About two years ago, when we deployed our datacenter, I insisted for IPv6 first.
All out management network is IPv6 only, all kvm, switches, routers...
It was a pain and gives nearly no practical advantage (at the time), but the motivation was to make everyone "intimate" with IPv6. We learned a lot and we even discovered some implementation bugs (for example, Cisco default link local address is not /64 and this is not compliant with more recent RFC and will make them unable to communicate with BSD systems).
Now we have IPv6 everywhere and everybody from dev to sysadmin is aware of IPv6 and we start to see some real advantages. VPN are easier to manage, routing is easier, firewall is easier, clustering, failover... everything is "cleaner".
We still have IPv4 (dual stack) on some servers, but about 80% of them are IPv6 only with DNS64/NAT64.
Indeed, but also not everyone gets the payoff that GP did. We did IPv6 only and abandoned it after a while because there were some show-stoppers in our cloud provider that didn't work (at the time, this was a few years ago). It ended up being a good investment in the two people spearheading the work, but otherwise was a waste of time/money.
I don't know what your situation is, but I'm a regular programmer-type employee who has been through more mergers than I ever expected to. Every company I've been at used IPv4 addresses for the systems on their internal networks.
I've observed that one of the things that takes the longest to sort out after the merger "closed" (or whatever they call the "It's official. We now own you." phase) is merging the two company's internal networks. While some of the delay comes from removing redundant systems and "harmonizing" security policies and the like, the IT folks who I talked to about the process always told me that the thing that takes by far the longest time is IP address management... specifically, having to renumber networks and the systems on them, and reconfigure or reinstall the software on them to account for the renumbering.
If you're using IPv6's ULA addressing for your internal networks, the odds of an address collision are very nearly zero. With IPv4 addressing... unless your network is tiny, the odds appear to be very nearly one.
I don't know you as well as I should :) I should say I'm not that interested in selling something that is both free and 'politically' loaded.
People have made up their minds, they'll pick it up or they won't. No "skin off my teeth" at all. Implementation details matter to those who care. They have their reasons, I'm not one to question them.
One of the things I like about v6 is it allows us to give up the charade or vanity of addressing. At least minify it. One can define classes of networks and simply identify hosts by MAC (or FQDN assuming an AAAA record).
I already have to tote that information around to configure them. Having a v4 address can be seen as duplicating the role of identity, while risking conflict. Outright removal of v4 may offer benefits in some scenarios.
Now... 'conflict' is how BGP anycast literally works. Two or more hosts announce the same location. There are perfectly valid reasons to still use v4, neither precludes the other.
One past employer of a friend has an internal network using IPv4 only. Every night a database query runs on one database and updates a second database based on the results (a DSS updated from a data warehouse, I think). One of the TCP connections involved goes through five levels of NAT, internally to the company.
No one on the team liked adding the fifth NAT, but no one felt confident enough to undo any of the old NATs either.
If you use IPv6 internally you don't dig yourself into holes like that one. You have enough addresses that you can choose clarity and maintainability in little day-to-day choices and a few years later that clarity has added up.
No translation, no subnet allocation issue (because no scarcity), global reachability from everybody to everybody (as internet was meant to be), no overlap (because no RFC1918)
The world is much easier when everybody has its own identity.
I'm not the OP, but I expect VPNs are easier to manage because you don't have to worry about slicing up the very, very limited IPv4 non-public space and puzzling out how to resolve addressing collisions between all of the various networks you have to manage. With IPv6 you can just calculate a /48 ULA prefix and allocate /64s for your VPNs (and every other internal network) out of that. If ever you run out of room, just calculate another /48 and carry on... easy!
This and you can allocate prefix for services. Also you can do layer 3 access control because there is no NAT. Also NAT can get messy when chained. One very practical example is that if I am connected with SSH to a server, and connection is interrupted with a network gear config change for example, when it is back up, SSH will be still connected and might not even notice. With NAT, states can be dropped.
Not GP but in similar setups I've had good success with using the FWs (typically Fortinet or Palo Alto) as the NAT64 gateway. Hosted services that require 1:1 NATs also end up there anyways so it's a good fit for DC.
Outstanding. As Google’s IPv6 traffic portion approaches 50% (https://www.google.com/intl/en/ipv6/statistics.html) it’s clear IPv6 is here, now, today. I wouldn’t dream of launching a new public-facing greenfield project without it.
Nothing's realistically dropping support for v4 any time soon, so v6 support is optional. On the other hand, we're far, far away from all users supporting v6, so v4 support is not optional.
Running a single IP stack is infinitely simpler and easier than running two concurrently, and until that "single IP stack" can be v6, I see very little reason to support it.
I didn't recommend dropping IPv4. It's a terrible it to start a new project in 2024 without IPv6 support though. It's easy enough to build in from the beginning that there's not any real reason not to go for it.
And running a dual stack is trivially easy for almost everyone using it. That chart has almost half of Google's users coming in via IPv6. I promise you less than 1% of that 50% have ever even heard of IPv6, let alone done a single thing to configure it. With my ISP I'd have to go out of my way to turn it off, which I haven't done because this isn't 2008 where it broke things more often than never.
Exactly! IPv4 management is hideous compared to IPv6 once you grok it. The sooner you upgrade to it, the sooner you can deprecate horrid mitigations like NAT.
The fact that it exists. I was a network engineer before NAT became a common thing and remember how it use to be when nodes on the network were legitimately peers. NAT is a bletcherous band-aid for the fact there are more people than 32 bit numbers. Now we're seeing true abominations like CGNAT. That stuff needs to be lost to the realm of scary legends told late at night.
I was asking about practical issues, not just complaints of subjective ugliness. While I'll grant that CGNAT can be pretty bad (though not entirely indefensible for mobile networks), I don't think we can ever return to "every node being a peer" in any case, not when any typical network will have a firewall that denies incoming connections.
