You must log in or register to comment.
Skill issue
IPv6 is easy to do.
2000::/3 is the internet range
fc00::/7 is the private network range (for non routing v6)
fe80::/64 is link local (like apipa but it never changes)
::1/128 is loopback
/64 is the smallest network allocation, and you still have 64 bits left for devices.
You don’t need NAT when you can just do firewalling - default drop new connections on inbound wan and allow established, related on outbound wan like any IPv4 firewall does.
Use DHCPv6 and Prefix Delegation (DHCPv6-PD) to get your subnets and addresses (ask for a /60 on the wan to get 16 subnets).
Hook up to your printer using ipv6 link local address - that address never changes on its own, and now you don’t have to play the static ip game to connect to it after changing your router or net config.
The real holdup is ISPs getting ultra cheap routers that use stupid network allocation systems (AT&T) that are incompat with the elegant simplicity of prefix delegation and dhcp.
On my home network I make sure that my PDs are the same as my VLAN IDs so that I can at least know where a device is based on its IP. If I was smart I would also line them up with the IPv4 subnets as well.
In my personal life I will probably “never” intentionally use ipv6.
But it is a DAMNED good sniff test to figure out if an IT/NT team is too dumb to live BEFORE they break your entire infrastructure. If they insist that the single most important thing is to turn it off on every machine? They better have a real good reason other than “it’s hard”
It’s vulnerable af. And I mean really, it’s as bad as Netscalers or Fortigate shit. Like https://www.bleepingcomputer.com/news/security/hackers-abuse-ipv6-networking-feature-to-hijack-software-updates/ or https://www.bleepingcomputer.com/news/security/hackers-abuse-ipv6-networking-feature-to-hijack-software-updates/
Problem is, yes it’s hard to implement but it’s even a lot harder to get it properly secured. Especially because few people are using it, and not securing it is worse than disabling it.
And I would consider a detailed argument on why it is more secure to disable it to be a good reason.
Personally? I consider an IT team who don’t know how to secure an ipv6 enabled network to not be competent. But that is a different conversation.
Yeah, I run dual stack without much trouble myself. I believe it is mainly difficult for people because eyeball diagnostics are impossible with 6.
My detailed explanation at my old job is that the dev team was full of idiots who hardcoded ipv4 addresses into their fucking code. Seriously. When we migrated from data center to cloud they had to go patch everything. The CTO wouldn’t do shit about it and the director was just there riding things out until retirement.
Don’t see how that is anymore vulnerable then up 4.
But you could do the same thing with a rogue DHCP server I IPv4… With similar methods to prevent the misbehavior on networks
Realistically no organization has so many endpoints that they need IPv6 on their internal networks. There’s no reason to deal with more complicated addressing schemes except on the public Internet. Only the border devices should be using IPv6.
Hopefully if an organization has remote endpoints which are connecting to the internal network over the Internet, they are doing that through a VPN and can still just be assigned IPv4 addresses on dedicated VLANs when they connect.
If you don’t have ipv6 internally, you probably can’t access ipv6 externally. 6to4 gateways are a thing. 4to6? Not so much.
And this is why ipv6 will ultimately take another 20 years for full coverage. If it was more backwards compatible from the starting address-wise then this would all have been smoother. Should have stuck with point separators. Should have assumed zero padding for v4 style addresses rather than a prefix
The reason IPv6 was originally added to the DOCSIS specs, over 20 years ago, is because Comcast literally exhausted all RFC1918 addresses on their modem management networks.
My favourite feature of IPv6 is networks, and hosts therein, can have multiple prefixes and addresses as a core function. I use it to expose local functions on only ULA addresses, but provide locked down public access when and where needed. Access separation is handled at the IP stack, with IPv4 it’s expected to be handled by a firewall or equivalent.
My favorite feature of IPv6 is that there are so many addresses available. Every single IPv4 address right now could have its own entire IPv4 range of addresses in IPv6. It’s mind-boggling huge.
you could assign every square meter of the planet an ip and use it for location, and still have addresses left over
Oh it’s way more than that!
After looking up some numbers, I note we could give every single square MILLIMETER on the planet its own entire IPv4 address space.
…And then every one of those IPv4 addresses could have its own entire copy of the IPv4 address space!
…And that would just be a drop in the bucket compared with IPv6! One good comparison I’ve seen is that you could assign an address to every atom on the surface of the earth (but not inside it) and have enough left over for 100+ more earths.
