT setups come with "default deny incoming" firewall, and systems have relied on this fot a very long time.
I hope that IPv6 is rolled out to homes, most ISPs would do the right thing and set up customer routers firewall in "default deny incoming " mode. Otherwise, the number of worms would increase a lot.
We may argue that Windows Firewall (and macOS) by default already do that. On Linux, I usually set nftables like such on all my machines, but it's trivial for "user friendly" distros to ship sane defaults for nftables.
What scares me a lot is that lots of folks out there still rely on iptables, and do not realize that they need ip6tables to set IPv6 tables - I dread of the moment some random ISP will push IPv6 routes, SLAAC picks up an IPv6 on a random Linux box and that box gets instantly pwned because it has no ip6tables rule whatsoever blocking inbound traffic.
That’s fine and all: but are they issuing mobile phones a publicly addressable IP or not? Can a Verizon subscriber run a web server on their mobile phone and share their IPv6 or not?
NAT66 is, in general, utterly broken and most OSes prefer IPv4 to ULAs - thus, if a mobile subscriber can connect to an external IPv6 service, it's very likely the address they were given by their carrier is publicly routable.
For some reason CGNAT seems to be the norm here in Sweden, IPv6 is still almost nowhere to be seen, only existing in a select few cities.
I've been behind CGNAT since I think 2010, at first with DSL with a small ISP and then with one of the big ones with fiber (bredband2), who introduced CGNAT many years ago to prepare for moving to IPv6, which they have still yet to do.
They even stopped supporting their 6rd tunnel apparently.
Obviously they will need to sooner or later. IPv4 address space is mostly depleted; at one point or another, regulation is the only thing that will help.
We had the same in Brazil, scheduled per connection type (DOCSIS was first, etc). It's the only way IPv6 will happen, and more people should push for this.
Indian isp are not using IPv6 though they seem to assign most users local Nat addresses my guess is looking how cheap internet is in India using real IPv6 addresses would increase internet prices
It's intended to be the opposite with fewer IPv6 prefixes needed, compared to the level of fragmentation for global IPv4 deployments combining many smaller prefixes to scavenge enough address space.
Because generally it would be a bad idea for the government to force certain technologies upon the private sector, even if in this case it might be fine.
Forcing micro USB and now USB-C on electronic devices has been one of the best ideas by the EU overall. Remember using ten different charging cables? Gone, due to a helpful piece of regulation by the government.
This is one of the situations where the proliferation of standards is preferable to technological superiority. I far prefer USB-C to be ubiquitously available over having marginally higher transfer or charging speed.
I still have the same issue as before except I’ve added a suite of USB C connectors. I still have micro/mini and regular USB devices on top of all the USB C stuff. Not to mention the premium for a USB C charger.
Only if you want fast charging. I run my MacBook Air over a USB-A to USB-C cable and it slowly charges under light use at around 2.5A and 5V. And tops off to 100% while not in operation. If you want more voltage, then yeah, you’ll need a more specialized charger, whether USB-C or proprietary.
You have to admit it's a better connector mechanically, though. Also, the vast majority of USB-C devices charge fine from USB-A. The devices that require an expensive charger are things that have previously required a proprietary charger, like laptops.
> the vast majority of USB-C devices charge fine from USB-A
I’ve gotten myself stuck a few times with this assumption. My MacBook Air (and probably any MacBook) will accept a trickle at 5V, but my Dell laptop will not.
It isn't a good policy and if that is one of the best ideas of the EU then they have failed as a political project.
1. Corporations are exactly the tool we use to work out what trade offs of cost v. standardisation are best. Everyone is going to claim victory for a bureaucratic committee then a few years down the track we'll discover technology moves on and the regulation is force people to make stupid choices. Removing the flexibility to adapt at the forefront of technology is going to turn out to be foolish in hindsight. These devices aren't even 20 years old and the EU has already decided to start fossilising the tech.