>I don't think we can ever return to "every node being a peer" in any case, not when any typical network will have a firewall that denies incoming connections.
Forgive me if I'm missing something here, but how is that any different WRT IPv4 vs. IPv6?
In both cases, except for those services one wishes to expose to the Internet (assuming one has a use-case for that), all incoming connections should be blocked, IPv4 or IPv6.
Or are you arguing that NAT masquerade confers some sort of security benefit on one's network that precludes the necessity of blocking incoming connections?
I'd argue that NAT (N:1 or 1:1) doesn't provide any security benefit. Nor does IPv4+NAT reduce the complexity of firewall rules as compared with IPv6.
In fact, I'd posit that NAT makes things more complicated and not less. That said, you can use NAT/NPT[0] with IPv6 (along with ULA/SLAAC) if you really want.
As such, I'd say that IPv6 provides the best and worst of IPv4, plus additional benefits.
IF we ever get completely off IPv4, that will be a good day.
I don't think I'm disagreeing with you regarding firewalls: what I was trying to say is that "every node being a peer" isn't a good argument against NAT, since these days it holds neither in IPv4 nor in IPv6, now that everything has a firewall in front of it.
> In fact, I'd posit that NAT makes things more complicated and not less.
Sure, it clearly adds some iota of additional work, but I've never seen it as being the worst thing in the world. I'm young enough to have never witnessed the legendary paradise of globally-reachable static IPs for everything, so it seems more like "just the way things are". And yet there is widespread hatred against the existence of NAT, and I can't tell if it's primarily ideological, or if NAT is causing real practical difficulties for many setups. (Though at least the issues with CGNAT are easy to see. And also with broken NAT implementations.)
Meanwhile, one might argue that things like SLAAC in IPv6 can similarly add conceptual difficulties compared to IPv4. E.g., "How do I identify some particular device in my network, if its link-local IP is changing on a regular basis?" (To which the answer is something DNS-like, I guess?) So switching a network's internal operations from NATted IPv4 to NATless IPv6, with all of its different mechanisms, would seem like more of a tradeoff than an unequivocal win.
> I don't think I'm disagreeing with you regarding firewalls: what I was trying to say is that "every node being a peer" isn't a good argument against NAT, since these days it holds neither in IPv4 nor in IPv6, now that everything has a firewall in front of it.
In residential environments you can do whole bunch with UPNP/PCP, but with IPv4 you have the added complexity of STUN, TURN, and ICE:
With IPv6 you simply punch a whole and and the two clients simply talking to each other with their GUAs.
(In more tightly controlled environments (e.g., work), firewall policies and hole punching are dictated by IT.)
> Meanwhile, one might argue that things like SLAAC in IPv6 can similarly add conceptual difficulties compared to IPv4. E.g., "How do I identify some particular device in my network, if its link-local IP is changing on a regular basis?"
If a device gets its address via DHCP(v4), how do you identify it? SLAAC is for dynamic environments, but if you want static services, configure IPv6 statically.
At least with IPv6 you don't need DHCP infrastructure (and complexities like IP helpers configured on routers) to get going.
> With IPv6 you simply punch a whole and and the two clients simply talking to each other with their GUAs.
Eh, I wouldn't call it that simple. With an IPv6 firewall, TCP hole-punching is still difficult to impossible depending on how strict the connection tracking is (necessitating something TURN-like), and UDP hole-punching still requires some timing trickery. It's useful to keep a connection open with a STUN server regardless, in case that influences the firewall. All that NAT does is add a few more possible failure points, depending on how the router sets up mappings.
In the end, these are just hacks on hacks regardless, since we're never going to have reliable UPnP or similar on every network.
> If a device gets its address via DHCP(v4), how do you identify it?
I manage its assigned IPv4 address from the router, which itself presumably identifies it by MAC address. Doing it centrally from the router is often easier than trying to change the device's own settings.
Regarding static IPv6, can you still have static addresses within a network, while using rotating privacy addresses for outside connections? I've always been somewhat unnerved by the idea of each device in a network having a persistent address that can be separately tracked.
IPv4 as well as IPv6 was designed with endpoint to endpoint communication in mind so when NAT was conceived (originally intended to be a stop-gap while we moved to IPv6) we also had to re-write many other protocols and create many new ones since NAT broke IPv4's design principle (each IP needs to be unique)
This has lead to many context specific problems as many of the re-written protocols don't work as well not to mention the added complexities of protocols designed specifically with NAT in mind. As another network engineer I can attest to the problems this has caused. Pretty much everything from overlay VPN networks, VoIP solutions, security and ACLS, and just our day to day maintenance tasks are complicated by NAT. It has gotten so out of hand that many of us have dedicated NAT routers just handling NAT translation.
It's so weird to me that so many people in our industry spout scalability but then laugh off IPv6... How the heck do you guys plan to communicate to the ever increasing amount of smart devices? IPv4 literally ran out a space years ago...
I mean adding IPv6 support doesn't make nodes "legitimate peers". NAT still exists in a v4+v6 world; there will always be a distinction between "nodes with a public v4 address" and "nodes without a public v4 address".
You're missing the point, I believe intentionally. You can't get away from IPv4 as long as you have users who can't access IPv6-only servers. All your users and potential users can access IPv4-only servers.
> You can't get away from IPv4 as long as you have users who can't access IPv6-only servers.
That depends on your definition of "can't get away from". Your users can live on a IPv6 only lan and have the IPv4 world available to them. IPv6 supports 4 in 6 - ie you can embed IPv4 addresses in IPv6, so all you need is a gateway that translates IPv4 to IPv6 for them.