Rough math for the square millimeters:
The surface area of the earth is roughly 510 trillion square millimeters. Let’s round that up to a quadrillion or 1015.
The number of IPv6 addresses is 2128 or 3.4x1038. To be conservative again, let’s just round that down to 1038.
1038 / 1015 = 1023 IPv6 addresses per square mm of earth.
IPv4 address space is 232 or around 4 billion. let’s round up to 10 billion or 1010.
So then 1023 / 1010 = 1013 IPv6 addresses per IPv4 address per square mm of earth.
1013 / 1010 =
1,000 IPv6 addresses
per IPv4 address
per IPv4 address
per square mm of earth.
And that was with the conservative estimates along the way. I think it would actually be tens of thousands.
square centimeter is the one I heard
I understand some of these words!
They kept talking it was because address exaustion, and IANA sold all the remaining blocks they had…
I tested it at the time. Ran nmap ping scan across a block all night with zero results. IANA sold the internet
I use IPv6 every day and everywhere I can. It solves so many issues in large corporate and ISP network setups. And yes 10. Wasn’t big enough, and NATing is a PitA.
Honestly we just keep pushing it off when it’s not that bad. Workaround after workaround just because people are lazy.
How much slack did you have in your 10.* network? Or was it literally 16.7 million devices?
Having the breathing room is great.
You have two teams that independently set up private networks but now someone has to talk to them both?
In IPv4, they likely stepped on the same private subnets. In ipv6, they pretty much certainly did not step in the same ULA prefixes. My VPN setup is a mess of a maze to deal with the fact that most things I connect to are all independently allocated 10. subnets, with the IPv6 focused customer being easiest.
Also, if you want to embed information in your addressing, like vlan I’d or room information.
Besides, you can have addresses like fd37:5f1a:b4c1::feed:face, and that’s fun isn’t it?
I agree with everything you said but it still doesn’t make me hate ipv6 less.
Just my perspective as a controls (SCADA engineer):
I work for a large power company. We have close to 100 sites, each with hundreds of IP devices, and have never had a problem with ipv4. Especially when im out in the field I love being able to check IPs, calculate gateways, etc at a glance. Ipv6 is just completely freaking unreadable.
I see the value of outward-facing ipv6 devices (i.e. devices on the internet), considering we are out of ipv4s. But I don’t see why we have to convert private networks to ipv6. Put more bluntly: at least industry, it just isn’t gonna happen for decades (if it ever does). Unless you need more IPs it’s just worse to work with. And there’s a huge amount of inertia- got one singular device that doesn’t talk ipv6 at a given generation site? What are you supposed to do?
90% of industrial devices are still 100 Mbit/s.
I mean that’s of the ethenet capable ones… a huge chunk are still serial
I was going to say, my friend has to maintain some fucking DOS systems because their ancient embroidery machines only want to talk to software as old as they are, over connections as old as they are.
And the rest are pure analog
You’ll be lucky if you find ethernet on them. RJ45 serial is still pretty common nowadays
If you set up your DNS correctly then you don’t even need the IPs. Just give devices unique, human-readable names and maybe do separate sub-domains for each site or something.
For that to work industrial devices have to support DNS in the first place…
Oh, now that you mention it I’ve never tried to map a static DNS entry to a device without DNS. Welp, time to get thousands of raspberry pi’s to act as IP KVMs!
That would imply en existence of display/usb outputs…
We’re essentially talking a bunch of embedded devices talking to each other. You can give them all the dns entries you want, but if they (or the programming environment) don’t support DNS lookup you might as well put your dns server in excel.
The microcomputers (raspberry pi, arduino, whatever) could have a modern network interface and relay the communication to the embedded devices over oldschool serial. But yeah, straight DNS wouldn’t work. I like the idea though, gonna start posting my 10 favorite IP addresses on a piece of paper on the fridge. Who needs excel!
I’m a protective relay settings engineer at a contractor for lots of power companies. I’m dipping my toes into my first substation automation project. Getting to design the device native files, IPs, and other networking parts from the drawings package of site and device manuals. It’s all SEL equipment with a gateway at the top and local powerWAN, RTAC, annunciators, and relays below. I live thousands of miles from the site, so local testing would be challenging but probably have to fly or something lol. I have been doing some research on how to emulate this is a lab setting when all you have is the RTAC and some relays. Is this something SCADA engineers have to do sometimes? Like if you need to test a scheme when you can’t build it physically first?
