It’s not you or your setup. I experience the same behavior. Tried with and without Private Relay, residential and commercial ISPs at different locations, and more to debug it. Same results.

I think GitHub has just gotten so aggressive with their rate limit policies that it’s straight up incompatible with their own product. The charitable interpretation is that they aren’t keeping good track of how many requests each page actually performs in order to calibrate rate limiting.

My theory is that they rate limit that URL aggressively due to AI scrapers. At this point it's faster to just clone the repo and do your searching locally.

Your work is probably all exiting through the same IP, you competing with others on the same IP is causing the rate limit.

Comically IPv6 now has almost all the neat stuff IPX did. There probably is an argument for more datagram centric networking these days as the underlying services are generally much faster and more reliable and there is so much more session tracking going on at higher application layers anyway.

IPX/SPX is datagram only. BUT it would be an opportunity to build a QUIC-like that runs over it :-)

Only if we're bringing back Token Ring, too.

I remember removing the IPX route entries from our Cat65 MSFC back in 2006 and from the ATM/Framerelay WAN Equipment. Wasn't very popular with the customers.

I also remember the first IPv6 Workshop on W2k SP3 back in 2002. Not that long ago.

I've used IPX exactly once in my life, playing Diablo over modems calling my dorm neighbor to establish the connection (in 2005).

Excuse me. Zero nines. Or two nines if you relax your definition of where they are in the number. https://infosec.exchange/@0xabad1dea/116334321751266751

You guys have nines?

Personally I’d look for the coveted 5 eights uptime.

As long as it is after the decimal separator I can try for that...

That seems weird given NIST, and the US Government, set a requirement for IPv6 Only back several years ago, and it sort-of became part of the JWCC requirements (It wasn't in the requirements, IIRC, because it came after those were set, but the government wouldn't fully approve use for JWCC if you didn't meet it).

You'd think they'd have sprinted for that feature as fast as they could go.

More importantly, it doesn’t support uptime well.

Couldn't tell you. I'm not part of the infrastructure team. I wasn't even aware the alerting service was moving.

QA found it a couple weeks later when they were testing alerting, and SMSes weren't coming through.

Zero observability and alerting too. Seems like they’re planning to be a productive future member of that team.

One of the big challenges with IPv6 remains that many of the knows-just-enough-about-networking people, like support staff, often never received any IPv6 training (or, for that matter, even enough IPv4 training that they don't need to Google things that come up in real life). Another is that the weird, awful, everyone-hostile corporate "solutions" often break IPv6 in stupid ways (like load balancers and logging tools being unable to cope with minor changes and requiring a full configuration rework).

Things have definitely gotten better over time, though. The massive 90s style corporate networks will probably never transition, but smaller and more modern companies don't have that issue.

Apple mandating that apps are IPv6 compatible and various government legislation forcing companies to make their shitty middleware IPv6-compatible has improved things quite a bit so far. As uptake keeps rising, the need for technologies like STUN and TURN will slowly start decreasing, and as a result more and more people will end up in "untested" situations where not having IPv6 and falling back to legacy paths starts becoming a problem.

Facebook is (AIUI) 100% IPv6-only on their internal network, and has been for many years:

* https://engineering.fb.com/2017/01/17/production-engineering...

* https://www.internetsociety.org/blog/2014/09/facebook-launch...

IPv4 is actually the "leftover" stuff they have to deal with at the front end.

But they are an eye-balls heavy service, with a lot of mobile devices, which also tend to be IPv6-native.

That's why ipv6 migration should be government mandated. Then it becomes just the cost of doing business

Good spot. Sorry to disappoint!

IPv4 is going to be a necessity for many many decades no matter what Microsoft do. Even when IPv6 is at 99%, people aren't going to want 1 in every 100 people to not be able to access their site at all. It'll need to be like 99.9% before we start seeing serious IPv6-only services.

> Outdated beliefs probably. When I talk about v6 support in our b2b saas, PM laughs and says nobody uses that shit.