I've done it. At a conference, to unsuspecting users. All phones support IPv6 well, so they didn't notice. Not one complaint - I was blown away by how well it all worked.
It was done because some noisy attendees insisted on being assigned routable IP addresses. That can be difficult to provide with IPv4 for obvious reasons, whereas ISP's will happily hand you thousands of billions of IP{v6 routable addresses, for free.
I set up the gateway myself, rolling my own using a linux box I had lying around. Adding the 4 in 6 capabilities is maybe an hours work on top of all the other setup you have to do on the box, and that includes googling to find what tools you need and how to configure them. It's not hard.
> All your users and potential users can access IPv4-only servers.
Not all servers are user-accessible. For instance, a database server or a NAS server might only be accessed by other servers within the same organization. Using IPv6 between these internal-only servers, instead of RFC 1918 addresses, can simplify things.
And can make things far more complex too. You now need people to understand both ipv4 (for your public facing) and ipv6 (for your internal ones).
Instead you could just choose ipv4 only and reduce a lot of complexity. Sure there are also downsides -- if you're in a large org and are running out of RFC1918 space, or you're rationing it to smaller than /24 networks, that can be a pain (I don't see a benefit of more than 256 host addresses on a subnet as that's already far to large a broadcast domain)
#2 has essentially no downsides and is radically simpler.
That's my point. It's not terrible to start a new project without IPv6 support, because adding IPv6 support adds a ton of complexity for almost no benefit.
I never claimed or insinuated that you recommend dropping IPv4. If I thought your recommendation was to drop v4, my argument about the complexity of dual-stack would've made no sense.
> I never claimed or insinuated that you recommend...
Check my handle. I'm not who you seem to think I am.
> ...adding IPv6 support adds a ton of complexity for almost no benefit.
That doesn't at all match my experience with IPv6 support in greenfield projects for the past decade+. You actually have to do extra work to make them IPv4-only. Remember that the statement you initially responded to said "It's a terrible it to start a new project in 2024..."
> > I never claimed or insinuated that you recommend...
> Check my handle. I'm not who you seem to think I am.
Sorry, I didn't notice. Pretend I said "they" rather than "you".
> > ...adding IPv6 support adds a ton of complexity for almost no benefit.
> That doesn't at all match my experience with IPv6 support in greenfield projects for the past decade+. You actually have to do extra work to make them IPv4-only. Remember that the statement you initially responded to said "It's a terrible it to start a new project in 2024..."
Huh, I never found it difficult to ... not add an AAAA DNS record to point to a server. It surprises me that you find that to be extra work.
> Huh, I never found it difficult to ... not add an AAAA DNS record to point to a server.
Have you attempted to make greenfield software written in 2024 support only IPv4 addresses and be deliberately incompatible with IPv6 addresses? It's a lot more work than just using what the standard libraries give you and just getting support for v4 and v6.
I have actually made a green field project in 2024 and created a VPS for it and not added an AAAA record to point to that VPS, it was pretty easy to not add that AAAA record, I could do it in my sleep (in fact I do spend most of my nights not adding AAAA records to anything)
Now the software itself would probably work v6 if you set up the infrastructure for it, but that's not what I'm talking about. (I don't know for sure that it works with v6 though, never tested)
I know for sure that I've written some software before which doesn't work with IPv6 because the buffer I pass to gethostbyname is 4 bytes, but to be fair I haven't written such software in 2024. I have also written software to configure a device's interfaces and routing tables which only does DHCP4 and only configures v4 addresses, but that was in 2023 not 2024, maybe dhcp4 would've magically worked with IPv6 if I had done it this year
> The gethostbyname*(), gethostbyaddr*(), herror(), and hstrerror() functions are obsolete. Applications should use getaddrinfo(3), getnameinfo(3), and gai_strerror(3) instead.
Certainly some will be needed for 'legacy' purposes for the foreseeable future, but the more you can reduce the use of them at your edge, the less money you'll be shelling out.
Depends on your users; there are, for instance, plenty of phones that only natively have v6 and have to use NAT64 to reach v4 websites. So if you have such users, there might be a benefit to supporting v6 directly.
There are already cases of Internet connectivity issues due to overloaded CGNAT. I know for a while I could only visit IPv6 websites, IPv4 technically works but the amount of packet drops meant that my IPv4 internet speed was only about 15KB/s!
It's the whole reason why I discovered a DNS server that synthesizes AAAA records, for websites that actually support IPv6 through their CDN. [0]
> As you said though, those users can reach v4 websites.
Therefore, the question is: Can those users really reach IPv4 websites?
Mind you, I don't expect the CGNAT-overloading issue to relieve over time -- unless we deploy IPv6 everywhere ;)
> NAT registers in the microseconds for packet processing time, that isn’t even comparable to Internet path jitter.
NAT, at scale, can get expensive:
> Our [American Indian] tribal network started out IPv6, but soon learned we had to somehow support IPv4 only traffic. It took almost 11 months in order to get a small amount of IPv4 addresses allocated for this use. In fact there were only enough addresses to cover maybe 1% of population. So we were forced to create a very expensive proxy/translation server in order to support this traffic.
> We learned a very expensive lesson. 71% of the IPv4 traffic we were supporting was from ROKU devices. 9% coming from DishNetwork & DirectTV satellite tuners, 11% from HomeSecurity cameras and systems, and remaining 9% we replaced extremely outdated Point of Sale(POS) equipment. So we cut ROKU some slack three years ago by spending a little over $300k just to support their devices.
No, I mean that the IPv4 packets go through a stateful NAT engine on the provider side, instead of going through potentially multi-path L2/L3 switching fabrics that are stateless w.r.t. the content of the packets (especially if they're actually routed L3 fabrics, not auto-discovering L2 fabrics).
