• henfredemars@infosec.pub
    link
    fedilink
    English
    arrow-up
    74
    ·
    edit-2
    6 months ago

    All consumer and enterprise equipment made in the last 10+ years natively support IPv6.

    I object to this statement. You can buy name brand routers today that don’t implement it properly. Sure, they route packets, but they have broken stateless auto configuration or don’t respect DHCPv6 options correctly, and the situation is made worse because you don’t know how your ISP implements IPv6 until you try it.

    God help you if you need a firewall where you can open ports on v6. Three years ago I bought one that doesn’t even properly firewall IPv6.

    I tested a top-of-the-line Netgear router to find that it doesn’t support opening ports and once again doesn’t correctly support forwarded IP DHCPv6, which even if that works correctly, your Android clients can’t use it 🫠 Decades later there’s no consensus on how it should function on every device. This is a severe problem when you are a standard.

    The state of IPv6 on consumer hardware is absolute garbage. You have to guess how your ISP implements it if at all, and even then you’re at the mercy of your limited implementation. If you’re lucky it just works with your ISP router. If you’re not, it’s a PITA.

    EDITs: spell corrections and clarification.

    • Blaster M@lemmy.world
      link
      fedilink
      English
      arrow-up
      17
      arrow-down
      1
      ·
      6 months ago

      You shouldn’t be forwarding anything - lan devices are directly accessible from the internet with ipv6. The router’s job now is to firewall inbound ipv6 packets. You should be able to simply open the inbound port for that device in particular.

      • henfredemars@infosec.pub
        link
        fedilink
        English
        arrow-up
        15
        ·
        edit-2
        6 months ago

        Right, that’s how it should work. Unfortunately that’s not how it actually works most of the time in consumer.

        Many devices don’t provide an option in the UI to open an inbound port on IPv6. For example, the latest and most expensive Linksys gaming router blocks all inbound connections and there are no options for different behavior. It doesn’t support opening any ports for v6.

        The most recent TP link device I tested for my dad doesn’t even have a firewall. If you know the global IP, you can connect to any port you want.

        • Blaster M@lemmy.world
          link
          fedilink
          English
          arrow-up
          6
          ·
          6 months ago

          And that’s why I abandoned cheap consumer routers many years ago… closest devices to implement ipv6 port management firewalling even half good was/is the ASUS devices. I got fed up and went pfsense and/or unifi one day and never looked back.

          UDM handles ipv6 real good, and pfsense can even get /64 subs from an ATT router for all its lan interfaces.

          • henfredemars@infosec.pub
            link
            fedilink
            English
            arrow-up
            1
            ·
            6 months ago

            I’ve never tried ASUS or UDM. I might have to give that a go. Alas, I can only speak on the selection of what I have tried in the recent past.

    • CosmicTurtle0@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      12
      ·
      6 months ago

      Omg…I thought I was doing it wrong. I was trying to map ports on my router and it just wouldn’t do it properly.

      Networking is not my strong suit so I assumed I was being an idiot and reverted back to IPv4.

      • henfredemars@infosec.pub
        link
        fedilink
        English
        arrow-up
        4
        arrow-down
        1
        ·
        edit-2
        6 months ago

        The problem is mainly that IPv4 port forwarding is network address translation, but on IPv6 it’s instead IP forwarding with a firewall rule.

        The latter is conceptually simpler, but it’s a different mechanism and one that most home routers don’t bother to implement. This is quite ironic because IPv6 was intended to restore end to end connectivity principles.

        Don’t get me wrong; I’m quite happy with the standard. They are very few good implementations of that standard, and given the momentum of its predecessor, implementers just don’t care.

        • CosmicTurtle0@lemmy.dbzer0.com
          link
          fedilink
          English
          arrow-up
          6
          ·
          edit-2
          6 months ago

          I absolutely hate how dependent we’ve gotten to IPv4. To the point that Amazon is charging almost $4 a month per IP. It used to be free. These assholes are buying IPv4 addresses so fast that they are literally driving up the price.