Nobody except the 140M subscribers on T-Mobile US's network:

* https://www.youtube.com/watch?v=d6oBCYHzrTA

But sure, be IPv4-only and add latency by forcing traffic through an extra translation box.

It's because big tech is USA based mostly, where there's still a glut of ipv4 available.

Definitely not for the biggest ones. Google and Meta have so many machines in their data centers that IPv6 addressing becomes a technical necessity due to the risk of exhausting the RFC 1918 address space. Naturally, they were early adopters of IPv6.

Well it’s over 50%…

Well, even if there was a standard, that's still not a guarantee that the other side of the /64 would be following it. It's correct for you to rate-limit the whole /64.

... But that's no different from IPv4. Sometimes you have one per user, sometimes there are ~1000 users per IP.

Most of the ipv4 world is now behind CGNAT, one user per ip is simply a wrong assumption.

I mean, all your numbering woes vanished, so, that's probably an immediate quantifiable benefit unless you're so tiny you never needed any renumbering effort, in which case your "operational work" to deploy IPv6 was probably zero.

How does IP bans work in IPv6 case? One just blocks whole /64 or /56 address range?

Or the most likely more expensive rate limiting (computational wise)

> v6 oversteps on LAN features and makes bridging v4 and v6 way uglier than it should

How so?

But their VLANs still only support ipv4, which makes it hard to route external ipv6 traffic through the VLANs. You need tunnels.

I don't even know why clouds offer public IP addresses. In my opinion all clouds should only have a gateway that routes via host header for millions of customers. IPv4 should be a special priv for special situations at a higher price. Then these clouds could own maybe 20 IPs total instead of millions.

And the higher level libraries mostly do it for you, too, even if you directly specify IPv4 addresses in your code (due to NAT64 [1]). I think it only even requires special work from you as a developer if you're using low-level or non-standard libraries.

[1] https://en.wikipedia.org/wiki/NAT64

Nat64: https://developer.apple.com/support/ipv6/

Differential enforcement.

I’m guessing the app works but their prod servers don’t? If they can point the app during review at a “self hosted” GitHub Enterprise server on a test domain with AAAA that would pass the requirement as stated by gp , without requiring GitHub.com actually support ipv6.

You can, but a significant portion of that money is going toward paying off that IP.

"Skyrocket" is wrong but the market cap of IPv4 addresses is quite high.

For now, :) Hopefully it continues.

> if IPv6 prevents IPv4 rental prices from going haywire, then it's served a useful purpose.

Competition is good.

Exactly. To this point I went to a Comcast store to cancel my internet and the person asked me if I meant I wanted to cancel my “Wi-Fi”. I was very confused for a couple seconds.

It has been interesting to me to see how the usage of "my wifi bill" instead of "my internet bill" has shifted.

... and they were right.

v6 adoption is often an all or nothing, because if you run both stacks, you have to ensure they are consistent. While you can reasonably do it on your home LAN, doing it across an entire infrastructure is the worst.

Now you have to make sure all your subnets, routing, VLANs, firewall rules, etc work exactly the same in two protocols that have very little in common.

It is the equivalent of shipping two programs in different languages and maintaining exact feature parity between both at all times.

I switched my home ISP from cable (which supported IPv6) to fiber (which doesn't) and I've had a nagging disappointment ever since. But I guess consumers aren't really demanding it enough.

"seems" is doing a lot of heavy-lifting in your message

Wow, that’s very cool! Do you know how that works? Do they just connect you to a NAT64 gateway of your choice?

It's very hard to get rid of old standards.

"The past is never dead. It's not even past"

How far below is the question. It could level out at 60% - that is believable. However it can't level out at 99% - Somewhere around 95% major sites will decide IPv4 isn't worth supporting and they will just ignore that final 5% of customers, which will force them to upgrade - which in turn will give others confidence to remove their final 4% of customers - until IPv4 dies.

That’s indeed what they’re saying, but they’re simply wrong which is obvious from looking at the graph and accounting for seasonal variation.

Unfortunately my ISP here in Europe is not one of those offering IPv6.

Other than France or Germany its far from mostly.