Thus the packets have to take a detour through the NAT engine instead of taking the shortest physical path to the destination as they can with a plain stateless L3 switched fabric.
E.g. in an AON with L2/L3 switches on the provider side of the last-mile link, you can easily bend the packets right around in that switch if you're WebRTC calling your neighbor. No need to even go beyond the curbside switch.
Other than that, it's still typically gonna be a physical detour to the NAT engine instead of going straight to the destination, as the NAT engine isn't fused into the main fabric data plane.
Does NAT port exhaustion not count as "materially affecting bandwidth"? At least, the maximum bandwidth is capped. Furthermore, the keepalive packets (required to maintain a port mapping) must cause the maximum useful bandwidth to be reduced, do they not?
Either way, expecting no effects on latency/bandwidth when additional processing is involved is a rather insane take. If anything, you should be the person presenting evidences to prove your position. Ideally, the cost effectiveness of whatever you present should be included too.
Anecdotally, I have experienced IPv4 slowdown due to CGNAT overload. Make of it what you will.
> Does NAT port exhaustion not count as "materially affecting bandwidth"?
In a home network this is a negligible concern. In a CGNAT setup it is a limitation of the hardware or ISP, not really NAT. Furthermore it impedes establishing connections, not bandwidth.
> Furthermore, the keepalive packets
First, what keepalive packets? NAT does not introduce packets into an existing TCP or UDP stream; for TCP it uses control packets to detect state and whether teardown is needed. For UDP keepalive packets depends on the underlying protocol; for example wireguard supports a persistent keepalive. But is this material though? Will this even materially affect a dialup connection?
> Either way, expecting no effects on latency/bandwidth when additional processing is involved is a rather insane take.
You're putting words in my mouth. I asked does it materially affect bandwidth or latency or does it bottleneck it in some way. My argument is that NAT introduces packet process delay in the magnitude of microseconds per packet processing. This is negligible when most applications on the Internet deal with latency in milliseconds. Lastly, if the point is to compare, it'd be NAT against no NAT, not really NAT against IPv6. I find your position weak insofar saying port exhaustion or keepalive packets limit bandwidth; if it does, quantify it.
> Anecdotally, I have experienced IPv4 slowdown due to CGNAT overload. Make of it what you will.
That's on your ISP, not NAT. It's no different to your ISP delivering gigabit to last mile and using dialup links for connectivity. They need to adequately resource the network.
> Furthermore it impedes establishing connections, not bandwidth.
Can't have bandwidth if you are TCP RST'd.
> First, what keepalive packets?
Any devices or protocols sending a useless keepalive packets (e.g. Wireguard has this) just so the NAT won't take away the precious 5-tuple and give it to others.
> NAT against no NAT, not really NAT against IPv6
I am sorry, but I cannot imagine a "No NAT" solution that doesn't involve IPv6. So yes, NAT vs No NAT is still NAT vs IPv6.
Unless you still have a /16 IPv4 block in your hands, in which case, go on. Just remember that in this case you are the exception and not the rule.
> That's on your ISP, not NAT. It's no different to your ISP delivering gigabit to last mile and using dialup links for connectivity. They need to adequately resource the network.
NAT being stateful is ultimately the cause of this. No statefulness, no need for (additional!) expensive equipment, no resource constraints.
> Nothing's realistically dropping support for v4 any time soon […]
Or potentially ever, as predicted when IPng was being originally thought about:
We believe that it is not possible to have a "flag-day" form of
transition in which all hosts and routers must change over at
once. The size, complexity, and distributed administration of the
Internet make such a cutover impossible.
Rather, IPng will need to co-exist with IPv4 for some period of
time. There are a number of ways to achieve this co-existence
such as requiring hosts to support two stacks, converting between
protocols, or using backward compatible extensions to IPv4. Each
scheme has its strengths and weaknesses, which have to be weighed.
Furthermore, we note that, in all probability, there will be IPv4
hosts on the Internet effectively forever. IPng must provide
mechanisms to allow these hosts to communicate, even after IPng
has become the dominant network layer protocol in the Internet.
I'm on a laptop on an ipv6 only subnet at the moment which mostly does the job with dn64/nat64.
The only benefit of this is to increase familiarity with ipv6. I'm trying to push some colleagues to do an ipv6 only section of our network which has limited interconnect, but there's a lot of concern about devices that still don't support ipv6, and ultimately what's the business reason to do it compared with subnetting 10.0/8 and natting at your firewalls
And many people are happy to not know what an IP address is either. That's fine.
I find it amazing how that lack of curiosity about how computers work extends into modern software developers, I guess that the majority of the industry nowadays are people that do things like "bootcamps" and go into it for the money.
I have no need for ipv6, however I wanted to know about it so spent a couple of hours setting myself up with it. I don't bother with the latest fads that last 3 or 4 years and then are replaced by a new fad, but ipv6 has been around long enough that it's clearly not a fad.
I have plenty of curiosity around how computers work. I've implemented compilers and interpreters, designed CPUs (I made a RISC-V CPU in Logisim which could run programs compiled with clang!), designed ISAs, back in university I had a lot of fun both writing a networking stack from almost-scratch (starting with only C and the raw ethernet packet API in Linux, building toy versions of ARP, IP, routing daemons and TCP) and writing a toy kernel, I have an ongoing game project where I'm writing the engine from scratch in C++ and using plain OpenGL to render, and this past year I've taken up PCB design and CAD. All this just because I want to learn stuff and make stuff. Don't assume that just because someone doesn't share your particular interests, they lack curiosity.
IPv6 has been around long enough that it's clearly a failed project. It's been 30 years and it hasn't even breached 50% adoption. It's not even at the hard part yet, which will be the long tail.