          Is there a resource that you can recommend on learning IPv6 based on my knowledge on IPv4? A lot of resources I’ve seen are way over engineered for my feeble brain.

          Like I know what IP addresses are and what port numbers are. I don’t understand the difference between how IPv6 addresses are assigned (both locally and generally speaking) and what makes it different from IPv4.

          I know it’s not DHCP.

          Edit: This post provides a link to a great summary for those who know IPv4 but need to learn IPv6.

          • henfredemars@infosec.pub
            link
            fedilink
            English
            arrow-up
            3
            ·
            6 months ago

            It absolutely can be DHCP. There’s two main ways to do it: stateless auto configuration, and DHCP. Super briefly, you can assign IP addresses the same way you used to if you want, or you can let devices pick their own.

            I’m afraid I can’t recommend a great resource, but I really like the Wikipedia article because it’s very precise in its terminology. I appreciate that with learning a new subject. I’m not even that precise here. For example, I use the term IP forwarding more liberally than what it actually means.

    • Melody Fwygon@lemmy.one
      link
      fedilink
      English
      arrow-up
      7
      ·
      edit-2
      6 months ago

      This is why I use PFSense and Hurricane Electric as a v6 tunnelbroker. I have working functional IPv6 with SLAAC and DHCPv6 and full Routing Advertisements on my LAN running side-by-side so that no matter which the device implements how poorly; it gets an IPv6 address and it works and is protected by the firewall.

      • henfredemars@infosec.pub
        link
        fedilink
        English
        arrow-up
        3
        arrow-down
        1
        ·
        edit-2
        6 months ago

        That sounds awesome.

        I really like stateless, but it bugs me that the router has to snoop on traffic if you want a list of devices. The good ones will actually do this, but most are blind to how your network is being used with IPv6.

        And it really bothers me that Android just refuses to support DHCPv6 in any capacity. Seems like a weird hill to die on. There are too many legitimate use cases.

        • Melody Fwygon@lemmy.one
          link
          fedilink
          English
          arrow-up
          4
          ·
          6 months ago

          I run both because of this; and because SLAAC enables features in Desktop OSes that offer some level of additional privacy.

          For example; Windows can do “Temporary IPv6 Addressing” that it will hand out to various applications and browsers. That IPv6 address rotates on a periodic basis; once every 24 hours by default; and can be configured to behave differently depending on your needs via registry keys.

          This could for example, allow you to quickly spin up a small application server for something; like a gaming session; and let you use/bind that IPv6 address for it. Once the application stops using it and the time period has elapsed; Windows drops the IP address and statelessly configures itself a new one.

          • kungen@feddit.nu
            link
            fedilink
            arrow-up
            1
            ·
            6 months ago

            I also like the privacy extensions, but how often does your prefix even change? Most places I’ve seen you get a /64 announced and it basically never changes – so somewhat elementary to “break through” that regardless.

            • Melody Fwygon@lemmy.one
              link
              fedilink
              English
              arrow-up
              2
              ·
              6 months ago

              I have a /48 that I can basically roll through.

              A /64 is more than enough though to prevent most casual attempts at entry; and does force more work / enumeration to be done to break into a network and do damage with. I’m not saying the privacy extensions are the greatest; but they do work to slightly increase the difficulty of tracking and exploitation.

              With a /48 or even a /56; I can subdivide things and hand out several /64s to each device too; which would shake up things if tracking expects a /64 explicitly.

              I actually use /55s to cordon off blocks inside the /48 that aren’t used too. So dialing a random prefix won’t help. You’d be surprised how often I get intrusive portsweeps trying to enumerate my /64s this way…and it doesn’t work because I’m not subnetting on any standard behavior.