2. There is a decent chance that this will corrupt the USB standard itself. We're already seeing the bizarre profusion of naming [0]. If there is an incentive for corporations to create incompatible things that are all named "USB-C" they may well manage it. Calls to mind the OOXML vs ODF format wars.
3. This is a total waste of political attention. I suppose now we know how the EU ended up in such a catastrophic posture with their energy policy. Their best and brightest were back-seat-driving iPhone design. Thank goodness for the Europeans, they may not have reliable power but if they did they won't have to search around for the right cable. And if we need to send phones into the land war, we know what adaptors to send with them!
> Thank goodness for the Europeans, they may not have reliable power but if they did they won't have to search around for the right cable
yeah... about that.... we in fact have electricity in the outlets, we have countries where the grid has lower chance of a power outage than the chances of a UPS failing. We dont have people rushing to buy gasoline for their generators as soon as a wee bit of bad weather hits..
hows it going in california right now? Babylon bee had a pretty funny, atleast from an outsiders perspective, "news" article:
There are plenty of other good ideas coming from European unification. But standardizing the connector has certainly been a success. We already have 11 years of hindsight. And despite agreeing on micro USB initially, this hasn't stopped a smooth upgrade to the logical successor, USB-C.
The USB standard is messy, but I think there's been ample evidence that this is not because of the EU. Bluetooth is also very messy.
Point three is just nonsense, I got nothing to add to that.
In this case, it seems different because IPv6 is the kind of thing that I doubt any free market competitor would ever be able to supplant. Part of that is the nature of IPv6 itself, as it was designed to be as future proof as it could be. I just don’t see a competing protocol as offering any kind of substantial benefit.
I personally can’t find a reason to switch over on my home network.
I understand why v6 is necessary for the internet but I can’t reconcile it with my home network.
I tried a few times migrating over and it’s just an insane amount of work for essentially nothing… all the firewall rules, containers to subdomain mappings, all the wifi clients would get a completely new numbering scheme. And it changes when you change ISP if I understand correctly because your prefix changes.
It just seems insanely complex to me for no benefit. I have nginx as a proxy on ports 80 and 443 which dispatches the request to the right application based on the subdomain, and that’s it. I don’t understand what ipv6 would do for me in that context.
And most (all?) games or VoIP or other network applications all know how to deal with NAT by now.
With v4, I can have subnets and firewall rules so that my printer can only talk to local computers, or my tv only to my home assistant instance. Now idea how I’d move this all over to v6.
There is no need to move your whole private network over to IPv6, although it might provide a good learning opportunity. You could start with enabling IPv6 for your nginx reverse proxy and make it listen on its IPv6 address.
IPv6 has subnets too and firewalling is still possible, only NAT isn't needed anymore (which is good).
Edit: Reading your post again it sounds like you have mental model of either IPv4 or IPv6, when in practice it is often mixed. Each client can have an IPv4 and IPv6 address - even multiple ones! When you enable IPv6 on your router it gets a subnet from your provider and announces the prefix on your network. The clients then generate their public IPv6 address based on this announcement. Note: Even though they now have a public IPv6 address, the router's firewall should block incoming connections to it by default. That's the case for my router, but to be sure you should check it yourself for yours.
Yes it confuses me very much. If I were to get an ipv4 and and ipv6 to the internet but my internal network stays ipv4, then the ipv6 networking would never get used anyway and I might as well disable it, correct?
Now if I also let internal devices get both a v4 and a v6, they essentially all become directly exposed to the internet through v6 don’t they? That’s the part that really confuses me. And if they aren’t publicly accessible from the internet then I’m back to v4 NAT where I was all along which kinda makes v6 pointless doesn’t it?
> If I were to get an ipv4 and and ipv6 to the internet but my internal network stays ipv4, then the ipv6 networking would never get used anyway and I might as well disable it, correct?
