I spent a week without IPv4 to understand IPv6 transition mechanisms

312 points by pattyj about 2 years ago

35 comments

thesuitonym about 2 years ago
Everyone always goes with the "You don't need NAT, everything is globally routable!" argument, as if that's something that anybody wants. Everything on my network is going to go through my firewall anyway. I don't *want* anything on my network to be globally routable.

Of course, this is not a good reason to not use IPv6, don't get me wrong. It's a problem that's easy to overcome, I just think it's not a good way to get people excited about the transition.
daper about 2 years ago
I've given a try to IPv6 in a company with a few tens of servers in 2 DCs, an office + additional location, 3 ISPs in total. For me the real challenge is not just a different way to write an IP address or doing NAT. The challenge is that IPv6 changes a lot of unexpected things:

- Our ISPs support IPv6 but routing quality is way worse than IPv4, including occasional inability to connect to some networks or greater latency than IPv4. I had to create tickets with such issues and understood that most probably they just don't have IPv6 BGP sessions to all the upstream providers they connect to.

- How should the VPN (an employee / road warrior setup) be configured, since from the routing perspective you don't need a VPN to connect from your home to the office? Assuming both have a proper IPv6 connection and all devices in the office and your laptop have a globally addressable IP address. An employee can have IPv4 or dual stack at home, while the office is dual stack. Very confusing. Looks like Fortigate also doesn't have an idea and decided to not support such a case.

- You have to be careful with site-to-site VPN since even your internal services like a database are now globally addressable. You really need proper firewall rules / routing policies to not leak unencrypted packets over the internet.

- SLAAC is cool but doesn't provide DNS configuration (there is RFC8106 but is it supported by all OSes?). You need DHCPv6 for that. You have to choose: use only DHCPv6, or SLAAC + DHCPv6, or just rely on the fact that DNS will be provided by DHCP IPv4 in a dual stack setup.

- The way of providing a high availability gateway address in a network is different. You need router advertisement where you can provide priorities. That actually is much better than any other VIP mechanisms (no issue with MAC table updates, etc.) but you need to know that.

- OSPF works a bit differently. For example: there is no authentication in router communication in OSPF itself, you are supposed to use IPSec.

The list is longer unfortunately...
somerandomqaguy about 2 years ago
I've still got some misgivings about IPv6.

Biggest one for me personally is that my current ISP doesn't give a stable prefix. Power outages or firmware updates requiring a router reboot thus can cause the PD to be changed and potentially break firewall rules that are sensitive to the PD. In an absolute worst case, it also means that none of your hosts can reach the internet anymore if for whatever reason they're not updated of the prefix change.

No, the ISP is not supposed to do that. But I don't see them changing this behavior any time soon. Yes there are ways to mitigate (ULA, mDNS, DNS, DHCPv6, etc) but now you're introducing additional complexity that didn't exist before into the network when I keep hearing how IPv6 is supposed to reduce complexity. And IPv6 is complex enough to make my head spin without considering those workarounds.

Other issue I can think of off the top of my head is how to deal with an organization that would require multi-WAN fail over or load balancing? The only solutions I've seen thus far are far beyond my level of skill and budget. I assume also that there's similar problems when asking about a load balancer between multiple gateways to the internet.
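One way to keep firewall rules from going stale when the delegated prefix changes, the failure described in the comment above: store the policy by interface identifier and re-render the rule set from whichever prefix is currently delegated. This is an added example, not part of the thread; the prefixes (from the 2001:db8::/32 documentation range), hosts, ports and function names are constructed, and it assumes hosts with stable interface identifiers on a single /64.

```python
import ipaddress

# Constructed policy: inbound services keyed by the host's stable interface
# identifier (low 64 bits), not by a full address that embeds the ISP prefix.
HOST_POLICY = {
    "::0211:22ff:fe33:4455": {443},   # hypothetical web host
    "::0211:22ff:fe33:4466": {22},    # hypothetical SSH jump host
}


def render_rules(delegated_prefix, policy=HOST_POLICY):
    """Combine the currently delegated /64 with each interface identifier."""
    net = ipaddress.IPv6Network(delegated_prefix)
    if net.prefixlen != 64:
        raise ValueError("example assumes one /64 LAN per delegated prefix")
    rules = {}
    for iid, ports in policy.items():
        iid_int = int(ipaddress.IPv6Address(iid))
        if iid_int >> 64:
            raise ValueError(f"{iid} has bits set in the prefix half")
        addr = ipaddress.IPv6Address(int(net.network_address) | iid_int)
        rules[addr] = set(ports)
    return rules


def inbound_allowed(rules, dst, port):
    """Default deny: only exact (address, port) pairs in the rule set pass."""
    return port in rules.get(ipaddress.IPv6Address(dst), set())


def stale_rules(rules, delegated_prefix):
    """Rules whose address lies outside the current prefix (dead after a PD change)."""
    net = ipaddress.IPv6Network(delegated_prefix)
    return sorted(str(addr) for addr in rules if addr not in net)


if __name__ == "__main__":
    old_pd, new_pd = "2001:db8:aaaa:1::/64", "2001:db8:bbbb:1::/64"
    rules = render_rules(old_pd)
    print("stale after renumbering:", stale_rules(rules, new_pd))
    rules = render_rules(new_pd)      # re-render on every prefix change
    print("stale after re-render:  ", stale_rules(rules, new_pd))
```

Running `stale_rules` against the live prefix after each router reboot is a cheap check that the rule set still refers to addresses the network actually uses.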
bityard about 2 years ago
Question from a (relative) IPv6 newbie that wasn't addressed in TFA:

Let's say I have a very small home lab. I have a handful of hosts that get their IP addresses via DHCP from my router. In the router, DHCP and DNS are tightly coupled such that the router essentially always knows the MAC address, IP address and hostname of each device.

Now I want to run IPv6 on this network as a first-class citizen. Since DHCPv6 is apparently frowned upon by v6 purists, and not all devices on my network support it, that leaves SLAAC. My understanding of SLAAC is that each node essentially picks its own globally unique IP instead of asking a router for the IP. My question then is: is there some standard for the DNS server on the router to somehow know the v6 IPs of the hosts on the network so that it can automatically create the right A records?
sp0ck about 2 years ago
My experience with IPv6. I have the option to enable full dual stack with my ISP. After doing this I noticed that YT/FB/Google were significantly faster, however my kids started complaining that some games began to have connectivity issues. Minecraft has problems starting. On a number of sites load time was noticeably longer. Switching off IPv6 as an experiment on one of the kids' PCs solved all issues. My conclusion is that it is not worth enabling IPv6 and spending time diagnosing constant issues with random pages and services.
speedgoose about 2 years ago
Why should I spend the time and energy to deal with IPv6 when disabling it fixes many issues? The listed advantages are not worth the trouble in my experience.
superkuh about 2 years ago
> There seems to be a lack of drive (judging by forum posts) to enable IPv6 on internet services by admins, either because they don’t care to, or it’s more work to manage a public IPv4 and public IPv6 presence

If you run a mailserver adding ipv6 support is far more risk to your domain's mailserver reputation than it is worth. And if you're just a human person and not a megacorp that new ipv6 address, even if it doesn't immediately hurt you, will take a very long time to get accepted, longer than an ipv4.
jeroenhd about 2 years ago
My experience with IPv6 is that routing generally goes faster and the network breaks down less. The statelessness of it all just makes it work.

The fight between your average video game and NAT has caused me so many problems over the years (including port forwards to *receive traffic* because whatever NAT punching mechanism the game used didn't work).

Running dual stack does cause some weird debugging ("why can't my laptop connect to github while everything else works? Oh, DHCP broke") but that's mostly because of problems with the IPv4 part of the network.

I think going IPv6 only isn't the way, not yet anyway. DS-Lite seems to be working fine as a replacement, though: CGNAT for IPv4 and normal IPv6 for real connectivity. Full fat dual stacks would be better, but realistically I don't think that's going to be brought to the masses.

For hosting stuff, not having to remember what SSH port maps to which server in my home lab is a nice addition. Being able to directly reach LXC containers is also quite useful, as is using separate addresses for individual hosted services.

I don't know why everyone here has such terrible ISPs. Unstable IPv6 prefixes, broken routing, weird custom allocations, your ISPs all seem so cursed! No wonder people are so mad at IPv6, your ISPs are sabotaging your internet.
j1elo about 2 years ago
Microsoft's GitHub Actions (continuous integration) runner machines do not have IPv6, and cannot be used for things like unit tests that require an IPv6 network interface for whatever thing they are testing.

Add that to the list of thousand cuts.
soebbing about 2 years ago
I am quite happy that all those shady IoT devices cannot be reached from the internet directly when I am using IPv4 and NAT - what would be the best way forward to keep it that way in an IPv6-only future?

The best idea I can come up with (at least right now) is: put all less trustworthy (read: Closed source) devices into a special legacy IPv4 network and only use IPv6 on my workstation and little Raspis?
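The property described in the comment above, that a device nobody has opened a port for cannot be reached from outside, is what a stateful default-deny forward policy on the router provides for globally routable IPv6 addresses. Added example, not part of the thread: a small Python model of such a policy, with no address translation involved; the class, method names, addresses (documentation range) and ports are constructed.

```python
import ipaddress
from dataclasses import dataclass, field


def _ip(addr):
    return ipaddress.IPv6Address(addr)


@dataclass
class StatefulForwarder:
    """Models a router forward chain: track outbound flows, deny inbound by default."""
    lan: ipaddress.IPv6Network = ipaddress.IPv6Network("2001:db8:1:1::/64")
    flows: set = field(default_factory=set)      # (lan_ip, lan_port, remote_ip, remote_port, proto)
    pinholes: set = field(default_factory=set)   # (lan_ip, port, proto) opened on purpose

    def allow_inbound(self, host, port, proto="tcp"):
        """Explicit, per-host exception; everything else stays closed."""
        self.pinholes.add((_ip(host), port, proto))

    def forward(self, iface, src, sport, dst, dport, proto="tcp"):
        """Return the verdict for one packet arriving on iface ('lan' or 'wan')."""
        src, dst = _ip(src), _ip(dst)
        if iface == "lan":
            if src not in self.lan:
                return "drop"                    # source not from this LAN
            self.flows.add((src, sport, dst, dport, proto))
            return "accept-new"                  # outbound is allowed and remembered
        if src in self.lan:
            return "drop"                        # LAN source arriving on WAN: spoofed
        if (dst, dport, src, sport, proto) in self.flows:
            return "accept-established"          # reply to a flow a LAN host started
        if (dst, dport, proto) in self.pinholes:
            return "accept-pinhole"
        return "drop"                            # unsolicited inbound


if __name__ == "__main__":
    camera, cloud, scanner = "2001:db8:1:1::c", "2001:db8:ffff::443", "2001:db8:bad::1"
    fw = StatefulForwarder()
    print(fw.forward("wan", scanner, 40000, camera, 80))    # unsolicited
    print(fw.forward("lan", camera, 50000, cloud, 443))     # camera phones home
    print(fw.forward("wan", cloud, 443, camera, 50000))     # reply comes back
    print(fw.forward("wan", scanner, 443, camera, 50000))   # wrong peer, same port
```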
TekMol about 2 years ago
I still think IPv6 can be safely ignored.

This article's section "here are some reasons you should start using IPv6 within your own network" seems to confirm this. None of the 6 "reasons" speak to me.
czbond about 2 years ago
Great idea. Now a question for the group.

What are the non-network team business benefits to IPv6 over v4? That is what drives adoption.
dan1234 about 2 years ago
I'd love to embrace ipv6, but my ISP's official line, for as long as I can remember, is 'planning it, details to come'.

I don't expect them to move forward on it until significant sites become ipv6 only as they've admitted that they have more than enough ipv4 addresses for their subscriber base, so there's very little incentive for them to do anything atm.
ajross about 2 years ago
> You should stop thinking of NAT as a security mechanism and think of it as the emergency address exhaustion prevention that it is.

I hate this attitude. This is isomorphic to saying "stop thinking of system call interfaces as a security mechanism and think of them as an address space sharing mechanism". It's not *technically* wrong, but it's wrong in practice.

Even the most naive NAT can't misroute an inbound packet. If you have an internal host and it doesn't talk to anything outside the firewall, then no one else can reach it. They have no name for it, the packets won't go. You get this even if you don't understand how it works. You get this even if the *router* has no idea about the host.

Give everything a unique address and now the router needs to know who is safe and who isn't. That's a decision point that requires configuration by human beings, and human beings get stuff wrong.

No, NAT is your friend. Use NAT. Use it even if you're an IPv6 nut.
skywhopper about 2 years ago
From my POV, IPv6 overshot and tried to solve too many non-problems while addressing the only real issue with IPv4, the address space. That fact alone explains the relentless failure to adopt IPv6, because it’s not just a matter of adopting IPv6. Nearly every assumption about networking changes, all the tooling is different, and the risks and concerns are all changed. There was an easier path to follow, but we missed that chance 20 years ago, and now we’re likely stuck with a dual stack mess for the rest of our careers.
NegativeK about 2 years ago
> There seems to be a lack of drive (judging by forum posts) to enable IPv6 on internet services by admins, either because they don’t care to, or it’s more work to manage a public IPv4 and public IPv6 presence

Yup. I work at a large, complicated infrastructure organization. Our firewall guy has a lot on his plate. Having him manage the security concerns for IPv4 and IPv6 is a bad idea when considering the tasks we have and the labor available. Similarly, having the networking team implement IPv6 on top of their already significant projects results in less time available to do other things.

I look forward to the day when IPv6 is easy and universal, but I can completely understand why many admins aren't bothering.
screamingninja about 2 years ago
The IPv6 transition is challenging because it requires coordination and cooperation from many different stakeholders, including site admins, CDNs, network designers, and device manufacturers. However, as the author realized, IPv6 is ready for prime time and offers significant benefits over IPv4. Looking forward to the transition to IPv6 to unlock its full potential for a more secure, efficient, and connected internet.
jhoelzel about 2 years ago
I have built a couple of dual stack Kubernetes clusters already and they work much better to be honest. Most of the problems are solved and especially for node-based-ranges it works really well. Even in ipv6 only mode calico will manage amazingly and so do my OpenWRT routers.

HOWEVER,

My ISP regularly messes up with its ipv6 routing (Deutsche Telekom, so as big as it can get for me) and if that's not the problem, the mesh networks on my (current gen) fritz networking equipment (very widely used in de) eats itself and sometimes just routes my traffic to nirvana.

This is especially bad with online gaming services like xbox live, who for the love of themselves don't have a fallback to ipv4 implemented, once ipv6 drops. "i have an ipv6 so I'm gonna use it no matter what".

Therefore I have dual stack vpns hooked up to my office network which connect to the datacenters I am using. My private network is ipv4 and sadly will remain like that for a while.
MagicMoonlight about 2 years ago
We should just make an IPv5 which takes a current address: 216.3.128.12 and makes it 0.0.0.0.216.3.128.12

So any address of the current length you just treat it as if it has zeroes in front, otherwise you use the longer length which allows for many more addresses. Problem solved.
redog about 2 years ago
I think ipv6 could happen if subsidized for long enough.

Something like, I'll-sell-you-my-v4-blocks-at-a-later-date-forfreeipv6-bandwidth-today-as-a-service ...

Re-Send them nostalgic AOL CDs as the advertising...
trabant00 about 2 years ago
It's been ~10 years since IPv6 became "ready for prime-time" and I wouldn't touch it unless I absolutely have no other choice. In practice you are going to run into bugs and problems at every level, from client software to the OS networking, your router, your ISP, their ISP, their router, their server and so on and so forth. I absolutely support other people using it to iron out all the kinks, so that I can finally do it without headaches in 10 more years.
shmerl about 2 years ago

    ping6 news.ycombinator.com
    ping6: news.ycombinator.com: Address family for hostname not supported

And it's not even the worst possible example. Try github.com.
cooljacob204 about 2 years ago
I recently upgraded my lab and network to support IPV6. I wish I had waited two weeks so I could have read this first.
Steltek about 2 years ago
> The biggest hurdle to implementing IPv6 on your own isn’t usually ISP support, router support, or client support.

I'm fully ready to start using IPv6 but my packets won't get past my antiquated ISP. That seems like a pretty big hurdle, no?
orcajerk about 2 years ago
There's a reason most haven't moved to ipv6. ipv6 is a solution looking for a problem. What we really need is an ipv7 that takes the best of ipv4 and ipv6 instead of trying to force ipv6 down a reluctant user group.
1970-01-01 about 2 years ago
My #1 gripe with IPv6 is that it is too big. You never ever will use all the octets.
dmuth about 2 years ago
If you want to test to see if you're successfully sending out IPv6 traffic, I have an endpoint for that:

https://httpbin.dmuth.org/ip/v6
amrb about 2 years ago
He also has a video for the topic https://www.youtube.com/watch?v=e-oLBOL0rDE
homero about 2 years ago
Many cell phone networks are always ipv6 using xlat
arka2147483647 about 2 years ago
Whenever I read these ipv6 discussions, I can't help but think there is a huge disconnect between users and designers of ipv6:

- Designers think globally routable internet is a huge achievement

- Users just want to hide their devices from the hellscape that is modern internet, with all its threats

These are fundamentally different approaches
bittermandel about 2 years ago
Are there any risks of nodes assigning the same IP if there's no central DHCP?
clarge1120 about 2 years ago
Hahahaha! 'd69:beef:cafe:feed:face:6969:0420:0001'
AtlasBarfed about 2 years ago
"although software support is virtually a requirement these days"

Whose fault is this again?

-------------

"- IPv6 is absolutely ready for prime-time and has been for awhile

BUT

"- About half of the internet sites I rely on support IPv6 natively, so there needs to be more pressure on site admins and CDNs to support IPv6 natively"

That is a contradiction.

-----------

"There seems to be a lack of drive (judging by forum posts) to enable IPv6 on internet services by admins, either because they don’t care to, or it’s more work to manage a public IPv4 and public IPv6 presence"

Again, whose fault is it that it's so hard? What is the payoff for the extra work?

-----------

- Networks should be designed IPv6-first instead of IPv4-first, and this design approach largely solves most of the major issues

K thanx, but that's not the way virtually every company works. Mayyyyybe a startup? This is unrealistic.

-----------

"Other operating systems are bit of hit or miss"

so... IPV6 is NOT NOT NOT ready for prime time, is that what you are saying?

-----------

What dream world are the ipv6 people living in?

I love this. Who should be implementing ipv6 stacks in OS's? Probably ipv6 people, but ... where are they again? The amount of blame is crazy.

A protocol switchover of this magnitude is about outreach and assistance. The ipv6 crowd has NEVER displayed that, just arrogance, dismissal, and waited for things to get "so bad" in ipv4 that it transferred.

Which is why ipv6 people HATE HATE HATE NAT. It has delayed their grand moment by decades.

...

In an ideal world, the ip++ protocol would have been easier, not harder. Blog posts wouldn't be victim blaming, throwing around NAT64, 464XLAT, DNS64

DNS64 kills me. Why is there a totally different service for ipv6? Isn't DNS just a key-value store? People put all types of crap into DNS, including, I believe, ipv6 addresses.

Why isn't there a DNS record type that basically lists both an ipv4 and ipv6 for a name, along with negotiation information? Might that make transition a lot easier? Maybe it does, but it isn't in this article.

Just ... all the same problematic attitudes, no progress on issues, my way or highway, and denial.
olddustytrail about 2 years ago
> Addresses are 128 bits long and written as 8 four-letter hex blocks separated by colons (i.e. fd69:beef:cafe:feed:face:6969:0420:0001)

I suspect you mean "e.g." rather than "i.e."
saul_goodman about 2 years ago
"Apple has excellent IPv6 support on their devices, fully supporting automatic configuration of 464XLAT on devices with NAT64, and overall an excellent attitude to forcing IPv6 support from developers"

Other operating systems are bit of hit or miss"

My iPhone works, what's wrong with the rest of you for not doing this??!!

But in all seriousness, I think this will be a security nightmare for quite a while if there is some forced conversion to ipv6. I realize IPv6 wasn't created yesterday, but I assume it's got plenty of security holes waiting to be discovered until I see otherwise. The only way you are going to see it be used by end-users is if the various *nix distros roll out IPv4-less images. Same for Windows/etc. Otherwise you are begging for a security nightmare of epic proportions with software that is accidentally using the wrong stack by default, firewalls not filtering anything as expected, etc.

And who thinks it's a good idea to make all the things globally accessible? It's an internet of shit out there already, this would make it even worse.