Posted by barqawiz 10 hours ago

Google Hits 50% IPv6(blog.apnic.net)
364 points | 350 comments
JdeBP 7 hours ago|
Just to add to the 'but the ISPs do not' anecdotes, it has been six months since someone last commented so it is probably time to mention this again on Hacker News:

* https://havevirginmediaenabledipv6yet.co.uk/

A major ISP in the U.K., that said in a public statement on World IPv6 Day in 2011 that

> As well as our core and access networks being capable of supporting IPv6, we're rigorously testing our entire network to ensure that all customers have a smooth and simple transition when the time comes to flick the switch and turn IPv6 on. We're really pleased with how our tests are advancing and are happy to say that by the end of 2012, we'll be able to fully support customers looking to switch to IPv6.

has not managed to actually flick that switch in 15 years.

* https://ispreview.co.uk/story/2011/06/08/uk-isp-fluidata-hai...

IgorPartola 1 hour ago||
The way to pressure ISPs to support IPv6 is stupid but effective:

1. Sites that help shoppers choose can add a big visual red flag to any ISP that doesn’t support IPv6. Consumers don’t know what IPv6 is by and large but they do understand seeing a big red flag.

2. Same thing for websites. Add a banner that says “hey your ISP doesn’t support proper internet connectivity which this site utilizes. Contact them to let them know that you are having internet issues.” Again, consumers do not know what IPv6 is, but they do know what annoying banners are.

xp84 52 minutes ago|||
From a US perspective, for your #1, the idea of people “shopping” for broadband, is astonishing. Most people here have available to them one single DOCSIS provider and that’s it. A few lucky ones have a FTTP option too, but that's definitely not available to more than 25% of addresses.

(It’s true that you can use cellular for your home internet, but I consider that extremely compromised.)

js2 36 minutes ago|||
I've got AT&T fiber coming in one side of my house and Google fiber in the other. AT&T since 2017, Google since last year. And I'm in the suburbs. I must be in a very small percentage of households with such availability.

As far as IPv6, both provide it, but after running with IPv6 on AT&T for about a year, I disabled it because whenever I had a rare random connection issue, I never knew whether IPv6 was the culprit and it was one less variable to debug.

r3trohack3r 18 minutes ago|||
Starlink shattered this monopoly in my area.
GenerWork 12 minutes ago||||
This will work on nerds (aka the HN crowd) but the average person will read that and wonder why they should care when the page loaded. Also, if you keep displaying the banner people will grow accustomed to it and ultimately ignore it.
kvdveer 1 hour ago||||
What would be the incentive for site owners to reduce the appeal of their site? The user has connected to the site, so there's obviously no immediate problem.
londons_explore 51 minutes ago||
Back when HTTPS deployment wasn't widespread, Chrome added a deliberate delay to HTTP sites so HTTPS sites appeared faster. That was the incentive for deployment for many, because until then HTTPS was generally slower (extra round trips to set up the TLS connection).
kortilla 59 minutes ago|||
Regular person, “This site requires some weird technology, I’ll shop somewhere else.”

This is one of those “if everyone just” solutions that doesn’t work because shopping websites would never do that. Amazon has tons of evidence that even the slightest bits of friction result in noticeable drops in sales.

londons_explore 50 minutes ago||
And yet Amazon's site seems to be half baked and buggy every time I visit.
gertrunde 5 hours ago|||
I once asked them if we could enable IPv6 on a 1Gb DIA circuit, and the response I got back was that "we can convert the circuit to IPv6, but you'll need to give up your IPv4."

I don't think I bothered asking them again!!

(Edit "them" = Virgin Media)

inigyou 5 hours ago|||
Sure they didn't just mean they'd change your static IPv4 address to a different one?
gertrunde 2 hours ago||
Quite possibly.

But the way that they dealt with the whole thing smelt very "we don't know what we're talking about", enough to put us off.

And shifting all the IP space about would have had costs with very little return, so little business appetite to go through it.

jonathantf2 7 hours ago|||
Purely from a business perspective, for VM there is no point. They have more than enough v4 to keep them going, customers (outside of a tiny technical minority who probably wouldn't choose VM anyway) do not see any benefit.

That plus other ISPs' v6 implementations breaking things randomly, I understand why they don't bother.

lambdaone 4 hours ago|||
The slow adoption of IPv6 by many older companies is at least in part a paradoxical result of the success of IPv6 elsewhere, particularly in new builds where there is practically no overhead in deploying IPv6 in a green-field environment - see for example the mobile telecoms market in developing countries, where new builds are IPv6-first.

This has taken pressure off the IPv4 legacy address pool, reducing the urgency for older providers.

End-users are typically completely unaware of whether their traffic is being carried over IPv6 or IPv4, and so simply do not care one way or the other. (This particular post is more than likely being made over IPv6, since news.ycombinator.com has an IPv6 address and my OS, browser, router and ISP all support IPv6 straight out of the box, as is now true for the majority of users in my country.)

Hizonner 6 hours ago|||
Right. Which is why this is not a choice businesses should be allowed to make.
post-it 6 hours ago||
Of all the things to regulate why bother with this one? It's not like IPv6 is better for the environment or useful to the consumer.
dijit 6 hours ago|||
depends on how you look at it. Right now it's very much a tragedy of the commons.

IPv6 not being supported in many places means the internet is more centralised, less likely to use proper p2p tech- because it's a lot harder to make it work rather than throwing up a TURN box and relaying everything.

"The latency? Who cares? IPv6 sometimes breaks right now" - because nobody is testing it, so why should people be the first to support it? There's no easy upside.

The only real upside for businesses is not having to pay for increasingly expensive IPv4 allocations. But they don't really care, it's not nearly expensive enough yet. Customers will get CGNAT, businesses will continue as normal.

All that will happen is that the internet gets slower and less equal.

Which is exactly the same thing that's happening with inefficient memory hungry software: people either have to buy a more expensive laptop or they have a shitty experience. Nobody is advocating for them, they just feel things getting shittier year on year and many are just choosing to avoid technology instead.

gruez 5 hours ago|||
>IPv6 not being supported in many places means the internet is more centralised, less likely to use proper p2p tech-

Realistically nobody outside some devoted HN readers are going to self host their own content. At best you'd see something like netflix trying to offload their video hosting costs onto their customers.

inigyou 5 hours ago|||
Well yeah, because they can't. Maybe if they could, they would do it more. You probably wouldn't want to host a permanent website from home, although some people do, but you could share a file. It would be popular with game servers, too.
gruez 4 hours ago||
>You probably wouldn't want to host a permanent website from home, although some people do, but you could share a file.

BitTorrent has been around for decades and nobody used it. They emailed files to themselves instead, or used Dropbox. This all happened before the ipv4 shortage and people getting moved to CGNAT.

miyuru 2 hours ago|||
internet is used by billions of people, not just you.
gruez 1 hour ago||
You sure you don't have this reversed? The average person uses the internet to watch tiktok videos and join zoom meetings, all of which is centralized. The people self hosting their NAS or minecraft server is a tiny minority.
dijit 51 minutes ago||
> join zoom meetings

no reason this has to be centralised.

in fact, Jitsi uses p2p with WebRTC until a third person joins the call: then migrates the call to be relayed.

A really nice latency win.

lazide 3 hours ago|||
Nobody used BitTorrent? LoL

ISPs had/have whole groups trying to stomp it out.

And it was a nightmare due to NAT even then.

It just got worse with CGNAT.

kortilla 52 minutes ago||
I think the commenter you’re replying to is pointing out that nobody used BitTorrent for legitimate cases. And that take is sadly correct. Despite having huge upsides, everyone just hosts on centralized CDNs, file syncing services (gdrive, Dropbox, etc).

Even Linux distros push you to direct downloads now rather than pointing to trackers.

BitTorrent only has healthy usage for content that’s untenable to host legitimately.

lazide 47 minutes ago||
That is because BitTorrent has been targeted so much.

Also, hey now - I have a lot of (actual) Linux disk images, and it works well for that!

dijit 5 hours ago||||
The sheer amount of times Airdrop has been the "best" way to share files takes away from your point a bit.

It's almost always faster than anything else available, and ipv6 would make that method of sending files closer to the default for most people.

Having VOIP in games or 1v1 lobbies is, in the strictest sense, "hosting" something in the same way.

FD: I work in video games so I speak from this bias.

LinXitoW 1 hour ago||||
Obviously I can't see the future, and I live in my own bubble....

Isn't self hosting, and small, private/semi-private communities the only way forwards for much of the internet? AI has made content extremely valuable, which in turn has started to destroy the openness of the web. Things are getting more and more siloed, with entry fees.

There's a world where self hosting comes back in a big way. AI ironically makes it much easier.

throw0101a 4 hours ago|||
> Realistically nobody outside some devoted HN readers are going to self host their own content.

How about Xbox/PS multiplayer/P2P gaming? Hosting a Minecraft server?

When Skype first came out it was P2P, but had to come up with the "supernode" concept (basically STUN/TURN/ICE) because of NAT: now all of our communication methods basically have to phone into the mothership.

Do we want the Internet to be more centralized (possibly giving more power to the tech bros) or more decentralized?

kortilla 56 minutes ago||||
The p2p tech argument doesn’t work anymore. Most routers ship a stateful IPv6 firewall enabled by default now because IPv6 was resulting in people’s vulnerable shit getting popped.

So p2p stuff still doesn’t work without explicit configuration that rules out 99% of your users. It’s super annoying.

dijit 52 minutes ago||
Yeah, it's impossible to do anything about a stateful firewall to get p2p connections.

It's a shame because if we could only get over stateful firewalling we'd be one step closer to the impossible task of using voice chat in console video games.

Right now they don't have that of course and the only hurdle is "NAT Types" which, as we all know, is a much easier problem to solve for the average person...

(this was sarcasm, if it wasn't clear).

lwhi 5 hours ago|||
Maybe the solution is to make IPv4 prohibitively expensive.
lazide 3 hours ago||
Or even just expensive.
throw0101a 4 hours ago||||
> Of all the things to regulate why bother with this one? It's not like IPv6 is better for the environment or useful to the consumer.

If I'm with a small-time ISP that has to use CG-NAT because they don't have the cash to buy/lease enough IPv4 addresses to give one to each CPE WAN interface, then using things like Xbox/PS multiplayer/P2P gaming is no longer possible. Want to host a Minecraft server? Too bad.

Are those two use-cases "useful to the consumer"?

icedchai 4 hours ago|||
You are right, but ISPs will tell you that you're not allowed to host servers anyway. Most have it in the AUP.
jjmarr 3 hours ago|||
I did port forwarding in 2010 for a Minecraft server. Basically every router supports it.

It wasn't meaningfully more difficult than setting up the server.

IsTom 2 hours ago|||
You can't do that with CGNAT.
lazide 2 hours ago|||
Most ISPs, you can’t do that anymore as you no longer have a publicly reachable IPv4 address. It moved the ‘just configure your router’ part to their equipment, as they now use CGNAT.

It’s gotten much worse.

inigyou 6 hours ago||||
It reduces the monopolization power of big cloud providers. This is especially relevant to countries that aren't the US, because it reduces reliance on the US.

It also just reduces resource waste (of labor time). Countries like China that have insufficient IPv4 addresses and political power have mandated it. One IP per home is manageable, for now, but CGNAT is really bad.

Hizonner 5 hours ago||||
Actually not as much point now.

The reason to regulate in maybe 2000 or so was that staying with IPv4 led to NAT. NAT led to it being impossible for users to receive incoming connections. Inability to receive incoming connections led to (a) horrendous protocol complexity, (b) probably some applications never even being invented, and, (c) everybody using ultra-centralized services. Ultra-centralized services led to advertising-driven distortions of service utility, concentration of political and economic power, and choke points. Choke points led to surveillance state bullshit that's just fully ripening today.

And, yes, this was (in broad outline) foreseeable in 2000. I wasn't the only one.

inigyou 5 hours ago||
The best time to plant a tree is 20 years ago...
lotsofpulp 2 hours ago|||
We are locked into apple and google backup services because of CGNAT. If ipv6, and symmetric fiber internet, was ubiquitous when smartphones came out, there could have been a competing option that backs up your own data to an appliance in your own home.
mlyle 48 minutes ago|||
We're finally getting there in the US, though. Top ASNs are >75% IPv6 capable.

It's Optimum Communications and Frontier (my provider) that are really holding the numbers down at ~15% each. The latter is improving very slowly, but not a lot of evidence of change in the former.

djantje 5 hours ago|||
In NL we have this one: https://heeftodidoipv6.nl

Their core network has IPv6, but not their customers, 17% market share in telecom in the Netherlands.

Are there more?

wolvoleo 4 hours ago||
They also got hacked recently and all their customer details were published.

PS: From the millions of customers' details leaked it sounds like their market share is a hell of a lot higher than 17%!

heresie-dabord 3 hours ago|||
After several decades, IPv6 has proven itself as a supplement to IPv4.
FireBeyond 1 hour ago|||
I finally managed to get Xfinity giving me a /60, and then figuring out a SLAAC setup that works across my layer 3 home network (mostly me realizing that SLAAC was the way to go versus trying to figure out DHCPv6 and Ubiquiti Edge stuff).
globular-toast 6 hours ago||
15 years is plenty of time to switch away from them. IPv6 is just one reason. It's a shit ISP. I ditched them as soon as I could and cited IPv6 as a reason, in case it made a difference (I also questioned my new ISP before I joined).

Virgin Media exist for two reasons: first they were given a monopoly by their Tory chums (Thatcher) and, second, all ISPs are allowed to make you sign absurdly long, anti-competitive contracts (18 months is common). If ISPs were treated the same as utility suppliers we'd probably be in a better place.

MYEUHD 9 hours ago||
Thread from two months ago (626 comments): https://news.ycombinator.com/item?id=47777894
dang 33 minutes ago|
Thanks! Macroexpanded:

IPv6 traffic crosses the 50% mark - https://news.ycombinator.com/item?id=47777894 - April 2026 (621 comments)

---

Other recent threads, if anyone would like a thousand more IPv6 comments:

The world in which IPv6 was a good design (2017) - https://news.ycombinator.com/item?id=47821429 - April 2026 (166 comments)

IPv6 is the only way forward - https://news.ycombinator.com/item?id=47680124 - April 2026 (339 comments)

IPv6 Adoption in 2026 - https://news.ycombinator.com/item?id=47083086 - Feb 2026 (21 comments)

IPv6 is not insecure because it lacks a NAT - https://news.ycombinator.com/item?id=46696303 - Jan 2026 (577 comments)

axus 6 hours ago||
When I set up a "pure" (not really) IPv6 server, was surprised that Github does not support it. Without the voluntary operations listed at https://nat64.xyz/ , they'd be unreachable from IPv6.
dapperdrake 6 hours ago|
And the Internet routes around a problem, yet again.

Good example of the 2020s on why there is practically truly only one Internet instead of many.

whatever1 3 hours ago||
I would love to stop paying AWS for public ipv4 addresses.

But it is simply impossible to go full ipv6, as many of the clients' ISPs do not support it.

Currently there is no pressure on the ISPs to move to ipv6. In fact the incentives are OPPOSITE! They love charging for static IPs.

budoso 1 hour ago|
To be fair if Google stopped supporting it that’d be a pretty good incentive for the ISPs to get in line.
ThePhysicist 9 hours ago||
Noooo, my /22 IPv4 subnet allocation is my personal 401k, I need this money to retire.
stymaar 7 hours ago||
You joke, but it's exactly how society thinks about housing…
chung8123 2 hours ago|||
It is difficult to retire with house equity. Housing is just one element of what you need to have in retirement and after a certain point, and especially in retirement, once the house is what you plan to stay in forever it is better if it is worth less (all other social factors aside) so that you don't pay as much in taxes on it.
seba_dos1 23 minutes ago|||
You usually only need one house to have in retirement, just like you likely won't need a whole /22 in retirement.
nine_k 42 minutes ago|||
The point is usually to sell a big house in a desirable location, buy a modest house in a less posh and tax-lighter location, and invest the difference to have a steady stream of income.
heresie-dabord 3 hours ago|||
Be a good neighbour, the AI data centres need to live somewhere.
mimsee 9 hours ago|||
Time to cash in?
hdgvhicv 8 hours ago|||
Prices have been coming down for years in nominal terms, let alone real terms. Cg nat does everything that’s needed, there are no significant ip6 only services, there are plenty of ip4 only services, so you have to support ip4 anyway, so why bother with ip6

My company has just turned off all ip6 connectivity for its corporate laptops because it’s considered a security risk. I disagree, but I do agree that having 4 and 6 is a higher risk than 4 alone or 6 alone, and 6 alone sadly still doesn’t work reliably.

All the “promise” of ip6, direct connections etc, were lost when stateful firewalls became required and memory became cheaper than $20 a megabyte. Some bespoke old protocols don’t like ports changing, which can be a problem, but it’s a very small number and easier to work around with modern protocols than support a dual stack environment securely for the majority of places that struggle securing a single stack.

throw0101a 7 hours ago|||
> My company has just turned off all ip6 connectivity for its corporate laptops because it’s considered a security risk.

If your corporate laptops are running Windows, then you're going against the officially supported configuration of the vendor (Microsoft):

> Internet Protocol version 6 (IPv6) is a mandatory part of Windows Vista and Windows Server 2008 and newer versions.

> We don't recommend that you disable IPv6 or IPv6 components or unbind IPv6 from interfaces. If you do, some Windows components might not function.

* https://learn.microsoft.com/en-us/troubleshoot/windows-serve...

> Cg nat does everything that’s needed […]

Except for making it convenient for end-users to, say, play P2P video games, or host Minecraft servers, etc.

> […] and 6 alone sadly still doesn’t work reliably.

It's so unreliable that half of all Internet traffic uses it. It's so unreliable that Microsoft has been going IPv6-only in their corporate networks (a decade ago):

* https://labs.ripe.net/author/mirjam/ipv6-only-at-microsoft/

It's so unreliable that Google is now 99% IPv6-only/mostly on their corporate networks:

* https://www.youtube.com/watch?v=UTRsi6mbAWM

inigyou 7 hours ago||||
Everything that's needed besides letting computers talk to each other, that is.

With ipv4 you have a two tier internet. Computers talk to servers, servers talk to servers, computers can't talk to computers so every video call must be routed through a server.

ghusto 7 hours ago|||
I hear this cited as a benefit of IPv6 a lot. Honest question: Isn't this at least a privacy issue, at most a security issue? SLAAC seems like what we already have with extra, breakable steps, which doesn't effectively address the privacy issue anyway.
TheDong 7 hours ago|||
Where's the privacy issue?

That the server can figure out that two computers in the same house are different since your laptop and phone no longer share the same ipv4 address but instead have two ipv6 addresses?

Your phone and laptop can just have multiple ipv6 addresses and rotate through them regularly... as apple does by default https://support.apple.com/en-ca/guide/security/seccb625dcd9/...

Security? NAT is not a firewall, you need a firewall, and switching to IPv6 does not remove your firewall.

Before IPv6: The server gets "1.2.3.4:56789" for your device. After IPv6: the server gets "1:2:3:4::56" or whatever for your device. In either case, if the server makes a connection to 1.2.3.4:56789 or 1:2:3:4::56, your router sees the packet and firewalls the connection. Cool.

Want to give me a concrete example of where IPv6 is hurting my privacy or security, because I've been using it for over a decade with zero mishaps, zero privacy issues, zero security issues (to my knowledge at least)

NitpickLawyer 3 hours ago|||
> NAT is not a firewall,

I've only read that on HN, I've never heard this anywhere else. Since it's been a good 20+ years since my CCNA (and haven't needed to renew it since), could you please offer a real-world example where NAT is not a firewall w/ practical examples relating to 99.9% of cases of home use? I just can't get why people say this a lot here.

NAT works and passes the grandma test. If grandma buys a crappy vulnerable 40$ printer and plugs it in, even if it accepts unauthenticated stuff on every local port, you will not be able to connect to it behind NAT. So what's the difference? The only way I could think this can apply is if the ISP is compromised or criminally mismanaged, in which case you probably already have bigger problems.

kstrauser 2 hours ago||
Grandma’s ISP can send RFC 1918 traffic to her router and likely be able to directly connect to every internal host. You should have learned in your CCNA training that NAT makes it harder to send inbound traffic to a system, but doesn’t by itself provide the filtering that a firewall does.
NitpickLawyer 2 hours ago||
Right, I get that. I can see the ISP angle. But my question was specifically for outside attacks. Tangible, real-world threats in existing ISPs, reachable from the outside.
mlyle 40 minutes ago||
NAT was not designed as a security boundary. Sure, it may block some kinds of incoming traffic accidentally and as a side-effect disrupt some attacks.

But why would you rather have an always-broken network that might block attackers instead of a deliberate "deny incoming" rule that does exactly what you want -- and that you can punch holes in if desired?

Instead we have apps circumventing this accidental barrier with STUN, uPNP, etc with little/no oversight and we also regularly encounter brokenness.

inigyou 7 hours ago|||
They used to recommend using the MAC address. This was ok 30 years ago when a computer sat in an office on a desk but it makes it very easy to fingerprint a moving computer as it moves across different networks.

Using a random address (Privacy Extensions) solves this problem though, but do we expect everyone to know what that is and check it's enabled? Mine wasn't enabled by default (on Linux) and I only noticed when a bittorrent site warned me.
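
An audit for the MAC-derived addresses this comment describes (modified EUI-64 interface identifiers, RFC 4291), as an added example that is not part of the original post. The MAC, prefixes and the privacy-style address are constructed sample values, and `audit` is a hypothetical helper name.

```python
"""Added example: spot SLAAC addresses whose interface ID embeds the NIC's MAC.
Sample MAC and prefixes are constructed (documentation ranges)."""
from ipaddress import IPv6Address, IPv6Network
from typing import Dict, Iterable, Optional

IID_MASK = (1 << 64) - 1  # low 64 bits of an address = interface identifier


def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64: flip the universal/local bit, insert ff:fe in the middle."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]


def slaac_address(prefix: str, mac: str) -> IPv6Address:
    """Address a host forms on a /64 when privacy extensions are off."""
    net = IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC uses /64 prefixes")
    iid = int.from_bytes(eui64_iid(mac), "big")
    return IPv6Address(int(net.network_address) | iid)


def embedded_mac(addr: str) -> Optional[str]:
    """Return the MAC recoverable from an address, or None if the IID is opaque.

    A random IID contains ff:fe at this position about once in 65536 addresses,
    so treat a hit as a strong hint and confirm against the interface's MAC.
    """
    iid = (int(IPv6Address(addr)) & IID_MASK).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


def same_interface_id(a: str, b: str) -> bool:
    """True when two addresses on different networks share one interface ID."""
    return int(IPv6Address(a)) & IID_MASK == int(IPv6Address(b)) & IID_MASK


def audit(addresses: Iterable[str]) -> Dict[str, str]:
    """Map each non-link-local address to the MAC it exposes (hypothetical helper)."""
    findings = {}
    for text in addresses:
        addr = IPv6Address(text.split("/")[0])
        if addr.is_link_local:      # never leaves the local link
            continue
        mac = embedded_mac(str(addr))
        if mac:
            findings[str(addr)] = mac
    return findings


# Constructed sample: one laptop seen on two networks, plus a randomised address.
SAMPLE_MAC = "00:00:5e:00:53:2a"
HOME = slaac_address("2001:db8:1:2::/64", SAMPLE_MAC)
CAFE = slaac_address("2001:db8:beef:9::/64", SAMPLE_MAC)
RANDOMISED = "2001:db8:1:2:8d3c:41f0:9ab2:77e1"

if __name__ == "__main__":
    print(HOME, CAFE, same_interface_id(str(HOME), str(CAFE)))
    print(audit([f"{HOME}/64", "fe80::200:5eff:fe00:532a/64", f"{RANDOMISED}/64"]))
```

Feeding it the global addresses listed on a host's interfaces shows whether any of them still carry the hardware address.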

throw0101a 7 hours ago|||
As mentioned by GP, Apple enables privacy extensions on all their OSes:

* https://support.apple.com/en-ca/guide/security/seccb625dcd9/...

As does Windows (since Vista), and Android (8+).

So why are we still talking about this?

frantathefranta 3 hours ago|||
Could you publicly shame the distro that had that issue? Pretty sure it should be the default (on NixOS at least it is).
doubled112 1 hour ago||
Fedora doesn’t enable privacy extensions by default, if I recall correctly.
TeMPOraL 7 hours ago|||
Everything useful is a security issue. Security is a trade-off, not a positive stat you maximize. Every security tightening removes some utility from a system; the hope is that this disproportionally disrupts the "bad actors" over "good ones".

(All of that hinges on the key question that people seldom ask: what is being protected, and from who. The "two-tier" Internet is, in a way, pointing out a case where regular users are seen as threat actors.)

ikari_pl 7 hours ago|||
And wasn't that THE POINT of the internet and its decentralised design?
inigyou 7 hours ago||
Yes. Letting anyone talk to anyone was the point of the internet. It's been co-opted by these massive centralising forces and you know what? They're right. With IPv4 everything has to be centralised, we don't even have the faintest chance to avoid it. With IPv6 at least we have a chance to take it back.

Some people will mention stateful firewalls. They're pretty easy to holepunch through because you just need each side to send a packet to the other, then each firewall sees it as an outgoing connection and allows it. It's nothing like IPv4 NAT.

somat 6 hours ago||
The comparison between a stateful firewall and NAT is often because they feel like they are doing the same thing from a mechanical point of view.

For example here is how to achieve the same result in PF, note the single additional operator needed to specify nat.

  block in on $EXT_IF

  # NAT
  pass in on $INT_IF to any rdr-to $EXT_IF

  # stateful firewall
  pass in on $INT_IF to any
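
A toy model of the packet paths argued over in the comments above (the "NAT is not a firewall" exchange and the hole-punching remark), as an added example that is not part of any post. It is a simplified simulation, not PF or any real router; the class names and all addresses are constructed, and the NAT mapping is assumed to be tied to the remote endpoint.

```python
"""Added example: port-translating NAT with and without an inbound filter,
and a stateful default-deny firewall on a network with no translation.
All addresses are constructed (documentation, private and shared ranges)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class NatRouter:
    """IPv4 home router translating LAN flows onto its single WAN address."""
    wan_ip: str
    lan: str
    default_deny: bool = False   # True models an explicit "block in" on the WAN side
    mappings: dict = field(default_factory=dict)  # wan_port -> (remote, lan_ip, lan_port)
    next_port: int = 40000

    def outbound(self, pkt: Packet) -> Packet:
        wan_port, self.next_port = self.next_port, self.next_port + 1
        self.mappings[wan_port] = ((pkt.dst, pkt.dport), pkt.src, pkt.sport)
        return Packet(self.wan_ip, wan_port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet as delivered to the LAN, or None if it goes nowhere."""
        if pkt.dst == self.wan_ip:
            entry = self.mappings.get(pkt.dport)
            if entry and entry[0] == (pkt.src, pkt.sport):
                return Packet(pkt.src, pkt.sport, entry[1], entry[2])
            return None          # no translation entry, so nothing to rewrite to
        if ip_address(pkt.dst) in ip_network(self.lan):
            # Already addressed to a LAN host: translation is not involved,
            # so only a filter rule decides whether the router forwards it.
            return None if self.default_deny else pkt
        return None


@dataclass
class StatefulFirewall:
    """No translation: block inbound, keep state for flows started inside."""
    states: set = field(default_factory=set)

    def outbound(self, pkt: Packet) -> Packet:
        self.states.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return pkt

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return pkt if reverse in self.states else None


def nat_results(default_deny: bool) -> dict:
    r = NatRouter("203.0.113.7", "192.168.1.0/24", default_deny=default_deny)
    r.outbound(Packet("192.168.1.20", 5000, "198.51.100.9", 443))
    return {
        # Stranger on the internet probing the public address: dropped either way.
        "internet_unsolicited": r.inbound(Packet("198.51.100.9", 1234, "203.0.113.7", 9100)),
        # Reply on the flow the laptop opened: translated back and delivered.
        "reply_to_mapping": r.inbound(Packet("198.51.100.9", 443, "203.0.113.7", 40000)),
        # Upstream neighbour addressing the printer's private IP directly.
        "upstream_to_rfc1918": r.inbound(Packet("100.64.0.1", 1234, "192.168.1.50", 9100)),
    }


def ipv6_unsolicited() -> Optional[Packet]:
    fw = StatefulFirewall()
    return fw.inbound(Packet("2001:db8:ff::1", 1234, "2001:db8:a::10", 9100))


def hole_punch() -> tuple:
    """Two hosts, each behind its own stateful firewall, send to each other."""
    fw_a, fw_b = StatefulFirewall(), StatefulFirewall()
    a, b = ("2001:db8:a::10", 50000), ("2001:db8:b::20", 50001)
    a_to_b, b_to_a = Packet(*a, *b), Packet(*b, *a)
    first = fw_b.inbound(fw_a.outbound(a_to_b))   # B has no state yet: dropped
    second = fw_a.inbound(fw_b.outbound(b_to_a))  # matches A's state: delivered
    third = fw_b.inbound(fw_a.outbound(a_to_b))   # matches B's state: delivered
    return first, second, third


if __name__ == "__main__":
    print(nat_results(False), nat_results(True), ipv6_unsolicited(), hole_punch(), sep="\n")
```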

jampekka 7 hours ago|||
> My company has just turned off all ip6 connectivity for its corporate laptops because it’s considered a security risk. I disagree, but I do agree that having 4 and 6 is a higher risk than 4 alone or 6 alone, and 6 alone sadly still doesn’t work reliably.

I had a very concreteish security risk with IPv6 and openvpn. At least in Debian config openvpn tunneled only IPv4 by default. I only noticed this by being surprised I got results tailored to my origin country instead of the VPN out node country.

It's eternal (dual stack) paper cuts like this why just turning IPv6 off makes life a lot easier.
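
A check for the situation described in this comment, where a VPN carries IPv4 while IPv6 still leaves through the physical interface, as an added example that is not part of the original post. The routing tables are constructed samples in `ip route` text format, and the interface names, probe addresses and function names are assumptions.

```python
"""Added example: does IPv6 leave this host outside the VPN tunnel?
Routing tables below are constructed samples in `ip route` text format."""
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed IPv4 table: two /1 routes via the tunnel cover all of IPv4 and
# beat the DHCP default route on prefix length.
V4_ROUTES = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20 metric 100
"""
# Constructed IPv6 table: router advertisements on eth0, nothing via the tunnel.
V6_ROUTES_LEAKY = """\
2001:db8:1:2::/64 dev eth0 proto ra metric 100 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via fe80::1 dev eth0 proto ra metric 100 pref medium
"""
# Same table after the tunnel also installs a preferred IPv6 default route.
V6_ROUTES_TUNNELLED = V6_ROUTES_LEAKY + "default dev tun0 metric 50 pref medium\n"

Route = Tuple[object, str, int]  # (network, device, metric)


def parse_routes(text: str, family: int) -> List[Route]:
    """Parse unicast routes that name an output device; skip anything else."""
    routes = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or "dev" not in tok:
            continue
        dest = tok[0]
        if dest == "default":
            dest = "0.0.0.0/0" if family == 4 else "::/0"
        try:
            net = ip_network(dest, strict=False)
        except ValueError:
            continue  # e.g. "unreachable ..." or other route types
        dev = tok[tok.index("dev") + 1]
        metric = int(tok[tok.index("metric") + 1]) if "metric" in tok else 0
        routes.append((net, dev, metric))
    return routes


def egress(routes: List[Route], target: str) -> Optional[str]:
    """Longest-prefix match, lowest metric as tie-break; None if unroutable."""
    addr = ip_address(target)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[2]))[1]


def check_leak(v4_text: str, v6_text: str, tunnel: str = "tun0") -> dict:
    """Compare the interface used for an off-link IPv4 and IPv6 destination."""
    v4_dev = egress(parse_routes(v4_text, 4), "198.51.100.1")       # constructed probe
    v6_dev = egress(parse_routes(v6_text, 6), "2001:db8:ffff::1")   # constructed probe
    leak = v4_dev == tunnel and v6_dev is not None and v6_dev != tunnel
    return {"ipv4_dev": v4_dev, "ipv6_dev": v6_dev, "leak": leak}


if __name__ == "__main__":
    print(check_leak(V4_ROUTES, V6_ROUTES_LEAKY))
    print(check_leak(V4_ROUTES, V6_ROUTES_TUNNELLED))
    print(check_leak(V4_ROUTES, ""))  # IPv6 disabled: no route, no leak
```

On a Linux host the two inputs would be the output of `ip -4 route` and `ip -6 route` taken while the tunnel is up.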

scandox 8 hours ago|||
About 2023 I think
jampekka 8 hours ago||
You'll be really screwed in around the year 2100!
spockz 9 hours ago||
Meanwhile T-Mobile/Odido in the Netherlands is still not supporting IPv6 despite promising to have been working on it for years.

Ubiquiti gateways also seem to not support it sadly. It would be awesome if they supported something like Hurricane Electric’s tunneling.

jon-wood 8 hours ago||

  $ curl -v https://news.ycombinator.com
  * Host news.ycombinator.com:443 was resolved.
  * IPv6: 2606:7100:1:67::26
  * IPv4: 209.216.230.207
  *   Trying [2606:7100:1:67::26]:443...
  * ALPN: curl offers h2,http/1.1
  * TLSv1.3 (OUT), TLS handshake, Client hello (1):

Works fine through a Ubiquiti gateway here.
cge 8 hours ago|||
> It would be awesome if they supported something like Hurricane Electric’s tunneling.

HE tunnel IP space is now sufficiently penalized as non-residential/office that I’ve had to turn it off anyway. YouTube, for example, largely seems to block users in HE space unless they are logged in, and I frequently ran into neverending captchas.

kay_o 8 hours ago|||
It is entertaining that the situation becomes the opposite in the States, where T-Mobile does not support IPv4 and only assigns IPv6 with 464xlat for "Fake-NAT" to IPv4.
throw0101a 4 hours ago|||
> Meanwhile T-Mobile/Odido in the Netherlands is still not supporting IPv6 despite promising to have been working on it for years.

While T-Mobile US has been IPv6-only since ~2018:

* https://www.youtube.com/watch?v=d6oBCYHzrTA

inigyou 7 hours ago|||
Every ISP has to pay Hurricane Electric for their tunnels, that's why it's free to you. If enough people start using HE tunnels, ISPs will get native IPv6.

But you can't use HE tunnels because every website you visit will block you. You also can't use them from CGNAT or if your home router doesn't have a DMZ.

gruez 5 hours ago|||
>Every ISP has to pay Hurricane Electric for their tunnels, that's why it's free to you.

Is there a law mandating this?

inigyou 5 hours ago||
Yes, it's called contract law. If you don't pay HE, you don't get a connection to them.

I forgot one detail: your ISP could pay a different tier-1 ISP, as they all interconnect. Nonetheless, your ISP pays top rates for that traffic - tier-1 routes are usually last-resort routes.

gruez 4 hours ago||
Are we talking about the same thing here? I was thinking of https://tunnelbroker.net/

Obviously if the ISP is buying transit from HE, they'd have to pay for it, but it'd be surprising if HE was strongarming their customers by adding a clause that's like "oh also, if any of your customers use our ipv6 tunnel, we'll charge you $x/user/month" or whatever.

mschulkind 2 hours ago||
It really depends on the peering contract. Most are not for transit, but rather just destinations, and generally the side that sends more pays, so that means more traffic to HE if tunnels are in use.
stingraycharles 7 hours ago|||
And wouldn’t it add a considerable latency?
toast0 5 hours ago|||
It won't add much if you pick an appropriate tunnel server.

All my packets go through Seattle, using a Seattle tunnel server adds negligible latency.

But as someone else said, being connected with an he.net tunnel gets you marked as undesirable traffic these days, so that's annoying.

stingraycharles 5 hours ago||
Yeah ok if you already live near one of their locations, then it makes sense. But in my case it would have to go through an entirely different country, which would be fairly inconvenient.
sleepydog 5 hours ago||||
HE has a lot of points of presence in North America and Europe: https://pop.he.net/ , so latency should be negligible there. Elsewhere, yes you might see higher latency.
inigyou 7 hours ago|||
Possibly. They let you pick your nearest server, and HE is a tier-1 ISP which a lot of your packets may traverse already.
mtucker502 9 hours ago|||
They support it. I have it enabled with Spectrum. No file modification necessary; all configurable from the UI.
kuschku 9 hours ago|||
Huh? Ubiquiti has dropped support? I can't believe that, even the older EdgeRouter series supported it.
mkj 9 hours ago||
Old Nanostations as a client need to do proxy arp or something, which doesn't handle ipv6. That said it's probably 15 year old hardware. I ended up using a wireguard tunnel across it instead.
newsclues 8 hours ago||
https://help.ui.com/hc/en-us/articles/36378535649687-Configu...
throw0101a 7 hours ago||
Specifically on weekends, which seems to indicate that it's the corporate/business network side of things that is not bothering with implementing it.
xacky 6 hours ago||
The real milestone is when it's over 50% all the time.
Scroll_Swe 7 hours ago||
You frame "not bothering" as if it's a checkbox with "enable IPv6" to check and all done...

Put all work into reorg, for what? Some numbers to change? Why when IPv4 works?

calgoo 6 hours ago||
The corporate world tends to be easy to do, just put a gateway to IPv6 on their Zscaler (or similar) exit points and done. However, that is not really needed as they are "only" consuming a few IPs around the world (for that purpose). No one in the corporate world wants to go back to the days of public IPs on all devices. Internally the enterprises have no reason to switch as it just complicates their setups.
katbyte 4 hours ago||
I wouldn’t want a public ip for all the devices and computers on my home network either. Seems like a huge security risk.
throw0101a 4 hours ago||
> I wouldn’t want a public ip for all the devices and computers on my home network either. Seems like a huge security risk.

The real security risk is thinking that just because you have an internal RFC 1918 address space your security has improved.

It's been a decade+ since a firewall being considered a castle/moat of security was best practice. Any IT person who sees a device with a 10/8 (or 172.16/12 or 192.168/16) IP and thinks you're safe should be fired: it's lazy thinking.

At least if you had a GUA address it would force you to pay more attention to the rest of your security controls. Just recently a co-worker retired some systems that were accessible to the outside via DNAT—but forgot to clean up the firewall rules. So he then—for some fucking stupid reason—decided to re-use those same IPs, even though we had so many fucking other IPs available, and one of the boxes got compromised because it happened to have a simple, guessable password on the initial image install.

katbyte 4 hours ago||
Home networks are usually, nearly always, not run by anyone who is capable of “paying attention to the rest of their security controls”
throw0101a 2 minutes ago|||
Home networks have the same security whether IPv4 or IPv6: CPEs with a default deny rule, and hopefully folks install patches regularly.
jpc0 2 hours ago|||
Home networks are almost exclusively secure by default on any reasonable hardware.

The bigger issue is not remembering hostnames vs IP addresses.

Unless you have explicitly changed it what is the hostname of your mobile device? How about your PC?

The reality is with an even mildly competent DNS+DHCP implementation that is all you would need...

And mDNS otherwise but it seems only Apple ever bothered with that being default.

anonymouscaller 42 minutes ago||
https://www.google.com/intl/en/ipv6/statistics.html

I've never seen this chart before, was taking a peek from the link in the article. Does anyone with networking knowledge know why IPv6 usage peaks on Saturdays and dips during the middle of the week? (something related to mobile ISPs?)

coldstartops 9 hours ago||
Google hits 50% IPv6, very good for accessing websites.

But my TP-Link router blocks by default inbound IPv6 connections, without any option to configure it, still bad for pure IPv6 bidirectional streaming, gaming or services on home networks.

Leonard_of_Q 8 hours ago||
Put OpenWRT on the thing and you'll be able to do what you want. Experience the joy of adding not port forwarding rules for IPv4 but more or less identical (same ports) access rules for IPv6.
newsoftheday 3 hours ago|||
> But my TP-Link router blocks by default inbound IPv6 connections

I selfhost web and email over my Wireguard VPN using a free VPS (at OCI but I did it with AWS Lightsail too, though it wasn't free but cheap). This can work for you too or you can use easier to configure solutions like Tailscale. This way, your home isn't exposed directly to the Internet.

ddtaylor 4 hours ago|||
Not that it really matters because almost all the consumer router manufacturers are pretty bad, but TP-Link is really, really bad. I would highly recommend not using any of their hardware.
p1mrx 3 hours ago||
TP-Link hardware is decent, if you buy one with OpenWrt support.
jmyeet 9 hours ago||
All these systems are a reflection of the time that they were designed. IPv6 is 30 years old. At that time a lot of threats just didn't exist. One of my favorites is the decision to default to /64 blocks. There was a time when the designers believed that you'd use your 48 bit MAC address as part of this. Now we know that's a PII nightmare and nobody does it. Yet we're still stuck with the 128 bit addresses that came from that.

To your point, IPv6 sought to replace NAT with just having enough addresses but interestingly, that created a problem. If you used NAT and had a service on your computer request a port for incoming connections, that showed intent on behalf of the owner of that service. IPv6 doesn't have that intent, which forces home router makers to block addresses by default because you don't want most PCs on the Internet such that an external agent can scan your PC. You may end up with an unintended service on the open Internet.

So is the bigger address range better? Technically, maybe? But you have to consider defaults and intents of users. And that can take a good technical solution to a bad solution or at least create a whole bunch of problems.

BadBadJellyBean 8 hours ago|||
I don't think this is inherently a problem. It's good for home routers to have sensible defaults. Blocking incoming IPv6 connections is such a thing. Opening a port in the firewall shows the same kind of intent as forwarding a port with NAT. The burden is on the router manufacturers to expose these options in a sensible way. My router for example has a similar UI to forwarding a port with IPv4 and opening the port for IPv6.

Using NAT as a firewall might work but it brings its own problems. I find the IPv6 way better.

lxgr 7 hours ago||
> I don't think this is inherently a problem. [...] My router for example has a similar UI to forwarding a port with IPv4 and opening the port for IPv6.

Glad to hear that you don't have a problem with your router, but how does that relate to GP's problems with theirs?

BadBadJellyBean 7 hours ago||
It isn't. But it's also not an answer to GP.

The solution for them is "get a better router" because the problem is not the IPv6 protocol. Opening a port is not harder than creating a NAT forwarding and if your hardware can't do it then it's bad.

lxgr 7 hours ago||
Exactly, and “there are a lot of bad v6 implementation CPEs out there” is an important data point worth acknowledging.
gucci-on-fleek 8 hours ago||||
> There was a time when the designers believed that you'd use your 48 bit MAC address as part of this. Now we know that's a PII nightmare and nobody does it.

Nobody includes their MAC address in their public IPv6 addresses anymore, but every IPv6 setup that I've seen still gives every device a unique globally-routable IPv6 address, with no NAT at all.

> One of my favorite is the decision to default to /64 blocks.

The nice thing is that a /64 is big enough that clients can just randomly pick any address, and it will almost certainly be available, meaning that you don't need DHCP. This is actually widely implemented, and is known as SLAAC [0].

> Yet we're still stuck with the 128 bit addresses that came from that.

The extra address space only adds 16 bytes to every packet, and it ensures that we will never run out of addresses like we did with IPv4.

[0]: https://en.wikipedia.org/wiki/IPv6#Stateless_address_autocon...
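Added example, not part of any comment in this thread: a check for the MAC-derived (modified EUI-64) interface identifiers that the comments above say are no longer used, so you can confirm that none of your own hosts still expose a hardware address. The addresses in `SAMPLE` are constructed and use documentation prefixes; `eui64_mac` and `audit` are names chosen for this example.

```python
import ipaddress

def eui64_mac(addr):
    """Return the MAC embedded in a modified EUI-64 interface ID, else None."""
    ip = ipaddress.IPv6Address(addr.split("%")[0])   # drop any zone id
    iid = ip.packed[8:]                              # low 64 bits of the address
    # EUI-64 inserts ff:fe between the two MAC halves. A random interface ID
    # matches by chance about once in 65536, so treat a hit as a strong hint.
    if iid[3:5] != b"\xff\xfe":
        return None
    # Undo the universal/local bit flip applied when the ID was formed.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)

def audit(addresses):
    """List (address, mac, scope) for every address that embeds a MAC."""
    findings = []
    for addr in addresses:
        mac = eui64_mac(addr)
        if mac:
            ip = ipaddress.IPv6Address(addr.split("%")[0])
            # Link-local addresses never leave the link; routable ones do.
            scope = "link-local" if ip.is_link_local else "routable"
            findings.append((addr, mac, scope))
    return findings

# Constructed sample, as it might be copied from interface listings.
SAMPLE = [
    "fe80::a00:27ff:fe4e:66a1%eth0",        # EUI-64, link-local only
    "2001:db8:1:2:211:22ff:fe33:4455",      # EUI-64 on a routable prefix
    "2001:db8:1:2:9c3a:51d0:77e2:1b04",     # random (privacy) interface ID
]

if __name__ == "__main__":
    for addr, mac, scope in audit(SAMPLE):
        print(f"{addr} embeds MAC {mac} ({scope})")
```

A "routable" finding is the one that matters for tracking across networks; a link-local finding stays on the local segment.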

inigyou 7 hours ago|||
With current addressing scheme we only have 2^13 times more site addresses than IPv4, which is plenty in absolute numbers, but not necessarily enough for more coarse aggregation, and definitely not infinitely future proof.

Crucially though, if we change it, we just have to change how addresses are allocated, not change the protocol again.

gucci-on-fleek 6 hours ago||
> Crucially though, if we change it, we just have to change how addresses are allocated, not change the protocol again.

Yup, and only less than an eighth of the total IPv6 address space has been allocated [0] [1], so there's still plenty of room to expand, even if we have to throw every current address out and start from scratch.

[0]: https://www.iana.org/assignments/ipv6-address-space/ipv6-add...

[1]: https://datatracker.ietf.org/doc/html/rfc3513#section-4

DaiPlusPlus 6 hours ago|||
> but every IPv6 setup that I've seen still gives every device a unique globally-routable IPv6 address, with no NAT at all.

Mine all have link-local addresses (I do have a real static IPv6 address block from my ISP, at great expense…) - so I’m not sure what I did wrong in my Ubiquiti gear.

gucci-on-fleek 6 hours ago||
A link-local address is required with IPv6, so your devices probably just have that in addition to a globally-routable IPv6 address. This isn't a problem though, since devices have no problem having lots of different addresses on the same interface [0].

[0]: https://news.ycombinator.com/item?id=44773981

lxgr 7 hours ago||||
The point of local networks of a minimum size of 64 bit isn't only to have MAC-based addresses (48 bit would have been enough for that, fwiw), but in general to support non-coordinated/probabilistic self-assignment schemes with negligible collision probability.

Picking a random local address (which is very important for privacy, as you've mentioned) is much easier if you don't have to do an elaborate dance of listen, announce, listen for collisions etc. first (practically that still happens, but collisions are the absolute exception).

> So is the bigger address range better?

Yes, because consider the alternative of re-doing all of this again in a future in which IP usage for some reason jumps by a few orders of magnitude again.

Due to hardware getting better over time, the per-packet cost of a few extra bits is going down all the time, while the cost of rolling out a future IPv7 increases with every new deployed host.

inigyou 7 hours ago||
The best thing about SLAAC is that it forces your ISP to give you at least 64 bits. Otherwise you know Comcast would only give out a /128 and charge you for more, so you'd use NAT at home just like IPv4.
jlokier 4 hours ago||
Unfortunately SLAAC doesn't force upstream to provide a /64 universally.

Some ISPs are reportedly giving out a /128, and SLAAC works adequately with a router performing IPv6 NAT, so those ISPs don't see a problem.

Mobile phone as WiFi access point is another common way people access the net nowadays. I've occasionally seen permanent installations, with a phone taped to a window. I've never seen a mobile phone AP offer IPv6 to clients, but if they do they have to use SLAAC-compatible IPv6 NAT in that situation.

inigyou 3 hours ago||
Well, my phone as access point grants an IPv6 public IP without NAT. There's a stateful firewall somewhere in the chain though.
fc417fc802 8 hours ago||||
> Now we know that's a PII nightmare and nobody does it. Yet we're still stuck with the 128 bit addresses that came from that.

Randomizing the local address doesn't mean it isn't useful. You can't scan a /64 so that's already a major improvement. The fact that randomly selecting a number is effectively never going to collide greatly simplifies automatic network configuration.

The major issue is that the /64 isn't mandatory from a technical perspective. Being merely a subset of the larger address it's nothing more than a convention. In the end not all providers make it available to you even though supposedly they ought to.

If we're going to complain about anything it should be the godawful notation that so easily breaks parsers. Or the fact that the width is massively excessive which creates a usability nightmare due to normal humans not being able to readily recall 128 bit numbers (let alone how long it takes to type them in).

throw0101a 7 hours ago|||
> IPv6 doesn't have that intent, which forces home router makers to block addresses by default because you don't want most PCs on the Internet such that an external agent can scan your PC. You may end up with an unintended service on the open Internet.

Every residential router already has PCP (RFC 6887) and UPnP IGD to deal with the NAT44 nonsense that is the status quo, and both protocols support IPv6 hole punching, so IPv6 default deny as a policy is hardly an issue in the residential space.

MiniUPnPd, which many Linux-based CPEs use, has supported IGDv2 (needed for IPv6) since 2012 (as well as PCP).

CrLf 8 hours ago|
Cloudflare sees over 40%, and it hasn't gone up in the last year even with the overall traffic increase. Personally, as the APNIC article also says about their own observations, I guess the overall adoption is somewhere in between.

https://radar.cloudflare.com/adoption-and-usage#ipv4-vs-ipv6

But we have to remember that this reflects the adoption on the client side. With many high profile services still IPv4-only, the fraction of IPv6 flowing on the public Internet might be much lower.

I wonder what incentives are needed to push this forward, because it's not the same incentives as years ago for sure. We've long since exhausted new IPv4 allocations.

Fabricio20 2 hours ago||
I believe one big anti-incentive is rate limiting, especially nowadays. With IPv4, getting a range ban is somewhat effective; it is way less effective on IPv6 (there's a reason HE tunnelbroker is marked bad nowadays: Discord bots doing music load balancing over IPs on tunnelbroker for pulling YouTube audio data... they ban a /64 but you balance over a /48 or bigger). I believe this was the main reason Discord disabled IPv6 (not sure if that's still the case, but it was back in the day since bans and API rate limiting were IP-based).
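Added example, not part of the comment above and not any service's actual code: a fixed-window rate limiter that counts each IPv6 request against both its /64 and its enclosing /48, so a sender hopping between /64s still runs into the wider budget. The limits, class and function names, and the traffic in `simulate` are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed budgets per window; real values depend on your traffic.
V6_LIMITS = {64: 5, 48: 20}   # IPv6 prefix length -> requests per window
V4_LIMIT = 5                  # IPv4 clients are counted per address

def bucket_keys(addr):
    """Return [(bucket, limit)] for a client address, narrowest tier first."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped:   # ::ffff:a.b.c.d is an IPv4 client
        ip = ip.ipv4_mapped
    if ip.version == 4:
        return [(f"{ip}/32", V4_LIMIT)]
    return [(str(ipaddress.IPv6Network((ip, plen), strict=False)), limit)
            for plen, limit in sorted(V6_LIMITS.items(), reverse=True)]

class PrefixRateLimiter:
    """Fixed-window limiter that counts each request in every tier."""
    def __init__(self):
        self.counts = Counter()

    def allow(self, addr):
        keys = bucket_keys(addr)
        for key, _ in keys:
            self.counts[key] += 1
        # Deny as soon as any tier (per-/64 or per-/48) is over budget.
        return all(self.counts[key] <= limit for key, limit in keys)

    def reset_window(self):
        self.counts.clear()

def simulate():
    """Constructed traffic: one sender hopping /64s, one host in a single /64."""
    rl = PrefixRateLimiter()
    # 30 requests, each from a different /64 inside 2001:db8:aaaa::/48.
    hopper = [rl.allow(f"2001:db8:aaaa:{i:x}::1") for i in range(30)]
    # Same /64, different interface IDs (e.g. privacy addresses): one bucket.
    same64 = [rl.allow(f"2001:db8:bbbb:1::{i:x}") for i in range(1, 9)]
    # An unrelated /48 is unaffected by either sender.
    return sum(hopper), sum(same64), rl.allow("2001:db8:cccc::1")

if __name__ == "__main__":
    print(simulate())
```

The /48 tier trades precision for coverage: where a provider delegates prefixes longer than /48 to each customer, one /48 bucket spans several unrelated customers, so its budget should be set higher than the /64 one.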
kalleboo 5 hours ago||
If we're looking at the portion of traffic, most of the big bandwidth heavy services (the video streaming sites and CDNs) are on IPv6, the long tail of IPv4-only services tend to be lower bandwidth stuff.