1. 37
  1. 13

    While I haven’t actually turned off ipv4, occasionally I’m checking which findings I connect to are not v6 compatible. Turns out that from my daily set, the two most common groups are: GitHub, and sites on providers which support v6 but haven’t configured the entries.

    I really wish that big providers like CloudFlare and AWS flipped their steps in manuals at some point. Instead of “here’s an example of how to configure your service (with v4 of course), oh btw we do support v6” make it “here’s an example of how to configure your service with v6 and v4 addresses” (in that order).

    1. 2

      I turned up a new service on CloudFlare earlier this month; IPv6 was enabled by default. (New account too, which might affect it?)

      1. 1

        Yeah, for the ipv6 defaults at least CF is good. And I just looked through their docs - they seem to have both v4 and v6 listed everywhere now, so that’s cool. I’ll stop using them as an example :-)

      2. 1

        I disagree that v6 should come before v4, since plenty of ISPs (including mine) usually block v6 traffic.

        Maybe once a month I’ll notice that I can ping a v6 address; a few hours later, it’s a no-go.

        Pressure first needs to go on ISPs to support v6 traffic. Only then can we consider making v6 the “default”.

      3. 4

        I’ve seen similar articles to this, but what I haven’t seen is a compelling list of reasons why you’d want to do this. Yeah the world is tight on public IPv4 addresses, but NAT is a thing and it doesn’t seem as dire as everyone said it was ~25 years ago.

        1. 15

          NAT means extra call latency. It means paying for extra IPs if you want to have separate data and management endpoints. It means getting rate limited and captcha’d because someone using the same ISP as you was misbehaving.

          1. 8

            As @viraptor said, NAT is bad for latency due to circuitous routing. It also makes direct connections on the net really difficult which makes it hard for any P2P protocol to take root. The limited IPv4 range also makes it really hard to send email or do anything else where IP reputation matters since there’s a high likelihood that a bad actor had an IP at some given point in time.

            1. 2

              I agree on the latency, but you can’t expect the return of P2P connectability thanks to ipv6 because everybody will still be running a stateful firewall that drops all unsolicited incoming packets.

              There are some UPnP-like mechanisms for ipv6 to punch holes through firewalls, but they are much less common than their ipv4 counterparts, and even if they weren’t, at most you get as good connectivity, but hardly better.

              1. 2

                The limited IPv4 range also makes it really hard to send email or do anything else where IP reputation matters since there’s a high likelihood that a bad actor had an IP at some given point in time.

                On the flip side, won’t this make it very difficult to block bad actors?

                1. 10

                  Relying on IP reputation has always been a terrible way to do security. There are much better ways to do security.

                  1. 2

                    Moving away from IP-based reputation seems like a decent way to get back to a world where running your own mail server is possible again.

                    1. 1

                      Or have the opposite effect, because Google, etc., decide to only allow a whitelisted group of IPs from “good” mail providers.

                  2. 5

                    I’d rather have a hard time blocking bad actors than accidentally block good ones.

                2. 5

                  Ironically, private IPv4 ranges and NAT make it much easier to actually have a home network where all gear has its own fixed address and you can connect to it.

                  Most providers that bother to provide IPv6 on consumer connections at all use DHCP-PD in the worst possible way—the prefix they give you actually changes from time to time. That way you never know what exact address a device will get, and need a service discovery mechanism.

                  With NAT, even if the ISP gives me a different WAN IPv4 address every time, that doesn’t affect any hosts inside the network.

                  1. 7

                    The big thing in IPv6 is “multiple addresses all the things”. Yeah, the public address for your device will change a lot, both due to prefix changes and due to privacy extensions. If you want a stable local address at home, don’t use the public one, use a ULA prefix.
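
The ULA approach in the comment above, as an added example that is not from the thread or any poster: it builds an RFC 4193 prefix from a constructed MAC and a fixed timestamp, places a host with a fixed interface ID in it, and shows that the host’s global address changes when a made-up, documentation-range delegated prefix is renumbered while its ULA address does not.

```python
import hashlib
import ipaddress
import struct
import time

ULA_RANGE = ipaddress.IPv6Network("fc00::/7")
NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 and 1970-01-01


def eui64_from_mac(mac: str) -> bytes:
    """Modified EUI-64 from a 48-bit MAC (RFC 4291 appendix A)."""
    b = bytearray(bytes.fromhex(mac.replace(":", "")))
    b[0] ^= 0x02                          # flip the universal/local bit
    return bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])


def ula_prefix(mac: str, ntp_time=None) -> ipaddress.IPv6Network:
    """RFC 4193 3.2.2: Global ID = low 40 bits of SHA-1(64-bit NTP time || EUI-64)."""
    if ntp_time is None:
        # 64-bit NTP timestamp: seconds since 1900 in the high word, zero fraction
        ntp_time = (int(time.time()) + NTP_EPOCH_OFFSET) << 32
    digest = hashlib.sha1(struct.pack(">Q", ntp_time) + eui64_from_mac(mac)).digest()
    # fd00::/8 is the locally-assigned half of fc00::/7; the Global ID fills the next 40 bits
    return ipaddress.IPv6Network((b"\xfd" + digest[-5:] + bytes(10), 48))


def host_address(prefix: ipaddress.IPv6Network, subnet_id: int, iid: int) -> ipaddress.IPv6Address:
    """Address of a host with fixed interface ID `iid` in /64 number `subnet_id` of a /48."""
    if prefix.prefixlen != 48 or not 0 <= subnet_id < 2**16 or not 0 <= iid < 2**64:
        raise ValueError("need a /48, a 16-bit subnet id and a 64-bit interface id")
    return ipaddress.IPv6Address(int(prefix.network_address) | (subnet_id << 64) | iid)


def is_ula(addr: ipaddress.IPv6Address) -> bool:
    return addr in ULA_RANGE


def demo() -> dict:
    """Constructed inputs: one MAC, one fixed NTP timestamp, and two made-up delegated
    prefixes from the 2001:db8::/32 documentation range."""
    mac = "00:11:22:33:44:55"
    ula = ula_prefix(mac, ntp_time=0xE5D3C2B100000000)
    iid = int.from_bytes(eui64_from_mac(mac), "big")
    old_pd = ipaddress.IPv6Network("2001:db8:1::/48")   # prefix the ISP delegated last month
    new_pd = ipaddress.IPv6Network("2001:db8:2::/48")   # prefix after the next renumbering
    return {
        "ula_prefix": ula,
        "ula_host": host_address(ula, 1, iid),           # unchanged across renumbering
        "global_before": host_address(old_pd, 1, iid),
        "global_after": host_address(new_pd, 1, iid),
    }
```

Everything in `demo()` stays inside `fd00::/8` for the ULA side, so it works regardless of what the ISP hands out; only the router needs a ULA /64 announced alongside the delegated prefix.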

                    1. 2

                      Giving things names is a lot nicer to work with than remembering IP addresses, though. mDNS+DNS-SD is good tech.

                      1. 3

                        mDNS is problematic for security because, well, there isn’t any. Any device on your network can claim any name. No one issues TLS certificates in the .local TLD that mDNS uses and so you also can’t rely on TLS for identity unless you’re willing to run a private CA for your network (and manage deploying the trusted root cert to every client device that might want to connect, which will probably trigger any malware detection things you have installed because installing a new trusted root is a massive security hole).

                        1. 1

                          It’s only for the local network, and I trust my network. It gets trickier if you don’t, of course.

                          1. 2

                            It’s not about trusting your network, it’s about trusting every single entity on the network. Any phone that someone brings to your house and connects to the WiFi can trivially claim any mDNS name and replace the device that you think is there. This is mostly fine for things like SSH, where key pinning gives you an extra layer of checks, but isn’t for most protocols.

                            1. 2

                              I meant to write that I trust the devices on my network, but to access my wifi they’ll need my password - which they don’t get if I don’t trust them 🤷‍♂️

                              Given the convenience and the lack of reasonable things to fear that could happen, it’s a net win for me, at least.

                              1. 2

                                Do you ever hand out the password to people that visit your house? Do you allow any IoT devices that don’t get security updates anymore? Do you run any commodity operating systems that might be susceptible to malware? If you answer ‘yes’ to any of these, then mDNS provides a trivial mechanism for an attacker who compromises any of these devices to impersonate other devices on your network.

                                1. 2

                                  Don’t use the same network for all those? :)

                                  I have a separate subnet (with no outbound internet access other than to an NTP server) for “Internet LAN of Things” devices, another one for guest Wi-Fi, and another one for my personal devices that I can actually trust.

                                  1. 1

                                    I use a separate vlan for guests. Problem solved.

                      2. 4

                        Fundamentally, the number of devices behind NAT is limited by the number of open sockets the firewall can have for TCP connections made by internal clients… the shortage is still relevant but we have kicked the can down the proverbial road. I’d wager another 10 years before enough connected devices seriously clog the available ipv4 space.

                        1. 6

                          Centralisation has also played a big part. 15 years ago, we expected to have a load of Internet connected devices in houses that you’d want to be able to reach from any location in the world. We now have that but they all make a single outbound connection to a cloud IoT service and that’s the thing that you connect to from anywhere in the world. You need a single routable IPv4 address for the entire service, not one per lightbulb. That might not be great for reliability (it introduces a single point of failure) but it seems to be the direction that has succeeded in the market.

                          1. 7

                            I think technology (lack of IPv4 addresses) and business needs (having your customers create an account and letting you see how they use your products is incredibly valuable) have converged to the “cloud service” model.

                            Although, even if every lightbulb in your home had its own IPv6 address, services to help manage them would spring up quite quickly, and the natural way to solve the problem would be a semi-centralized service gathering them all under one “account”.

                      3. 2

                        I get 502 bad gateway on mobile and I thought it was satire. And somehow it is. Ironic, I guess.

                        Like a 502, on a bad gateway…

                        1. 2

                          Great write-up, I love reading about stuff like this, it tickles the network bug inside of me.

                          rofl… github not fully supporting ipv4 is laughable at best, negligent at worst. But it does leave room open for competition.

                          Been meaning to switch off and go ipv6 for some time now. I may take the plunge on my BSD machine.

                          1. 1

                            I’d like to know how to get wireguard working with IPv6. When I have an IPv6 connection, I often have to disable IPv6 locally, so that I can fail over to IPv4, which works fine with wireguard.

                            1. 1

                              Posts like these make me wonder how prevalent IPv6-connected households are.

                              Is it common for ISPs to offer IPv6 for home connections nowadays? I’m not aware of any in my area that do.

                              1. 1

                                In the UK, it seems pretty common. I haven’t had to do anything to enable it with BT. A quick test shows that they are running their DNS cache with IPv4 connectivity only, so it can’t reach authoritative name servers that are v6-only, but in general a lot of my traffic goes over v6 without my having to do anything.