If you enable IPv6 on your router it will likely advertise an IPv6 prefix on your internal network, which in turn will lead to your clients getting IPv6 addresses - unless you disable IPv6 on their interfaces. Clients will then make use of IPv6 to connect to any service that has an IPv6 address, as they prioritize IPv6 higher than IPv4.
> Now if I also let internal devices get both a v4 and a v6, they essentially all become directly exposed to the internet through v6 don’t they? That’s the part that really confuses me.
They won't become directly exposed - the router's firewall should block incoming IPv6 traffic by default. This is the case for my router and should also be the case for others. To be 100% sure you could do a quick check and try to ping your device from the internet using its IPv6 address. You will likely see a message saying: "Destination unreachable: Administratively prohibited" or get a timeout.
> And if they aren’t publicly accessible from the internet then I’m back to v4 NAT where I was all along which kinda makes v6 pointless doesn’t it?
You can open ports in the router's firewall for IPv6 addresses.
However, the main advantage for you would be that your clients can access public IPv6 addresses - which they currently can't. This might not be a big deal yet, but as IPv6 slowly gains some traction it will be noticeable in the future. Some hosters already charge extra for IPv4 addresses.
>they essentially all become directly exposed to the internet through v6 don’t they?
Most consumer routers have a stateful firewall [0] for IPv6 that basically behaves like NAT. But it's less of a problem than on IPv4 anyway. It's possible to scan the whole IPv4 Internet in less than 5 minutes. [1] And this is done constantly by many people. The IPv6 address space is way to big to do this and you have to harvest addresses. [2] It's always a good idea to have a firewall but unlike IPv4 you don't get port and vulnerability scans seconds after you expose a host to the internet.
>which kinda makes v6 pointless doesn’t it?
IPv6 is mostly useful for ISPs. There are just not enough IPv4 addresses for everyone.
>Even though they now have a public IPv6 address, the router's firewall should block incoming connections to it by default. That's the case for my router, but to be sure you should check it yourself for yours
This is why I won't enable IPv6 unless ISPs dramatically change how their hardware works. My ISP-issued modem+router doesn't even have a way to disable routing or automatic updates. I can test the firewall today, but what guarantee is there it'll just keep working?
The comment you're replying to is referring to Homeland. If all you have is an ISP-issued device, then you don't need to worry about it, just use the defaults.
Also, I doubt ISPs will ever change their home routers to default to IPv6 because of the complexity it'll add to customer support with no extra benefits.
It's not the router that decides which IP version to use but the operating system and AFAIK all default to IPv6 if they have an address. And yes many ISPs have activated IPv6 by default that's the reason we see 80% IPv6 usage here. It's not because 80% of the users have actively activated it. Most of them have no idea what an IP even is.
Is there a specific reason you trust your router for IPv4 but not for IPv6 traffic? IPv6 privacy extensions should be enabled by default on most devices. So even in the unlikely case of a device being exposed, someone has to know the temporary IPv6 address and then try to access it while it is still in use. This device would also have to run a vulnerable service on some port that the attacker has to know. All in all, I think that this is a pretty unlikely scenario.
"Most devices", "should be, "unlikely case", "pretty unlikely". That's my impression too, and none of those are good enough. I have many internet connected devices (appliances) and really don't want to worry about someone remotely accessing them. Behind the NAT it just isn't possible.
It could be with UPnP, which as a security conscious person you likely have disabled. Do you trust it staying disabled or none of your many devices trying to use it to poke holes in the NAT?
Even if you have to use your ISPs modem/router device, it might have a bridge mode where it just becomes a modem, enabling you to use your own router. It might be worth checking this option if you didn't already.
It is possible -- NAT won't protect you from inbound connections. Even using RFC1918 addresses on your LAN won't protect you from all inbound connections. You need a firewall for that.
If you don't trust the ISP device to firewall, then you can't trust it even for v4. You need to run your own router.
"Well, our ipv4 addresses of 4x8bit, well, we'll just switch those to 4x64bit or whatever."