>IPv6 has been around long enough that it's clearly a failed project
You have a very radical definition of "failed". Take your emotions out, and perhaps you would get a more objective evaluation of the technology.
For one, it's very clear that IPv6 has only, truly received global attention after the depletion of IPv4 address space -- someone has already linked the Google IPv6 adoption page, go have a look at it, look at the flat line before 2012. That means we have spent about of 10~15 years of time deploying IPv6, not 30 years, and getting to 50% adoption in such a time period is not what I'd describe as a failure.
Secondly, if you are defining failure as "less than 50% prevalence in 30 years" then HTTPS before 2014 will probably fall under the same category too. (Don't underestimate the age of SSL/TLS.)
The only way this stuff trickles down to the masses is people that know what they are doing forcing it on them through their products. Very, very few 'engineers' actually go out and learn the state of the art these days in my experience, with most just culting around whatever the current marketing fad is.
Hell just look at SDWAN land and everyone acting like it is the second coming of jesus when it is just a fancy marketed version of technologies that have been available for decades.
I personally push for IPv6-only internal networks whenever possible, and have deployed several such designs in datacenters.
Unfortunately, a lot of applications are building on platforms where IPv6 is an afterthought if even present at all. Take for example Azure, where IPv6 support is a fucking joke. From core services like Route Server not supporting it, to it being impossible to build v6-only networks due to forced v4 subnet and vNIC requirements, to many services that Microsoft provides only running on v4.
As much as I want to push IPv6 everywhere, that physically cannot happen until companies support it for all use cases. In the mean time dual stacking can be better than nothing but the complexity is non-trivial when the alternative is just running straight v4...
IMO the separate-stack nature of ipv6 was a mistake. I can see why they did it, but the changes could've been a lot more incremental otherwise, and we might've been done already. Everyone talks about the biggest change being the 128-bit address space, but the real leap is that pre-existing ipv4 blocks weren't preserved in ipv6.
The changes couldn’t have been more incremental. Routing hardware only understood the IPv4 header (and at that time I believe a lot of this was baked in silicon). There was no way to create an IPv4+ without needing to replace all the internet’s routers before it could reliably work.
How would have it made it easier to migrate when all of the new blocks wouldn’t be accessible (in either direction) if the traffic passed through any router that hadn’t yet been upgraded? Nobody could really use any of the extended space at all until every single router had been upgraded to this IPv4+.
It is a common misunderstanding (I hear “we could have just made IPv4 bigger” a lot) but apart from the routing issues above (needing to replace every router before it could work at all), the endpoints are also a problem. Nothing in the expanded space could actually call out to a legacy IPv4 endpoint - it could sent packets to it, but that legacy host wouldn’t be able to return packets back since it wouldn’t understand the larger address. And of course the legacy endpoint couldn’t initiate a connection to anything in the extended space either from its side.
So you not only have all the same problems of IPv6 (like needing to upgrade everything), you actually add a bunch of problems of breaking the ability of big parts of the internet from being able to communicate with the rest.
Dual-stack was necessary because everything couldn’t be switched over on the same day. If everything was upgraded at once, your extended-IPv4 idea would work, but otherwise it would break the internet!
> It is a common misunderstanding (I hear “we could have just made IPv4 bigger” a lot) but apart from the routing issues above (needing to replace every router before it could work at all), the endpoints are also a problem.
Don't forget all the DNS software: "A" records are hard-coded to 32-bits, so if you wanted >32 you needed a record type (what we now call "AAAA", RFC 3596).
Then all the DNS programming APIs had to be updated and all the C header files with new structs.
I'm not saying we can avoid updating routers/hosts/DNS/etc, but it's only one piece of the migration puzzle. Otherwise we'd be done already. I elaborated when responding to a similar question: https://news.ycombinator.com/item?id=41603782
> Everyone talks about the biggest change being the 128-bit address space, but the real leap is that pre-existing ipv4 blocks weren't preserved in ipv6.
RFC 2765 isn't about keeping ipv4 blocks in ipv6, if I understand correctly. It's about translator boxes for ipv6-only hosts to talk to ipv4-only ones by acquiring temporary ipv4 addresses.
You can; but I'd not be surprised if there are commercial setups that use IPv6 packets for everything, including situations with IPv4 addresses.
I think it would allow getting rid of most of the ethernet header overhead, by basically just talking bare IPv6 packets.
And to do that, you mentioned a condition that's either ① satisfied by current IPv6 or ② impossible to satisfy, and for which that's clear on even a moment's reflection. Not sure which of those two you had in mind, but in either case: Please don't do such things.
I keep seeing people say this, but nobody ever takes the next step of proposing how this "missed opportunity" might have been fixed.
The reality is that there is no possible way IPv6 could have been designed that would both solve the IPv4 address exhaustion problem and natively interoperate with IPv4. When you send a packet to an IPv4 host, it needs to know where to send the response, and there simply aren't enough bits in the IPv4 header to fit more than 2^32 possible addresses.
You need something in the middle to translate between IPv6 and IPv4 addresses, and we already have that: it's called NAT64. It works the same way you would expect NAT to, and just like NAT on IPv4, there's no need to codify it as an explicit part of the IP protocol itself.
I think it was bad timing. We might have been able to migrate to IPv6 wholesale when the Internet was much smaller in the early 90s. One thing that comes to mind is the kumbaya moment when everyone got together to switch from BGP v3 to BGP v4 to support CIDR.
> We might have been able to migrate to IPv6 wholesale when the Internet was much smaller in the early 90s.
In the early 1990s IPng/IPv6 was not yet invented, and when it was being considered they realized a flag-day (like (mostly) happened with NCP->IP) was unlikely:
We believe that it is not possible to have a "flag-day" form of
transition in which all hosts and routers must change over at
once. The size, complexity, and distributed administration of the
Internet make such a cutover impossible.