    • riodoro1@lemmy.world
      link
      fedilink
      arrow-up
      6
      ·
      6 months ago

      This. Ipv6 on all house routers are for scrolling facebook only. Want to do anything more? Switch back to ipv4

    • AVincentInSpace@pawb.social
      link
      fedilink
      English
      arrow-up
      3
      ·
      6 months ago

      Comcast has finally gotten around to giving hosts inside the firewall publicly routable IPv6 addresses, but port forwarding (which, by the way, can only be done through Xfinity’s website or mobile app which then connect to and configure the router through the ISP interface – if you go to the port forward configuration in the router’s webui, all you’ll see is a message that it’s now “easier than ever” to configure port forwards) can only happen on IPv4. Want to open a hole in the IPv6 firewall? Well that’s just too fucken bad.

    • BlessedDog@lemmy.world
      link
      fedilink
      arrow-up
      2
      ·
      6 months ago

      Funny, I have an ancient DOCSIS modem from a company that went bankrupt ages ago which supports all these features flawlessly. Only thing it’s missing is DNS options, it’s hardcoded to use the ISPs DNS. Oh well.

      • henfredemars@infosec.pub
        link
        fedilink
        English
        arrow-up
        2
        ·
        edit-2
        6 months ago

        Sadly it’s not an option for example you want WiFi 6. A good chunk of really awesome hardware doesn’t support it.

        Of course, it’s always possible to use bridging and multiple devices. That’s what I have now.

        Lastly, the original statement supposed that all recent hardware supports IPv6 by default. OpenWRT doesn’t typically fit that description.

    • Kusimulkku@lemm.ee
      link
      fedilink
      arrow-up
      5
      ·
      edit-2
      6 months ago

      I’d imagine it’s more or less the same all over, as long as the government can put pressure (or directly owns) the ISP.

  • Blaster M@lemmy.world
    link
    fedilink
    English
    arrow-up
    31
    ·
    edit-2
    6 months ago

    It’s amazing how many internet providers still won’t enable IPv6, even though it is hugely beneficial to their own networks (more efficient routing = less router overhead = more bandwidth and less power usage = SAVE MONEY).

    IPv6 was pernanently turned on for the Internet in 2011. That’s THIRTEEN YEARS AGO.

    All consumer and enterprise equipment made in the last 10+ years natively support IPv6. There is no excuse anymore. You can enable dual stack and setup / get your v6 block and go for it. The v6 routing tables are much simpler than the v4 routing tables, as it only has to point to the prefix network for any address, and prefixes are handed out so the ISP gets a contigious prefix block. The routers sort the rest out.

    IPv6 has the 2000::/3 range for internet traffic. That’s 2^125 ip addresses possible. We’re not running out of those even if we have an internet on every planet in the solar system.

    IPv6 Prefix Delegation works like DHCP but for IPv6. It’s not indecipherable magic runes.

    Router asks for a v6 range -> ISP router gives the range -> Router then either further subdivides into subnets, or uses DHCPv6 to give out v6 addresses. Simple.

    But of course, nobody wants to do it the simple way… AT&T and your strange subnetting spec-breaking routers.

    Odd that Comcast/Xfinity, the company that somehow manages to have even worse service than AT&T, implements IPv6 near perfectly. They give prefixes when your router asks. Their own gateways give prefixes to routers behind when requested. It works. If the arguably worst internet company can deploy IPv6 this well, any company can.

    In addition, every device also has its own link-local ipv6 (fe80::/16) that is not routed, but can be called directly and it normally doesn’t change, as it is based partly on the network card’s MAC address. Need to connect your printer by ip address? Use the link local v6 and stop having to play the DHCP or static IP charade.

    • r00ty@kbin.life
      link
      fedilink
      arrow-up
      10
      ·
      6 months ago

      I’ve seen a few isps here in the UK doing some weird pointless stuff with ipv6. Like dynamic prefixes. Why? What’s the point?

      But you can get good ones. I’ve had the same /48 prefix for 10 years now.

      • sep@lemmy.world
        link
        fedilink
        arrow-up
        7
        ·
        6 months ago

        I am 50/50 between incompetence. Or so they can keep on charging extra for a static ip.

