I gotta say don't sleep on this article thinking it's just another article about IPv6 adoption stats.
There's a lot of interesting thought in the second half about what the Internet fundamentally is and where it's going. The author argues that the use of TLS and SNI has fundamentally changed the internet from a number based routing network to a network based on DNS names and SNI where the numbers involved don't really matter anymore.
> Where is this heading in the longer term? We are pushing everything out of the network and over to applications. Transmission infrastructure is becoming an abundant commodity. Network sharing technology (multiplexing) is decreasingly relevant. We have so much network and computing resources that we no longer have to bring consumers to service delivery points. Instead, we are bringing services towards consumers and using the content frameworks to replicate servers and services With so much computing and storage the application is becoming the service, rather than just a window to a remotely operated service.
I have even implemented an IPv6-Only network. It fully works, including accessing IPv4 only websites like github.com via DNS64 and NAT64 at my router.
The only practically useful thing about my IPv6 enabled network is that I can run globally routable services on my lan, without NAT port mapping. Of course, only if the client is also IPv6.
Other than this one use case, IPv6 does nothing for me.
It doesn't work from most hotels, nor from my work lan, nor many other places because most "managed" networks are IPv4 only. It works better at Cafes because they are "unmanaged" and IPv6 is enabled by the most common ISPs, like ATT and Comcast and their provided routers.
Based on this experience, I think IPv6 is less valuable than us HN audience thinks it is. Private networks, NAT, Carrier Grade NAT are good enough, and internet really doesn't care about being completely peer-to-peer.
I think the adoption rate reflects this--it's a linear growth curve over the last 25 years. It should have been exponential.
I think cost of IPv4 reflects this--it is now below the peak, and has leveled off.
As surprising as it seems, IPv4 exhaustion has not been a serious problem. Internet marches on. IPv6 is still a solution looking for a problem, and IPv4 exhaustion wasn't one of them.
I recently moved to a 'cheap' ISP because I could get double the speed for half the price. They use CG-NAT and it's been awful.
I don't need to forward any ports but seemingly because I share an IP with a billion people I get Captchas everywhere (Google, Cloudflare etc.). I was even blocked from accessing Reddit without an account at some point.
The main problem I had when I was on CGNAT was not so much port forwarding (annoying, but solvable), but with being banned from all sorts of stuff. The address is shared with so many people and one person did something stupid or whatnot. Sometimes you don't even know if you're banned or not.
For better or worse, IP blocks are still very common. It's easy to complain about this, but there aren't really any good methods to deal with persistent abuse.
Have you tried using PCP to forward the port? I was under the (maybe-incorrect, and if so I would really like to learn) impression that most major CG-NAT setups supported it.
If it was a real problem, market pricing would reflect the increasing severity of that problem.
The truth is that people who care about port forwarding are such a small minority -- especially now that P2P file sharing has lost its hype -- that they don't make a visible dent in the rate of IPv4 exhaustion.
The market price is only something like 5 or 10 dollars a month, but anyone having to pay that to be accessible is an embarrassing failure of the system. It doesn't matter whether it's a big dent in the number of IPs or not.
There are billions of people out there who can access the internet, and make themselves accessible through the internet the way they want, just fine without a dedicated IP address.
Maybe you have a definition of "access" that is different from the usual one. That's fine, but let's be honest, it's not the usual definition.
The truth is that major cloud providers such as Amazon AWS have begun to charge [more] for static, routed IPv4 addresses.
Last I checked (a few years ago, I suppose), AWS APIs were incapable of using IPv6 internally, so a VPC still needed to dual-stack it in order to use AWS cloud features. That may have changed by now.
If they had increased prices in 2022 (or at least announced in 2022), then I could see some kind of correlation, but give it was 1.5-2 years after, I doubt there is a connection.
I had to reluctantly deploy ipv6 on my home network because of ISP requirements + will to use pihole.
Ipv6 is hard. I had to learn quite a bit to make it work and not only I see no value, but it is significantly more difficult to use dire to the address length.
I think IPv6 is a missed opportunity, it was probably designed by experts that did not take into account the population that will use it (not the one users who do not care, but the layer above them)
My ISP is the French "Free". They provide a router that is difficult to swap with my own (it is possible, but it is way easier to switch it to a bypass mode). With this router comes a TV box that requires IPv6 to work.
When I replace DHCP/DNS with Pihole I need to account for that. While this is not a complex setup once you understand IPv6 you still need to learn it.
I work in IT so I tried to get myself to IPv6 several times but never had any reason to do so (despite self-hosting a lot and generally being a nerd). I had to do that this time and my uninformed opinion is that it could have been done so that it is much simpler for advanced users (but not yet networking experts)
I struggled to get IPv6 running on my home network, then had issues with DNS dual stack once I got it going, so I turned it off.
That said, I think the difficulty of IPv6 is in the UI of the home routers that implement it, and a lack of sane defaults.
The ISP should give every SOHO/residential customer a /60. The router of a simple IPv6 should do prefix delegation. The router should default to SLAAC for local IP addresses, and configuring DNS with Router Advertisements. And residential routers can be set up to have an internal DNS server which populates the ".internal" domain with hostnames from the network.