Rather, IPng will need to co-exist with IPv4 for some period of
time. There are a number of ways to achieve this co-existence
such as requiring hosts to support two stacks, converting between
protocols, or using backward compatible extensions to IPv4. Each
scheme has its strengths and weaknesses, which have to be weighed.
Furthermore, we note that, in all probability, there will be IPv4
hosts on the Internet effectively forever. IPng must provide
mechanisms to allow these hosts to communicate, even after IPng
has become the dominant network layer protocol in the Internet.
"Killed" is a bit harsh, given that it's half of all Google's traffic. A huge chunk of that is probably from cell phones where IPv6 support is the norm.
Not really.. IPv6 was theoretically ready in 1997. But, it was theoretical. It was still buggy. In 2000s Internet expansion skyrocketed and noone really cared about IPv6. Buggy, too different from IPv4, basically overengineered. They made prediction that was absolutly off.. And thats why adoption is crappy.
It does seamlessly work w/ services like Apple's Private Relay. I was surprised to see an IPv6 address when checking my IP address on external websites. Maybe eventually proxies like this might be the solve for this.
The fact that a company like monopolistic, abusive, privacy invading company like Google that desperately desperately wants me to run ipv6, ensures that I will disable it on every device I own and corporate network I run.
You've perhaps seen the Onion article whose headline goes something like "Heartbreaking: The Worst Man You Know Just Made An Excellent Point"?
You're simply kneecapping yourself if you refuse to learn how to acknowledge and incorporate good ideas that happened to be uttered by execrable entities.
I… think that at the end of the day, Google wants you to run v6.
Google competes with Facebook. Facebook wants sites to host Facebook Pages and such, which needs no IP addresses. Google wants lots of websites and other services on an open web, to which it can sell lots of ads, and for which it can run a good search engine that again brings in lots of opportunities. A lack of IP addresses isn't a problem for Facebook, but it is one for people who want to host new web sites and other services. And therefore Google wants to alleviate that problem, with which IPv6 can help.
Excellent logic! Hitler drank water and, if you had the chance to ask him, he would have likely suggested you also drink water. Does that mean you won't drink water now?
If Hitler was pushing a new kind of water which he argued was superior to the old water you've been drinking all your life, maybe some skepticism would be warranted?
I'm not saying that "I will disable v6 because Google wants me to enable v6" is a good argument, but your rebuttal is pretty bad as well.
I am running as many IPv6 only services as I can.
All MY core services that I use daily are v6 only.
At the end of 2024 i am still shocked to see how much new software does not work without ipv4.
My most recent struggle was with Seq - the opentelemetry server for example.
It is full of new software created in the recent few years that just refuses to work without ipv4. And not because it need to reach some server on the internet. It just does not work if you do not have ipv4 (even private).
The software which Habgdnv was referring to? Seq being their most recent problematic encounter, but there's apparently more. I don't know the details, you'd have to ask them.
This seems as good a place to ask as any: how does one obtain a (larger) block of IPv6 not via their ISP/datacenter and then route it (to a network they control) through their ISP/datacenter-provided IPv6 uplink? Is that even possible?
It’s not magical, it’s exactly the same as IPv4, you either peer with them via BGP and advertise it yourself, or you give them an LOA to advertise it on your behalf.
Literally you just talk to your ISP. A support ticket or a technical phone contact. They'll either just do it for you or get you set up to announce your routes to them.
You'll need an ISP that does actual business networking things, probably. I doubt Xfinity home service would do it for you.
>It would be nice if someone made a wiki somewhere of which ISP's worldwide will do this on which plans.
More or less all of them with a business tier of service will do this.
>I'd really like to have two ISP's and BGP peer with both, so that if one goes down all my systems keep the same IP address and maintain connectivity.
The smallest subnet that is going to get advertised outside of your ISP (outside of the ASN you're in) is a /24, you can't have multiple ISPs and get that kind of address space for your personal stuff.
The design goals of the Internet you're referring to are about networks not going offline, a global routing table with individual entries for every user is not sustainable.
> The design goals of the Internet you're referring to are about networks not going offline, a global routing table with individual entries for every user is not sustainable.
With a bit of a redesign it would be. Most mesh networks tackle this problem. In the worst case, a routing table entry for every human in the world is only 8 billion entries, which would fit in RAM on a typical server today. And every optimization you do dramatically reduces that number (eg. make users who have similar network configs and peers have neighbouring addresses, allowing you to coalesce potentially millions of users into a single route)
It would fit in RAM but then you actually have to search through RAM. I have a router that is doing a very modest 3gbps of traffic, or about 2000pps that all need lookups, and about 40 updates per second that goes into that table.
I should also mention that's 40 updates per second for a default free zone of about 950,000 routes. 8 billion routes would be an minimum update frequency of ~370,000 routes per second assuming the same stability.
What about updates? Propagating routing table changes for even 8 billion devices (assuming each human has on average one device, which is quite the assumption to make) would be incredibly resource-intensive.
Your challenge is getting every ISP to accept this. The routing table might fit in the RAM of a typical server, but perhaps not so easily in the RAM of many routers still deployed in the field.
It's a nice idea, but sadly it'll lose out to commercial realities in many cases.
I'm just saying that rearchitecting the Internet / routers to support billions of routes would be a challenge, and it might just be too slow to have a routing table that big.
I had a tunnel with them I was using for a while, but ended up turning it off a couple of months ago.
Any request to a CDN will be slower since you’re not hitting the cache closest to your actual ISP, and since it’s “a VPN” a lot of things start to break, need more captchas, or get blocked for you since there’s a higher level of abuse from HE’s tunnel broker IP blocks.
