Many hackers have familiar sayings in their heads, such as “If it ain’t broke, don’t fix it” and KISS (Keep it simple, stupid). Those of us who have been in the field for some time have habits that are hard to break. When it comes to personal networks, simplicity is key, and the idea of transitioning from IPv4 to IPv6 addresses seems crazy. However, with the increasing number of ‘smart’ devices, streaming media gadgets, and personal phones, finding IPv4 space for our IoT experiments is becoming difficult. Is it time to consider embracing IPv6?
The linked GitHub Gist by [timothyham] summarizes the essential concepts for home network admins to understand before making changes. The first major point is that IPv6 has a vastly larger address space than IPv4, eliminating the need to find spare IPv4 addresses. IPv6 assigns multiple addresses to the same interface. The 128-bit addresses are split into a 64-bit prefix assigned by your ISP and a 64-bit interface identifier. Using SLAAC (Stateless Address Autoconfiguration), clients can manage their own addresses. You don’t have to use SLAAC, but it will make life easier. The suffix typically remains static, allowing integration with a local DNS server.
Another major concept concerns routing. IPv6 uses RA (Router Advertisement) instead of DHCP for address assignment. Local clients receive a globally routable prefix, meaning each device can communicate directly over the Internet without being translated to a shared WAN IP address as in an IPv4 setup. However, a stateful firewall is still necessary for security: a globally routable address is reachable from outside unless the router drops the unsolicited traffic.
Finally, we will assign another address to the local clients that need to communicate with each other; this is the ULA (Unique Local Address), which is the address given to your internal devices, such as printers, media servers, and your pile of IoT gadgets. You can grab a ULA prefix from a website such as this one to generate a unique locally routable IPv6 prefix, then assign this to your clients and let them autoconfigure the suffix part. This new ULA is the address you register in your local DNS server. So, it’s a lot of work, but with IPv4 running on borrowed time, we might be forced to switch eventually, and it’s better to have a head start, eh?
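Putting the three pieces above together (the ISP-assigned prefix, the SLAAC interface identifier, and a ULA for internal names), here is a small added example in Python; it is not code from [timothyham]’s gist. The /56 (from the 2001:db8::/32 documentation range), the LAN names and the MAC addresses are made-up placeholders.

```python
"""Home IPv6 address plan: delegated prefix -> /64 LANs, SLAAC-style interface
identifier, and an RFC 4193 ULA whose /64s mirror the ISP ones.  Added example."""
import ipaddress
import secrets
from typing import Optional

# Assumed ISP delegation.  2001:db8::/32 is the RFC 3849 documentation prefix,
# standing in for whatever your ISP actually hands you.
ISP_DELEGATION = ipaddress.IPv6Network("2001:db8:ab00::/56")

# Assumed LAN layout: name -> subnet index inside the delegation (0..255 for a /56).
LAN_PLAN = {"infra": 0x00, "personal": 0x10, "media": 0x20, "iot": 0x30, "guest": 0xF0}


def carve_lan(delegation: ipaddress.IPv6Network, index: int) -> ipaddress.IPv6Network:
    """Pick /64 number `index` out of a delegated prefix (256 of them in a /56)."""
    if delegation.prefixlen > 64:
        raise ValueError("delegation must be a /64 or shorter")
    if not 0 <= index < 2 ** (64 - delegation.prefixlen):
        raise ValueError(f"subnet index {index} does not fit in a /{delegation.prefixlen}")
    return ipaddress.IPv6Network((int(delegation.network_address) + (index << 64), 64))


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291 App. A):
    insert ff:fe between the OUI and the device part, flip the U/L bit (0x02 of
    byte 0).  Deterministic, hence easy to check here; modern hosts usually prefer
    RFC 7217 stable or RFC 4941 temporary identifiers so the MAC is not exposed."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def slaac_address(lan: ipaddress.IPv6Network, iid: int) -> ipaddress.IPv6Address:
    """Prefix learned from a Router Advertisement + 64-bit interface identifier."""
    if lan.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 on-link prefix")
    if not 0 <= iid < 2 ** 64:
        raise ValueError("interface identifier must be 64 bits")
    return ipaddress.IPv6Address(int(lan.network_address) | iid)


def interface_id(addr: ipaddress.IPv6Address) -> int:
    """The low 64 bits: the part that stays the same across prefixes."""
    return int(addr) & ((1 << 64) - 1)


def generate_ula_prefix(global_id: Optional[bytes] = None) -> ipaddress.IPv6Network:
    """RFC 4193 locally assigned ULA: fd00::/8 + a 40-bit pseudo-random Global ID,
    giving a /48 you split into up to 65536 /64 LANs.  RFC 4193 derives the Global
    ID from a hash of time and an EUI-64; a CSPRNG draw is an accepted substitute."""
    if global_id is None:
        global_id = secrets.token_bytes(5)
    if len(global_id) != 5:
        raise ValueError("Global ID must be exactly 40 bits")
    value = (0xFD << 120) | (int.from_bytes(global_id, "big") << 80)
    return ipaddress.IPv6Network((value, 48))


def plan_device(mac: str, lan_name: str, ula_prefix: ipaddress.IPv6Network,
                delegation: ipaddress.IPv6Network = ISP_DELEGATION) -> dict:
    """Global (ISP-prefixed) and ULA addresses a device would form on its LAN.
    Both carry the same interface identifier, so the ULA is what you put in
    local DNS: it stays put even when the ISP renumbers the /56."""
    index = LAN_PLAN[lan_name]
    iid = eui64_iid(mac)
    return {
        "lan": lan_name,
        "gua": slaac_address(carve_lan(delegation, index), iid),
        "ula": slaac_address(carve_lan(ula_prefix, index), iid),  # same subnet index
    }


if __name__ == "__main__":
    ula = generate_ula_prefix()
    print("ULA prefix for this site:", ula)
    # Constructed MAC addresses, not real devices.
    for mac, lan in (("00:11:22:33:44:55", "iot"), ("00:11:22:33:44:66", "media")):
        dev = plan_device(mac, lan, ula)
        print(f"{lan:8} GUA {dev['gua']}  ULA {dev['ula']}")
```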
Need convincing that there really is an IPv4 addressing problem? Well, this side of the pond, we ran out already. In case this is all too serious for you, we discovered a hack from a few years ago that seriously abuses the IPv6 address space. Go check this out!
Header: Raysonho @ Open Grid Scheduler / Grid Engine, CC0.
“finding IPv4 space for our IoT experiments is becoming difficult”
Not if all your IoT experiments are on a local network behind a NAT’ed connection. Bucket loads of available IP addresses.
I’m behind CGNAT.
That’s your ISP’s / mobile carrier’s fault. They should be using IPv6.
@rusty cans said: “That’s your ISP’s / mobile carrier’s fault. They should be using IPv6.”
The ISP probably does use IPV6 on the Internet-looking side, but employs RFC-6598 as a shared address space on the customer-looking side with a pre-assigned 100.64.0.0/10 network space (100.64.0.0 to 100.127.255.255) which is exposed to your home DOCSIS cable modem’s (or equivalent) WAN port as the IPV4 gateway.[1] Unfortunately this still imposes the same group of Advantages and Disadvantages of translating from IPV6 to IPV4 with Carrier Grade NAT (CGNAT) for IPV4 on your home NAT router’s WAN port.[2][3]
Remember, IPV4 addresses via CGNAT are assigned via DHCP. IPV6 addresses are not assigned via DHCP.[4] However both IPV4 and IPV6 addresses will automatically be assigned to a (e.g.) Network Interface on your PC via your home router connected to your DOCSIS modem (or equivalent). On my Windows 10 Machine for example, at the command prompt I enter “C:\Users\Username\ipconfig /all” to see everything about how my IP addresses are configured on my Windows 10 PC (my network interface is set up for automatic configuration of addresses, network masks, and DNS). I see two simultaneous IP addresses configured for my machine, one IPV4 and one IPV6:
IPv6 Address. . . . . . . . . . . : 2601:589:4900:19b5:4570:fd66:2f79:c51b(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.123(Preferred) <- Assigned by my home network router via DHCP
Unfortunately I cannot easily login to my DOCSIS cable modem via 192.168.100.1 to look at the modem's WAN IPV4 address assigned by CGNAT, but I bet it is somewhere in the 100.64.0.0/10 network mentioned above.
For me this is still a bit confusing. If you think I got something wrong here, please chime in with a better suggestion. Thanks.
* References:
1. Carrier Grade NAT – Shared Address Space
https://en.wikipedia.org/wiki/Carrier-grade_NAT#Shared_address_space
2. Carrier Grade NAT – Advantages
https://en.wikipedia.org/wiki/Carrier-grade_NAT#Advantages
3. Carrier Grade NAT – Disadvantages
https://en.wikipedia.org/wiki/Carrier-grade_NAT#Disadvantages
4. IPv6 Explained for Beginners
http://www.steves-internet-guide.com/ipv6-guide/
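As an added example (not the commenter’s own code), here is a Python script that pulls the address lines out of `ipconfig /all` output like the two quoted above and labels each one by what it says about the NAT situation, including the RFC 6598 shared-space test for CGNAT that the comment describes; the link-local line and the modem’s WAN address are constructed stand-ins.

```python
"""Added example: read the address lines `ipconfig /all` prints and say what each
one implies about NAT, using the RFC 6598 shared range to recognise CGNAT."""
import ipaddress
import re
from typing import List, Union

SHARED_CGNAT = ipaddress.ip_network("100.64.0.0/10")    # RFC 6598 shared address space
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
GUA_V6 = ipaddress.ip_network("2000::/3")               # global unicast, RFC 4291
ULA_V6 = ipaddress.ip_network("fc00::/7")               # unique local, RFC 4193
LINK_LOCAL_V6 = ipaddress.ip_network("fe80::/10")

# Matches lines such as "IPv4 Address. . . . . : 192.168.1.123(Preferred)" and the
# IPv6 variants, skipping the dot leaders and stopping before "(Preferred)" or "%12".
ADDR_LINE = re.compile(r"^\s*(?:Link-local |Temporary )?IPv[46] Address[ .]*:\s*([0-9A-Fa-f:.]+)")

# Constructed sample: the IPv6 and IPv4 lines are the commenter's, the rest is made up.
SAMPLE_IPCONFIG = """\
Wireless LAN adapter Wi-Fi:
   IPv6 Address. . . . . . . . . . . : 2601:589:4900:19b5:4570:fd66:2f79:c51b(Preferred)
   Link-local IPv6 Address . . . . . : fe80::4570:fd66:2f79:c51b%12(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.123(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
"""
# Constructed stand-in for what a modem status page might show as its WAN address.
SAMPLE_MODEM_WAN = "100.72.19.5"

Addr = Union[str, ipaddress.IPv4Address, ipaddress.IPv6Address]


def parse_ipconfig(text: str) -> List[Union[ipaddress.IPv4Address, ipaddress.IPv6Address]]:
    """Return every host address in the output, in order, as ipaddress objects."""
    found = []
    for line in text.splitlines():
        m = ADDR_LINE.match(line)
        if m:
            found.append(ipaddress.ip_address(m.group(1)))
    return found


def v4_kind(addr: Addr) -> str:
    """'shared' (CGNAT), 'private' (RFC 1918), 'special', or 'public'."""
    a = ipaddress.ip_address(str(addr))
    if a in SHARED_CGNAT:
        return "shared"
    if any(a in net for net in RFC1918):
        return "private"
    if a.is_loopback or a.is_link_local or a.is_multicast or a.is_reserved or a.is_unspecified:
        return "special"
    return "public"


def classify(addr: Addr) -> str:
    """One-line reading of an address, the way you would explain it to the commenter."""
    a = ipaddress.ip_address(str(addr))
    if a.version == 4:
        return {
            "shared": "IPv4 shared address space (RFC 6598): this WAN side sits behind carrier-grade NAT",
            "private": "IPv4 private (RFC 1918): handed out by the home router, never routed on the Internet",
            "special": "IPv4 special-purpose (loopback, link-local, multicast, ...)",
            "public": "IPv4 public: routable, so unsolicited packets reach whatever firewall is in front",
        }[v4_kind(a)]
    if a in LINK_LOCAL_V6:
        return "IPv6 link-local (fe80::/10): never leaves this segment, used for RA/NDP"
    if a in ULA_V6:
        return "IPv6 unique local (fc00::/7): internal only, ISPs do not route it"
    if a in GUA_V6:
        return "IPv6 global unicast (2000::/3): reachable from the Internet unless the firewall says no"
    return "IPv6 other scope (multicast, loopback, ...)"


def nat_layers(lan_v4: Addr, wan_v4: Addr) -> str:
    """How many translations sit between a LAN host and the Internet, judged from
    the host's own address and the router's WAN address."""
    lan_kind, wan_kind = v4_kind(lan_v4), v4_kind(wan_v4)
    if lan_kind == "public":
        return "0: the host itself holds a public IPv4 address"
    if wan_kind == "public":
        return "1: home NAT only; the router holds a public IPv4 address"
    if wan_kind == "shared":
        return "2: home NAT plus carrier-grade NAT (RFC 6598 address on the WAN port)"
    return "2+: home NAT plus an upstream NAT handing out RFC 1918 space instead of the shared range"


if __name__ == "__main__":
    addrs = parse_ipconfig(SAMPLE_IPCONFIG)
    for a in addrs:
        print(f"{str(a):40} {classify(a)}")
    lan_v4 = next(a for a in addrs if a.version == 4)
    print("Modem WAN", SAMPLE_MODEM_WAN, "->", nat_layers(lan_v4, SAMPLE_MODEM_WAN))
```

Once the router’s real WAN address is known (from its status page), nat_layers() separates the CGNAT case (an address in 100.64.0.0/10) from a router that holds a public address.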
IPv6 has no earthly business being on a private network. Definitely sounds like you have a need for a new ISP if the option is available. IPv6 on my local LAN exposing everything to the internet is the worst suggestion in the history of IT security. Down trous and ANY/ANY. Wowzers.
You are basically right about CGNAT, and it is a pest. No advantages for customers, except slower Internet with higher latency, and it might even get crowded and you will not get the Internet access you should.
And you do have an address on your WAN interface in your home router in the net 100.64.0.0/10 if you have CGNAT. If your external WAN port does not have a public or a CGNAT address but one from the private address ranges (like 192.168.0.0/16), change ISP fast, because then they are incompetent. Really.
Change, preferably, to one that does serve you proper IPv6 (a /56 net; if they deliver only a /64 to you, change to another ISP, as they then are probably incompetent. Really. But really check that you get a /64 before you run).
Your IPv6 address is a public address, as it is in the net 2000::/3 (that is, if the first digit is 2 or 3, it is a public IPv6 address). We know that the netmask is /64, as all local LANs should have a /64 network in IPv6. That makes things so much simpler and actually makes routers faster.
Your IPv4 address is as it should be, a private IPv4 address in the net 192.168.0.0/16, which is usually divided into /24 nets.
Sorry to hear that. That is a real pest.
You can’t even set up reverse NAT for access from outside to your local network and machines.
You really need IPv6 from your ISP. Notice, you should NOT be given just one /64 public IPv6 net. You should have at least a /56 network, so you have some 256 public IPv6 networks, that is, 256 LANs with a /64 network each. And no, a /60 is too small, you need at least a /56.
(And if someone even suggests this: No, NAT does NOT have anything to do with security, you use firewalls to do that.)
(CGNAT is carrier-grade NAT, when your home router doesn’t have a public address on the WAN interface. You get an address in this network: 100.64.0.0/10)
All my networked devices are on a local network as well. I picked a class B network so I’m swimming in addresses. Don’t have a need for IPV6. Why you’d want your devices all on the ‘Internet’ is beyond my understanding — that’s just suicidal in my mind. And of course corporations do the same thing. One or two internet facing addresses (NAT), while separate networks internally.
Ipv6 is such a mess.
But nowhere near as much of a mess as NAT. It breaks connectivity. Look at all the hoops that SIP/RTSP have to jump through, and still it doesn’t work reliably.
But that’s exactly what IT professionals wanted!
They loved NATting. I’ve talked to quite a few in the past decades and they didn’t mind the bigger address space, but all missed IPv4 NAT.
They argued they don’t want all their devices to be exposed to the internet.
They didn’t like the idea that each device on earth has its own IP address all day long.
And I can’t disagree. The IPv6 philosophy might be correct in principle (in an ideal world), but from a security point of view, it’s a nightmare.
Because the end devices are often not very strong in defending themselves. Especially if we think IoT.
A smart toaster or smart lightbulb doesn’t have the computing power to run an anti-virus guard or to run a true firewall (a simple packet filter is possible).
If these devices are behind a DSL router with a firewall with NAT feature, they’re at least not visible from the outside world.
They’re still visible in a local network, though, where they are meant to be accessed in the first place.
In a business environment, these considerations are even more of importance.
Everyone talks about how good IPv6 is, except when it isn’t.
IPv6 is a threat very often.
There have been numerous cases when IPv6-capable OSes had created a so-called “shadow network”.
This happened when the network used to be a clean, pure IPv4 network.
After the IPv6 protocol had infiltrated the network, it bypassed traffic behind the back of the IPv4 equipment. Filter rules and other mechanisms no longer worked, because IPv4/IPv6 tunneling happened.
Ok, strictly speaking, the problem isn’t (wasn’t) IPv6 here but the default settings of OSes like Vista/7.
But it doesn’t change the fact that IPv6 is a headache.
It would have been better if merely the address range had been increased, without touching the mechanics of IPv4.
I’ve had my LAN running IPv6 for a while now, it’s great. Proper end-to-end connectivity is how the internet is supposed to work. Internally I’m running mDNS but I also put things into DNS, and then I can open up the relevant firewall ports and get to them from outside for cases when I want that.
The one place I differ from the document is that I would not recommend ULA if your ISP gives you a stable allocation, it’s just extra hassle.
I’m surprised to see so many people unwilling to try something new and increasingly necessary in these comments; it doesn’t feel like that reflects the nature of a site like this.
Now if only my stupid mobile provider would get with the program and support v6…
(to Joshua)
That is so wrong – NAT is NOT A FIREWALL – yes, I know, some people treat it as such, but that is just wrong. NAT is a hack – a hacky solution for a particular problem (IPv4 has not enough IP addresses).
IPv6 is the same as IPv4 from security standpoint – you still need to properly define your firewall rules. If you do, there is no difference.
And yes – when those “professionals” move from their cozy NATed network into something like AWS – where everything has a public IP by default – things get interesting.
“But it doesn’t change the fact that IPv6 is a headache.
It would have been better, if merely the address range had been increased, without touching the mechanics of IPv4.” – It did – there is no difference – yes you have SLAAC and route advertisement but it is still essentially the same but with large address pool.
Yes – there is one problem – they are different protocols (because different addressing means different packet formats) so in firewalls you have 2 sets of rules – one for IPv4 and one for IPv6 – it happens that people set IPv4 rules, don’t bother about IPv6 and then somebody decides to enable IPv6 without adding the IPv6 rules. That is not a problem of IPv6 – that is ignorant sysadmins.
And as for firewall bypass due to tunneling – that is the same IPv4 or IPv6 – it is a thing – 6in4 tunnels can be filtered on firewalls – if some OS starts to use firewall bypassing 6in4 tunnels by default – that OS is a headache, not IPv6.
So again – NAT IS NOT A FIREWALL!
Nat is not a firewall.
Yah but that is good because firewalls suck.
Sure, I know all the professionals are going to get their undergarments in a knot over that statement. And they have a point. In a large organization with all sorts of people connecting things or installing software it would be pretty hard to manage security without one.
But for a single person living alone, or even someone managing the LAN of their typical household... they are so often overkill.
I mean sure, you can get a consumer grade “simple” firewall. But those break all the time, often completely blocking connectivity in the process. And honestly... most of them come with more malware than any hacker that wants to get in!
You can use a professional grade firewall at home. Most of that stuff is open source and free anyway. Wonderful. Now you have to get a f’ng degree in network security just to watch Netflix! My friends that do this… they are the ones that half the time have no internet at home because they have accidentally broken their network with something they tried to tweak in their firewall.
But what about going naked? No firewall, no NAT?
About a decade and a half ago I was all for this.
OMG but you aren’t protecting your ports! Your ports! Hackers are getting in your open ports!
No they’re not! If you don’t have something running, listening for packets incoming on that port the OS is just going to throw whatever comes in away! An open port is not a telnet session into some movie-OS-esque environment where the hacker can simply type “override password” and now they 0wnz you. Give me a break! It’s either going to sit and do nothing or it’s going to spit back a rejection message. Just don’t install shit on your computer that you don’t understand and aren’t willing to configure and secure. And if you are going to install it… you must have wanted it to work.. so you would be doing that configuration anyway AND writing a rule to let connections through the firewall too!
Well.. Like I said.. I would have said that a decade and a half ago. These days with so many random internet enabled devices… auditing every one of them is beyond the home Lan non-pro admin that I am talking about.
So install the consumer grade firewall that slows everything down, brings in malware and craps out blocking the internet all the time? Or install the pro grade one and take up a second career learning and managing it? Hell no!
That’s where NAT is beautiful. Nothing is getting through unwanted because there is no route. But.. setting up a port forward… definitely not rocket science!
This is why I am not switching to IPV6 on the LAN any time soon.
On the WAN… my provider doesn’t even offer it yet. OK.. I see how that could invalidate my LAN argument.. but hey.. they aren’t going to call me and inform me when that day comes that they do support it. Surprise.. everything is exposed as of last night!! I don’t want that realization. I have thought about setting up a tunnel so I would have IPV6 access… but… Netflix. All the free tunnels have been used to get around their region bullcrap. And they know this. So they block them all.
IPv6 is not a mess. It’s incredibly cleanly designed. It’s also now responsible for about 45% of internet traffic; at current growth rates, it will be the majority inside of a year or two.
@pigster you are right. NAT isn’t a firewall but it also is almost always located in and facilitated by your firewall. Considering every router on the internet is going to drop private IP space, NAT is another layer of security. It also containerizes your local network logically.
The idea of allowing every device direct internet access sounds great on paper, but you are one firewall oversight away from allowing an exploitable device on the internet. This isn’t even getting into expecting the average Joe to deal with this.
Yes, this.
I so do not understand everyone’s willingness to sign up to put IoT devices out on the public internet just because the OEM has a cloud mgmt system and says they should. Any truly safe and well-designed IoT device should work from behind NAT and form a single session out to the cloud, not to mention should support completely on-LAN operation or through home assist.
I think a great many companies are insisting on putting all their products directly on the internet for the companies own convenience in troubleshooting knowing that they don’t have to deal with a consumer’s router – they are focused on their own profit instead of the consumer’s Internet safety.
Ya sure.. for the ignorant consumer that is perfect.
For someone with just a little more than two brain cells that can work together… skip the cloud crap. They should talk to some always-on master device on the LAN. This should be reachable via a port forwarded through the router speaking a secure protocol with good up-to-date encryption algorithms. Through this the user gets access on their cellphone, smartwatch or whatever.
That way all your data isn’t on some stranger’s system.
And the hardware you invested in will continue working even if they go out of business.
Also.. everything continues working (to the degree that is possible) even offline during an outage.
Just because you have a public (IPv6, because you can’t afford public IPv4 addresses) address on a device, doesn’t mean that it is accessible from the Internet. Your home router has a firewall, today and will have tomorrow. It is just that IPv4 NAT is such a mess that you need to figure out, AND then figure out the firewall rules.
With IPv6 you only need to handle the firewall, as there is no NAT. Which is a blessing.
And as your ISP will give you 256 public IPv6 /64 network LAN addresses, you can set up some networks for IoT stuff that phones home, separated by a firewall from your file server, and separated from your media servers and game consoles, and separate from your personal machines and your spouse’s, children’s and guests’ machines.
Just mainly managing networks, and not single machines in one single LAN, as in IPv4. And if one of your machines gets hacked and a tunnel opened, in this IPv6 network, you are still secured. Even your IoT stuff that phones home to their server still gets secured in a LAN of its own.
Security is easier with IPv6. And can be made even easier with some proper UI in the home router.
Okay that is fair, nobody wants every device they have on the public Internet, but at the same time the number that we do is growing and IPv6 simplifies that greatly. Being able to just slap a VM’s address into your firewall and DNS provider makes remote access to things like the Home Assistant front end dead simple.
Even better when one considers that ISPs should give you 256 public IPv6 LANs (that have a /64 netmask), which makes it easy to reserve some different LANs for IoT that phones home, your media stuff, your file server, your private machines, all your family members like children their own LAN. And so with guests.
You mostly only need to manage access between LANs. And a handful, at most, of servers.
Security is easier than with IPv4.
Sorry, you are not “swimming in addresses”. There are no CLASS routing addresses any more, that is an old obscure term not used any more. Year 1985 is calling to get that term back. You have had CLASSLESS routing in “modern” IPv4 networks since before 1990.
You do NOT have a public /16 IPv4 address, you probably have a private one that isn’t routable on the Internet. Which probably is one of these private address ranges: 10.0.0.0/8 or 192.168.0.0/16. The other private address range is not a /16 (which is as close to a class B network we now can get).
With IPv4, you have to use private addresses, and in the best case, you got ONE public IPv4 address on the external interface of your home router with NAT. In the worst case you will have CGNAT, and you are really locked down, with slower transfer speeds than you should have, and higher latency than you should have. ALL because of the hell of NAT.
A local network (LAN) in IPv6 has a /64 netmask for PUBLIC IPv6 addresses (which basically means the other 64 bits of the IPv6 address are for nodes, so you have 2^64 IPv6 addresses in your LAN).
There is only 2^32 total address space for IPv4, not counting that localnet (127.0.0.0/8) is not usable, nor the private addresses 10.0.0.0/8 and 192.168.0.0/16 and 100.64.0.0/10 for CGNAT, and a load of other addresses are not usable in IPv4.
So even if you use 192.168.0.0/16 for your nets with IPv4, you aren’t “swimming in addresses”. And your ISP should give you a /56 network to route, which is 256 of those /64 public IPv6 networks you get with IPv6. THAT is swimming in addresses.
And why do you need 256 LANs with public addresses? Because it makes firewalls much easier and not as prone to errors like IPv6.
You give an IPv6 LAN to your media machines. You give one or two IPv6 LANs to your IoT. You give your media and game machines one IPv6 LAN. You give your personal phone and gadgets one IPv6 LAN, as with the rest of the family. And you put up one IPv6 LAN for guests to use.
Now you make firewall rules based on network and not devices that share the same LAN. Much easier to make safe rules without needing to know every device.
And no, you use device names as God meant it to be used, not numerical addresses.
This is what I’m thinking as well. There’s 255 ones up for grabs, and if you actually manage to use all of those, it’s trivial to expand as well.
And then I read the part about ULA..!? Almost as if the ipv6 addresses are too long and bulky to use locally..?
I like the general idea behind ipv6 but then they went and got stupid, and that’s why it’s basically not in use. (Oh but the whole internet uses it blah you say..) Basically not in use.
Had it just been 0.0.0.0.0.0.0.0.0.0.0.0.192.168.0.1 then everyone and their mother would have had this in all of their gadgets since 15 years ago!
Instead it’s still almost impossible to just set up for a normal mortal, and why??
Actually returning to the smart home I started with: all good and dandy locally since the local units can have a local ipv4 and you will have to hire staff to maintain your units before you run out of address space. So the only real use case is when you want to add a non-local unit and have it talk to a specific unit in your local net. Or maybe several specific units. This is nontrivial with ipv4.
Although now you also have two exposed interfaces towards the internet that you need to make sure to lock down and keep updated, you should probably add a firewall or routing device either end and.. well you could use that to just expand your local net to the remote location, vpn?
Which is to say, not without its own issues but all of a sudden we have some difficult issues to solve but ipv4 is not one of them. If anyone wants to move to a new address standard then make ipv7 128-bit ipv4 and watch it conquer the world in a few years.
Only 255?
There’s the entire 192.168.x.x space, so 255^2 and the 10.10.x.x space, so a second group of 255^2 there. If you can use up 65000 addresses on an internal network, then I think you know enough to go from there and fix that problem (sub networks/nats, etc)
10.10? more like 10.-anything, to wit.
10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
so, 2^24, or 2^20, or 2^16 addresses in those spaces.
Though it is true that off-the-shelf consumer-grade routers might constrain you to a /24 subnet, but that’s just their limited software. (And possibly a defensive move to avoid provisioning the RAM for state tables.)
The IPv4 address is 32 bits, so a /24 net will give you 256 – 2 = 254 unique addresses, which are private and are not allowed to be used on the internet. So you need the ugly hack NAT.
The IPv6 address is 128 bits, so a /64 net will give you 2⁶⁴ addresses in each of your LANs. And your ISP should give you 256 of those LANs.
And yes, just because you have a public address doesn’t mean that you can be accessed from the Internet, unless you allow it. Because firewalls usually lock everything that isn’t allowed.
And with that number of LANs, you put each “security level” device in the same LAN. So your IoT devices in one LAN, and unlock/lock as needed in the router’s firewall for that LAN. Then you put your file server in one LAN, your media and game machines in one LAN. Your personal computers/phones in one LAN, your family members in one LAN each, and some for guests.
Then you only need to give access between each LAN, as you like. And maybe literally one handful of addresses for servers in the firewall.
Learn to use sipcalc or learn to read RFC and netmasks.
10.0.0.0/8 are the private addresses, or 192.168.0.0/16. But they are usually divided into /24 networks in a LAN. And those are private addresses, that can’t be and are not allowed on the internet.
While with IPv6, your ISP should give you 256 possible IPv6 LANs in one /56 network. All public addresses, so if you choose, you can make them accessible from the Internet. And each /64 IPv6 LAN has 2⁶⁴ public addresses. Compare to 2³² for ALL IPv4 addresses that exist. And lots of them can’t even be used on the internet, like 127.0.0.0/8, and those private addresses mentioned above (and there are more addresses that you can’t use in IPv4). Basically, for each IPv4 address, you can put one internet. And that will be the number of public addresses in ONE IPv6 LAN.
This makes it easy to set up your LAN with better security than you will with IPv4.
Like one LAN for your private computers (laptop, phone, etc), one LAN for IoT that phones home, one for each person in your household, one for each guest.
And all you need to manage is the firewall rules between LANs (and literally a handful of servers), which gets better security and is easy with a nice web UI for your browser.
It’s not impossible to set up; it’s trivial. Hell, almost all US cable ISP users are using IPv6 for the bulk of their traffic at home and aren’t even aware of it. Most home routers now just get v6 prefixes and advertise it to their home machines seamlessly.
I have, several times, talked to people who argued to me that IPv6 was too hard to use and would never get any adoption, only to show them they had themselves been using it for months without realizing it.
There’s a certain irony in the fact that home users who don’t know anything about networking almost all are using IPv6 in the United States now, because they don’t know enough to turn it off. Most of the people who are not using v6 at home are the more sophisticated users who have custom setups (like Linux based firewalls they hand crafted) who get angry about having to think about something unfamiliar.
One would think that people on a hacker site like this would like to have some network to learn about and set up, to hack to their liking and security.
But no, they are usually the most non-hacking persons.
You know that your ISP should give you one /56 IPv6 net for you to divide into /64 IPv6 LANs. All public addresses. So you can run as few or as many public servers as you want. No, NAT doesn’t have anything to do with security, it is just an ugly hack because public IPv4 addresses have run out.
And because you then have 256 public IPv6 LANs, you can just reserve one or two for your IoT, and lock those down to only be accessed by the IPv6 LAN you want to be able to access them. Making a secure firewall much easier.
Then you just add your media and gaming machines to one LAN. One for your devices, and one for each of your family members. And one or two LANs for your experimenting and hacking. And it is easy to set up machines in IPv6.
You just put those machines you want to be accessed from outside in a LAN, and then give them a preset IPv6 address that is added to DNS and only used to access from outside (or from your network). Then open the firewall to give others access to those servers. They can be static or given by DHCPv6. You can also see to it that some machines are given an address from DHCPv6, based on MAC address. Or you can just let some machines in some LAN get their own public addresses.
So with IPv6, you don’t need to restrict yourself because you only have one public IPv4 address, in the best case. You just give the router’s firewall some proper settings, and you have control over traffic between your IPv6 LANs, all 256 of them.
I honestly cannot understand why you’d ever want to run IPv6 internal. I have IPv4 and IPv6 to my router. Internally everything is IPv4. Nothing is routable unless I want it to be. IPv4 is so much easier to remember, reason about, and route internally.
For lack of having an IPv6 ISP, I set up a ULA on my internal network for the exercise of it.
If you try to reason about it like an IPv4 network, you’re going to have a bad time. You just need to embrace IPv6 for what it actually is, and then enjoy the benefits. I would consider link-local IPv6 a clear improvement over IPv4. I don’t need to remember any IPv6 addresses because the vast majority of my devices support mDNS. I just use hostnames internally.
I always disable ipv6 on my equipment!
I used to do the same until I wanted to expose a couple of services and ran up against the ISP’s CGNAT. Renting an ipv4 address was not feasible as a hobbyist for me here in India.
I’ve kind of embraced the ipv6 way of doing things now, and I’m no longer finding it all that painful anymore. Except when I find myself in a network that does what I used to do and disables ipv6.
That is a really bad practice.
If you don’t have any IPv6 router, there is no difference. No need to do that, for any reason. Certainly not for security nor performance.
If you don’t have an IPv6 router, you can’t use anything but IPv4 NAT to reach the Internet.
When you set up IPv6, you can easily set your devices in a LAN in IPv6 which is blocked in the router’s firewall, so they can’t access the internet and the internet can’t access them.
If you want devices to be accessed from the Internet, you put them in an IPv6 LAN which is open to/from the Internet. And you might want to let some devices access the internet; then you put them in an IPv6 LAN which the firewall in the router gives access to the internet.
Because NAT isn’t security, it is a bad hack. You still need a firewall in an IPv4 router.
And IPv6 doesn’t have NAT, because it doesn’t need it. So you just need to set up the firewall if you want a server accessible from the Internet, which is a mess to do with IPv4. And no security advantage at all compared to IPv6.
Setting up a secure network is so much easier with IPv6 than messing with firewalls and NAT in IPv4.
+1
Many retro fans also use CIFS protocol and IPv4 in a home network.
But there are also other users who’re using vintage Macs and Apple IIGS systems.
They may use AppleTalk protocol instead (a DOS network stack is also available, so PCs can join).
DOS gamers may still use IPX/SPX to play DOOM or Descent in a network..
You usually set up dual stack anyway, so it still will work for IPv4 devices.
And setting up and using IPv6 will not stop machines from using Novell Network (IPX/SPX), IPv4, AppleTalk etc. It will just not pass the router/firewall.
So adding IPv6 to your network actually has only advantages. Both in performance and security, as you should have 256 public /64 LANs with IPv6. And all IPv6 LANs should have /64 netmasks. Which gives 2^64 IPv6 addresses in a LAN.
Because of this, you assign devices to different LANs depending on security, and that makes the rules in the firewalls so much easier to write. No need to fight NAT.
I don’t get why people claim v4 is easier to reason about. The only thing that’s a bit easier is that the digit strings are shorter, but so what, you shouldn’t be memorizing your IP addresses anyway.
And with IPv6 you get 2⁶⁴ public addresses per IPv6 LAN, and you should get 256 such LANs from your ISP (that is one /56 IPv6 network). Which makes it much easier to manage security.
Just put devices that should only be able to initiate access to external devices in one LAN. Other devices that should also be able to be accessed from the Internet in another LAN. And then set up the firewall between the LANs in your router’s firewall.
New Apple OSes now require IPV6 to operate... without it your iCloud services break. If you block IPV6 you can’t do backups, get email properly, iCloud backups, get your targeted SPAM ads,...
What I want to know from the IPV6 fanboys is how do you have a firewall/LAN security when devices can start making their own router advertisements and bypass your firewall completely using tunnels. Yes IPV6 is secure by design…giving jailbirds the keys to the jail and saying everything is fine because the jail has secure locks isn’t good for anyone but SCAMMERS and SPAMMERS (aka google, facebook, etc)
The number 1 source of malware on the internet is still google. Scammers pay for google adwords and get their malware top postings on the “search” results. AI makes the search results even more useless.
You block tunnels in your firewall.
And as you should get 256 public IPv6 LANs with /64, you can use different LANs for different security levels, and then set up the firewall as you please, controlling security for different classes of devices.
You hardly ever add rules in an IPv6 firewall for single IPv6 addresses, you do the main rules between the different LANs you get.
Yes, security in applications will not and never will be fixed in the network layer. Not with IPv4 and not with IPv6. But that is another issue altogether.
Devices can do both of those things in v4 too. You deal with them in v6 the same way you deal with them in v4: RA Guard (same thing as DHCP Guard but for RAs) to prevent rogue RAs and inspect all traffic (including TLS MITM) to make sure nobody makes a tunnel.
Most people don’t bother with either on v4, but if you do then you can do the same thing on v6.
Well IPv4 and IPv6 are mutually exclusive. Yes, you can run “dual-stack” on your systems (support for both), but it will come laced with problems that are out of your control. Dual-stacking was the worst possible idea for IPv6 and that’s the reason it will NEVER get 100% adoption. I appreciate that an IPv4 address can be written as “::127.0.0.1” (for backward compatibility) but it should have stopped there. As long as my system supports both protocols concurrently, something will fail and it will cause more headaches than anything for any and all admins. That should have been left for routers only, where a router would always rewrite “IPv4” connections from 192.168.0.1 to ::192.168.0.1 and then forward the traffic to IPv6-only hosts. As long as we hold onto IPv4, we’re stuck with this abomination.
This is untrue. The fact that there are literally hundreds of millions of v6 users worldwide who know nothing at all about networking and aren’t even aware that they’re using v6 every day should tell you that dual stack works perfectly.
I have literally walked into the home of several v6 skeptics who have told me they would never use v6, and shown them that they were literally already using v6 for years and hadn’t been aware of it. Google’s stats say that about 45% of their traffic is now v6 on any given day, and it’s been rising quite steadily, so I think that claims that the whole thing doesn’t work are unsupportable.
I don’t see the problem you are trying to state.
Dual stack works, but you have to secure both.
IPv4 is easy, don't open reverse NAT. Nothing has changed, you just don't open the NAT backwards, as it is usually used today. Notice that NAT isn't about security; the firewall is about network security (not application security, which is another level).
The thing with IPv6 is that it brings back the Internet as it was supposed to work, where each machine on the Internet could, if allowed, access any other machine.
And as an IPv6 ISP should give you 256 public /64 IPv6 LAN network addresses, you should divide your network into different LANs. So you can easily put your IoT stuff that needs to talk to an Internet server in one LAN, which you lock down.
Then you put your game and media systems in one LAN, and lock that down as you want.
Then you put your ordinary computers in one LAN, or even one LAN per house member, like you get one LAN, your spouse gets one, the children get one, etc. And then you lock them down as you like. Give them access to whatever other LAN they need to access, and lock the rest down.
Much easier to have control over the access of your computers. And not put insecure IoT devices in the same LAN as your file servers, printers etc.
IPv4: let’s give all of the research facilities massive allocations.
IPv6: let’s give everyone massive allocations.
I can’t help but feel we’re repeating the same mistakes…
Let's give every shitty piece of equipment a public Internet address… so much fun for evil hackers.
Wait, 99,99% of the Internet users are data consumers and never host services!
You have a smart phone, don't you? You know that IP telephones are servers, even your smart phone is. So yes, many do host servers, in every IP telephone, which modern smart phones are.
And just because your device has a public address doesn't mean that the rest of the Internet has access to it. It could, if you allow it in your home router. But that is basically the same security as before. If someone hacks your router, you are screwed, with or without IPv6.
And as you should get 256 public IPv6 LANs from your ISP, you can put all IoT stuff that is controlled from external servers, which it phones home to, and which may even have some back door, in its own LAN, which you lock down as needed.
Then you have 255 other public IPv6 LAN networks that you can use for other stuff, like IoT stuff you have the code for and can trust; put that in another LAN. And you secure that in the firewall of the router. And then one LAN for your file servers, for your games and media, for your own personal computers, your spouse and children, and a guest LAN. And then you set up the firewall in your home router as you like.
Better security than what you have with one LAN and perhaps, if you are lucky, one public address.
Yes, smarter people than you and I have thought this through.
In this case, there are more addresses than atoms in the universe. We’re fine.
The thing is that the addresses are not linearly assigned, but are assigned within a semantic structure.
2^128 might be enough for all atoms in the universe, but is it enough for all volume of the universe, including the empty spaces between the atoms?
We feared exhaustion in the '90s less because we were coming up on 4.3 B devices, but more because the vast amount of that technically available space was unused since it was doled out in lots and included mostly non-existent devices by way of ‘classes’.
“So just make more space!” Some said. Some others said “NAT” the few devices into one address that is actually routable. And others said “CIDR” to make the granularity of the spaces more flexible. NAT and CIDR were temporary work-arounds, but here we are 30 years later and they're still holding fast. And even desirable in some cases as we became more aware of security issues of having things broadly directly addressable. NAT'ing routers became a handy place to consolidate your security efforts in the form of ‘firewalls’.
Actually, first was CLASS routing, which some people still use, like class B networks. (Please, please stop using that; even I have a hard time remembering that, except for the pain. Yes, I set up IPv4 for a university back in the second half of 1980, and we started to get rid of the pain with CLASS routing; remember how much better it got with CLASSLESS routing with netmasks.)
Then CLASSLESS routing was introduced, where each machine had to have a netmask. What a relief it was when we got the CIDR way of writing netmasks (like /24 after the IP address).
Then we could start using IPv4 addresses much more efficiently. The university could use just a part of a class B network instead of several class B networks.
Later in the 1990s, the shortage of IPv4 addresses arrived, and we started to use RFC1819 or private addresses, like 10.0.0.0/8 and 192.168.0.0/16, and had to start using NAT. Not a happy time.
Now with IPv6 we are back where we started, and should never have left. Where every machine on the Internet has a public address (which in IPv6 is 2000::/3, that is all addresses which start with 2 or 3). And we still have firewalls, which let us block network access we don't want to allow.
No, NAT is not about security. It is an ugly hack because we ran out of IPv4 addresses. But with IPv6 that isn't a problem any more.
Now we can use firewalls the way they are intended, and the Internet as it was intended.
And with IPv6, each ISP customer should get 256 public /64 LANs as is supposed. And the firewall can be between LANs and not on individual machine addresses. And we can stuff insecure stuff like IoT in its own LAN, without any access to our file server or private computers. We can see to that in the firewall of the home router.
Talking to ::192.168.0.1 is… nice, and all. Talking to fe80::11ad:e5eb:8b23:695a just plain sucks, though. Why they thought that kind of addressing was at all ergonomic is a flat-out mystery.
And that’s before getting into the fact that every interface has multiple IPv6 addresses…. Ugh.
Yeah, they could have done so much better. There is definitely a reason that IPv6 adoption is so damn slow, even though we do actually need it (or something like it) for the future…
It’s not a problem if you just embrace mDNS. Hostnames are even friendlier than IP addresses.
mDNS is great until you step outside its very limited use case. The primary and most important deficiency IMO: It does not play well with subnets or VLANs. It’s possible to bridge, but it’s not easy to get right, let alone to scale. And that’s just one of its weaknesses; it’s historically a very unreliable protocol.
In short: if you’re just a home user, mDNS will probably be fine. If you’re a business user with a network more advanced than an Xbox and a PC? Not just no, but *hell* no.
I’m honestly surprised that Apple makes it work as well as they do these days.
There’s a reason that your average sysadmin (or devops engineer in the modern) tends to remember IP addresses. We’ve had DNS for a very long time, and it’s very reliable — and yet we *still* end up needing to know actual IP addresses far more often than one would like, *even when DNS is fully available*. That will not change with IPv6.
IPv6 just takes it from “easily memorized” to “must have a reference document somewhere… at best.”
Yeah I have basically *never* used mdns… I have tried it several times, sometimes following some tutorial, with various results. A few times it has worked.
When it doesn’t work, I use ip. And 99% of the times I use ip, it’s because something already does not work, and I don’t need to add another layer that probably also does not work into the troubleshooting process.
I could look into configuring mdns to be more stable… But the thing is, when everything works, mdns is not competing against ip. It's competing against a bookmark or a link (on an already open page). It's one click vs several characters.
You were never intended to use IPv4 addresses and certainly not IPv4.
The link local IPv6 addresses are nothing like the private IPv4 addresses.
And if you want to access your server, then give it an easy IPv6 static address and put that in your DNS server. Or use mDNS, like it is meant to be used. Then you can use the same name when you reach your machine with IPv4 or IPv6 addresses.
Yes, every interface used to be accessed from the Internet or to access the Internet will get multiple IPv6 addresses.
– First is the fe80::/64 address, which is the link local address. This IPv6 address will be used when accessed from another/the same machine on the same link/LAN. Without this one, IPv6 will not work. So this is the only one that must exist, which you can't turn off.
– Second, if you have a router in the LAN, you could get a public IPv6 address in the IPv6 net 2000::/3, that is, starting with the digit 2 or 3. That one will use the LAN prefix (which is always a /64 network) that it gets from the router and make a public IPv6 address based on the MAC address, which generates the lower 64 bits of the 128-bit IPv6 address.
The second can also be generated from the network address but with the host part being randomized instead of derived from the MAC address. This can be configured on your machine, and can be turned on so it automatically gets the right public IPv6 address.
The middle of the host part will always be FF:FE and have a high bit set.
– Then you can set up, if you want to configure that, so outgoing traffic generates a temporary global address that is used for 5 minutes (or so), then a new one is generated. And as long as there are packets that could return to that address, that older address will still be there. So if you surf a lot, you can have several of these temporary addresses. Used so that web sites should not be able to trace your machine when it accesses the web site. You can turn this one off.
– Then you can, if you want to, set a public address that is used when you access the server, but not for surfing the Internet from the server. That is just intended to be used to access this machine, so it is usually added to an external DNS server, so others can reach this server through this address. Usually you have only one, but you can use several static ones, one for each service you set up. Might be useful if you set up servers on that machine. But this has to be set manually. And if you see to it that the middle of the host part is 00:00, then it will never mix up with the automatically generated addresses.
Not that hard, is it?
You only use the static address if you want to add that into a DNS. Apart from that, you use the machine name in DNS or in the link local mDNS. OR you use the static address that you created, if you make it easy to remember. You never use the FE80::/64 address you mentioned when accessing an IPv6 machine. Not on the Internet nor in your LAN.
There is another major problem: IPv4 routing can be done without software, just 16-bit counters and relays are enough.
This is impossible with IPv6.
It needs security patches for all systems and I can assure you that’s gonna be a problem in the long use.
+1
That’s akin to the transition from RS-232 to USB, I think.
With RS-232, you could still drive transistors directly and control logic circuits without a computer (just TTL logic, counters, flip-flops etc).
Especially the RS-232 status lines were handy here. Like having a 4-bit parallel port.
USB complicated this, because it now required a microcontroller somewhere in the chain.
Or let’s take ISA bus. It’s still not entirely dead. Server boards and Indus boards still have PC/104 or ISA.
That’s because ISA bus can directly interface with standard TTL parts.
No microcontroller or bus controller needed on the expansions card.
It's pure logic, A/D and D/A converter ICs, some address decoders.
No, this is plainly not true.
Where IPv4 is 32 bits, IPv6 is 128 bits.
There is more to IPv4 (and IPv6) than just 16-bit counters (you need 32-bit counters),
I love how NAT and IPv6 are still massively misunderstood.
NAT is not a security mechanism. Firewalls are. Your router still decides what is allowed in with IPv6, and should default to deny incoming connections. Only connections you explicitly allow inward should get in.
With IPv6 you don't need NAT, and while the 64/64 split is generally true, there are other setups for subnets out in the wild. Not every ISP is gonna give you a /64, some will only give you a single IPv6 address and you're SOL for anything more. As some others have pointed out, getting rid of NAT fixes things for several protocols that have to send data through multiple connections (FTP, SIP/RTP, IRC/DCCP) and makes it so you don't need to do stupid tricks to find out your public IP address, and trick your router into mapping ports in (STUN protocol).
“But NAT hides my internal network structure” – Not really. 99% of NAT’ed networks use 192.168.0.1 as their gateway thanks to home routers coming with that default. Cable Modems & DSL modems have fixed local IPV4 addresses that are pretty easy to guess by ISP, often with default passwords that the user hasn’t got a clue about. There have been successful CORS attacks against home routers & cable modems. All NAT is giving you is a false sense of security through obscurity.
Thank you! If anyone is using NAT as a de-facto firewall – relying on not having a WAN IP per device instead of a correctly configured firewall – then they are doing it wrong!
Then there must be a lot of people using it “wrong”, I suppose. 🤷♂️
Welcome to the general world Joshua. I see you have not spent alot of time here, but I’m sure you will like it.
As to your question, yes unfortunately, that is the usual behavior of most people.
“But NAT hides my internal network structure”
Nobody said that, in either the article or the comments. From the conception through to the inception of IPv6, all your devices are intended to be routable from anywhere else on the Internet. IPv4 was not designed for that, that's the entire point that was made.
Beyond that… what year are you living in? 192.168.0.1 default IP? default passwords? you even referenced FTP up there?
Just to reiterate… you really just stated “IPv6 will make FTP work better”
That’s not true, is it? IPv4 was designed to put all devices on the internet from the start in 1983. It was about 11 years later that address depletion became a problem and NAT’s were invented as a stopgap.
Wait, what? No! IPv4 absolutely was designed and intended to use globally routable addresses for everyone. The reason we didn’t realize that intention is because we ran out of IP addresses.
s/The reason we didn’t realize that intention is because we ran out of IP addresses./The reason we started forgetting that design decision, was when we started believing that NAT was a solution/
“All NAT is giving you is a false sense of security through obscurity.”
Are you absolutely sure about this?
Because if you’re wrong here,
you're essentially telling people it's not worth being used as a safety mechanism.
Which in turn makes you responsible for their trouble.
Not from a legal point of view, maybe, but it's indirectly your fault then.
It's comparable to people saying they need no anti-virus software, I think.
As far as I remember, vintage OSes like Windows 98 and XP SP0 used to be infected within minutes when being exposed directly to the internet.
This was common in the dial-up/modem days before we had DSL routers with “firewalls” (port filter/packet filter) and NAT feature. Back then it was still common to have dumb DSL/Cable modems at home, too.
Nobody asks you to directly expose any OS to the internet. IPv6 routers still contain a firewall. Removing NAT doesn’t mean removing the firewall as well. They will still block incoming connections as usual unless you explicitly forward a port.
Also, I’m pretty sure that Win98 and XP getting infected had nothing to do with network equipment.
He is absolutely right
NAT is not a security measure – never was – never will be
as such people must be told not to use NAT as security measure. Correctly set firewall rules are a security measure – NAT is not.
“you’re essentially telling people it’s not being worth to be used as a safety mechanism” – that is correct – NAT is not a safety mechanism – it is very bad to tell people that it is – that can actually lead them into trouble.
The security measures must be designed in a way, that if you remove the NAT, nothing changes. Home routers almost always have firewalls that you can’t turn off, so that’s fine.
“It’s comparable to as people telling they need no anti-virus software” – that would be comparable to saying “you don’t need firewall” – nothing to do with NAT.
This is why I have IPv6 off: TPLink defaults to allowing all inbound IPv6 connections with no config option.
And I don't have the time or extra money to get and set up an extra firewall to sit between my router and the rest of my network.
“TPLink defaults to allowing all inbound IPv6”
A quick internet search shows that to be completely false. I’m not sure where you are getting this information from, but it’s wrong. Spreading false information like that helps no one.
If you can prove me wrong I’d love to see it, but I certainly haven’t been able to find any instances of that being true.
It’s not that NAT is a security mechanism itself, but that IPv4 behind NAT makes it easy for people to reason about their home firewall setup and get it right. The structure of IPv4 addresses makes it easy to think about VLANs and Subnets – it is visually obvious which addresses go together. IPv6 addresses are more confusing to look at and visually not as distinguishable. I feel there’s more risk of me missing something and creating a vulnerability when I’m trying to reason with IPv6.
Then you do it wrong.
You should get something between a /60 and a /58 (16-256) network from your ISP. If not, change to one that knows what they are doing.
Then you can just add a different public /64 LAN to each of your VLANs. And you don't need to think about subnets, as each LAN in IPv6 SHOULD be /64. Even in tunnels where you only have two addresses.
So if you just start thinking about IPv6 as what IPv4 should have been, and how it was when I was administrating IPv4 networks at the university back when there was no NAT, around 1990, then it will be easy.
IF some ISP isn't giving you an IPv6 network with /64, sue them to get your money back, and run from them.
Each customer of an ISP SHOULD HAVE at an absolute minimum a /60 network, which is then divided in your home router into 16 /64 networks. But then, consider changing ISP, because then they are stupid, and should not run an ISP.
A customer should actually have a /56 (or a company a /48) network which is divided into 256 /64 networks by your router. Then you can use those 256 IPv6 LAN addresses to divide your network into different LANs. For instance one for all your computers, one for each household member, some for guests. One for IoT that phones home. One for your file server etc.
Then you set up the firewall so that the IoT LAN only can be reached from your other LANs, and only can reach the servers the devices need to phone home to.
Much easier to manage LAN and security this way.
But yes, NAT is 100% not security.
And yes, IPv4 NAT only hides your computers behind ONE public address. They can still trace your machines IPv4 address.
With IPv6 you can set up your machine so it generates a new IPv6 address in your /64 LAN every 5 minutes when you surf a web site. Those IPv6 addresses will be totally useless to track your machine. Even less so than the IPv4 NAT address.
So yes, IPv6 hides, by design, your internal network structure. Which IPv4 does not.
And as you wrote. That IPv4 address that is stored in those web servers you connect to goes straight to your home router. And with a database and the nmap command, you can even know what version of the software you run on your home router. And use that to choose the right attack if it is known.
That you don't get with IPv6 and randomized outgoing IPv6 addresses for surfing. Hm, I didn't even think about this problem with NAT.
I love IPv6 I think if you run services on the internet it is by far superior to IPv4 – it is not vastly different. I am changing ISP and have to live without my protocol 41 IPv6 in IPv4 tunnel for the next few weeks and it makes me very sad.
With the extra IPv6 frame efficiencies I found I had superior bandwidth over IPv4, and honestly people always make a big deal of having a “huge subnet” – your allocated subnet size is only of consequence if it is too small – some providers only allocating a /128 – now that is something to complain about.
On the servers I regularly block /64’s and it is a huge time saver with attackers – much less spread than with IPv4 /29’s, /32’s allocated as they are ad-hoc (census et al.).
My biggest shock was that the RFC for IPv6 was accepted pre Y2K, so it is mature and there are no real show stoppers now to using it in any use case – it is baked into proper network for at least a decade.
With respect to application developers when catering to IPv6 you just have to adjust your table-column widths definitions, and perhaps add a little bit of logic to validate addresses – it is not a massive burden.
If you make the leap to at least dual stack – I can assure you, you will not regret it.
I am not sure I care if my ENC28J60’s and their MCU’s want directly addressable addresses – but the real computing machinery I own will always and forever be IPv6.
I honestly cannot wait to see the back of IPv4.
“What’s our IPV6 strategy?”
A tale as old as time.
I see absolutely no point in using IPv6 for devices inside a local network, how many devices do you think you need to connect on a LAN to be able to run out of addresses? Why do you want your devices to be directly exposed to the outside world? IPv6 is all nice and dandy but I see it more useful only for devices that actually need to be exposed to the outside world. From a security standpoint I prefer network segmentation, and besides that IPv4 is so much easier both to set up and to remember. IPv6 exists and has its use cases, doesn’t mean that you should necessarily switch to it in any case, for a home LAN for example I don’t see any reason to do so.
The thing isn't about running out of addresses. It is about IPv6 being objectively better than IPv4.
It is about all devices having a public address, and you can, if you want to, make devices accessible from the Internet.
Notice, accessible, IF you want to, and open the firewall for the device.
And about network segmentation, you get a /56 network from your ISP that you can divide into 256 different public IPv6 networks (as it should always be /64 in a LAN). And you can then put your devices that phone home, that is IoT devices that you buy, in that LAN. And then open and close the firewall between different LANs and the Internet as you like.
No, IPv6 is easier to set up, as you only need to add the device to a LAN and it will work with no infrastructure. And with just a router, if you want to. Or with a DHCPv6 server if you want to.
And you really should not use IPv4 or IPv6 addresses, you should use mDNS or DNS for accessing machines. And with DNS you can use the same name for both IPv4 and IPv6.
So for a home LAN, you should use IPv6 because it is as easy, or easier, to manage as IPv4, and you can easily add security by dividing the network into different LANs depending on how you classify the device.
And lastly, it is just a disturbance to have IPv6 for devices that should be accessible from outside, because that makes a difference that doesn't need to be there, and you would need to know which devices have IPv4 and which have IPv6.
Lastly, IPv6 is a new thing to learn and hack with. And this site is devoted to hack stuff, isn’t it? :-)
Strange to see so many on a hackaday forum whinging about the superiority of security through obscurity.
The whole point of an Internet is well, interconnectivity. When you duct tape fixes 7 ways from Sunday because you are too lazy to configure a firewall, you have cut several parts of that net.
Base 16 is definitely harder to remember, especially since we don’t have supercomputers in our pockets and bags, or fiber tablets to draw on.
Yes, security by obscurity is NAT and IPv4.
And strange to see so many complain about new stuff to tinker with on a site that is devoted to hack stuff.
Yes, the point of the Internet is about connectivity, that each device should be able to connect to any other device if allowed. And IPv4/NAT ruins that. IPv6 is restoring what the Internet was all about from the beginning. Interconnectivity.
Why should you learn base 16? Which is about as hard to remember as decimal numbers in IPv4. But again, who enters numerical addresses in 2024? You should use mDNS or DNS instead and the machine name.
What is missed in this whole discussion is the trend of zero trust networking. ZTN will become ever more prevalent as a security model going forward. (see twingate, netbird, et al.) One will not be provided services without an approved token for critical systems.
What effects does that have on a network? I would advocate that in a ZTN large flat address spaces become the norm. No longer is the network used as a security realm. It's all pushed to the application layer. In that realm of a very large, very flat address space then autonegotiation of the base layer IP has IPv6 for the win.
i will someday have to learn IPv6, i suppose. i do think it’s great to have a lot of global addresses. and i don’t like NAT.
for local things, it seems dumb…a lot of things on my local network today really should be given external addresses and they use NAT. but i also have a few truly local things, and i don’t want them to be globally-addressable at all. really, having a lot of external addresses would be nice in that it would free up my local network for truly local things.
this ULA idea is new to me. i like it. i have run into conflicts before, like when i upgraded to fiber internet, my router really wanted its configuration interface to be 192.168.1.x, and i had to go through a bunch of contortions to reconfigure it for 192.168.100.x before i could use it. and my VPN addresses are all assigned around the requirement of not conflicting with my work VPN.
but i am concerned about the ‘ergonomics’ (good word) of this. i like to use /etc/hosts or dns to save typing as much as the next guy, but i definitely find myself in the position once in a while of typing 192.168.1.254 or 10.3.0.1, when something is broken or new. i’m not excited about typing IPv6 addresses even once.
This is a common misunderstanding of IPv6. You are not required to use global addresses in IPv6. If you have things which are local and which you would like to be local-only, you can use link local IPv6 addresses.
Yes of course you can, but with millions of IP addresses available behind the RFC 1918 IP space, why in the world would any homeowner need to? I couldn't use up all of the IPv4 NAT private IPs if I tried.
And every single one of my neighbors could repeat the same trick endlessly and simply not to our carrier's public IP.
If getting a computer online is teaching a one legged man to walk, IPv4 is teaching them to walk with a peg leg, and IPv6 is teaching them to walk with a prosthetic leg, then IPv4 with NAT is teaching a one legged man to walk by jamming a broom in his rectum and calling it a peg leg, no matter how nice a broom or how much practice you have with it it’s still a pain in the ass.
You still don’t get it, do you?
It is not about the number of addresses, even if it is good to have 2⁶⁴ addresses instead of 2⁸ to 2²⁴ addresses in IPv4. It is about RFC1918 addresses not being usable on the Internet, even if you want to. But all IPv6 LANs which you got from your ISP can be, if you want to.
It is about being able to make stuff available on the Internet, if one chooses, by just opening up the firewall. That all 256 IPv6 /64 LANs you get from your ISP can be used to divide your network into security-divided LANs. One LAN for IoT that phones home with its own network address, one for your media and game computer LAN, one for your private computers, one for your servers like file server, etc.
And all have public addresses that you can open or close as you please, based on public IPv6 network addresses. Between your LANs and the Internet.
And IPv6 is a better design, and easier to configure and set up a firewall for security.
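As an added example (not code from any commenter), here is a small Python model of the layout described in several comments above: carve the ISP's delegated /56 into named /64 LANs and express the firewall as rules between LANs rather than between single addresses. The /56, the IoT vendor's "phone-home" prefix and the one published server host are constructed placeholders in the 2001:db8::/32 documentation range.

```python
import ipaddress
from typing import Dict, List, NamedTuple, Tuple

Net = ipaddress.IPv6Network


def carve_lans(delegated: str, names: List[str]) -> Dict[str, Net]:
    """Split the prefix delegated by the ISP into /64 LANs, one per name, in order.
    A /56 yields 256 of them, a /60 only 16."""
    block = ipaddress.ip_network(delegated)
    if block.prefixlen > 64:
        raise ValueError("need at least a /64 to make one LAN")
    subnets = block.subnets(new_prefix=64)
    return {name: next(subnets) for name in names}


def zone_of(addr: str, lans: Dict[str, Net]) -> str:
    """Map an address to the LAN it belongs to; anything outside our /64s is 'wan'."""
    a = ipaddress.IPv6Address(addr)
    for name, net in lans.items():
        if a in net:
            return name
    return "wan"


class Rule(NamedTuple):
    src_zone: str
    dst_zone: str
    dst_nets: Tuple[str, ...] = ()   # empty means any destination inside dst_zone


class Flow(NamedTuple):
    src: str
    dst: str
    state: str           # "new" or "established"
    proto: str = "tcp"


def evaluate(flow: Flow, rules: List[Rule], lans: Dict[str, Net]) -> str:
    """Accept or drop one flow the way a stateful, zone-based router firewall would."""
    if flow.state == "established":
        return "accept"        # replies to connections we already let through
    if flow.proto == "icmpv6":
        return "accept"        # IPv6 needs ICMPv6 (ND, PMTUD); real rulesets filter by type
    src_zone, dst_zone = zone_of(flow.src, lans), zone_of(flow.dst, lans)
    if src_zone == dst_zone and src_zone != "wan":
        return "accept"        # same /64: the traffic never crosses the router
    dst = ipaddress.IPv6Address(flow.dst)
    for rule in rules:
        if (rule.src_zone, rule.dst_zone) != (src_zone, dst_zone):
            continue
        if rule.dst_nets and not any(dst in ipaddress.ip_network(n) for n in rule.dst_nets):
            continue
        return "accept"
    return "drop"              # default deny, which covers everything unsolicited from the WAN


def home_policy() -> Tuple[Dict[str, Net], List[Rule]]:
    """Constructed example policy; every prefix here is a placeholder, not a real allocation."""
    lans = carve_lans("2001:db8:100::/56", ["computers", "servers", "iot", "guest"])
    vendor_cloud = "2001:db8:ffff::/48"                 # hypothetical IoT vendor's servers
    file_server = str(lans["servers"][0x10]) + "/128"   # the one host published to the Internet
    rules = [
        Rule("computers", "wan"),
        Rule("computers", "servers"),
        Rule("computers", "iot"),               # we may talk to IoT gear; it cannot start talking to us
        Rule("servers", "wan"),
        Rule("guest", "wan"),
        Rule("iot", "wan", (vendor_cloud,)),    # phone-home only, nothing else out
        Rule("wan", "servers", (file_server,)), # the only inbound hole
    ]
    return lans, rules


if __name__ == "__main__":
    lans, rules = home_policy()
    for name, net in lans.items():
        print(f"{name:10} {net}")
    sample = [
        Flow("2001:db8:100::10", "2001:db8:100:2::1", "new"),        # computer -> IoT
        Flow("2001:db8:100:2::1", "2001:db8:100::10", "new"),        # IoT -> computer
        Flow("2001:db8:100:2::1", "2001:db8:ffff::5", "new"),        # IoT -> vendor cloud
        Flow("2001:db8:100:2::1", "2001:db8:1234::5", "new"),        # IoT -> somewhere else
        Flow("2001:db8:1234::5", "2001:db8:100:1::10", "new"),       # Internet -> file server
        Flow("2001:db8:1234::5", "2001:db8:100::10", "new"),         # Internet -> a computer
    ]
    for f in sample:
        print(f"{zone_of(f.src, lans):9} -> {zone_of(f.dst, lans):9} {f.dst:24} {evaluate(f, rules, lans)}")
```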
My primary issue with IPv6 is that it's hard to block unwanted IPs.
And if I used it I would probably find I had devices and software that would choke on it because they/it are too old?
One time I blocked a site I disliked but I had IPv6 enabled and so my browser went to the site anyway and I was WTF until I saw it automatically went to the IPv6 version of the site since it would not find a route to the IPv4 version… Such wonderful convenient automation eh. Almost AI-like.
Why do you think it is any harder to manage a firewall with IPv6 than IPv4?
How old is your stuff? Is it from the last millennium? If it is 20-25 years old or younger, it should be able to use IPv6. And you usually still have dual stack. Where your IPv4 is still using NAT, and not able to be reached from the Internet, even if you wanted. But with IPv6 all devices can be reached from the Internet, if you want to, and fix the firewall in your router to let them be accessed. No need to try to convince a NAT and a firewall to work together, instead of just manipulating a firewall.
Yes, IPv4 and IPv6 are different protocols (you know, different names), so they use different firewalls.
The Internet, IPv4 and IPv6, is designed to circumvent all hindrances in the route between the sender and receiver. It is old military stuff that was designed to withstand a nuclear attack bringing down some communication centers. Still working.
So you say it still works, great. :-)
I like to be able to memorize an IP address at least for a couple seconds. Makes all the difference for me…
Well. How about fe80::1, is that so hard? Just set the static address of that machine to this.
Or if you have a global address, where the LAN netmask is always /64, thus the network is the first 64 bits.
Example 2001:dead:beef:020::10/64 or 2001:dead:beef:020::11/64
Are those that hard?
Remember, IPv6 is designed from the beginning to have many addresses, which IPv4 was not.
And really, do you really need to remember an IPv6 address, when you use DNS or mDNS in a link-local context? Then you only need to know the name, not any numbers, decimal or hexadecimal. I do prefer to remember names rather than numbers.
1: A link-local address that always starts with fe80::/64, and the second half is based on the device MAC address or a random 48-bit number. One bit in the top 16-bit group of the four in the node address part is set to 1, with FF:FE in the middle. This is link local and it always exists. If the link-local address didn’t exist, IPv6 wouldn’t work.
2: A global address (always starts with 2 or 3, that is 2000::/3) whose network part (high 64 bits) it gets from the router, and the lower 64 bits are from the MAC address, like link-local, or random, like link-local. This generation of global address can be turned off.
3: A global address that is given by a DHCPv6 server. Works like DHCPv4. Can be random or statically set like with IPv4 DHCP. Can be turned off, or used instead of 2.
4: A dynamically generated IPv6 address where the host part is randomly generated. This is only used until a new one is generated after 5 minutes or so. It is used for all traffic that goes out to reach other servers, for surfing web sites for instance. When a new one is generated the old one stays until all packets that are expected to come back have come back or timed out. So there might be many of this kind of address. Used so web sites should not be able to track what one does based on the IPv6 address. It is for privacy. You can turn this off.
5: A static address, that you set manually, and that is used in DNS to reach a certain service and needs to be set statically so it doesn’t change. Only used for identifying services. You can have more than one of these. Can for instance be the simple type in the beginning.
I administer a couple of Linux machines for my parents who live on the other side of the country (long story short, I don’t want to put out Windows fires every week), and having everything set up with IPv6 actually simplifies things. (Well, it would if I also didn’t have to keep IPv4 going too)
Of course there’s a firewall. In fact, everything except port 22 (SSH) is blocked. But it’s super nice to just `ssh dadscomputer` wherever I am to log in when needed. I even have DNS set up so that I can `ssh dadscomputer.mydomain.com` if I’m away from my normal shortcuts. No need to remember IPs or forwarded ports. If I’m doing it from my phone though, I usually have to shut off Wi-fi as most networks don’t do IPv6 :/
As far as security goes, all accounts must use public keys (except for mine, but I have a strong password). I actually see more login attempts from port-forwarded IPv4 (on a nonstandard port) than IPv6 on port 22. Each machine gets 2-3 IPv6 addresses, depending on how it’s feeling:
* SLAAC-configured temporary address (cycles every so often; outbound connections are supposed to use it for “privacy”)
* SLAAC-configured static address (based on MAC, I might disable this)
* DHCPv6 address (gets associated with public DNS entry by DHCP server)
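The MAC-derived (EUI-64) interface identifier and the address scopes described in the numbered list above, and the SLAAC static/temporary addresses listed in this comment, as an added example that is not from either commenter: it builds the fe80::/64 and global SLAAC addresses from a MAC, classifies addresses by range, and tells a MAC-embedding identifier apart from a random (privacy or DHCPv6) one. The MAC and prefixes are constructed sample values.

```python
# Added example (not from the original thread): modified EUI-64 derivation,
# SLAAC address construction and scope classification for IPv6 addresses.
import ipaddress

IID_MASK = (1 << 64) - 1  # low 64 bits = interface identifier


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 (RFC 4291): split the 48-bit MAC in half, insert
    ff:fe in the middle and flip the universal/local bit (0x02) of the
    first octet. Returns the 64-bit interface identifier as an int."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix (fe80::/64 for link-local, or the /64 the
    router advertises) with the EUI-64 identifier of the MAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def classify(addr: str) -> str:
    """Name the address scope using the ranges given in the comment."""
    a = ipaddress.IPv6Address(addr)
    if a.is_link_local:                          # fe80::/10
        return "link-local"
    if a in ipaddress.IPv6Network("fc00::/7"):   # unique local (ULA)
        return "unique-local"
    if a in ipaddress.IPv6Network("2000::/3"):   # first nibble 2 or 3
        return "global"
    return "other"


def iid_is_mac_derived(addr: str) -> bool:
    """True if the low 64 bits carry the ff:fe marker of an EUI-64
    identifier, i.e. the address embeds a MAC rather than a random
    (privacy/temporary or DHCPv6-assigned) interface identifier."""
    iid = int(ipaddress.IPv6Address(addr)) & IID_MASK
    return (iid >> 24) & 0xFFFF == 0xFFFE


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"  # constructed sample MAC
    for prefix in ("fe80::/64", "2001:dead:beef:20::/64"):
        a = slaac_address(prefix, mac)
        print(a, classify(str(a)), iid_is_mac_derived(str(a)))
```

Running it prints the link-local and global addresses for the sample MAC; a temporary (privacy) address from the same host would classify as global but return False from iid_is_mac_derived.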
I’ve been running dual stack for several years now. Everything on my network except for some IP cameras supports IPv6, but those are isolated on their own VLAN anyways. It’s very nice to be able to access things using the same domain whether I’m at home or connected over 5G. I don’t have to mess with a VPN unless I’m using some crappy public WiFi that doesn’t support IPv6. I don’t get all of that bot log spam that I had on IPv4 either.
I have a problem with this “NAT is not a firewall” stuff. I agree that it isn’t one, but the old way isn’t stupid.
The alternative is like saying if your locks work properly, every room in your house should have a door to the outside. But there’s no need to create a door to get into your bedroom closet from outdoors, no matter how good the lock is. Make them go to the front door and only forward those things that you actually want to expose.
You may already do something similar in layer 2, isolating wireless clients from each other or separating iot devices from trusted devices by not defining a way to go from that port or vlan to the other port or vlan, for example.
Along similar lines, having a separate network and then natting invalidates the idea of (some) communication by requiring you to define how it may occur before it can exist, rather than having it fully ready but just turned off. It may often end up about the same; if your firewall gets compromised you’re going to have a bad time no matter what, but still. Plus, for all that having very limited public addresses can be annoying, I have some reading to do before I can understand whether the privacy measures being used for ipv6 might not still reveal too much about the origin of traffic by device in the same building as compared to funneling everything out of the same address like ipv4.
Exactly, NAT can help give you less attack surface. The easiest solution to the exhaustion problem is just for the ISPs to use IPv6 for the WAN, and we all can use IPv4 for LAN. You can implement IPSEC with IPv4 too.
“I could have done it in a much more complicated way,” said the Red Queen, immensely proud.
Lewis Carroll