        • r00ty@kbin.life
          link
          fedilink
          arrow-up
          3
          ·
          6 months ago

          I’m fairly sure it must take extra work to make dynamic prefixes. I’ve heard some weird justifications about localised routing. But modern ISPs generally don’t work that way at all. For example, my ISP has endpoints in multiple cities, and can fail over to another city if need be. All my static IPv4 and IPv6 instantly move with me in that event.

          • sep@lemmy.world
            link
            fedilink
            arrow-up
            1
            ·
            6 months ago

            Yes it does take extra work. Problem is often that that work was done in the past when isp implemented their ipv4 metodology. And instead of using the ipv6 rollout as a chance to improve their design and operations. They just add ipv6 into their ipv4 design and methodology. They encumber their ipv6 rollout with their decades of technical debt and cruft they have normalized in their ipv4 world. And it will makes things harder for themselfs when trying to turn off ipv4 in the core.

      • henfredemars@infosec.pub
        link
        fedilink
        English
        arrow-up
        2
        ·
        6 months ago

        Oh my God disgusting. My ISP uses dynamic prefixes also, which reflects a lack of understanding of the most basic IPv6 fundamentals.

    • Melody Fwygon@lemmy.one
      link
      fedilink
      English
      arrow-up
      6
      ·
      6 months ago

      I get a free /64 and /48 directly from Hurricane Electric using their TunnelBroker and use PFSense to deploy that v6 locally on my LAN. Everything in the house has a v6 and is protected by the necessary firewalling too.

  • DontRedditMyLemmy@lemmy.world
    link
    fedilink
    arrow-up
    23
    ·
    6 months ago

    Now the ISPs can charge us if we want a public IP, so really this is a win for big ISP… not sure why you guys aren’t appreciating that! /s

  • smileyhead@discuss.tchncs.de
    link
    fedilink
    arrow-up
    21
    ·
    6 months ago

    Privacy fans, choose wisely:

    • have CGNAT on carrier side and add little tiny more work to track people
    • have public IP, making it easier to selfhost, to build P2P networks, to use anonymizing network like I2P, to host Tor nodes, to reach out to friend without central approved big tech cloud, that you can still hide with your own NAT or by using VPN
    • qaz@lemmy.worldOP
      link
      fedilink
      arrow-up
      8
      ·
      6 months ago

      I meant “ISP’s use CGNAT over IPv6” as ISP’s use CGNAT instead of IPv6 to solve IPv4 address limit issues, not as using IPv6 through CGNAT, although some do use IPv6 through CGNAT for backwards compatibility with IPv4 only devices.

      • umbrella@lemmy.ml
        link
        fedilink
        arrow-up
        2
        ·
        6 months ago

        oh i get what you mean. i can understand using ipv4 cgnat to solve these issues.

        mine thankfully uses it by default but allows advanced users to switch to a normal ip if they want to.

    • interdimensionalmeme@lemmy.ml
      link
      fedilink
      arrow-up
      1
      arrow-down
      1
      ·
      edit-2
      6 months ago

      If it makes tracking hard to impossible then its BASED The end to end principle died in 1994, I’m sad too that we can’t all be one happy family, but let it go.

      • smileyhead@discuss.tchncs.de
        link
        fedilink
        arrow-up
        4
        ·
        6 months ago

        If it makes tracking hard to impossible then its BASED

        But it does not make tracking impossible and only a little harder. From privacy standpoint it’s like using manditory VPN hosted by your carrier. And as we know, you must trust your VPN provider to not log.

        And is it worth it? I would much more prefer to have real IP address and be able to host things in my house, including a full speed I2P node that would really make “tracing impossible”. Someone needs to host such nodes.

    • qaz@lemmy.worldOP
      link
      fedilink
      arrow-up
      41
      arrow-down
      1
      ·
      edit-2
      6 months ago

      There is IPv4, it’s an internet address that points to a specific computer, or at least it’s supposed to. IPv4 supports up to 4294967296 addresses, which might seem like a lot until you realize how many devices are connected to the internet. Almost the entire IPv4 range is full, and ISPs have resorted to letting 1 IP point to multiple computers also known as NAT. It’s what your router does, and why your laptop and phone all connect to the internet using your routers’ IP address. Carrier Grade NAT takes it one step further and allows hundreds or more home networks to connect from a single IP address.