Oh wow, I didn’t know they were still around! I used that to get an IPv6 address more than a decade ago; I think they used the bastardized IPv4-mapped-to-v6 address format at the time. But iirc it involved extra network hops because it was tunneled rather than routed, but maybe I’m misremembering.
I was very happy to get symmetric Gig internet at my new place but very bummed that my ISP doesn’t offer IPv6.
I had enjoyed learning about and deploying it on my LAN whenever Comcast added support (SLAAC is magical) but I guess I’ll be waiting for quite a while to play with it again :(
There's also a cool trick you can do with IPv6 addresses for servers where you use RA to broadcast your IPv6 prefix on the LAN and the OS assigns itself a valid public IPv6 using the MAC address for uniqueness.
Very clean and easy.
I had to get into IPv6 for real when I switched ISPs and the French Free relies on IPv6 for some services.
IPv6 is hard. You have to learn brand new concepts for something which is only a medium for your actual apps (I self host a lot).
I do not know if there would have been a way to make it more "advanced user" friendly but if the was, it's a lost opportunity to get wider adoption faster.
Only at small scale: the flat MAC lookup quickly becomes more expensive than matching against a handful of (post-consolidation) routing prefixes.
E.g. in their setup only the switch the hosts are directly plugged in needs to be aware of the individual hosts; all other switches/routers only look at it with a granularity no finer than this access switch. And at some point even coarser.
All 'boring' packets are hardware switched/routed with no CPU involvement in everything bigger than your home cable router.
For both switched and routed networks it's possible to build hardware that can route at the same speed as the ports, so in 2024 performance isn't really a reason to choose switched or routed.
Cost might be though - I believe that for the same number of gigabits, hardware sold as a switch is substantially cheaper.
If you think IPv6 is too complicated, you are either overestimating IPv6’s complexity or underestimating IPv4’s complexity. IPv6 is undeniably simpler. It has a cleaner header format that is simpler to parse, it has no need for on-path routers to perform fragmentation, it combines host/router discovery and various diagnostic control packets down into a single protocol called ICMPv6, it has stateless address autoconfiguration and correct link-local address behaviours amongst others. It fixes decades of mistakes that have accumulated in IPv4.
Perhaps to someone who's never been exposed to IPv4.
But for those who know IPv4 from before, it means almost a complete rewrite of all the knowledge. Just about every detail of setting up an IPv6 network is different from an IPv4 network, with just the superficial bits staying similar.
It also has bits that are undeniably more complex than IPv4, like dynamic address allocation. You got SLAAC, RA, stateful and stateless DHCPv6, with the latter being required in certain cases. And with that you now got two different ways to provide DNS servers to clients, and which one takes precedence is undeniably non-trivial[1] and even implementation dependent!
Any solution that requires updating clients, servers, and networking equipment to support the protocol and/or adjust the network address scheme of the environment will require the exact same steps doing an IPV4 to IPV6 migration would require.
Not so. IPv4->6 removes all existing v4 address blocks and redoes the addressing scheme. Those changes weren't necessary for expanding the address space. This implies that day 1 of using ipv6, all your addresses are different (and way longer), all your routes change, DNS DHCP etc all need to be swapped out, and bans/reputation are all reset with no clear replacement. And there were a bunch of smaller changes / new features.
Whatever you do to get more addresses, it will look similar in the end, but the steps could've been very different.
How would a computer with an expanded address scheme communicate with another device with an unexpanded IPV4 address? How would that client get its response back?
How would a router know what to do with it without updating its software?
At the end of the day, you are talking about using a different than IPV4 address scheme and using a different protocol than IPV4. Everything in the stack will need to be updated. Every hop on the route, every single piece of software that will interact with the network address. Backwards compatibility still requires everything but the older device to be updated.
Yes, everything has to be updated eventually, but going forward doesn't have to be this hard. A network and its hosts could start supporting ipv6 without changing anything else. Same addr and routes as before, same NAT, and no DNS6/DHCP6/etc, so very low effort and risk to turn it on. If a peer only supports v4, talk v4 to it for now.
Then once there's sufficient v6 adoption, you can disable v4 entirely and start using /40, /48, etc..
But same addr is the problem we are trying to solve in the first place. Using your IP-new proposal (let's call it IPv5): If every IPv5 addr is just a padded version of the same IPv4 addr, then once IPv4 addresses are exhausted the IPv4-mapped-into-IPv5 addresses are also exhausted.
At that point you need to start handing out IPv5 addresses to hosts without an IPv4 address. And then, how does a IPv5-only host talk to a IPv4-only legacy host? That's the fundamental issue!
The same addr thing only buys you time until the address exhaustion becomes real.
You still make the same big changes, but the difference is you don't have to do them all at the same time. You also skip the complicated add-ons of ipv6 and don't reassign everything.
Ipv5 as you call it: Phase 1 is getting routers/hosts to understand v5 headers, while users enable v5 and change nothing else. Phase 2 is the transition where people keep using padded addrs while things* are updated in-place to just support longer ones, which doesn't affect users**. Once that's done, we get to use the full space, which some users may ignore and some may use. For better and worse, the existing /32 blocks would still be around initially. Maybe this would appeal to previous ipv4 holders better; they still own the same % of the pie. Maybe 8.8.8.8 would stay forever.
What makes me kinda sure would've worked? Right now, the world has mostly already completed the equivalent of phases 1 and 2 for ipv6. There might even be a way to reuse the ipv6 protocol as-is for ipv5.
* DNS, NAT, DHCP, ARP, routers, VPSes, OSes...
** "User" includes corp network admins, cloud/datacenter operators, ISPs, and simple home customers.
But you can do that with IPV6? I have both an IPV4 and IPV6 address on this very device.