It's frustrating that even brand new Unifi devices that claim to support IPv6 are actually pretty broken when you try to use it. So 10 years from right now even, unless they can software patch it upwards.

Except that is completely wrong. Consumer/residential networks have significantly higher ipv6 adoption rates that corporate/enterprise networks. That is why you see such clear patterns (weekend vs weekday) in the adoption graphs.

Comcast actually implemented IPv6 10-15 years ago so that they could unify the management of all of their cable modems. Prior to that they had many regional networks using with modems assigned management IPs in overlapping private IPv4 ranges.

> Porting all of that to support ipv6 can easily be a multi-year project.

FWIW, as someone who has done exactly this in a megacorp (sloshing through homebrew technical debt with 32-bit assumptions baked in), the initial wave to get the most important systems working was measured in person-months. The long tail was a slog, of course, but it's not an all-or-nothing proposition.

This is true, I worked for an old ISP/mobile carrier that started in the 80s about 10-15 years ago. They had basically any system you could think of still running, from decently modern vmware with windows and linux to hp-ux, openvms, sunos, AIX, etc. Could walk around and see hardware 30 years old still going, I think one console router had an uptime of 14 years or so. One time I opened a cabinet and found a pentium 1 desktop pc on the floor still running and connected, served some webpage. The old SMSC from the 80s on DEC hardware was still in its racks though not operational, they didn't need the space as the room couldn't provide enough power or cooling for more than a few modern racks. The planning program for fiber, transmission, racks, etc, required such an old java that new security bugs didn't apply to it, and looked and worked like an old mainframe program.

The core team supported ipv6 for a long time, but its rather easy to do that part. The hard part is the customer edge and CPE and the stack to manage it, it may have a lifetime of 2 decades.

>Why would you not just use a regular firewall?

No idea, but people do it. Every time this comes up on HN there are dozens of comments about how they like hiding their devices behind a NAT, for security

I set up NAT66 recently with DHCPv6. The IPv4 and IPv6 addresses are practically the same, except IPv6 has a prefix and a double colon as the last separator.

This really should be how SOHO routers do IPv6 out of the box.

Most people don't want 1:1 addressing for their entire home or office.

How so? The same working group published e.g. https://www.rfc-editor.org/rfc/rfc1933, and it's hard to see how v6 could have been designed for backwards compatibility in ways that it wasn't already.

I've asked lots of people to describe a more backwards-compatible design, and generally the best they can manage is to copy the way v6 does things, ending up with the same problems v6 has. This has happened so often that the only reasonable conclusion is that it can't really be done any better than it was.

> Just the obvious one: the people who designed IPv6 didn't design for backwards compatibility.

Nor for easy transition.

fd::1 is somewhere in the reserved ::/8 space where various stuff like old ipv4 mapped addresses and localhost reside. What you probably mean is something like fd00::1, but that is something you shouldn't use, because 'fd00::/8' is a probabilistically unique local address (ULA) block. You are supposed to create a /48 net by appending 40 random bits to fd00::/8. Of course, if your fair dice roll lands on all zeroes, and you are ok with probable collisions in case of a network merge, you are fine ;)

That's extremely common unless on "active" fiber (vs GPON, DOCSIS3, DSL, most fixed wireless, satellite, mobile, etc.)

Your wifi isn't symmetrical either.

> For example, in IPv4 each host has one local net address, and the gateway uses NAT to let it speak with the Internet. Simple and clean.

This is a troll right? NAT is a lot of things, but "simple and clean" is definitely not one of them. It causes complications at every step of the process.

Pure IPv6 is so much cleaner.

I will say that DHCP6 is probably misnamed. It does not fill the same niche has IPv4 DHCP, and this causes a lot of confusion with people who are new to IPv6. It should probably be called DPDP (Dynamic Prefix Distribution Protocol) or something like that. It's for routers not hosts.

In theory you should be using anycast DNS to find local hostnames, but in practice the tooling around this is somewhat underbaked.

> For example, in IPv4 each host has one local net address, and the gateway uses NAT to let it speak with the Internet. Simple and clean.