Then it becomes like a gradual y2k migration. Old servers could be addressed by the new ones, and if the old ones didn't want to address the new ones, well, that was their problem. You didn't need new infra, addresses, etc, you simply upgraded the software.
Or, using NAT, the 4x64s would provide some NAT port with an 4x8bit address to respond with. As the internet switched over to 4x64 in the DNS and freed up 4x8bit addresses, they could be dedicated to the translation.
I know the ship sailed long ago, but what am I missing here? Can this still be done with some "IPv8" movement where everyone gets fed up with IPv6 hassle, and also just wrap in ipv6 addresses somehow? Why didn't the original group simply expand the size of the numbers in the address quads?
Yeah the current holders of IPV4 ranges would have gotten large segments of address space, but if there are 4x64bit, that's still several universes of per-atom addressing.
As for India, it's unsurprising a nation with a billion people and on the outside looking in of ip address governance is more gung-ho about ipv6 adoption. Plus, India is probably mostly mobile phones in terms of computing, and ipv6 was the basis of mobile phone internet infrastructure from the ground up.
This is actually one of the most interesting parts of the Urbit project IMO -- their addressing scheme has 8, 16, 32, 64, 128 address support. The addresses are displayed in memorable terms that fit into an astromoical-styled system.
A /8, an example being "~rel" (one syllable names based out of a bank of 256 memorable 3-letter syllables)-- these are galaxies and are extremely rare (128 galaxies total). Then you have /16 stars which are like "~tabrel", combining two of these syllables -- their are 64,000 stars. And then finally, you have /32 planets like "~sampel-tabrel", which are 4b illion and enough to be valuable and stop spam, but are somewhat disposable kind of like a phone number.
Each one of those planets can spawn billions of /64 moons (sampel-tabrel^dambel-gabnel) which can be used for IoT or family members.This naming scheme draws a good delineation has both human understandable names and memorable addresses you can use for a lifetime -- as well as tremendous scalability to support routing between trillions of addresses.
> Why didn't the original group simply expand the size of the numbers in the address quads?
Almost all fields in IP header have fixed size - so it doesn't really matter that you just change address size - it is already a new and incompatible protocol.
And adoption of IPv6 wasn’t so slow due to its design or any technical properties. Simply no one wanted to do additional work as long as supporting only IPv4 worked fine.
But IPV6 always had an "Internet2" vibe to it between dual stacks, different syntax/separator, hostility towards NAT firewalls. Like they wanted to be completely separate and force everyone to move to them. And this is back in the day when another stack meant another hunk of infrastructure, probably new switches, etc, not just a bunch of VMs allocated via API in IaaS.
As in they didn't even seem to consider that maybe you adapt the existing IPV4 code to some form that can handle both protocols. It seemed like they wanted to force total software rewrites and hardware purchases all over the stack.
I mean look, one if-then to identify the packet type is not that bad. Or simply have the ipv4 as the first part and the wrapped packet has another 128-256 addressing bytes.
No such thing as a "NAT firewall"... and v6 was designed this way because nothing else really works.
Almost all existing code that was written to handle v4 was written to handle addresses of exactly 32 bits, not addresses of arbitrary length. Longer addresses therefore required writing new code to handle them. v6 is close enough to v4 that you can write code that can handle both families, but neither the existing code or the new code was under the control of the people designing v6.
You use dual stack because it's maximally compatible with existing devices and code. There are plenty of ways to run single-stack v6 if you want to, but they all have some compatibility issue or another (and the compatibility issues stem from the way v4 was designed, not the way v6 was designed).
v6 addresses use : rather than . because they could otherwise be confused with DNS. For example, a string ending in ".be" could have been a v6 address or a subdomain of the .be ccTLD.
IP packets do start out with a version field, so your "one if-then to identify the packet type" requirement is exactly what v6 already does.
> Or simply have the ipv4 as the first part and the wrapped packet has another 128-256 addressing bytes.