My confusion in the claims that we could do it differently is how the protocol could be updated without actually doing the work of updating everything on the network and adding the new address scheme.
That's my proposal, ipv6 with extra steps. As in, incremental steps instead of one impossibly big change. tl;dr keep the pre-existing v4 /32 blocks day 1, and the rest follows.
Edit: I said "my" proposal, but pretty sure the same idea has been brought up many times.
Getting rid of IPv4 address allocation is one of the huge advantages of IPv6. IPv4 is chopped up into little pieces and the routing table is mess from it. Starting from scratch, IPv6 can make that better.
IPv6 also realized that most people don't need their own address space. It is valuable in IPv4 to own an allocation, but IPv6 is so huge it doesn't matter.
For setup, IPv6 does it automatically for customers. Peering requires entering IPv6 addresses, but that is a one time thing.
> Getting rid of IPv4 address allocation is one of the huge advantages of IPv6. IPv4 is chopped up into little pieces and the routing table is mess from it.
Basically IPv6 only solves problems if you're paid full time to do network administration.
If you just run a small network among other things, it creates problems. Because you can't hold the new structure in your head if it's not your main job.
> Starting from scratch, IPv6 can make that better.
Yeah right. Want that "things you should never do" Joel link?
He was talking about Netscape, but I think IPv6 is a much better example.
The nice thing about IP v6 is there is effectively "no structure" to hold in your head. You never need to think about or find out what the netmask is, it's always /64. You never need to calculate the next subnet boundary, increment the digit before ::. You never need to do all sorts of the things associated with IPv4 structure, private addresses and conflicts, NATs and double NATs, DHCP server just to have clients automatically work...
The biggest downside for IPv6 in small networks is, ironically, something which was added later and not part of the initial (nor actually required, but devices opt to do it anyways) and that's "randomized auto rotating addresses" for security. Without them addresses look something like 1234:abcd::${mac} or 1234:abcd::12 but with them they look like 1234:abcd::4729:ab65:f902:7ee0 and a device might have 4 active if it's been running the whole day. I think this one extension is something like 80+% of people's reaction to IPv6 and it didn't even call for it originally.
These are all defaults, by the way. Subnets don't have to be /64 - that ended up being the default by historical accident; though it's nice that it forces every ISP to give you at least a /64 which you can subnet further if you want to, though without SLAAC.
Privacy addresses should be used for outgoing connections. Don't treat one as a static address. If you need to write down an address, give that machine an easily remembered static one.
I feel like residential ipv6 would be at least a little further along if routers simply always enabled NAT by default for it, like what cell providers do. Solves all these questions and problems for inexperienced users. Instead, you gotta ask, is the firewall enabled and default-deny, are ULAs enabled...
The second thing is the problem with not having NAT. On a home or corp network, I like NAT. I'm not trying to host 20 servers there. Sure ipv6 can use it too, but it's never default and often not supported on the router.
So yeah, 192.168.1.55 is my Mac's local ip, it's easy to remember.
Inside the home you can usually get away just using the internal link local addresses. E.g. my main PC is fe80::10, my wife's pc is fe80::11, my router is fe80::. You can even use that when you get "fancy" e.g. my NAS is fe80::12 internally or ${public_prefix}::12 "externally" (that one actually works on either side).
This address will also run afoul with the "privacy first" randomizations on most devices by default. This addition is truly the scourge of letting IPv6 seem dead simple to use.
Don't forget that IPv4's link local addresses (169.254.0.0/16) are also randomized for the same reason: making link-local addresses use sequential numbers by default requires a centralized node to coordinate them, which is counteractive because link-local address are designed to not require one.
IPv6's answer to IPv4 private addresses (e.g. 192.168.0.0/16) is ULA (fd00::/16). Newer routers are beginning to assign local hosts with ULA addresses, thus if you want to have a stable address to a local device, you can simply connect to it by ULA.
Yeah, the route fragmentation a disadvantage of what I've had in mind. My focus is just on getting things to speak v6 to fix the scarcity problem first. Maybe at some point the owners could've swapped addresses back to defrag things.
How is that better than IPv6? Remember that there is no way to squeeze more address bits into IPv4 header, that need to come up with a new protocol. In fact, need to come up with a whole suite of new protocols. You could just make the addresses bigger but still need to deploy.
IPv6 changed some things, most of them for the better, and it already works. The only problem is migrating and the problem is people who don't want to switch.
One example of how IPv6 is better than IPv4 with more address bits, is that 128-bit address is big enough to put the whole IPv4 address in. NAT64 put the IPv4 address in the 64-bit host section. MAP-T puts the whole NAT state in address, getting rid of expensive CGNAT.
I don't understand why all my devices randomly assign themselves non-functional IPv6 addresses with no involvement from any router. Often it's even multiple non-functional IPv6 addresses.
IPv6 assigns link-local addresses automatically. They are for talking to other computers on same the network. It works when you don't have router. It won't interfere with anything else.
IPv6 supports multiple addresses on each machine for different scopes: global, internal, local. IPv6 uses address hierarchy to figure out which one to use to reach destination.
All out management network is IPv6 only, all kvm, switches, routers...
It was a pain and gives nearly no practical advantage (at the time), but the motivation was to make everyone "intimate" with IPv6. We learned a lot and we even discovered some implementation bugs (for example, Cisco default link local address is not /64 and this is not compliant with more recent RFC and will make them unable to communicate with BSD systems).
Now we have IPv6 everywhere and everybody from dev to sysadmin is aware of IPv6 and we start to see some real advantages. VPN are easier to manage, routing is easier, firewall is easier, clustering, failover... everything is "cleaner".
We still have IPv4 (dual stack) on some servers, but about 80% of them are IPv6 only with DNS64/NAT64.