No, that’s not the IPv4 design. That’s an incredibly ugly hack to cope with IPv4 address shortage. It was never meant to work this way. IPv6 fixes this to again work like the original, simpler design, without ”local” addresses or NAT.

> In IPv6 each host has multiple global addresses.

Not necessarily. You can quite easily give each host one, and only one, static IPv6 address, just like with old-style IPv4.

> For example, in IPv4 each host has one local net address, and the gateway uses NAT to let it speak with the Internet. Simple and clean.

I assume you mean "interface", not "host". Because it's absolutely not true that a host can only have one "local net address".

EDIT: a brief Google also confirms that a single interface isn't restricted to one address either: sudo ip address add <ip-address>/<prefix-length> dev <interface>

> For example, in IPv4 each host has one local net address, and the gateway uses NAT to let it speak with the Internet. Simple and clean.

If you think NAT is "simple and clean", you may wish to investigate STUN/TURN/ICE. An entire stack of protocols (and accompanying infrastructure) had to be invented to deal with NAT.

Heaven help you if your ISP uses CG-NAT.

> Then there's IP fragmentation and PMTU that are a burning trash fire.

It's not significantly worse on v6 compared to v4. Yes, in theory, you can send v4 packets without DF and helpful routers will fragment for you. In practice, nobody wants that: end points don't like reassembling and may drop fragments; routers have limited cpu budget off the fast path and segment too big is off the fast path, so too big may be dropped rather than be fragmented and with DF, an ICMP may not always be sent, and some routers are configured in ways where they can't ever send an ICMP.

PMTUd blackholes suck just as much on v4 and v6. 6rd tunnels maybe make it a bit easier to hit if you advertise mtu 1500 and are really mtu 1480 because of a tunnel, but there's plenty of derpy networks out there for v4 as well.

> For example, in IPv4 each host has one local net address, and the gateway uses NAT to let it speak with the Internet. Simple and clean.

That's only true for smalltime home networks. Try to merge 2 company IPv4 networks with overlapping RFC1918 ranges like 10.0.0.0/8. We'll talk again in 10 years when you are done sorting out that mess ;)

> In IPv6 each host has multiple global addresses. But if your global connection goes down, these addresses are supposed to be withdrawn. So your hosts can end up with _no_ addresses.

Only a problem for home users with frequently changing dialup networks from a stupid ISP. And even then: Your host can still have ULA and link-local addresses (fe80::<mangled-mac-address>).

> ULA was invented to solve this, but the source selection rules are STILL being debated: https://www.ietf.org/archive/id/draft-ietf-6man-rfc6724-upda...

RFC6724 is still valid, they are only debating a slight update that doesn't affect a lot.

> Then there's DHCP.

DHCPv6 is an abomination. But not for the reasons you are enumerating.

> With IPv4 the almost-universal DHCP serves as an easy way to do network inspection.

IPv4 DHCP isn't a sensible means to do network inspection. Any rougue client can steal any IP and MAC address combination by sniffing a little ARP broadcast traffic. Any rogue client can issue themselves any IPv4 address, and even well-behaved clients will sometimes use 169.254.0.0/16 (APIPA) if they somehow didn't see a DHCP answer. If you want something sensible, you need 802.1x with some strong cryptographic identity for host authentication.

> Stateful DHCPv6 is not supported on Android (because its engineers are hell-bent on preventing IPv6).

Yes, that is grade-A-stupid stubborness. On the other hand, see below for the privacy hostname thingy in IPv4 and the randomized privacy mac addresses that mobile devices use nowadays. So even if Android implemented stateful IPv6, you will never be reliably able to track mobile devices on your network. Because all those identifiers in there will be randomized, and any "state" will only last for a short time. If you want reliable state, you need secure authentication like 802.1x on Ethernet or WPA-Enterprise on Wifi, and then bind that identity to the addresses assigned/observed on that port.

> With IPv6 there's literally _nothing_ similar.

