What you should know about IPv6 (lucb1e.com)
99 points by lucb1e on Nov 20, 2012 | hide | past | favorite | 17 comments

The article is wrong about address assignments.

First, /32 is the minimum allocation size, which means you (an ISP) can't get fewer addresses than that (not more as the article claims). The reason you'd want to have a minimum allocation size is because it makes routing tables smaller (better for an organization to have just one entry in the routing table that's huge that they can grow into, than to start small and add lots of small entries to the routing table as they grow).

Second, /48 is what ISPs typically give their subscribers, not what ISPs themselves get.

Edit: to clarify, the /32 minimum is a policy of ARIN and RIPE (not sure about the other RIRs). See for example https://www.arin.net/policy/archive/ipv6_policy.html#43 and http://www.ripe.net/ripe/docs/ripe-552#minimum_allocation. There is no mandatory policy for how ISPs should assign addresses to their subscribers. RFC3177 recommended a /48 in most cases, though that has recently been superseded by RFC6177, which recommends more flexibility rather than a one-size-fits-all approach. See http://tools.ietf.org/html/rfc6177.

I find the article somewhat reckless in recommending that you ban entire /64s instead of individual IPv6 addresses. It's true that you need to be aware that a home user will likely be in control of an entire /64 (and possibly more), but if the offending IP address is at a university or a datacenter then a /64 ban could sweep up a lot of innocent bystanders. You really need to consider bans on a case-by-case basis.

Often, banning whole ISPs is necessary to actually get rid of offenders. Hackers and griefers have known how to get new addresses from their DHCP pool for at least 10 years, and now that they'll get access to an entire /64, many will be sure to exploit it.

In fact, I'll bet the malware-infested utility to automate this into a one-click process already exists.

I don't disagree with that, but please do some investigation before banning an entire subnet, or wait until you actually observe a user jumping around the subnet. And never ban an entire ISP if you haven't first given their abuse department a chance to do the right thing.

If you don't do this, you're harming innocent people.
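The ban policy argued for in the comment above (ban the single address first, widen to the /64 only once the same /64 is seen hopping between distinct offending addresses, and never widen inside networks known to be shared by many unrelated users), as an added Python example that is not part of the thread. The hop threshold and the 2001:db8::/32 documentation prefixes are constructed for illustration.

```python
from ipaddress import ip_address, ip_network, IPv6Address


class IPv6BanList:
    """Host bans first; a /64 ban only after observed address hopping."""

    def __init__(self, hop_threshold=3, shared_prefixes=()):
        self.hop_threshold = hop_threshold
        # Constructed list of prefixes known to be shared by many unrelated
        # users (a campus or hosting network): never widen to a /64 here.
        self.shared_prefixes = [ip_network(p) for p in shared_prefixes]
        self.host_bans = set()      # individual addresses (v4 or v6)
        self.prefix_bans = set()    # whole /64 networks
        self._offenders = {}        # /64 network -> distinct offending addrs

    @staticmethod
    def _slash64(addr):
        # The /64 a home subscriber typically controls entirely.
        return ip_network(f"{addr}/64", strict=False)

    def _is_shared(self, net):
        return any(p.version == net.version and net.subnet_of(p)
                   for p in self.shared_prefixes)

    def record_offense(self, addr_str):
        """Ban the address; return 'host' or 'prefix' for how wide the ban is."""
        addr = ip_address(addr_str)
        self.host_bans.add(addr)
        if not isinstance(addr, IPv6Address):
            return "host"            # IPv4 stays per-address
        net = self._slash64(addr)
        seen = self._offenders.setdefault(net, set())
        seen.add(addr)
        # Widen only after the user has demonstrably jumped around the /64,
        # and only where the /64 is not a shared network.
        if len(seen) >= self.hop_threshold and not self._is_shared(net):
            self.prefix_bans.add(net)
            return "prefix"
        return "host"

    def is_banned(self, addr_str):
        addr = ip_address(addr_str)
        if addr in self.host_bans:
            return True
        return (isinstance(addr, IPv6Address)
                and self._slash64(addr) in self.prefix_bans)


if __name__ == "__main__":
    bl = IPv6BanList(hop_threshold=3, shared_prefixes=["2001:db8:ffff::/48"])
    for a in ("2001:db8:1::1", "2001:db8:1::2", "2001:db8:1::3"):
        print(a, "->", bl.record_offense(a))
    print("2001:db8:1::dead:beef banned:", bl.is_banned("2001:db8:1::dead:beef"))
```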

Your warning has merit, but it's a little out-of-scope for the problem. I'm not talking about banning people from playing Halo, I'm banning them from just my server for medium durations like a day or a week. And chances are they're the only person connecting to my server from that ISP -- each of the ~30 people on the server probably has a different ISP.

Thank you for your comments, I'll edit the post accordingly!

I thought the RIR could be assigned a /32 subnet at most (by the IANA), and that the RIR would hand /48 out to ISPs. The book I read on IPv6 is from before RFC6177, perhaps that's where the confusion came from.

The article misunderstands IPv6 addresses. The best way to put it is that IPv6 offers addresses for 2^64 networks. IPv6 numbers networks, and hosts attach to networks.

In v4, hosts come first and networks second. In v6, networks come first and hosts come second.

What do you mean by come first and come second?

What's a first-class and a second-class concept in the architecture.

In IPv4, the IP address is central to the architecture, and the subnet is secondary. In v6, the /64 network is the core, and everything is arranged around that.

Hmm, I understand what you mean, but does it practically change anything? Should I write something differently in the article?

You have to wade pretty far until this gets to the main user-visible advantage (global routability) and doesn't make a very compelling case of why you'd want it.

People have been lulled into this state of apathy about crippled IPv4+NAT connectivity (or don't know any better). The problem is that the network effect/chilling effect wrt app deployment/development isn't something that a user instantly sees, and the other, more immediate benefits are currently only significant for pretty advanced users (who are already aware of how NAT makes their lives hard).

> The first 32 bits form the minimum allocation size; you can't get assigned more addresses than this.

Well that's not true, if the below linked article is to be believed. The DoD has a /16, which is twice as big (bitwise, it's substantially larger in absolute terms) as the /32 the article says is 'the minimum allocation size'.

aforementioned article: http://gcn.com/articles/2007/02/03/dod-to-allocate-its-ipv6-...

Another commenter also pointed this out (which I happened to read first), and it has been corrected. Thanks for commenting!

That was interesting and highlights that I do not know a whole lot about networking. What would be a good source to get a basic understanding of how these things work?

I'm not OP, but I found the Hurricane Electric Certification[1] quite useful.

The course is free and you can do it on-line. You will have to do certain tasks (e.g. set up an IPv6-capable mail server); HE will check, and if you were successful you enter the next level. If you make it through to sage level you will get a free T-shirt (which in my case they even sent for free to Germany).

The tasks are not difficult but completing the course will take some time. It is hands on experience and I learned a lot. I'm not affiliated with HE in any way.

[1] http://ipv6.he.net/certification/

There are probably interesting intros out there, but for what it's worth, the standard text book on computer networks is Tanenbaum: http://www.amazon.com/Computer-Networks-5th-Andrew-Tanenbaum...

I'm sure there's a book you can pick up but the most pleasant way of learning is solving a problem you have. Get a decent router, maybe something a little beefy like Netgear WNDR3800[1] so that you're not too constrained in what you can do with it, install OpenWRT on it and make your life a little easier.

Maybe you need a VPN to your company, or university? Unless it's some high security stuff, set up a client on the router and route the traffic through it to selected networks.

Or maybe your ISP doesn't offer IPv6 yet and you'd like to use it? Get a tunnel from SixXS[2], or HE[3].

Set up a file server, bridge your network with your parents' network, and let them use it. Keep their backups for example.

Create a completely separate open wifi network if you live in a densely populated area. You can also route its traffic through some other host, if your ISP doesn't look kindly on that sort of thing.

Learning without goals in mind seems a little tedious.

[1] http://wiki.openwrt.org/toh/netgear/wndr3800 [2] https://www.sixxs.net/main/ [3] http://www.tunnelbroker.net/

I don't know a single good source to learn about networking, I've learned it myself by just searching the web and asking people who know. I've been thinking of writing a piece on networking in general too, but it'd become quite lengthy.