You've invented 6to4. It already exists, but people seem to prefer native.
Meanwhile in Italy basically nobody (except Sky and Iliad) offers any support for IPv6.
TIM had a very poorly functioning technical trial of native IPv6 12 years ago, and while it still exists (and sucks) it only works on ADSL (not VDSL, 20Mbps ADSL).
I guess that carriers have just too many IPv4 to throw around, mobile connections are all NATted with no sign of any future roll-out of IPv6 in sight.
If your ISP doesn't disable ICMP you can get yourself an IPv6 network for free using something like HE's tunnelbroker. This has the tendency to break Netflix/Disney Plus/whatever, though, because they see it as an attempt to change your location.
I use Tunnelbroker to provision IPv6 to some services I run on a VPS provider that hands out a /128 for some obscure reason. It works great if you can configure the tunnel in your router.
The biggest difficulty for home use is to set up DNS in such a way that streaming services don't resolve over IPv6 so you don't get blocked (or, as I did for a while, to just pirate content when they refuse access to the services I pay for; my Jellyfin + *arr setup is often easier to manage than finding the right service to watch my shows on).
I kinda doubt it. Only new ISPs are rolling out IPv6 ATM, because they know they will not be able in the future to get enough IPv4 to satisfy demand. Everyone else is sitting on a crapload of IPv4 and will never bother to implement IPv6 until it is mandated by either the Italian government or the EU, whichever comes first.
I work at a decent-sized ISP in Sweden, and we've been trying to get IPv6 to customers for over 10 years. It's hard. The way the Internet is built (many municipal broadband networks[0]) means there's middle networks that might not support IPv6 (the reason used to be "no interest" and "it's not a priority").
PTS is starting to show some interest[1], we'll see what leads to.
That's kind of what I'm hinting at, the municipal entities assigned to handle the installation of fiber started this 20 years ago, which means that even 1Gbit is not the norm, the old 100Mbit connections are. I know a person that works at such a place and they have zero interest in upgrading their routers, because it would only cost money for the labour and equipment.
Slightly off-topic, but what should you be ashamed by something that is totally independent from you, that you can't control in any way? Personally I'm ashamed only if I do something wrong myself.
The whole point if nationalism is to have self-governance in order for people to be able to effect their destiny. If modern nationalistic governments are to be seen as distant and impervious, then how is that different from the imperial era? And if the people do have control over their governments, then why should they not feel shame over not exercising that power constructively?
For some reason the modern democracy focused on a set of traits collectively known as left/progressive and right/conservative. In some countries you basically only can choose between the left and the right with no any other option. Statistically, the government formed by any of these parties will do more things not the way you wanted. So unless you have some significant direct democracy mechanisms like Switzerland, you have no control over most issues, not to mention marginal ones such as an internet protocol used in your country.
Usually when people say they are ashamed of their country/state/municipality/club etc, they are not mentally flagellating themselves averting gaze from the rest of the world while hoping for the ground to swallow them. It is a manner of speech.
FWIW, airtel broadband, one of the largest (or the largest?) fixed line broadband providers, doesn’t offer IPv6 for all customers. It seems like mobile broadband from even a lower ranking provider (like Vi) does offer it. I doubt if all ISPs will meet this goal by the end of this year.
The modem is less than a year old. But airtel doesn’t give an IPv6 address. This is in one of the major cities where one would expect technology to be advanced.
Question to those familiar with IPv6. My company has /24 IPv4 PI blocks. We are not a LIR. Can I request a /48 or larger IPv6 prefix from my sponsor LIR (what is the largest IPv6 prefix that can be obtained this way?) Can such IPv6 prefix (not being a LIR) be further distributed to customers? (e.g. we offer some internet access) - afaik there were some restrictions when not being a LIR. I am not sure what the current state of IPv6 policy is.