      CGNAT kind of sucks because you can’t run servers behind them because it doesn’t know which of the hundreds of computer traffic has to go to. IPv6 would solve this entire mess, but ISP’s won’t invest in it because they don’t want to spend the money and just delay the inevitable until they have to.

      True ELI5: We ran out of signs for house numbers and instead of getting new ones we started giving everyone in a street the same house number

      • aldalire@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        9
        ·
        6 months ago

        Thank you. So in a way if the carriers upgrade their infrastructure there would be a decrease in privacy because then it’s a one-to-one correspondence between IP address and customer, but then the customer would have the ability to host servers? The one scenario where the industry dragging their heels on upgrading is actually good for the consumer (in some respects) lol

        Adding commas to that number: 4,294,967,296 addresses. More humans that IP address seems like a huge miscalculation in the internet infrastructure

        • Bloody Harry@feddit.de
          link
          fedilink
          arrow-up
          7
          ·
          6 months ago

          Who could’ve thought in 1981 that more than a few thosand universities would ever like to connect to the then 250 machines big ARPANET. With 4 billion addresses, there was plenty of headroom at the time.

          In 50 years, when the last ISP finally switches to IPv6, we’ll be wondering how short sighted we were as now every pencil has an IP address in the interplanetary compu-global-hyper-meganet.

          • confusedbytheBasics@lemmy.world
            link
            fedilink
            English
            arrow-up
            9
            ·
            6 months ago

            We planned for that. We should be fine at least until we are an interstellar species. We could assign an IPV6 address to EVERY ATOM ON THE SURFACE OF THE EARTH, and still have enough addresses left to do another 100+ earths. It isn’t remotely likely that we’ll run out of IPV6 addresses at any time in the future.

        • sep@lemmy.world
          link
          fedilink
          arrow-up
          5
          ·
          6 months ago

          Goverments (depending on juristiction) have laws requiering isp’s to keep track of cgnat port combos. So not only is there no privacy from ipv4 cgnat. Now the isp must also spend a lot of money on the nat state tracking database.
          If you need that kind of privacy, use a vpn and the tor onion network.

        • frezik@midwest.social
          link
          fedilink
          arrow-up
          5
          ·
          6 months ago

          It’s a bit more complicated than that. Governments still spy on an IPv4 address, but because that address is shared, it’s spying on everyone behind it. At least with IPv6, it’d be targeted.

    • mako@discuss.tchncs.de
      link
      fedilink
      arrow-up
      10
      ·
      6 months ago

      Usually the NAT is at home in the router and every customer has their own IPv4 address. NAT at the ISP means several customers share an IPv4 address. If the authorities are now investigating the activities of an IPv4 address, it is difficult to say which customer it was because multiple of them shared the IP address.

    • ChillPill@lemmy.world
      link
      fedilink
      arrow-up
      5
      ·
      6 months ago

      I know very little about ipv6, but CGNAT is Carrier Grade Network Address Translation.

      NAT (Network Address Translation) is how your home router takes your one public IP address and is able to simultaneously allow your phone, your PlayStation, and your smart fridge use the internet.

      CGNAT is basically the same thing expect on a much larger scale and controlled by you ISP.

    • Sonotsugipaa@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      4
      ·
      6 months ago

      IP addresses ran out, IPv6 adds more addresses than we may need, ISPs decide to take away the user’s ability to host servers (more or less (more less than more)) rather than upgrading the infrastructure

    • Trainguyrom@reddthat.com
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      6 months ago

      I have two different ISPs serving the entire town I live in, both offering symmetric gigabit fiber to the home to the entire town, but can I get a lick of IPv6? Of course not!

  • frezik@midwest.social
    link
    fedilink
    arrow-up
    12
    ·
    6 months ago

    I tried an IPv6 AWS Lightsail instance recently. It had a private IPv4 address, but it’s not behind NAT and won’t route outside the network.

