Posted by mahirsaid 3 days ago
In my direct experience, in the USA, at least Spectrum, AT&T, and Xfinity (Comcast) still run IPv4, of course, but they also have IPv6 working and on by default on their home internet offerings.
All mainstream computer and mobile OSes support it by default and will prefer to connect with it over IPv4.
‘Everyone’ in many areas is using it. For many of us, our parents are using Facebook and watching Netflix over it. Over 50% of Google’s American traffic is over it. It just works.
It works plenty well. I access everything accessible via IPv6, and the rest through their 464XLAT, transparently.
My LAN still has IPv4, because some ancient network printers don't know IPv6. OpenWRT on my router supports IPv6 just fine. Of course I do not expose any of my home devices to the public internet, except via Wireguard.
For example, I recently attended the IETF meeting in Montreal, which offers a by default v6-only network. My Mac worked fine, but my son's school-issued Chromebook had glitchy behavior until I switched to the network that provided v4.
I went to IETF a few years ago and ran into issues on their IPv6 only network because I host some stuff from home, and my residential ISP doesn't support IPv6 at all. It made me really want to get all that fixed.
Unlike IPv4, my LAN addresses include the prefix, so every time they change it, all my LAN addresses change.
Combined with the lack of DHCP6 support in many devices, this means reverse DNS lookups from IP to hostname can't be done, making identifying devices by their IP essentially impossible.
IPv6 also has local addresses, but a lot more of them. Anything starting with fd00::/8 is a local address with 40 bits available as the network number. So you can set up your local network with the prefix fdXX:XXXX:XXXX::/48 (where the Xs are chosen randomly) as the prefix and still have 16 bits left over for different subnets if you want. These addresses do not change when your ISP changes your public prefix.
And if you want to add reverse dns for SLAAC addresses then just have your router listen for ICMPv6 Neighbor Announcement addresses and use them to update your DNS server as appropriate. Or configure your servers to use stable addresses based on their MAC address rather than random addresses (which are better for privacy), and then just configure the DNS as you add and remove servers.
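The ULA and stable-address scheme described in the two comments above, worked through as an added example (this is not code from anyone in the thread): it builds an RFC 4193 `fdXX:XXXX:XXXX::/48` with a random 40-bit Global ID, picks a /64 out of the 16 subnet bits, and derives a modified EUI-64 interface identifier from a MAC address so the host's lower 64 bits stay the same whether the upper half is the ULA or whatever prefix the ISP hands out this month. Function names and the sample MAC and prefixes are the example's own.

```python
"""Added example (not from the thread or any project): build an RFC 4193
ULA prefix, pick a /64 out of it, and derive a stable EUI-64 address for a
host, to show why ULA addresses survive an ISP prefix change.
Names and sample values here are the example's own."""
import ipaddress
import secrets
from typing import Optional


def generate_ula_prefix(global_id: Optional[bytes] = None) -> ipaddress.IPv6Network:
    """Return fdXX:XXXX:XXXX::/48: fd00::/8 plus a random 40-bit Global ID (RFC 4193).

    Pass global_id only for tests; otherwise let secrets choose it so two
    networks later joined over a VPN are unlikely to collide."""
    if global_id is None:
        global_id = secrets.token_bytes(5)
    if len(global_id) != 5:
        raise ValueError("Global ID must be exactly 40 bits (5 bytes)")
    # Bits 127..120 = 0xfd (fc00::/7 with the L bit set), bits 119..80 = Global ID,
    # bits 79..64 = subnet ID, which is zero at the /48 boundary.
    prefix_int = (0xFD << 120) | (int.from_bytes(global_id, "big") << 80)
    return ipaddress.IPv6Network((prefix_int, 48))


def pick_subnet(site: ipaddress.IPv6Network, subnet_id: int) -> ipaddress.IPv6Network:
    """Select one of the 65536 /64 subnets of a /48 by its 16-bit subnet ID."""
    if site.prefixlen != 48:
        raise ValueError("expected a /48 site prefix")
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet ID must fit in 16 bits")
    return ipaddress.IPv6Network((int(site.network_address) | (subnet_id << 64), 64))


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291 appendix A):
    split the 48-bit MAC, insert ff:fe, and invert the universal/local bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    eui = octets[:3] + b"\xff\xfe" + octets[3:]
    # The U/L bit is 0x02 of the first octet, i.e. bit 57 of the 64-bit identifier.
    return int.from_bytes(eui, "big") ^ (1 << 57)


def stable_address(subnet: ipaddress.IPv6Network, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the EUI-64 identifier of a host.
    The MAC is recoverable from the address, which is why clients default to
    random (privacy) identifiers and why this derivation suits servers only."""
    if subnet.prefixlen != 64:
        raise ValueError("SLAAC-style addresses need a /64")
    return ipaddress.IPv6Address(int(subnet.network_address) | eui64_interface_id(mac))


def interface_id_survives_renumbering(old: str, new: str, mac: str) -> bool:
    """True when the host keeps the same lower 64 bits across two prefixes,
    i.e. only the upper, provider-controlled half changed."""
    a = stable_address(ipaddress.IPv6Network(old), mac)
    b = stable_address(ipaddress.IPv6Network(new), mac)
    return (int(a) & ((1 << 64) - 1)) == (int(b) & ((1 << 64) - 1))


if __name__ == "__main__":
    site = generate_ula_prefix()  # random each run, as RFC 4193 intends
    lan = pick_subnet(site, 0x10)
    print(site, lan, stable_address(lan, "00:11:22:33:44:55"))
```

Because the ULA never changes and the EUI-64 half never changes, a DNS entry for the ULA address of a server can be written once; only AAAA records pointing at the ISP prefix need updating on a renumbering event.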
This conversation is going in circles.
Yes, a topic of active discussion at the IETF. See perhaps BCP RFC 9096, "Improving the Reaction of Customer Edge Routers to IPv6 Renumbering Events":
* https://datatracker.ietf.org/doc/html/rfc9096
And informational RFC 8978, "Reaction of IPv6 Stateless Address Autoconfiguration (SLAAC) to Flash-Renumbering Events":
* https://datatracker.ietf.org/doc/html/rfc8978
A few drafts, like "Improving the Robustness of Stateless Address Autoconfiguration (SLAAC) to Flash Renumbering Events":
* https://datatracker.ietf.org/doc/html/draft-ietf-6man-slaac-...
Using ULA seems to be what a lot of folks recommend:
So I don’t have the changing ip issue. I do however have an issue if I want to change ISP as it’s a whole mess of rules to update rather than a couple of dns entries and two dst nat rule (one per public IP)
I believe the idea in v6 if you have multiple prefixes on the same network - including a local fc00::/7 one for local services. Layers and layers of things to break.
Using Openwrt which pretty much all home routers are built on, all I have to do is tell my router which offset to give my subnets from the prefix and it does the rest.
Both for subdividing up the prefix from the ISP and my ULA prefix I use for internal devices.
I have changed ISPs I think 3 times with no ill effects. Plus it works when my ISP occasionally gives me a new prefix.
The only tweaking I had to do was when I went from an ISP that gave me a /48 to one that only gave me a /56. I had been greedy and was handing a /56 to my internal router. I changed that to a /60 and updated its expectations about which subnets it could hand out and all was good.
But I expect two layers of home routers without NAT is a bit of an exception.
(same for ping)
If setting your client machine MTU to 1280 (`ip link set mtu 1280 dev eth0` or equivalent) magically fixes it, that's your problem.
I'd love to test all the internet services I host to make sure everything works over IPv6, but I can't. At least, not without using a 4to6 relay of some sort - but that adds latency to everything I do.
I just checked - apparently my ISP is "evaluating IPv6" because they're running out of IPv4 addresses and want to use CGNAT for everyone. I suppose it's not the worst reason to switch to ipv6. But they've been making excuses for years. I really wish they'd get on with it.
Doesn’t remove the need for nat - my wired IsP might be able to bgp with me, but my backup 5g won’t, and when I want to choose which to send my traffic through with PBR that means natting.
My router doesn’t support 64, so I have to use my ISP’s which is speed constrained compared with native 4. Ok that’s on my setup. Haven’t tested my 5g provider and where 64 occurs, I’d hope in their network, but how do I configure my dns64.
Still need to provide v4 at the edge and thus 46 nat so I can reach internal v6 only servers from v4 only locations
Perhaps lots of that is because my router doesn’t do 64, but again that just shows that v4 is still essential. I haven’t found a single service that’s v6 only, so if I have to run a v4 network (even if only as far as a 64 natting device) why bother running two networks, double the opportunity for misconfiguration and thus security holes. Enabling dual v6 on my IoShit network would allow more escape routes for bad traffic, meaning another set of firewall rules to manage. Things like SLAAC make it harder to work out what devices are on the network, many end user devices are user hostile now and keeping control of them on v4 alone is less work than in v4 and v6.
Yes, it does. You just have each of your routers (wired and 5G) advertise the /64 prefix delegated by each of your ISPs. Your hosts will self-assign a v6 address from each prefix.
To control which link the traffic uses, you just assign router priority in the router advertisement (these are all standard settings in radvd.conf).
> Things like SLAAC make it harder to work out what devices are on the network
Again, not true. If you really don’t trust your devices, then DHCP isn’t going to save you. Malicious hosts absolutely can self assign an unused v4 address, and you’ll be none the wiser if you just look at your DHCP leases.
> To control which link the traffic uses, you just assign router priority in the router advertisement (these are all standard settings in radvd.conf).
Have you done this? Did it actually work for you?
When I tried it, clients would regularly send to router B with an address from router A, and often ignore the priorities. As I understand the RFCs/client behavior, the router priority field is only relevant if multiple prefixes are in a single advertisement, otherwise most recent advertisement wins.
Once you need to aggregate the advertisements, you may as well NAT66, cause it will be easier.
Could be DirectAccess. Microsoft's earlier built-in VPN solution before Always On VPN. DirectAccess works only with IPv4 inbound so you can't use IPv6 only stack. Under the hood it uses a combination of v4-v6 transition and translation protocols, but it still requires the Windows client machines to have IPv4 addresses.
If you can run PowerShell commands on the laptop and if "Get-DnsClientNrptPolicy" returns some DirectAccessDnsServers then it's DA laptop.
Nope. Large scale DCs are IPv6 only underneath, exascalers like Google and Meta have stated that multiple times. I.e. https://www.youtube.com/watch?v=Q3ird3UDnOA also see various NANOG talks https://www.youtube.com/@TeamNANOG/videos
Hyper scalers != cloud computing.
It is also impossible to report IPv6-specific outages. CenturyLink technical support is the worst of the worst, with agents utterly incapable of doing more than pushing a "check ONT" button on their end and scheduling a technician visit with a multiday window. If you ask them for the 6rd configuration information, they act like you're speaking an alien language.
Even among their technicians, IPv6 knowledge is rare. Imagine the guy installing hundreds of dollars of gigabit fibre equipment at your demarc staring at you like an idiot because you spoke two extra syllables between "IP" and "address". I'd think the term "IPv6" is chatbot poison if it weren't for the fact it's a human physically in front of me.
The result is their service is effectively IPv4-only.
Interestingly, if I pay for their IPTV service the internet side becomes a bare ethernet port over which I can do DHCP for the upstream interface and number the downstream subnet out of my /28.
I have debated paying for TV service as a sanity fee.
My own home is Verizon, and they simply do not offer IPv6 in my area (nearby Washington DC).
Until you want to like, use GitHub.
for example:
Microsoft Word DOC. Due to the market dominance of Word, it is supported by all office applications that intend to compete with it, typically by reverse engineering the undocumented file format. Microsoft has repeatedly internally changed the file specification between versions of Word to suit their own needs, while continuing to reuse the same file extension identifier for different versions.
https://en.wikipedia.org/wiki/Embrace,_extend,_and_extinguis...
In all seriousness, I have IPv6 enabled and GitHub works just fine for me. Though at a slower speed sometimes because the IPv4 CGNAT is heavily congested in my area.
2. Actual implementation MUST be ubiquitous (it never will be). Some examples - glo fiber in Virginia, and while I can get pfsense assigned an ipv6 address, there is usually no upstream gateway (meaning that if I disable IPv4, I will not have internet). I say usually because of four times I've checked, once I did get assigned a gateway which was unresponsive even to icmp.
Starlink roam - assigns ipv6 but no bridge so if you disable v4 you lose access to most internet.
Frontier FiOS in Florida - does not support ipv6 at all on my node. I have seen business nodes in Orlando/Tampa assign addresses with bridging but again, without browser or dns translation it's not a practical solution.
3. 'Everyone' is not using ipv6, everyone plugs in or logs into a device that has whatever network stack it has. Those users are not suddenly going to jump through hoops simply to avoid CGNAT and get a unique network address.
4. Infrastructure; I have two modest half racks on the east coast at decent sized datacenters (esolutions and peak10), neither of those hosts offer ipv6 routing blocks by default. No provider I have gotten quotes for offers ipv6 by default.
Where can we read some examples of this
I've read commentary about pros and cons of IPv6 over the years but never anything that suggested IPv6 was "niche" or "unreliable"
In order to have inspired the quoted statement these examples would have to be found in forum comments published before the quoted statement was made
Comments made in response to, i.e., after, the quoted statement would not qualify
From my perspective:
• CGNAT is a feature, not a bug. I'm already deliberately behind a commercial VPN exit node shared with thousands of others. Anonymity-by-crowd is the point. IPv6 giving me a globally unique, stable-ish address is a regression.
• NAT + default-deny inbound is simple, effective security. Yes, "NAT isn't a firewall", but a NAT gateway with no port forwards means unsolicited inbound packets don't reach my devices. That's a concrete property I get for free.
• IPv6 adds configuration surface I don't want. Privacy extensions, temporary addresses, RA flags, NDP, DHCPv6 vs SLAAC — these are problems I don't have with IPv4. More features means more things to audit, understand, and misconfigure.
• I already solved "reaching my own stuff" without global addressing. Tailscale/Headscale gives me authenticated, encrypted, NAT-traversing connectivity. It's better than being globally routable.
So yes, my parents are using IPv6 to watch Netflix. They're also not thinking about their threat model. I am, and IPv4-only behind CGNAT + overlay networking serves it well.
"It just works" isn't the bar for me to adopt IPv6. "It serves my goals better than IPv4" is the bar, and IPv6 doesn't meet it. Never has, never will.
IPv6 wasn't designed as "IPv4 with more bits." It was designed as a reimagining of how networks should work: global addressability as a first-class property, stateless autoconfiguration, the assumption that endpoints should be reachable. That philosophy is baked in. For someone like me, whose threat model treats obscurity, indirection, and minimal feature surface as assets, IPv6 isn't just unnecessary, it's ideologically opposed to what I want.
Want me to adopt a new addressing scheme? Give me a new addressing scheme, don't impose an opinionated routing philosophy on me.
Only for IP based trackers. Any webpages embedding facebook/twitter/microsoft/google trackers have already deanonymised you through a variety of fingerprinting techniques. This includes if you use private browsing sessions, and even qubesOS. You get a fuzzy feeling doing the things you do (and I do these things too), but that battle is lost.
> NAT + default-deny inbound is simple, effective security … That's a concrete property I get for free
Depends on your definition of “free”. Is it cheaper to lookup just a connection state table, or is it cheaper to look up both a connection state table and a NAT table?
> IPv6 adds configuration surface I don't want … More features means more things to audit, understand, and misconfigure.
100% agreed. More complexity, more attack surface, more things to go wrong.
> I already solved "reaching my own stuff" without global addressing … It's better than being globally routable.
I do something like this too. It’s more private and more secure. It adds more complexity, and it restricts my ability to access things from terminals I don’t personally own & control unless I create another exposed vector though. “Better” is subjective based on metrics being optimised for.
> IPv6 wasn't designed as "IPv4 with more bits." It was designed as a reimagining of how networks should work: global addressability as a first-class property
Apologies, but global addressability as a first-class property is exactly how the internet was designed. NAT was originally deployed as a hacky add-on to temporarily alleviate the lack of addressing space in IPv4 until a successor could resolve that.
That said, the internet of the 90s was a very different beast to the internet of today. A lot of your concerns and perspective is absolutely valid and extremely reasonable given the internet of today.
> "It serves my goals better than IPv4" is the bar, and IPv6 doesn't meet it. Never has, never will … Want me to adopt a new addressing scheme? Give me a new addressing scheme, don't impose an opinionated routing philosophy on me.
IPv6 can absolutely be configured in ways that just gives you a new addressing scheme and does away with a lot of the other complexity. You’re just very much straying off the happy path, removing complexity by introducing … other complexity.
FWIW, I’m operating my home networks much the same way you do. I’ve also been dual stacking networks since the 2000s. Things have come a long way since the original pure-dogma introduction of ipv6.
To be fair about fingerprinting, there's no such thing as "bulletproof", but I do have a pretty robust setup. DNS level ad and tracker blocking, browser extension level ad and tracker blocking, LibreWolf's extensive anti-fingerprinting measures, kernel-level measures like kloak, I block all third party JS by default, etc. My goal isn't to become invisible and untraceable to nation states (which is essentially impossible when 90%+ of all global ISPs can and do sell netflow metadata, enabling timing and packet size correlation even across multiple hops, even with background traffic forgery / traffic pattern obfuscation), but rather to frustrate lower-level tracking efforts, and mostly to reduce attack surface for security reasons, and to reduce the total amount of information I'm sending to adversaries, even if it technically increases uniqueness. For instance, WebGL, JS JIT, WASM, WebRTC, and even SVG rendering are similarly disabled by default on my browsers, and I may very selectively enable them on a case-by-case basis depending on how important I feel the web property I'm trying to access actually is. I'll spoof my UA, my screen dimensions, and use residential SOCKS5 proxies, one by one, to identify which fingerprinting measures are being used to block me with YouTube, for instance, without enabling JIT compilation or SVG rendering. This approach absolutely does make me more distinctly identifiable (less anonymous), but doesn't necessarily make me less private, nor less secure, if e.g. ad network JS never even runs on my box in the first place. Security is the base of the pyramid, it is the prerequisite for privacy, but doesn't guarantee it. Privacy is the middle layer, it is the prerequisite for anonymity, but doesn't guarantee it. I'm aggressively climbing that pyramid where I can while accepting some tradeoffs where the net benefit is positive to me. 
I don't think of any of these - security, privacy, or anonymity - as binary properties, but rather a unified journey I am on to enhance gradually and iteratively over time. Switching to IPv6 would greatly complicate and regress my path through much of the journey I've already completed.
If I could leave you with a couple questions: What tangible benefits have you reaped from IPv6 that simply weren't possible on IPv4? Has the ROI for you on going dual stack outweighed the costs on your time, attention, and configuration work required for securely handling edge cases, dealing with weird or unexpected routing issues, for straying from the happy path?
Personal networks: Globally unique addressing. That then lends itself to not needing any kind of split DNS for services, or worrying about addressing clashes with whatever LAN I happen to be on with my own network.
Work networks: Increased revenues.
> Has the ROI for you on going dual stack outweighed the costs on your time, attention, and configuration work required for securely handling edge cases, dealing with weird or unexpected routing issues, for straying from the happy path?
Personal networks: Absolutely not. I removed the dual stacks and went back to IPv4 only everywhere.
Work networks: That's a question for the bean counters.
I bet OP has already blocked at least 3 of them. Private browsing is only a partial solution, blocking/unblocking domains, scripts, etc. on a case-by-case basis is a more reliable way to defend your right to privacy against abusive practices (I'm talking about fine grained adblockers such as uMatrix/uBlockOrigin) daily.
I admit it can be a hassle sometimes, in particular if one explores the net every day, but staying away from bad actors (such as some of those 4) is one way to maybe eventually stop them - even if "vote with your clicks" feels as pointless as "vote with your feet" when you're just one in many millions.
For example, I recently attended the IETF meeting in Montreal--practically the epicenter of v6 thinking--which offers a by default v6-only network. My Mac worked fine, but my son's school-issued Chromebook had glitchy behavior until I switched to the network that provided v4.
Most do not.
There are far more single person, small, and mid sized companies that do not.
This includes b2b, regional ISPs, etc.
It is well supported, easy to configure, private, secure.
...and I don't have to configure and secure ipv6 in parallel
IPv4 in the home is dead easy. You only need to remember the last digit (unless you've got multiple networks, but most won't). You can ssh to any device by remembering that ".1" is router, ".2" is NAS etc. Firewalls are simple.
You can buy a cheap domain and use it as your home DNS (eg "router.myhome.net" -> "192.168.0.1") so it works anywhere! In the home or roaming (over VPN). I don't really need to run DNS at home. My domain runs on Cloudflare DNS, my devices use NextDNS (with rebind protection disabled for my home domain).
I run OpenWRT and preallocate DHCP addresses for all known devices. Then I shrink the DHCP pool to a blacklisted range. A script automatically creates DNS records for all preallocated devices. If a new device appears in the blacklisted DHCP pool, I can manually allocate its MAC address a proper IP.
It's easy to get TLS certs for any service in the house using the ACME DNS01 challenge.
Tailscale is sexy and it worked fine until one day while roaming it wouldn't connect without "admin work", so I instantly dropkicked it. I'm now using the very unsexy OpenVPN Cloud (free for limited use) and in over two years it has never failed me. Plus it doesn't fuck with the IP addresses with fancypants tailnet addresses - I access devices directly using their DNS names which resolve to private addresses.
So, from inside or outside the home I can access the NAS to watch a movie, sync photos to Immich, print a document, check my IP cameras or ask my wife to put a document on the ancient scanner and access it via the raspberry pi phpscan website (which is on https://scanner.myhome.net)
I'm sure there's a very good reason not to do this and someone will now point it out.
# You can buy a cheap domain and use it as your home DNS (eg "router.myhome.net" -> "2003:123:4:5::1") so it works anywhere! In the home or roaming (over VPN). I don't really need to run DNS at home. My domain runs on Cloudflare DNS, my devices use NextDNS (with rebind protection disabled for my home domain).
# I run OpenWRT and preallocate DHCP addresses for all known devices. Then I shrink the DHCP pool to a blacklisted range. A script automatically creates DNS records for all preallocated devices. If a new device appears in the blacklisted DHCP pool, I can manually allocate its MAC address a proper IP.
# It's easy to get TLS certs for any service in the house using the ACME DNS01 challenge.
There is literally no difference between v4 and v6 here.
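The "no difference between v4 and v6" point above, as an added example that is not code from anyone in the thread: a small generator that turns a static-lease table (the kind the OpenWRT script upthread maintains) into forward and reverse DNS records, and handles A/in-addr.arpa and AAAA/ip6.arpa with the same code path. It also lists the names a resolver with DNS-rebind protection would refuse to answer for, which is why the home domain needs an explicit exception in that setup. The zone name, hostnames and addresses are constructed sample data.

```python
"""Added example (not from the thread or any project): generate forward and
reverse DNS records for a home zone from a static-lease table, IPv4 and IPv6
alike, and flag the records a rebind-protecting resolver would drop.
Zone, hostnames and addresses are constructed sample data."""
import ipaddress
from typing import Dict, List

HOME_ZONE = "myhome.net"

# Constructed lease table: hostname -> fixed addresses handed out by the router.
# "printer" is deliberately v4-only, like the ancient printers mentioned upthread.
LEASES: Dict[str, List[str]] = {
    "router": ["192.168.0.1", "fd12:3456:789a::1"],
    "nas": ["192.168.0.2", "fd12:3456:789a::2"],
    "printer": ["192.168.0.20"],
}


def forward_records(leases: Dict[str, List[str]], zone: str) -> List[str]:
    """A for IPv4, AAAA for IPv6; the record type is the only difference."""
    out: List[str] = []
    for host, addrs in sorted(leases.items()):
        for text in addrs:
            ip = ipaddress.ip_address(text)
            rtype = "A" if ip.version == 4 else "AAAA"
            out.append(f"{host}.{zone}. IN {rtype} {ip.compressed}")
    return out


def reverse_records(leases: Dict[str, List[str]], zone: str) -> List[str]:
    """PTR records; ipaddress builds the in-addr.arpa / ip6.arpa owner name."""
    out: List[str] = []
    for host, addrs in sorted(leases.items()):
        for text in addrs:
            ip = ipaddress.ip_address(text)
            out.append(f"{ip.reverse_pointer}. IN PTR {host}.{zone}.")
    return out


def rebind_protected_names(leases: Dict[str, List[str]], zone: str) -> List[str]:
    """Names whose answers a rebind-protecting resolver would strip: a public
    zone returning RFC 1918 or ULA (fc00::/7) addresses looks exactly like a
    DNS-rebinding attack, so these need an allow-list entry for the home domain.
    is_private covers both families, so the check is family-agnostic too."""
    names = set()
    for host, addrs in leases.items():
        if any(ipaddress.ip_address(a).is_private for a in addrs):
            names.add(f"{host}.{zone}")
    return sorted(names)


if __name__ == "__main__":
    for line in forward_records(LEASES, HOME_ZONE) + reverse_records(LEASES, HOME_ZONE):
        print(line)
    print("need rebind exception:", rebind_protected_names(LEASES, HOME_ZONE))
```

The reverse zone is the one place the two families look different on the wire (32 nibble labels under ip6.arpa versus 4 octet labels under in-addr.arpa), but since the library computes the owner name, the script that maintains the records does not care.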
Exactly. I randomly try to "upgrade" to ipv6 in my home once in a while and i always give up because I'd have to do the whole enterprisey setup for no good reason.
Edit:
Basically ipv6 is too complex and automated to hold your home network's whole configuration in your head without effort.
So the techies don't set it up at home unless they have a fetish for overcomplicated setups. They're not familiar with it so they don't push for it at work either.
Adoption is solely driven by ipv4 address space exhaustion. There is no "new toy!" feeling involved.
You could try fd00::1, fd00::2, ... for short internal static addresses. You don't have to use a random prefix in that range - it's just policy (for good reasons that might not matter for a small network).
Yeah, and my Windows box is again accessible from the outside with whatever services MS deems to run by default...
Yes, there are firewalls, but isn't it better if a potential attacker doesn't even know what's behind my router?
P.S.: Since webrtc showed up to do whatever it wants with my network, peer to peer has started to mean "donating resources to some company" to me.
On v6, you don't use NAT and networks are /64. Finding every server requires scanning 65536 ports on all 2^64 IPs, which is about 72 billion petabytes of traffic. There are ways to prune this down somewhat, but however you do it the search space is still far larger.
If you want attackers to not know what's behind your router, you want v6.
Enterprise thinking. It's not the publicly accessible servers i worry about, it's the other boxes that shouldn't be publicly accessible...
The more technically knowledgeable you happen to be on the subject, the more you realize IPv6 is some unreliable thing when compared to IPv4. Perhaps no longer niche though.
It's unfortunately still an afterthought for many backbones - and not just US-centric ones. There is a noticeable difference in performance metrics from clients served via IPv4 endpoints vs. IPv6 for web assets in the same locations from the same transit providers.
It is pretty much the opposite of "just works" depending on your definition of "just works". It results in more Traffic Engineering per bit served by a large factor compared to IPv4.
You know the list of "benefits" is thin when the second item is entirely theoretical. Even though IPv6 doesn't have to do NAT traversal, it still has to punch through your router's firewall which is effectively the same problem. Most ISP provided home routers simply block all incoming IPv6 traffic unless there is outbound traffic first, and provide little to no support for custom IPv6 rules.
Even if that were not an issue, my bet is that there are close to zero popular games that actually use true peer to peer networking.
https://en.wikipedia.org/wiki/Universal_Plug_and_Play#NAT_tr...
They linked a whole article detailing the complexities of specifically NAT traversal.
I should think it obvious that by removing an entire leaky layer of abstraction the process would be much simpler. Yes, you still need a coordination server, but instead of having to deduce the incoming/outgoing port mappings you can just share the "external IP" of each client--which in the IPV6 case isn't "external," it's just "the IP".
Also NAT is a pretty simple abstraction, it's literally a single table.
...And now, let's try punching a hole through this "simple" table. Oops, someone is using a port-restricted or symmetric NAT and hole punching has gotten just a tad more complicated.
That's why most routers use a stateful firewall. Then nothing has to "punch through" it just has to be established from the local side.
> block all incoming IPv6 traffic unless there is outbound traffic first, and provide little to no support for custom IPv6 rules.
This is why STUN exists.
> my bet is that there are close to zero popular games that actually use true peer to peer networking.
For game state? You're probably right. For low latency voice chat? It's more common than you'd think.
This is exactly the problem. Unless you expect users to manually share their IPs with every other user in a given lobby through an external service, you would need to make a central peer discovery and connection coordination mechanism which ends up looking pretty similar to classic NAT traversal.
Can someone explain why it's ambiguous?
On the subject, IPv6 is one of the strangest inventions on the internet. Its utility and practicality are obvious no matter how you look at it except... just one thing.
Network-related things are generally easy to remember and then type from memory: IPv4, domain names, standard port numbers. Back in the day it was the phone numbers, again, easy to remember and dial when you need it. IPv6 is just too long and requires copy/paste all the time. This is the only real reason in my opinion, why IPv6 is doomed to be second-grade citizen for (probably) a few more decades.
2000::1::1 could be 2000:0000:0000:0000:0001:0000:0000:001, or 2000:00000000:0001:0000:0000:0000:001
There's ambiguity on where to fill in the five groups of 0000 in the second case.
Edit: Whoops. Didn't read what the above post was in response to. My bad.
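The ambiguity described in the answer above, made concrete as an added example (not code from anyone in the thread): `expand_double_colons` enumerates every eight-group layout a shorthand could stand for, treating each `::` as one or more all-zero groups as RFC 4291 section 2.2 defines it, and `parse_strict` shows what a real stack does with the same input. Function names are the example's own; the addresses are the ones from the answer plus a few constructed edge cases.

```python
"""Added example (not from the thread or any project): show why an address
such as 2000::1::1 is ambiguous. Each '::' stands for one or more all-zero
16-bit groups (RFC 4291 section 2.2), so with two of them the eight-group
layout is no longer determined; the standard library rejects the text."""
import ipaddress
from typing import List, Optional


def fmt(groups: List[str]) -> str:
    """Fully written form, four hex digits per group."""
    return ":".join(g.zfill(4) for g in groups)


def expand_double_colons(text: str) -> List[str]:
    """Every fully written form consistent with the shorthand, ordered by how
    many zero groups the first '::' absorbs. One result: unambiguous. Zero:
    not an address at all. More than one: the writer left the layout open.
    Hex groups only (no embedded dotted-quad IPv4 suffix)."""
    parts = text.split("::")
    segments = [p.split(":") if p else [] for p in parts]
    explicit = sum(len(s) for s in segments)
    gaps = len(parts) - 1
    missing = 8 - explicit
    if gaps == 0:
        return [fmt(segments[0])] if explicit == 8 else []
    if missing < gaps:  # every '::' must absorb at least one group
        return []
    results: List[str] = []

    def fill(gap: int, remaining: int, acc: List[str]) -> None:
        if gap == gaps:
            if remaining == 0:
                results.append(fmt(acc + segments[gap]))
            return
        # leave at least one zero group for each later gap
        for k in range(1, remaining - (gaps - gap - 1) + 1):
            fill(gap + 1, remaining - k, acc + segments[gap] + ["0"] * k)

    fill(0, missing, [])
    return results


def parse_strict(text: str) -> Optional[str]:
    """What a real stack does: accept at most one '::' and return the
    canonical RFC 5952 spelling, or None when the text is rejected."""
    try:
        return ipaddress.IPv6Address(text).compressed
    except ValueError:  # AddressValueError for a second '::'
        return None


if __name__ == "__main__":
    for candidate in ("2000::1::1", "2000::1", "2000:0:0:0:1:0:0:1"):
        print(candidate, "->", expand_double_colons(candidate), "| strict:", parse_strict(candidate))
```

The two expansions quoted in the answer are only two of the four that `2000::1::1` admits; a parser that silently picked one of them would let two implementations disagree about which host a string names, which is why the grammar allows a single `::` and why input validation should reject the rest rather than guess.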
Except if you're using a mobile phone, in which case many telcos hand out only IPv6 addresses to handsets. 2018 NANOG presentation "T-Mobile's journey to IPv6":
* https://www.youtube.com/watch?v=d6oBCYHzrTA
From 2014, "Case Study: T-Mobile US Goes IPv6-only Using 464XLAT":
* https://www.internetsociety.org/deploy360/2014/case-study-t-...
But who cares about mobile phones, right? They're only second-grade devices.
I'm used to cablemodems with static ipv4 for months basically until mac changes
ref:https://old.reddit.com/r/tmobileisp/comments/1gg7361/why_is_...
I booted an LTE router using a T-Mobile SIM.
Within an hour I had changed WAN IP. Both were from AS749 US-DOD NIC
in 33.79.135.0/24 & 21.140.100.0/24.
They were cgnat'd behind TMble's advertised asn.
Your website will load faster on cellphones if it supports IPv6. This is because the packets take more direct routes (because they don't go to the central CGNAT server) and because less processing is applied to them. Almost all mobile networks are now IPv6-only, with IPv4 traffic tunneled and CGNATted. Apparently T-Mobile is the rare exception.
They're probably using CG-NAT, though IP changes that often is a bit aggressive.
TMobile uses IPv4 addys in DOD's address space. They do change unexpectedly often.
And yeah. Being DOD IPs, they're cgnat'd behind tmobile's public ASN.
The length of the addresses and the clunky nature of their ASCII representation is absolutely the #1 reason the IPv6 has taken this long. User experience is the most powerful force affecting large scale adoption, and IPv6 has poor UX.
I think the UX is partly fixable by creating less horrible ASCII representation, but this would take a lot of coordination that was hard even back then and is virtually impossible now. If someone told me in 500 years we're still running dual-stack IPv4/IPv6 absolutely unchanged, I'd believe it.
E.g. 2600:15a3:7020:4c51::52/64 is not too horrible but 2600:15a3:7020:4c51:3268:b4c4:dd7b:789/64 is a monster by unrelated intent of the client.
"Modern" tooling in the consumer space is pretty dire for IPv6 support too. The best you can reasonably get is an IPv6 on the WAN side and then just IPv4 for everything local. At least from the popular routers I've experienced lately.
Of course I know why. If you turn it on it slightly increases edge case issues as complexity always does. Most people don’t actively need it so nobody notices.
Privacy extensions are worthless because there are just sooooo many ways to fingerprint and track you. If you are not at least using a VPN and a jailed privacy mode browser at a bare minimum, you are toast. If you’re serious about privacy you have to use stuff like Tor.
V6 privacy extensions are like the GDPR cookie nonsense: ineffective countermeasures with annoying side effects.
SLAAC sucks too. They should have left assignment up to admins or higher level protocols like with V4. It’s better that way.
"But people can NAT the v4 with another router to hide it!" -> sure, and the same crappy solution works with v6.
"But at least prosumers can replace the ONT via cloning the identifiers and certain hardware" -> also no change with v6.
Randomized addresses do have valid use cases though, particularly when connecting to Wi-Fi networks other than your own when set to randomize the MAC per connection (not just the scanning MAC) as well, but I'm just not really convinced this is a realistic example as framed.
IPv6 was designed by political process. Go around the room to each engineer and solve for their pet peeve to in turn rally enough support to move the proposal forward. As a bunch of computer people realized how hard politics were they swore never to do it again and made the address size so laughably large that it was "solved" once and for all.
I firmly believe that if they had adopted any other strategy where addresses could be meaningfully understood and worked with by the least skilled network operators, we would have had "IPv6" adoption 10 years ago.
My personal preference would have been to open up class E space (240-255.*) and claw back the 6 /8s Amazon is hoarding, be smarter about allocations going forward, and make fees logarithmic based on the number of addresses you hold.
IPv4 was not designed as such, but as an academic exercise. It was an experiment. An experiment that "escaped the lab". This is per Vint Cerf:
* https://www.pcmag.com/news/north-america-exhausts-ipv4-addre...
And if you think there wasn't politics in IPv4 you're dead wrong:
* https://spectrum.ieee.org/vint-cerf-mistakes
> IPv6 was designed by political process.
Only if by "political process" you mean a bunch of people got together (physically and virtually) and debated the options and chose what they thought was best. The criteria for choosing IPng were documented:
* https://datatracker.ietf.org/doc/html/rfc1726
There were a number of proposals, and three finalists, with SIPP being chosen:
* https://datatracker.ietf.org/doc/html/rfc1752
> I firmly believe that if they had adopted any other strategy where addresses could be meaningfully understood and worked with by the least skilled network operators, we would have had "IPv6" adoption 10 years ago.
The primary reason for IPng was >32 bits of address space. The only way to make them shorter is to have fewer bits, which completely defeats the purpose of the endeavour.
There was no way to move from 32-bits to >32-bits without every network stack of every device element (host, gateway, firewall, application, etc) getting new code. Anything that changed the type and size of sockaddr->sa_family (plus things like new DNS resource record types: A is 32-bit only; see addrinfo->ai_family) would require new code.
> There was no way to move from 32-bits to >32-bits without every network stack of every device element (host, gateway, firewall, application, etc) getting new code. Anything that changed the type and size of sockaddr->sa_family (plus things like new DNS resource record types: A is 32-bit only; see addrinfo->ai_family) would require new code.
That is simply not true. We had one bit left (the reserved/"evil" bit) in IPv4 headers that could have been used to flag that the first N bytes of the payload were an additional IPv4.1 header indicating additional routing information. Packets would continue to transit existing networks and "4.1" capable boxes at edges could read the additional information to make further routing decisions inside of a network. It would have effectively used IPv4 as the core transport network and each connected network (think ASN) having a handful of routed /32s.
Overlay networks are widely deployed and have very minor technical issues.
But that would have only addressed the numbering exhaustion issues. Engineers often get caught in the "well if I am changing this code anyway" trap.
The scheme described by you fails to achieve this goal.
Header processing and alignment were an issue in the 90s when routers repurposed generic components. Now we have modern custom ASICs that can handle IPv4 inside of a GRE tunnel on a VLAN over MPLS at line rate. I have switches in my house that do 780 Gbps.
At the time when it was designed, IPv6 was well designed, much better than IPv4, which was normal after all the experience accumulated while using IPv4 for many years.
The designers of IPv6 have made only one mistake, but it was a huge mistake. The IPv4 address space should have been included in the IPv6 space, allowing transparent intercommunication between any IP addresses, regardless whether they were old IPv4 addresses or new IPv6 addresses.
This is the mistake that has made the transition to IPv6 so slow.
See IPv4-mapped ("IPv4-compatible") IPv6 addresses from RFC 1884 § 2.4.4 (from 1995) and follow-on RFCs:
* https://datatracker.ietf.org/doc/html/rfc1884
* https://en.wikipedia.org/wiki/IPv6#IPv4-mapped_IPv6_addresse...
How would you have implemented it that is different from the NAT64 that actually exists, including shoving all IPv4 addresses into 64:ff9b::/96?
Great, there's an extra bit in the IPv4 packet header.
I was talking about the data structures in operating systems: are there any extra bits in the sockaddr structure to signal things to applications? If not, an entirely new struct needs to be deployed.
And that doesn't even get into having to deploy new DNS code everywhere.
They didn't use the reserved bit, because there's a field that's already meant for this purpose: the next protocol field. Set that to 0x29 and it indicates that the first bytes of the payload contain a v6 address. Every v4 address has a /48 of v6 space tunnelled to it using this mechanism, and any two v4 addresses can talk v6 between them (including to the entire networks behind those addresses) via it.
If doing basically exactly what you suggested isn't enough to stop you from complaining about v6's designers, how could they possibly have done any better?
And what's wrong with a newer version of a thing solving all the problems people had with it...?
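The three IPv4-in-IPv6 embeddings this sub-thread mentions (6to4's per-address /48, the NAT64 well-known prefix, and IPv4-mapped addresses) are all deterministic and reversible. The following is an added example, not code from any commenter; it builds each form with the standard `ipaddress` module and recovers the embedded IPv4 address, which is what a log pipeline or ACL needs in order to attribute such traffic to its real IPv4 endpoint.

```python
"""Added example (not from the thread): IPv4 addresses embedded in IPv6.

6to4 (RFC 3056): 2002:AABB:CCDD::/48 for IPv4 AA.BB.CC.DD
NAT64 well-known prefix (RFC 6052): 64:ff9b::/96 + 32-bit IPv4
IPv4-mapped (RFC 4291): ::ffff:0:0/96 + 32-bit IPv4
"""
import ipaddress

SIXTOFOUR = ipaddress.IPv6Network("2002::/16")
NAT64_WKP = ipaddress.IPv6Network("64:ff9b::/96")
V4MAPPED = ipaddress.IPv6Network("::ffff:0:0/96")
MASK32 = 0xFFFFFFFF


def sixtofour_prefix(v4: str) -> ipaddress.IPv6Network:
    """The /48 that 6to4 gives to one public IPv4 address."""
    packed = int(ipaddress.IPv4Address(v4))
    # The IPv4 address occupies bits 16..47 of the 128-bit address,
    # i.e. it is shifted left by 128 - 16 - 32 = 80 bits.
    return ipaddress.IPv6Network(
        (int(SIXTOFOUR.network_address) | (packed << 80), 48))


def nat64_address(v4: str,
                  prefix: ipaddress.IPv6Network = NAT64_WKP) -> ipaddress.IPv6Address:
    """Synthesise the IPv6 address a NAT64 uses for an IPv4 host (/96 prefix)."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 NAT64 prefixes are handled here")
    return ipaddress.IPv6Address(
        int(prefix.network_address) | int(ipaddress.IPv4Address(v4)))


def v4mapped_address(v4: str) -> ipaddress.IPv6Address:
    """The ::ffff:a.b.c.d form a dual-stack socket hands to applications."""
    return ipaddress.IPv6Address(
        int(V4MAPPED.network_address) | int(ipaddress.IPv4Address(v4)))


def embedded_ipv4(v6: str):
    """Return (scheme, IPv4Address) if the address carries an IPv4, else None."""
    addr = ipaddress.IPv6Address(v6)
    if addr in SIXTOFOUR:
        return "6to4", ipaddress.IPv4Address((int(addr) >> 80) & MASK32)
    if addr in NAT64_WKP:
        return "nat64", ipaddress.IPv4Address(int(addr) & MASK32)
    if addr in V4MAPPED:
        return "v4mapped", ipaddress.IPv4Address(int(addr) & MASK32)
    return None
```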
There are more people than IPv4 addresses, so the pigeonhole principle says you can't give every person an IPv4 address, never mind when you add servers as well. Expanding the address space by 6% does absolutely nothing to solve anything and I'm confused about why you think it would.
I do get that but I also get 'There are so many I could have all I wanted ... or I could if any of our fiber ISPs would support it, that is'
That becomes 2001:0c2d:4308::/48 instead
After that you just need to remember the subnet number and the host number. If you remember 12.45.67.8 maps to 192.168.13.7 you might have
2001:0c2d:4308:13::7
So subnet “13” and host “7”
It’s not much different to remembering 12.45.67.8>192.168.13.7
I was sort of expecting that this week.
I had to transcribe a v6 addy for a WAN-WAN test (a few mi apart).
That's when I noticed that Charter (Spectrum) had issued
2603:: for one WAN and
2602:: for the other WAN.
ref: https://bgp.he.net/AS33363#_prefixes6
https://www.iana.org/assignments/ipv6-address-space/ipv6-add...
I was reminded of this 2d ago; I was testing one IPv6 WAN from another. DDNS had failed so I didn't have my usual crutch to lean on.
Because you don’t know how many zeroes are on each side around the 0001 in the middle.
It can be 2000:0000:1:0000:0000:0000:0000:1 or 2000:0000:0000:0000:0000:1:0000:1 etc.
IPv4 also has a similar, though rarely documented or utilized, shortcut system. Try `ping 1.1` for example. It expands to 1.0.0.1.
In IPv4 you also have 127.257 equal to 127.0.1.1, 123456789 equal to 7.91.205.21, and 010.010.010.010 is a well-known DNS server. This notation is also rejected by most implementations.
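The shorthand forms above come from the BSD inet_aton() grammar: one to four dot-separated parts, each a C integer literal (decimal, leading-0 octal, or 0x hex), with the last part filling every remaining byte. The block below is an added example, not from the thread; it reimplements that grammar and puts it beside Python's strict parser, which rejects all of these. The practical point is that whatever validates an address and whatever actually connects to it must use the same parser, or the two will disagree on what `127.257` means.

```python
"""Added example (not from the thread): legacy inet_aton() address forms.

inet_aton accepts 1-4 parts; leading parts are one byte each and the final
part supplies all remaining bytes ("1.1" -> 1.0.0.1, "127.257" -> 127.0.1.1).
Strict dotted-quad parsers such as ipaddress reject every such form.
"""
import ipaddress
import re

# One C integer literal as strtoul(s, NULL, 0) would read it.
_PART = re.compile(r"^(0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")


def _c_strtoul(part: str) -> int:
    """Parse a single part with C base-0 rules (0x hex, leading 0 octal)."""
    if not _PART.match(part):
        raise ValueError(f"not a C integer literal: {part!r}")
    if part[:2].lower() == "0x":
        return int(part[2:], 16)
    if len(part) > 1 and part.startswith("0"):
        return int(part, 8)
    return int(part, 10)


def legacy_inet_aton(text: str) -> str:
    """Expand an inet_aton-style string to dotted-quad, or raise ValueError."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError("1 to 4 parts required")
    values = [_c_strtoul(p) for p in parts]
    for v in values[:-1]:
        if v > 0xFF:
            raise ValueError("leading part exceeds one byte")
    # The final part covers the bytes the leading parts did not.
    tail_bytes = 4 - (len(values) - 1)
    if values[-1] >= 1 << (8 * tail_bytes):
        raise ValueError("final part too large for the remaining bytes")
    packed = 0
    for v in values[:-1]:
        packed = (packed << 8) | v
    packed = (packed << (8 * tail_bytes)) | values[-1]
    return str(ipaddress.IPv4Address(packed))


def strict_accepts(text: str) -> bool:
    """True only if the strict four-octet parser accepts the text as given."""
    try:
        ipaddress.IPv4Address(text)
    except ipaddress.AddressValueError:
        return False
    return True
```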
google.com: 2607:f8b0:4009:819::200e (5 groups) -> 2607:f8b0:4009:0819:0000:0000:0000:200e (3 groups of added zeros)
a ULA address: fd2a:1::2 (3 groups) -> fd2a:0001:0000:0000:0000:0000:0000:0002 (5 added)
localhost: ::1 -> 0000:0000:0000:0000:0000:0000:0000:0001
In IPv6 addresses, :: is all zeroes and there's no ambiguity.
Your link does not show different addresses from a valid compression, it shows different addresses from an invalid compression. The link shows examples of what we don't do.
Conversely, if we compress the expanded addresses in your link, we will get 2 different compressed addresses.
That is only true for autogenerated/SLAAC IPs. In contrast, manually assigned IPs are often much simpler and easier to remember in IPv6 than in IPv4. I have one common subnet prefix that can be uniformly split to end networks, and the last number in the IP address for such a network always ends with 0 (and therefore the first device is xxx::1). While in IPv4 I had multiple prefixes, each split non-uniformly based on how many devices were expected to be on that end network, and because most end network prefixes were smaller than /24 (say /26-28), the last number of the IP address varies between these networks.
I guess it could be possible to implement sort of mnemonic phrases for addresses, à la bip-39, but it would be just trading one kind of pain for another.
"the :1 is short for :0001 basically" is easy enough: you get 2001::0001::0001.
Then "just put that bit at the very end" -- but which bit? If it means the ":0001", then there's two of them and they can't both go at the very end. If not, then it fails to specify which bit. Either way I don't see how these instructions are followable at all, let alone easily.
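The `::` rule that several comments above circle around (one `::` is unambiguous, two cannot be resolved) is mechanical once written down. Below is an added example, not from the thread: an RFC 4291 expander that rejects `2001::0001::0001`, and an RFC 5952 compressor that turns the two expansions given earlier into two different canonical strings. Dotted-quad suffixes such as `::ffff:192.0.2.1` are deliberately not handled.

```python
"""Added example (not from the thread): '::' expansion and canonical
compression of IPv6 text. A lone '::' stands for exactly the zero groups
needed to reach eight; a second '::' is unresolvable and rejected."""
import re

_GROUP = re.compile(r"^[0-9a-fA-F]{1,4}$")


def _groups(chunk: str) -> list[int]:
    """Parse ':'-separated 1-4 digit hex groups; '' yields []."""
    if chunk == "":
        return []
    out = []
    for g in chunk.split(":"):
        if not _GROUP.match(g):
            raise ValueError(f"bad group {g!r}")
        out.append(int(g, 16))
    return out


def expand(text: str) -> list[int]:
    """Return the eight 16-bit groups, raising ValueError if malformed."""
    if text.count("::") > 1:
        raise ValueError("'::' may appear only once")
    if "::" in text:
        left, right = text.split("::")
        head, tail = _groups(left), _groups(right)
        missing = 8 - len(head) - len(tail)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        return head + [0] * missing + tail
    groups = _groups(text)
    if len(groups) != 8:
        raise ValueError("exactly eight groups required without '::'")
    return groups


def compress(groups: list[int]) -> str:
    """RFC 5952 form: no leading zeros; the longest run of two or more zero
    groups (first one on a tie) becomes '::'; a single zero group stays."""
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        j = i
        while j < 8 and groups[j] == 0:
            j += 1  # extend the current run of zero groups
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j + 1 if j == i else j
    hexed = [format(g, "x") for g in groups]
    if best_len < 2:
        return ":".join(hexed)
    return ":".join(hexed[:best_start]) + "::" + ":".join(hexed[best_start + best_len:])


def canonical(text: str) -> str:
    """Normalise any valid textual form to its single RFC 5952 spelling."""
    return compress(expand(text))
```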
Posed as a question, disingenuously.
Enable IPv6 on a TP-Link Omada router (ER7212PC) and all internal services are exposed to the outside world as there is no default IPv6 deny-all rule and no IPv6 firewall. I get why some people are nervous.
No free upgrade.
A router routing traffic makes people nervous? Isn't that what it's supposed to do? I'd be annoyed if my router did not pass traffic.
Now, if the ER7212PC was a firewall that would be something else.
(And no, I'm not being pedantic: routers should pass traffic unless told otherwise, firewalls should block traffic unless told otherwise. The purposes of the two device classes are different, they just happen to both deal with Layer 3 protocol data units.)
What firewall do you recommend a typical user couple their ER7212PC (which BTW is already tripling as VPN gateway and cloud-controller) with?
The problem is that TP-link does not give two cents to security in their products.
> And no, I'm not being pedantic
You very much are.
Except that neither the ER7212PC nor anything else under the Omada (sub-)brand is a consumer / household device. The tagline of Omada is "Networks Empower Business":
* https://www.omadanetworks.com
If you want to haul your boat buy an F-150 pickup and don't complain that your Golf doesn't have enough towing capacity: buy the tool that you need for the problem/job you have. If you want an all-in-one then buy an AiO and not a router.
>> And no, I'm not being pedantic
> You very much are.
Expecting a router to not-route IPv6 is the unreasonable thought.
I am suggesting the ER7212PC is not a home network device, and thus having the two functions glommed together is an anti-feature in its design. The tagline of Omada is "Networks Empower Business":
* https://www.omadanetworks.com
Expecting a router to not route IPv6 by default is to misunderstand its purpose.
Then buy a device that does default NATing and other consumer-y features if you want that. Don't complain that a generic routing system routes IP—whether IPv4 or IPv6—by default.
If you want a firewall buy a firewall. If you want an all-in-one firewall/gateway/AP/whatever, buy it.
In this particular case the "problem" is not in the device but in purchasing the wrong tool for the job at hand. If you want to haul lumber buy a cargo van or pickup truck, not a VW Golf.
Customer edge routers are expected to contain firewall (see RFC 7084 and RFC 6092).
Neither the ER7212PC nor anything else in the Omada line is for residential consumers, which is what RFC 6092—"Recommended Simple Security Capabilities in Customer Premises Equipment (CPE) for Providing Residential IPv6 Internet Service"—refers to.
And RFC 7084 has two instances of the word "firewall", one (§3.1) in reference to IPv4 NAT:
A typical IPv4 NAT deployment by default blocks all incoming
connections. Opening of ports is typically allowed using a Universal
Plug and Play Internet Gateway Device (UPnP IGD) [UPnP-IGD] or some
other firewall control protocol.
and the other (§4.5) to tunnelling:
S-3: If the IPv6 CE router firewall is configured to filter incoming
tunneled data, the firewall SHOULD provide the capability to
filter decapsulated packets from a tunnel.
I agree that a consumer all-in-one firewall/gateway/AP/whatever should ("MUST"?) have a default-deny rule on incoming connections. But the original complaint that kicked off this sub-thread is about a particular device, which is not a consumer device but a more generic routing system and not a "firewall" as such. AFAICT the ER7212PC is not a "NAT router" but just a "router".
Even some switches have ACL functionality for the IP layer, but they're sold as switches and not as firewalls.
> NAT64 - the method I’ve setup for this test
> IPv6 is absolutely ready for prime-time and has been for a while
So... No, you spent a week effectively using both v6 and v4 with extra steps. If someone said "Linux is ready for primetime" but their setup only worked because they ran a bunch of applications in a Windows VM, I'd call that strong evidence that it really wasn't. Same here.
That said... This is from early 2023. Any chance it's better now?
I accidentally went IPv6 only on my home wifi for a few weeks a while ago. I only noticed when GitHub didn't load (I avoid work things at home, hence accessing GitHub being rare.)
Relatedly, fuck GitHub and their incompetence at rolling out IPv6. It's nothing other than that at this point. Blank, unadulterated incompetence.
It's less steps though. You can do all your network setup in the nice v6 world, and set up v4 emulation for those who need it. Yes, it's not yet practical to turn off v4 entirely, just like it's not yet practical to turn off Rosetta on your ARM Mac.
https://www.sidnlabs.nl/en/news-and-blogs/can-we-do-without-...
Until nearly everything is on v6 too it won’t be realistic to ditch the mechanisms that provide v4 access.
- My local ISP (US Internet, soon to be part of T-Mobile Fiber) hasn't enabled it, even though the CEO has said on Reddit for years that it's a priority. Now that they've been acquired who knows if it'll ever happen.
- Linode allows transferring v4 addresses between machines, so if I need to rebuild something I can do so without involving my client who usually has control over DNS. They do not support moving v6 addresses, which means that the only sites I have control over that support v6 are the ones that I control DNS.
Making IPv6 a thing seems like it would be super easy if a couple hours could be spent solving a bunch of dumb lazy problems.
Being a priority doesn't mean it's high priority. It could be a priority, but the lowest ranked one, so other stuff always comes first. :P
T-Mobile wireless US is pretty invested in IPv6, so if they take over the network, they may well push it.
It's "T-Mobile Fiber Home Internet" which looks to be a bunch of local ISPs they've been snatching up, so we'll see what happens. USI's customer service and reliability have been amazing so hopefully that doesn't get screwed up.
Maybe 2026 will be the year of IPv6. I kinda doubt it given I'm some jackass and dedicated network professionals still don't use IPv6.
The netmask for IPv6 is nearly always /64. ISPs give out /60 to allow multiple subnets, but the router makes /64 subnets from that.
I have Comcast, and they do give me a /56, but you can't ask for a /56 in the DHCP-PD request, because they don't support a single request grabbing all of your prefix space. You have to ask for /60's, which I had to find out through trial and error.
But it may have been even worse (my memory is fuzzy) because I think at one point I did successfully get a /56, but that then exhausted my DHCP allocation, and then after I rebooted my router I couldn't get anything any more. It didn't help that the router I had been using (Unifi security gateway) didn't seem to keep a static DUID that comcast was happy with, so I kept getting new prefixes every time it rebooted.
Comcast probably has so few customers that bring their own cable modem/router at this point that they basically don't have any support for this, you won't get anything from them over the phone, they just push you to pay them to rent their equipment (where they configure all these parts the way their network expects.) You have to be adventurous to run your own equipment with IPv6.
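Carving a delegated prefix into per-VLAN /64s is where the /60-versus-/56 question above actually bites: a /60 leaves 4 bits of subnet ID, a /56 leaves 8. The block below is an added example, not from the thread; it also supports the mnemonic scheme an earlier commenter described, where the decimal digits of the VLAN number are used as the hex digits of the subnet group (VLAN 13 becomes `...:13::/64`), and shows that this mnemonic needs more than a /60 for VLAN 13.

```python
"""Added example (not from the thread): pick /64 subnets out of a
DHCPv6-PD delegation, with an optional digit-mnemonic subnet ID."""
import ipaddress


def subnet_for(pd: str, subnet_id: int,
               mnemonic: bool = False) -> ipaddress.IPv6Network:
    """Return the /64 numbered subnet_id inside the delegated prefix pd.

    mnemonic=False: subnet_id is a plain index (13 -> group value 0xd).
    mnemonic=True:  the decimal digits of subnet_id are read as hex digits
                    (13 -> group value 0x13), mirroring 192.168.13.0/24.
    """
    net = ipaddress.IPv6Network(pd)
    if net.prefixlen > 64:
        raise ValueError("delegation is smaller than a single /64")
    free_bits = 64 - net.prefixlen
    value = int(str(subnet_id), 16) if mnemonic else subnet_id
    if not 0 <= value < (1 << free_bits):
        raise ValueError(
            f"subnet id {subnet_id} does not fit in a /{net.prefixlen} delegation")
    # The subnet ID occupies the bits between the delegation and the /64.
    return ipaddress.IPv6Network(
        (int(net.network_address) | (value << 64), 64))


def plan_vlans(pd: str, vlan_ids, mnemonic: bool = False) -> dict:
    """Map each VLAN ID to its /64 and to the router's conventional ::1."""
    plan = {}
    for vid in vlan_ids:
        net = subnet_for(pd, vid, mnemonic)
        plan[vid] = (net, net.network_address + 1)
    return plan


def subnet_count(pd: str) -> int:
    """How many /64s a delegation of this size yields (a /60 -> 16)."""
    return 1 << (64 - ipaddress.IPv6Network(pd).prefixlen)
```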
Does it use SLAAC on the WAN side or DHCPv6? How do I get a range for my LAN then, DHCPv6 prefix-delegation? Or maybe it’s statically assigned somehow. Some carriers just use link-local on the WAN, with no public v6, just RAs for the link-local, and a GUA block via IA_PD.
Regardless there are too many ways this is done, and this hampers adoption as it’s not just the “switch it on” operation you suggest.
Nearly every ISP uses DHCPv6-PD because manual configuration is harder. The range is in the DHCP-PD; your router picks a subnet. The WAN address is automatic, and I don't care about it because I never see it. Mine is link-local and I hadn't known until I checked.
If you don't want to use the public addresses internally, then you can assign ULA addresses. If you don't want to use MAC derived addresses, assign them static host addresses.
For names, I use mDNS. I don't know the IPv6 address for my server. If I did need it, I would get it from the router.
It’s fine for mobile providers, where the client activation defines what’s needed and the carrier essentially just needs to support two OSes (iOS and Android).
Also mostly fine for residential when the carrier provides the CPE, and can set it up to work with how they have the network built.
But if you’re managing your own router it can be complex to know exactly what to use. And most ISPs' support isn't very good either.
If you happen to be an expert it’s fine, but if you’re a power user not a full time network guy there is still way more complexity than there ought to be.
The only way I got IPv6 working well with them was to bypass their gateway. Now all my VLANs have /64, which is the standard subnet size.
It was a painful experience of trying to work out if I had misconfigured it, if it was something to do with my opensource router software or if it was my ISP or the end services. I didn't get to the end of working this out and reporting issues and I just gave up. Due to the intermittent nature of the issues I was facing I never managed to get a report of issues my ISP would accept.
So I'll give it some time and give it a try after a year and see if things have improved, but it was definitely not ready for prime time.
In theory this makes sense, but in practice my personal experience is that not a single wireline ISP I've ever seen deploy CG-NAT offered IPv6 service at all, nor did any of them indicate any intent or even interest when asked about it.
The mobile providers on the other hand have almost entirely gone IPv6-first, using 6>4 transition methods as the default form of v4 access which I fully support.
4>4 CG-NAT should never have existed and providers who deploy it without offering fully functional v6 should be shamed.