Meh, the idea of having every address be globally routable makes a lot of sense. NAT is a great bandaid but it’s still a bandaid. It still limits how peer to peer and multicast applications function, especially on larger networks.
NAT444 is shit. I can’t even host a web server without routing it through a VPN, and my ISP can’t work out how to provide an IPv6 addresses yet. Give it to me and I will work out how to use it.
Slight update - Just looked and apparently they had a goal of rolling out IPv6 addresses to all customers by earlier this year. I’ll check my router config tomorrow and who knows. Maybe I will be able to get one now? Would be pretty sweet.
I am sorry to interrupt, my ISP gave me an ipv6 address, but I just can’t access anything through it even when I specify it in the firewall, maybe they are blocking this functionality because they sell static ips.
I can use dynamic DNS, the problem is I can’t host over NAT444 without something like a VPN.
Still not been given an IPv6 address though.
I see your satirical IPv6 meme and raise you the highest quality IPv6 evangelism you’ll ever see.
That was beautiful
I’m surprised by the comments here. I use 90% IPv6. For me v4 is only present for retro compatibility. The transition was hard however.
Was?
It’s still in progress…
I’m fully transitioned. The first step was getting an Internet provider that featured it. I had to change providers for that. Then I had to find equipment that worked. Some of the things that have an early implementation of IPv6 don’t actually work. It’s like they never actually tested it. Then I had to integrate IPv6 in the way everything worked. I’m a big user of unique local adresses, which I feel isn’t a really well known feature.
deleted by creator
Every atom of the universe should have its own ip.
For targeted location-based ads of course! Lots of revenue there
fun fact, the RFC introducing NAT calls it a “short-term solution”
I love the flat earther energy in this
CGNATs suck ass though, I had to buy a vps just to access my own network outside my home.
I’ve recently changed isp and am now hitting CGNAT problems. I have been running Nextcloudpi for years and now I can’t access it from outside. I’ve trying to understand if I can fix the problem using IPv6 but from what you’ve said I’m now wondering if a vps is the solution?
My ISP doesn’t properly support IPV6, otherwise it should work. I use wireguard to route just my server traffic to the vps.
I deal with cgnat on my 2 isps at home. Install tailscale on your vps and your router at home and then on your router you can share subnet devices over your tailscale network. Install a reverse proxy on your vps.
If set up correctly you can route a human readable web address (jellyfin.example.com) to your vps static ip address and then to, for example, a docker container with local address 192.168.100.1:8096, via reverse proxy.
Yeah, had the same issue with my ISP, but at least they switched me back to ipv4 after a support call. Didn’t want to pay extra for the privilege of not being reachable from the outside anymore.
I have never started using ipv6 so I’m in the clear here
C’mon, IPv4 has so many problems. Sure, let’s reserve a whole /8 for a single loopback address, that’s efficient. 🙄
Well of course, how else would you trick script kiddies that figured out when they DDOSed 127.0.0.1 and learned what a loop back was, and get them again in a few weeks with “ok ok my real address is 127.34.21.2”
Wait… I know 127.0.0.1 but what’s the second one?
not sure if you are joking, but any valid IP4 address starting with 127. does the same thing, loopback. 127.0.0.1 is just the standard most people use, you could use 127.127.127.127, or 127.1.1.1 or any random numbers 0 and 254 for the second 2, and 1 and 254 for the last and the effects will be identical.
A /8 subnet is basically everything after the first of the four segments, e.g. 127.*.*.*. marine_mustang was saying that loopback (what you think of as only 127.0.0.1) is actually an entire subnet, so any address that starts with 127 will hit the loopback interface. TIL, never thought about it much before.
Also for home network I don’t won’t my IOT to have a real IP to the Internet. Using IPv4 NAT you can have a bit of safety by obscurity
Its unlikely someone with guess your ipv6 of your iot.
No, but it’s far easier to explain how to configure your home network such that 182.168.1.* is for your regular devices like laptops, etc. and 192.168.2.* is for your IoT devices. Then block all access from 192.168.2.* to the internet so your IoT devices can’t “phone home”, can’t auto-update without your knowledge, can’t end up as part of a botnet, etc.
That’s the thing, you are still thinking in ipv4 terms, and that’s ok. It’s a different way to think of things using ipv6 and the proper way to configure them. No worries tho. Not like you are being forced to ipv6 for internal home networks.
Ok, so what would the equivalent be?
Create a new /64 and don’t give it a route to the internet.
I don’t won’t my IOT to have a real IP to the Internet
Why not? What’s the difference to them having a nat ipv4?