    Which would be fine if all the software packages you need can access things over IPv6 on their servers. One that doesn’t is WordPress, because of course it doesn’t. That means no plugins or updates except by manual downloads.

    But hey, who would ever want to run WordPress on a cheap Lightsail instance?

  • pingveno@lemmy.ml
    link
    fedilink
    arrow-up
    9
    ·
    6 months ago

    My university is still mostly on IPv4 for our infrastructure. We got in early on the IPv4 address gold rush, so we got a full /16 block. Not quite MIT’s 18.0.0.0/8 block, but enough so there’s little pressure to move. It can be a little embarrassing, feeling like an institution that should be breaking ground is instead trailing behind. At the same time, our IT department is chronically understaffed, so I can understand not doing the switch. It’s not as simple as just flipping a switch, there are many ramifications of IPv6 that aren’t immediately obvious.

    • r00ty@kbin.life
      link
      fedilink
      arrow-up
      7
      ·
      6 months ago

      There’s literally nothing stopping a moderately skilled IT team from integrating ipv6. You can run any site easily using both. The exceptions are few and even those aren’t that hard to deal with.

      Source: been running dual ipv4/ipv6 Web servers for over 10 years (maybe 15 would need to check) . Likewise had ipv6 dual stack at home for a similar amount of time, initially using tunnels and then native.

      Almost every server provider will give you ipv6 for free. There’s really no excuse these days not to run your services on both protocols now.

      • jrgd@lemm.ee
        link
        fedilink
        arrow-up
        5
        ·
        6 months ago

        The worst gotchas and limitations I have seen building my own self-host stack with ipv6 in mind has been individual support by bespoke projects more so system infrastructure. As soon as you get into containerized environments, things can get difficult. Podman has been a pain point with networking and ipv6, though newer versions have become more manageable. The most problems I have seen is dealing with various OCI containers and their subpar implementations of ipv6 support.

        You’d think with how long ipv6 has been around, we’d see better adoption from container maintainers, but I suppose the existence of ipv6 in a world originally built on ipv4 is a similar issue of adoption likewise to Linux and Windows as a workstation. Ultimately, if self-rolling everything in your network stack down to the servers, ipv6 is easy to integrate. The more one offloads in the setup to preconfigured and/or specialized tools, the more I have seen ipv6 support fall to the wayside, at least in terms of software.

        Not to mention hardware support and networking capabilities provided by an ISP. My current residential ISP only provides ipv4 behind cgnat to the consumer. To even test my services on ipv6, I need to run a VPN connection tunneling ipv6 traffic to an endpoint beyond my ISP.

        • r00ty@kbin.life
          link
          fedilink
          arrow-up
          3
          ·
          6 months ago

          You can get non VPN tunnels. I used both Hurricane electric (https://tunnelbroker.net) and sixxs (https://www.sixxs.net). I believe sixxs stopped offering services in 2017 though.

          I’m lucky that I have a choice of multiple ISPs all offering service on gigabit symmetric fibre. I’ve managed to keep my old setup of a /29 IPv4 allocation and /48 IPv6 allocation. But before IPv6 was available, I used tunnels at the point of the router with no problem. As such, the internal network doesn’t need to know there’s a tunnel and gets native IPv6.

  • RecallMadness@lemmy.nz
    link
    fedilink
    arrow-up
    4
    arrow-down
    2
    ·
    6 months ago

    CGNAT is good. One more layer of obfuscation between me and the internet.

    Sucks for those wanting to run services from home I guess.

    • frezik@midwest.social
      link
      fedilink
      arrow-up
      8
      ·
      6 months ago

      What is actually happening is that governments still spy, but it’s on everyone behind that address.

      People really need to stop pretending IPv4’s flaws are good things.

    • confusedbytheBasics@lemmy.world
      link
      fedilink
      English
      arrow-up
      5
      ·
      6 months ago

      CGNAT sucks any time you want a reliable link to anyone else behind a NAT. Multiplayer games, p2p sharing, video calls all are less reliable.