If you're talking about the RIPE region, then;
- Can I request a /48 or larger IPv6 prefix from my sponsor LIR -> Yes. Something bigger than a /48 might be hard, but /48 shouldn't be any problems.
- Can such IPv6 prefix be further distributed to customers? -> No. A IPv6 PI assignment can only be used by yourself and your own infrastructure and not assigned to customers[0].
Other RIRs will have the information on their website, or your sponsoring LIR will be able to answer any questions :)
Thank you.
Just to make things clear, customer from section 7 also equals end user? That is, if I were given for example a /48 from a sponsor LIR then I am forbidden to divide that and delegate resulting prefixes via DHCP/PPPOE to end user CPEs to whom I want to simply provide dual stack internet access?
My story about ipv6 is from a travel. I connected to a friend's wifi. It worked for some time and then a strange thing happened. I was able to google but I was not able to connect to my company's services. I debugged the cause and it looked like the router received ipv6 address but not an ipv4. There was some tornado going around that might something to it.
This was the first time I felt like being on the ipv6 network. I also wonder why I was not able to access to ipv4 servers, I assume that in India people have no problem accessing ipv4 only networks.
Anyway - this was the first time I had to deal with ipv6 :)
On the business side. One ipv4 costs us $3/mo. We never had any problem with this, didn't feel any business reason to upgrade and in particular we (as most of the companies) do not have any permanent test of ipv6 connectivity going on. So even if this had been setup at some point, we would never notice a regression here.
So - unless our customers started asking for ipv6, government pushed some regulation or the address' prise would go up - I do not think we will do anything about ipv6, like most other companies.
The $3 are an early warning signal. You can start upgrading slowly on the cheap when you have all the time in the world, or you can do it for much more money and higher risks come crunch time, when you "see a business reason."
I don't have an axe to grind with IPv6 in particular, but I wish managers who consistently make short-sighted management decisions when the writing is so obviously on the wall, would face unemployment.
Generally, IPv6-first networks use shared IPv4 addresses for connectivity to legacy servers. Think CG-NAT but slightly more optimised.
I don't know why a tornado would only knock out IPv4, seems to me that the prefix administration for IPv6 should run on the same location as the DHCP administration for IPv4.
I would've switched most of my systems over to IPv6 by now if it wasn't for my workplace using Ubiquity hardware that still lacks IPv6 hardware acceleration, forcing the admins to disable it or face unnecessary network slowdowns. I like to be able to use my password manager and such on their WiFi just in case.
Indian regulation forcing IPv6 availability may lead to limited IPv4 availability in one of the biggest developing economies in the world, which may lead to business reasons for switching over. I can only hope, we've been stuck with IPv4 for way too long.
Meanwhile, here in an exurb in the same country that the Internet was created in, my only real broadband option is DOCSIS3.1 gigabit with Wave/Astound... which sounds nice, except it's still very-much IPv4-only with zero signs of IPv6 rollout - including confirmation from a customer service rep from about 2-3 weeks ago that there's still no plans to deploy IPv6.
The ipv6 routing on major ISP(Jio) that started popularizing it is pretty bad, half of the packets go to singapore and back to india. You often need to explicitly use v4 to get better latency.
My ISP in Ontario, Canada, has full ipv6 sorry for their cable customers, but tech support is clueless about it still. I had issues with ipv4 connectivity once and they struggled to understand that ipv6 was working perfectly and it was strictly v4 not working at all
While everyone should migrate asap, i hope the powers that be learn lessons and next time create standards that consider himan factors as well (personally recollection is important to me too, not that that's a major factor in stalling migration)
There has been a "National IPV6 Plan" in place since 2010, and full coverage has been pushed under that plan in stages. Anyone interested can read all about it in (extensive) detail[2].
0. https://dot.gov.in/ipv6-transition
1. https://dot.gov.in/sites/default/files/Revision%20in%20IPV6%...
2. https://dot.gov.in/sites/default/files/2016_11_18%20IPv6%20N...