A joke in networking circles is that the switch from IPv4 to IPv6 is always a few years away. IPv6 was introduced in the early 1990s in response to the feared imminent IPv4 address drought brought on by the blossoming Internet, yet decades later it still has not displaced its predecessor. In an article on the APNIC blog, [Geoff Huston] looks back on those years to try to understand why IPv4 remains a crucial foundation of the modern Internet while IPv6 has barely escaped the need to (futilely) tunnel through an IPv4-centric Internet. By a straight extrapolation, [Geoff] estimates that it would take approximately two more decades for IPv6 to truly take over from its predecessor.
Although a significant part of the Internet is nowadays reachable via IPv6 and IPv6 support is standard in every modern mainstream operating system, the ‘IPv4 address pool exhaustion’ apocalypse has, for some reason, not happened (yet). Perhaps ironically, this might, as [Geoff] postulates, be a consequence of the lack of planning for and pushing of IPv6 in the 1990s, with the rise of mobile devices and their use of non-packet-based 3G throwing a massive spanner in the works. These days we use a contrived combination of TLS Server Name Indication (SNI), DNS and Network Address Translation (NAT) to provide layer upon layer of routing on top of IPv4 within a content-centric Internet (as with e.g. content distribution networks, or CDNs).
While the average person’s Internet connection is likely to have both an IPv4 and an IPv6 address assigned to it, there is a good chance that only the latter is a true Internet IP, while the former is just an address behind the ISP’s CG-NAT (carrier-grade NAT). That breaks a significant part of the (peer-to-peer) software and services that relied on being reachable across the IPv4 Internet via, say, a firewall port-forwarding rule. In a way this has left both the IPv4 and the IPv6 sides of the Internet broken in their own special way compared to how they were envisioned to function.
Much of this seems to be due to the changes since the 1990s in how the Internet is used, with IP-based addressing of less importance, while giants like Cloudflare, AWS, etc. have now largely become ‘the Internet’. If this is the path we stay on, then IPv6 may truly never take over from IPv4, as we will transition to something else entirely. Whether that will be something akin to the pre-WWW ‘internet’ of CompuServe and kin, or something different altogether, will be an exciting revelation over the coming years and decades.
Header: Robert.Harker [CC BY-SA 3.0].
Don’t look at me, I have v6 disabled in my home systems’ kernels and plan to keep it that way until I either can’t get a v4 address or they start charging extra. There’s no upside to me to have to keep track of two stacks, since you can’t reach many things without v4 still, only extra work.
Meanwhile I’m over here and have had to do a grand total of bupkis to take advantage of IPv6. I don’t see any valid reason to disable it in my house, it hasn’t caused me any issues.
That’s the thing, you’re not gaining any “advantage” at all and you’re losing even the minimal protection home NAT gives against intrusion. Plus, if you run a firewall like you should, you now have to maintain two sets of iptables||nftables rules; which is my main objection.
The advantage is not having to care about it at all, since the whole thing is already properly pre-configured anyway. In your case you still had to reach inside your systems and flip that ipv6 switch off.
You realize that applies to v4 as well, yeah? This is not an argument you can win. It objectively and measurably takes more effort to admin a home network of v6 boxes than v4 and if you want to be able to reach the entire Internet you need to put the further work in to make that happen either through a 6to4 gateway or by running dual stacks.
No, you do not gain by running v6-only unless it’s a business situation and your provider charges for v4 addresses. You in fact lose. Always.
To add to Mighty Buzzard’s point, “properly pre-configured”? Are you sure? It’s very unlikely it is actually secured properly, to the extent that many orgs currently block or otherwise disable IPv6 to prevent security issues in addition to removing maintenance overhead and literal hardware overhead.
It’s not free, and it’s not helping you in any way. Believe me, 25 years ago I was all for it, 15 years ago I was still trying to find excuses to use it myself, not anymore. We can wait for it to mature.
My home network is dual stack, didn’t really need to do anything for that, it just worked. According to the ISP gateway around 67% of traffic is over v6.
Dodo: You obviously don’t run a firewall. No, the one that comes with your router does not count. Most of them default to everything being wide open or nothing open at all, which requires extra administration, which was the entire point.
Are you the mighty buzzard from sn?
Yup. There’s only me and one other guy with the handle as far as I know, so if it’s tech stuff it’s probably me.
Hm
How, exactly, is an autoconfiguring network stack more work? And as address space is the single least-significant part of the protocol, why is that your focus?
Autoconfiguring? It’s going to write my iptables/nftables rules, is it? No. V6’s much touted “autoconfiguring” is nothing but glorified DHCP, which v4 also has. So, using every bit of v6’s shiny magic that I keep hearing about, it’s exactly the same amount of work to set up. Except you can’t memorize the addresses as you do so like you can with v4.
One obvious part that’s not the same is running dual stacks means literally twice the firewall work.
My understanding is that the mobile carriers and most ISPs use v6 internally but v4 at the edge because of the clients.
They are used for specific things, and cell is the only area where provisioning a routed ipv6 address is widely done. Most cell provider use is for the addressing and tunneling.
I am still on IPv4 because almost no consumer grade routers support doing IPv6 and being able to filter which devices on the network are actually publicly accessible. I would rather not have my 3D Printer and Thermostat on the public internet. BUT my home server needs to be.
You could solve that by taking them off DHCP but that would inevitably cause headaches down the road.
They do, but, and take this seriously, do not rely on your consumer router to provide protection when you use IPv6. Just disable it and be satisfied you have lowered the resources necessary for it to manage your network.
ahem pfsense. oh my bad he said consumer. and i can’t uncheck that allow ipv6 traffic checkbox enough! wait ipv6 that’s 128 bits right how will i ever ssh into vms? I’ll never remember! oh hah dns hostname. i imagine it like when i had a wall phone i knew all my friends’ phone numbers by heart. you had to. or write them down then cellphones gave them all hostname lookups!
Just get Google and Bing to start lowering the search rankings for sites that don’t support IPv6 and most of them will start supporting it soon.
I would love to be able to run my network IPv6 only without having to use workarounds like NAT64 and 464XLAT to access legacy sites. IPv4 should have died 20 years ago.
Why? Do you have a logical reason to run a more difficult to use stack or does it just give you a special feeling in your trousers to use newer stuff?
See, right now I can remember every v4 address on my home network with no effort. And I can memorize an arbitrary one from the great wide Internet in a scrolling log at a glance. How long does it take you to commit a complete v6 address to memory? That alone is enough to make it an inferior stack unless it can come up with some major improvements to warrant that big of an inconvenience.
I’m stuck on CGNAT for IPv4, so I have to use IPv6 for anything I want to access away from home. I just assign a subdomain to everything I need to access so I don’t have to bother memorizing IP addresses.
Websites that support IPv6 are also nicer to use. IPv4 only sites give lots of CAPTCHAs for CGNAT users.
Tailscale, for same reason.
Okay, that’s a legit reason to run dual stack. It’s not terribly common among US ISPs from what I can tell though. More so in phone carriers, because you’re going to be using wifi half the time or more and it ceases to be their problem.
Autoconf is hardly more complicated.
I can remember every IPv6 address on my home network, too, mostly because I know how the address works.
IPv6 has lower latency and higher security, but if you WANT to run an inferior, high-latency, low security protocol, that’s your problem but don’t make it ours.
Autoconf is DHCP with people who don’t know any better bragging like it’s something special or new.
No, the full address not the collapsed one you can only use within that /64 or /32 or whatever you’re on. If it’s publicly accessible you need to know the whole damn thing. If you don’t it isn’t an address, it’s vague, utterly unhelpful directions that involve “turn left where the big oak used to be before that storm last year” that’s useful for nothing at all.
IPV6 isn’t that hard at all. The prefix (hopefully a /48 or /56) is constant for your network, the following bits up to the /64 boundary are the subnet number (/56 has 256 subnets, /48 has 65536 subnets) within your network and the lower 64 bits are yours to use as you please. I use SLAAC for devices which would normally be NAT (sharing a public IPv4 address) and use hard coded static IP (lower 64 bits) for devices which need that. You CAN freely mix them on a small network with almost zero risk because the chance of collision is essentially zero. It should be easy to isolate the two on different local sub networks too to avoid even this remote possibility if you want. My ISP changed my static IPV6 /56 yesterday (after two years) and as far as my LAN was concerned it took all of five minutes to get the prefix updated. No other changes were needed. Of course for servers it would need AAAA records updating too.
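The address layout described in that comment, as an added Python example (not code from the comment or the article): it splits a global address into the ISP-delegated prefix, the subnet number and the lower 64 bits, and renumbers a statically addressed host when the delegated /56 changes. The addresses are constructed values from the 2001:db8::/32 documentation range.

```python
import ipaddress


def split_ipv6(addr, site_prefix_len):
    """Split a global unicast address into site prefix, subnet ID and
    interface ID, assuming the usual /64 subnet boundary (SLAAC needs it).

    site_prefix_len is the length the ISP delegated, typically 48 or 56."""
    if not 0 < site_prefix_len <= 64:
        raise ValueError("site prefix must be between /1 and /64")
    ip = int(ipaddress.IPv6Address(addr))
    subnet_bits = 64 - site_prefix_len              # 8 for a /56, 16 for a /48
    interface_id = ip & ((1 << 64) - 1)             # low 64 bits: yours to use
    subnet_id = (ip >> 64) & ((1 << subnet_bits) - 1)  # bits between prefix and /64
    prefix_shift = 128 - site_prefix_len
    site_prefix = ipaddress.IPv6Network(
        ((ip >> prefix_shift) << prefix_shift, site_prefix_len))
    return {
        "site_prefix": str(site_prefix),
        "subnet_id": subnet_id,
        "subnet_count": 1 << subnet_bits,
        "interface_id": interface_id,
        "subnet": str(ipaddress.IPv6Network((ip, 64), strict=False)),
    }


def renumber(addr, old_prefix_len, new_prefix):
    """Move addr to a new ISP prefix of the same length, keeping the subnet
    number and the interface ID. This is what a static host (and its AAAA
    record) needs after the ISP hands out a different /56."""
    parts = split_ipv6(addr, old_prefix_len)
    new_net = ipaddress.IPv6Network(new_prefix)
    if new_net.prefixlen != old_prefix_len:
        raise ValueError("new prefix length must match the old one")
    new_ip = (int(new_net.network_address)
              | (parts["subnet_id"] << 64)
              | parts["interface_id"])
    return str(ipaddress.IPv6Address(new_ip))


if __name__ == "__main__":
    # Constructed example: a static host in subnet 0x10 of a delegated /56.
    host = "2001:db8:1234:5610::42"
    print(split_ipv6(host, 56))
    print(renumber(host, 56, "2001:db8:abcd:ef00::/56"))
```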
IPV6 stacks are still pretty much in their infancy. Even Mikrotik has deficiencies in their ipv6 implementations.
It’s not broke, there really is no need to “fix” it. You can pry my ipv4 address from my cold dead Mikrotik router.
There have been IPv6 certification packages for years. I know, I was the record maintainer for those on Freshmeat. If you use problematic stacks, that’s a choice.
If you want to run something as high latency and as weak on security as IPv4, go ahead. But it IS very much broken. If all you think IPv6 does is address space, you never looked.
Oh that explains why you’re cheerleading something unnecessary and useless so hard.
tbh that’s what i dislike about ipv6…if it only gave address space, the transition would be relatively easy to wrap my mind around. but it also adds all this other ‘stuff’ that ideally needs understanding and configuring. the only part of it i’ve learned is ipsec, which i found to be both unusable and redundant to vpn. which i think is just one tiny example of how so much of ipv6 can be rendered irrelevant through use of relatively confined ipv4 hacks
honestly i’m just too lazy to configure separate firewall / forwarding rules for ipv6. even though i think once that’s accomplished, it’ll probably have some benefits (perhaps less NAT). feels like a steep learning curve for something that’s totally optional and useless to me today.
“A joke in networking circles is that the switch from IPv4 to IPv6 is always a few years away.”
Uhhhhh, maybe like a decade or two ago? Most folks are happily and unwittingly using IPv6. A long transition where both stacks are in use has always been understood as necessary, there was never going to be a singular “switch”.
-A former Charter Communications & Comcast Network Engineer
“with IP-based addressing of less importance, while giants like Cloudflare, AWS, etc. have now largely become ‘the Internet’. If this is the path that we’ll stay on, then IPv6 truly may never take over from IPv4, as we will transition to something entirely else.”
Please stop
I don’t care about cloud giants and MITM services that provide “protection” for their customers.
The CIX and peering need to stay free and the cloud clowns can run their little circus. I connect to friends across the globe and we self-host. The cloud scammers won’t even get a rusty penny.
I’m already paying the only two subscriptions I ever need for technology:
My electricity and internet one.
People who follow “End to end principle” and don’t want NAT. Did they notice if they don’t live IRL in one?
Cities for lack of space (like ipv4) build apartments. Others are living in gated communities. Fences, guards, concierges. There are those who pay to live there. No public address.
I want that for my network. My appliances and guests leave their bikes at night. I am the concierge who receives the mail. Eventually I will invest in an NPT or NAT6 solution.
You are confusing addressing with access. Guards outside of an apartment complex don’t prevent me from sending envelopes addressed to a specific person on a specific apartment within that complex. It’s just up to the guards to decide whether to let the envelope enter their premises or not.
Guards are not part of the postal system. The last part is set by the receiver.
Mr. Transmission wants to receive your packet at 1.1.1.1.1:123. A concierge will receive it and do the address translation of his packet to internal street 42 house 3. He may put a label on top, as NAT changes the packet header.
You will not see any of this from the outside. Only 1.1.1.1.1 port 123.
*1.1.1.1.1 is wrong. 1.1.1.1 is a valid IP
NAT is security by obscurity, ie. not security at all.
This ignores that in practice obscurity provides real security benefits. A huge portion of security is anonymization which is obscurity by definition.
I tried IPv6 once, but it turns out my brain’s max address space is four octets. 😝
Most honest answer here lol. Hope I’m long gone from this world before I have to keep track of IPv6 addresses. Take all the time you need.
Imagine trying to manage a blacklist of IP addresses in the IP6 world. With IP6 addresses being so plentiful and free/cheap the bad actors can’t wait for the end of IP4.
Be careful what you wish for!
An IP4 blacklist has a theoretical max of about 4 billion addresses which can be easily cached in RAM on a decent server. Do the maths on the potential RAM requirements of an IP6 blacklist…
You can blacklist ranges (since any IPv6 user gets a /64)…
Bad actors can already use entire /21 to /24 v4 blocks and have many IPs you need to ban.
With IPv6, this ability gets a lot stronger, but the solution is pretty simple.
Just keep track of the abuse and start banning progressively larger blocks.
Initially you ban the specific device with a /128 ban. If they stop, then that is nice.
If they bypass, ban the /64, and if the abuse continues on an adjacent IP, ban the overarching block.
You keep this up until you’ve found the block size of the offender, which you can then report.
This has the benefit that within a local network, one bad user won’t get the other users banned.
Also, not only bad actors, but also good actors get all the addresses!
Where NAT+UPNP can easily get you hacked, with v6 they can’t even find the device.
You try searching the entire /64 block for that vulnerable printer. (18 quintillion addresses, good luck!)
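The progressive banning scheme from the comment above (/128 first, then the /64, then larger blocks as abuse resumes from adjacent addresses), as an added Python example that is not the commenter's code. The ladder of block sizes and the abuse sequence are constructed assumptions, using documentation-range addresses.

```python
import ipaddress

# Escalation ladder, smallest to largest: a single host, its /64 subnet,
# then the common customer allocation sizes. Assumed values; where to stop
# (and what to report upstream) is an operator decision.
DEFAULT_LADDER = (128, 64, 56, 48)


class EscalatingBanList:
    """Ban list that widens a ban when abuse resumes from neighbouring addresses.

    First offense bans the /128. If abuse comes back from another address in
    the same /64, the /64 is banned; if it comes back from an adjacent /64 in
    the same /56, the /56 is banned; and so on up the ladder. Hosts in blocks
    that never escalated only ever get their own /128 banned."""

    def __init__(self, ladder=DEFAULT_LADDER):
        self.ladder = ladder
        self.bans = set()  # ipaddress.IPv6Network objects

    def covering_ban(self, addr):
        """Return the banned block containing addr, or None."""
        ip = ipaddress.IPv6Address(addr)
        for net in self.bans:
            if ip in net:
                return net
        return None

    def is_banned(self, addr):
        return self.covering_ban(addr) is not None

    def report_abuse(self, addr):
        """Record abuse from addr and return the block that is now banned."""
        ip = ipaddress.IPv6Address(addr)
        existing = self.covering_ban(ip)
        if existing is not None:
            return existing  # already blocked; nothing to widen
        # Walk the ladder upward. The first block around ip that already holds
        # a ban means the offender moved within that block: collapse the
        # smaller bans into it.
        for plen in self.ladder[1:]:
            block = ipaddress.IPv6Network((ip, plen), strict=False)
            inside = {net for net in self.bans if net.subnet_of(block)}
            if inside:
                self.bans -= inside
                self.bans.add(block)
                return block
        host = ipaddress.IPv6Network((ip, self.ladder[0]))
        self.bans.add(host)
        return host

    def rules(self):
        """Banned blocks as sorted strings, e.g. to load into a firewall set."""
        return sorted(str(n) for n in self.bans)


def demo():
    """Constructed abuse sequence; returns the list and the ban issued per report."""
    bl = EscalatingBanList()
    reports = [
        "2001:db8:1:1::10",   # first offense -> /128
        "2001:db8:1:1::11",   # neighbour in the same /64 -> /64
        "2001:db8:1:2::5",    # adjacent /64 in the same /56 -> /56
        "2001:db8:1:300::1",  # another /56 in the same /48 -> /48
        "2001:db8:2::1",      # unrelated /48: only its own /128 is banned
    ]
    return bl, [str(bl.report_abuse(r)) for r in reports]


if __name__ == "__main__":
    banlist, issued = demo()
    for rule in issued:
        print("banned:", rule)
    print("final set:", banlist.rules())
```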
I think you missed the main concept – the blocking is never ending with IP6:
The game of “Whack a Mole” you play banning IP addresses (whether individual IP or ranges of IPs) gets infinitely more difficult when there is no scarcity of IP6 addresses. No scarcity is one of IP6’s biggest selling points!
Every person with even the most basic education has heard of how the law of supply and demand determines the price of an item:
When a useful item is scarce its value is very high (e.g. IP4 addresses, Bitcoin or gold) meaning it becomes expensive for a bad actor to just keep buying more and more IP4 addresses as they ‘burn’ their previous ones as they eventually get added to all the blacklists.
With an overabundance an item eventually loses its value (e.g. IP6 addresses or a fiat currency where the central bank just keeps printing more of the stuff) meaning IP6 is a bad actor’s paradise because no matter how many IPs or ranges you or others ban in a blacklist there’s still plenty more so the bad guys can just keep grabbing new IP6 IPs or ranges much less expensively compared to in the IP4 scenario … and they will … and the IP6 blacklist game of ‘whack a mole’ will likely become a game that’s much harder to win.
On IPv4, you have to maintain a blacklist that contains the IP addresses. On IPv6, you don’t, because they are structured data and not addresses at all. You don’t need to record any part of the structure that is of no relevance to you.
That is the stupidest thing I’ve read today. And I spent hours catching up on /r/dankmemes this morning.
Isn’t there a West vs East difference of some sort?
I vaguely remember reading that Chinese Internet focuses on IPv6 and barely uses IPv4.
Then there’s Japanese Internet, which still has classic desktop websites.
Or N.-Korean Internet, which is a thing of its own, too.
No offense, but I think a lot of article headlines on HaD do lack an “.. in the US”.
Because many articles do primarily apply to US and their “partners”, the western world.
In places like Asia, China or India, the content may or may not apply.
This.
I noticed a lot more problems (e.g. IP address being blocked) when living in Uganda. There, like in many countries, there are fewer than 1 v4 address per 100 people. I’m not sure but I feel like that was causing issues?
“While the average person’s Internet connection is likely to have both an IPv4 and IPv6 address assigned to it, there’s a good chance that only the latter is a true Internet IP, while the former is just the address behind the ISP’s CG-NAT (carrier-grade NAT), breaking a significant part of (peer to peer) software and services that relied on being able to traverse an IPv4 Internet via perhaps a firewall forwarding rule. This has now in a way left both the IPv4 and IPv6 sides of the Internet broken in their own special way compared to how they were envisioned to function.”
To be fair, IPv6 was a mistake. It was clear from start it would have adoption issues.
If IPv6 specs had left everything as-is, except for a bigger address space it would have been adopted.
But no, the guys at the forums had to “improve” it and had to add unwanted changes.
The matching German word would be “verschlimmbessern” (betterworsening).
Another idea would have been to use bankswitching to extend the address range. To 36-bit, maybe?
As quirky as it sounds, it might have been more easily adopted than IPv6.
Bankswitching is NAT.
“If IPv6 specs had left everything as-is, except for a bigger address space it would have been adopted.”
That’s exactly what has stopped me. I’ve tried many times over the years to get it running and can’t get it to work. Meanwhile I can do v4 with ease.
Give me something I can just punch straight in to a DNSmasq config and I’m all ears.
“””enable-ra
dhcp-range=::1,constructor:eth0,ra-names,12h”””
Make sure your “eth0” has an IP in the block you want to send RAs for, and that’s pretty much it.
see https://weirdfellow.wordpress.com/2014/09/05/dhcpv6-and-ra-with-dnsmasq/ for details, yes you do have to at least think a little bit about how you want to handle sending out DNS records.
If this site had likes I would like your comment a million bazillion times!
Or even if they just changed the IP packet’s version number to 6 instead of 4 and left EVERYTHING ELSE the same. The only difference with an IP 6 packet would be that the target and source IP addresses used 5 bytes (32 bits as you suggest) or even 6 bytes (48 bits) instead of 4 bytes.
It would have fixed the IP exhaustion issue without entering into a “verschlimmbessern” scenario!
They just couldn’t help themselves could they!
It has been 10+ years since I have been able to get a public v4 IP at home without paying for a business class connection.
My ISP/MSP have had full v6 support for as long as I remember, meaning I can access my own servers when out.
As for security: Modem/Router has a v6 FW that defaults to block all incoming connections.
I have worked a couple of decades in IT (not primarily network), and I get that v6 is new/complex/scary, and on the inside can get away with ignoring it.
But on the outside there are 8E9 people, and they should not be dependent on someone else’s servers for everything.
Reminds me of an old quip. “Algol 60 was a major improvement on its successors.”
For me the four biggest things blocking my adoption of IPv6 are:
1) My home devices don’t support it or it’s way harder to configure to get it working
2) Most of the possible visitors from the internet cannot reach my server if i make one on v6 (v4 being costly and with great bureaucracy to get)
4) NAT provides additional layer of safety for devices behind it. Nothing like that on v6, everything is pants down in the open.
4) No industrial monitoring and control technology i use in my recent job supports v6. Even new things. Why bother?
4(3?): To be fair, it’s an extremely thin layer of safety that’s only useful against the noobest of script kiddies. It’s still a positive value of security though, even if it’s tiny.
Let’s go through those.
1. Virtually everything that supports IPv6 supports autoconf, because it’s baked into the standard. Turn on autoconf and it’ll autodiscover the IP address, the router, the nameserver, and any other resource needed.
2. 6to4 is not hard and most gear supports it.
3. IPv6 supports NAT just fine, has done for years. Hell, NAT was fundamental to how the old Telebit IPv6 routers supported transparent routes. It also supports a range of protections for which no v4 equivalent exists.
4. I honestly can’t think of any that doesn’t. CheckMK, SNMP, Nagios, Solarwinds, MRTG, Uptime Kuma, Smokeping, Pchar, CERT SiLK – they’re all IPv6-ready. Can you list the ones you say aren’t? I’m genuinely curious, and rather shocked, by the claim.
4) He did say “industrial”. That generally means kit anywhere from forty to fifteen years ago when you’re talking computer kit. Updating something that works is something you never want to do in that setting. A single hour of lost production because you overlooked something in your zeal to have the shiniest and newest stuff could very well mean you’re in the unemployment office tomorrow instead of at work, because it will likely cost the company more than you make in a year.
I don’t understand where this article is coming from. Yes, adoption is slow but 45% of global traffic to Google is IPv6. France and Germany are at 75%. India is at 72%. USA is at 48%. Other sources of data (eg APNIC) show similar numbers. The article doesn’t mention IPv4 exhaustion or the expense of CG-NAT for network operators.
CloudFlare, Akamai, CloudFront etc make IPv6 adoption extremely easy – it is usually just a tickbox.
An increasing number of large networks are using IPv6 in the core and only using IPv4 at the edges.
I am sure that IPv4 will be around for longer than me but in the meantime IPv6 is (slowly) taking over the world. And I predict that once it gets over a certain percentage (90%?), the IPv4 internet will stop being maintained as carefully.
Here in NL my ISP doesn’t support IPv6, and previously when I lived in Germany no ISP supported it. This may be slowing adoption in Europe a bit.
Addresses are a very tiny component in IPv6 and really should be the least-stressed part.
Transparent IP Mobility, autoconfiguration, much lower latency (and better security) due to fragmentation avoidance and word-aligned headers, vastly superior and simplified multicast, anycasting, extensible headers: these things matter far far more than mere IP counts, especially as people count IPv6 addresses as though they were in the IPv4 format, which they’re not.
The problem with IPv6 is that journalists have, by and large, talked about the stuff that never mattered and was never going to matter, and ignored entirely the stuff that does, as evidenced by the dreadful comments.
I started with IPv6 on September 27th, 1996, as recorded in the RIPE registry. It has changed some over the years, mostly shedding important features because hardware manufacturers were lazy, but the features I listed are features that remain and are intrinsic to why it is used extensively on the backbone, mobile phones, and the Internet of Things.
Ah, the lightbulb moment finally,
I’d always wondered about reasons for adoption of IPv6, but the simplification, reliability, performance and additional capabilities you’ve outlined have done it for me. That, and I’d like to stop paying my ISP for public IPv4 static addresses if I can.
OK, I will adopt IPv6 using baby steps once I’ve completed a little more research…
I’m happy to be part of the problem! Ipv6 sucks and I won’t adopt it until forced.
Great, device level citizen tracking.
Thanks to a comment on HackerNews I have discovered that rfc1149 has been updated for IPv6:
https://www.rfc-editor.org/rfc/rfc6214
I feel like this could be the removal of the true stumbling block in IPv6 adoption and surely now it can really take off.
For reference:
IP Datagrams on Avian Carriers https://www.rfc-editor.org/rfc/rfc1149
IP over Avian Carriers with Quality of Service https://www.rfc-editor.org/rfc/rfc2549
imagine if it was literally the same just with an extended address space. call it ipv5.
just add one octet on the left, for a total of five. the next address after 255.255.255.255 would be 1.0.0.0.0. eventually you might need a sixth octet on the left. but that day would be a long way off. you would still be able to read, write, and remember addresses. you would still be able to reason about subnets. the router would simply have a nat rule for when an address with the upper bits set crosses the bridge to an ipv4 node. when an ipv5 host happens to have a low-numbered address, its translation to ipv4 would be completely transparent.
imagine if it had been designed for transitioning instead of replacing.
I 100% agree. The IP exhaustion issue could have been sooooooooo easily solved and without replacing it with an IP abundance issue which means tracking bad actors and maintaining blacklists becomes an exponentially greater issue with much more ongoing maintenance required due to the abundance of IP6 addresses making them cheap for bad actors to replace if their last range gets blacklisted.
IP addresses are not so cheap (free) in an IP4 (or IP5 with 5 byte addresses!) world – which is exactly what you want!
Quite a few of these are already included on https://ipv6bingo.com/ and the fallacies around “just adding one or two octets” have long been debunked.
Dual stack at home since Nov 2012, changed ISPs to get it after the losing ISP could not give a timescale.
Fixed single v4 and fixed /48 on v6 provided by PPPoE and DHCPv6-PD.
Home router firewall has feature parity on v4 and v6 with same default deny unsolicited incoming on both.
Target devices on LAN are automatically handled as named objects so that a single rule can apply to their v4, v6 or both when allowing incoming traffic.
Home router auto-adds LAN devices to local DNS but I have my own DNS server anyway.
should have done what amd did when they made x86 64 bit. just make it a transparent extension. ipv6 is currently a solution in search of a problem