Of course there is. DHCPv6 can do everything that IPv4 DHCP can do (by now, took some time until they e.g. included MAC addresses as an option field). But in case of clients like Android that don't do DHCPv6 properly, you still have better odds in IPv6: IPv6 nodes are required to implement multicast (unlike in IPv4 where multicast was optional). So you can just find all your nodes in some network scope by just issuing an all-nodes link-local multicast ping on an interface, like:

> ping6 ff02::1%eth0

There are also other scopes like site-local: > ping6 ff05::1%eth0 https://www.iana.org/assignments/ipv6-multicast-addresses/ip...

(The interface ID (like eth0, eno1, "Wired Network", ...) is necessary here because your machine usually has multiple interfaces and all of those will support those multicast ranges, so the kernel cannot automatically choose for you.)

> And even when it's supported, the protocol doesn't require clients to identify themselves with a human-readable hostname.

DHCP option 12 ("hostname") is an option in IPv4. Clients can leave it out if they like. There is also such a thing as "privacy hostname" which is a thing mobile devices do to get around networks that really want option 12 to be set, but don't want to be trackable. So the hostname field will be something like "mobile-<daily_random>".

What you skipped are the really stupid problems with DHCPv6 which make it practically useless in many situations: DHCPv6 by default doesn't include the MAC address in requests. DHCPv6 forwarders may add that option, but in lots of equipment this is a very recent addition still (though the RFC is 10 years old by now). So if you unbox some new hardware, it will identify by some nonsensical hostname (useless), an interface identifier (IAID, useless, because it may be derived from the MAC address, but it may also be totally random for each request) and a host identifier (DUID, useless, because it may be derived from the mac address, but it may also be totally random for each request). Whats even more stupid, the interface identifier (IAID) can be derived from a MAC address that belongs to another interface than the one that the request is issued on. So in the big-company usecase of unboxing 282938 new laptops with a MAC address sticker, you've got no chance whatsoever to find out which is which, because neither IAID nor DUID are in any way predictable. You'll have to boot the installer, grab the laptop's serial number somewhere in DMI and correlate with that sticker, so tons of extra hassle and fragility because the DHCPv6 people thought that nobody should use MAC addresses anymore...

How do the working IPv6 deployments cope with these issues?

>For example, in IPv4 each host has one local net address

Most of my home devices have multiple v4 addresses, not counting 127.0.0.1, so this assumption is incorrect.

The reason: Skill issue.

To be fair to the grand parent, the International Telecommunications Union is a specialized agency of the UN and actively promoting IPv6: https://www.itu.int/en/ITU-T/ipv6/Pages/default.aspx

I think it's fine if they have more than one priority.

> There are too many apps that hardcoded IPv4 in their code

That would work over CLAT, which most operating systems support.

It's fun and has now become an addictive rabbit hole - trying to get packets from one location to the other in the fastest, most direct way (and at hobbyist budget level).

Initial writeup based on IPv6: https://abarber.com/Setting-Up-ASN-IPv6-Routing-BIRD-Teltoni...

Have been having fun recently with an IPv4 block and Asynchronous routing, working on writing that up right now :)

Why are you (re-)implementing client security on provider end? If a client requires that only requests from a particular network are permitted... Peer in some way.

I do understand the value of blocking unwanted networks/addresses, but that's a bit different problem space.

Defense in depth is not the point, zero trust networking is.

30 USD/month and 0.045 USD/GB for ingress it is ok if you are big. It is a cheap service to build yourself. I do feel the pain of it being hard to get IPv4 minimal connectivity on ipv6 only hosts, i.e. for me a 1 USD/GB would be fine.

Those are still per-customer and require you to dedicate an entire IP address to it. That's overkill for a server which mostly talks over ipv6 but needs to connect to an ipv4-only service like Github once in a blue moon.

Any services like this for Hetzner?

I've had laptops with cellular modems built in going back to Pentium IIIs. The Compaq N600c had a "multiport" bay on the lid, one of the options was a GSM modem.

Jesus, what a waste

I've never had a modern laptop with a cellular modem, but every one I've owned has supported them internally. Even when they aren't provisioned with them, they're usually still supported as aftermarket options.