As a network admin, you have to learn new things like the uses of IPv6 multicast, and ND, the lack of ARP, and some other things. Home users shouldn't have to care about that.
>The ISP should give every SOHO/residential customer a /60.
The ISP should give every residence 295 quintillion IPv6 addresses? I know there is an abundance of ipv6 addresses but that seems like a lot of waste.
Even assigning a /96 would provide 4.3 billion ipv6 addresses (which is the same number as all ipv4 addresses in existence)
And since available ipv6 space is basically 4.3 Billion^2, assigning an ipv6 /96 would be like assigning a /32 in ipv4 terms of total ipv6 space utilization.
Like other person said, /64 is the minimum subnet size. And submitting in ipv6 is best done 4 bits at a time. A /60 is overkill for residents, but because it gives 16 subnets, not because it gives excessive addresses.
> Private networks, NAT, Carrier Grade NAT are good enough, and internet really doesn't care about being completely peer-to-peer.
CG-NAT adds a cost that not everyone can easily afford:
> We learned a very expensive lesson. 71% of the IPv4 traffic we were supporting was from ROKU devices. 9% coming from DishNetwork & DirectTV satellite tuners, 11% from HomeSecurity cameras and systems, and remaining 9% we replaced extremely outdated Point of Sale(POS) equipment. So we cut ROKU some slack three years ago by spending a little over $300k just to support their devices.
> First off I despise both Apple and that other evil empire (house of mouse) I want nothing to do with either of them. Now with that said I am one of four individuals that suggested and lobbied 15 other tribal nations to offer a new AppleTV device in exchange for active ROKU devices. Other nations are facing the same dilemma. Spend an exorbitant amount of money to support a small amount of antiquated devices or replace the problem devices at fraction of the cost.
> internet really doesn't care about being completely peer-to-peer
Internet (I mean, the IETF) does care a lot about the end-to-end principle, however. It is true that "misbehaving" NATs break e2e badly. It is also true that IPv6 can also be put behind such NATs.
> I have even implemented an IPv6-Only network. It fully works, including accessing IPv4 only websites like github.com via DNS64 and NAT64 at my router.
What did you use to implement that? I found it surprisingly difficult to find software to do NAT64 on Linux.
Fun reasons why my home network is still on IPv4: IPv6 drains my girlfriend's phone battery :-)
Something to do with Router Advertisement intervals being too short, though I don't get why that only affects her ~5yo android phone. And IPv6 is so complex, I haven't figured out if the RA interval is something I can or should tweak, whether that comes from the PiHole or whether I'd have to flash OpenWRT on my router, or whether my ISP ultimately controls that upstream. Like, I can't figure out as easily where the boundary between me and "the internet" ends with things like the /64 prefixes and SLAAC and RDNSS and all the other acronyms.
Yeah, yeah, I should RTFM, and eventually I might figure out what makes a "good" home IPv6 network. But I can't be arsed to do that in my free time yet, and neither can most software companies cough cough Google/Android and that one guy causing IPv6 drama in the android team
Like.... Ehhh... I'll come back to it in a few more years. "Are we IPv6 yet?"
I have an Android on my IPv6 network with no issues, and this is across several different router vendors with different defaults for RAs. Maybe it's not an IPv6 issue and you're barking up the wrong tree?
CGNAT would cripple every customer I've ever had, going back to the beginning of broadband. Everyone one has had something on-premises that needs to be accessible. Nearly always, it's multiple things that are critical to operations.
However. if someone wants to forever keep 100% of their accessible data in someone else's silos...
and be forced to pay 3rd parties to access anything located on their own premises (ex:cameras)
then imprisonment behind CGNAT might feel 'good enough' to them.
No longer needing NATs in many situations, especially CGNATs, ISPs could give all customers static ip addresses, and peer to peer applications wouldn't need to use unreliable workarounds like STUN to traverse NATs
People posting have mentioned that IPv4 is working for what they use the internet for. But of course it is. When NATs has been required for your whole life, how could the internet have built features that needed p2p routing? Just convince businesses to build something that requires special router configuration? And still wouldn’t work on phones or with ISPs that require CG NAT? You got what worked out of the box. You obviously couldn’t use what didn’t exist.
Even if NAT will be gone one day, the stateful firewalls won't. Every every home router would still ship with "deny all incoming" by default, and every
corporate network would have the same setting as well.
Same as IPv4, IPv6 serving would still need registration with border device, either manual by user, or via UPnP-equivalent.
UDP hole punching works when you don't have symmetric NAT. So e.g. voice and video calls don't need a proxy and can be higher quality. You only need a third party to locate/signal your peer.
"everything gets a global IP, no more NAT headaches" was one of marketing talking points for IPv6. Not necessarily the case nor welcomed by everyone, but that was the intent.
Wide scale deployment of NAT (the "home router" that allowed you to connect multiple devices) was the greatest leap in internet security we ever made. I remember the days when we had "everything gets a global IP," and we do NOT want to go back to that. Look up Conficker, Code Red, Blaster, etc.
People naively assume the large IPv6 address space somehow hides your computer on the internet. That isn't true. Both because v6 host discovery is a solved-ish problem for attackers, and worms have near unlimited resources to throw at the wall.
I can do more with the Internet today than I could with a static /22 assigned over my ISDN BRI back in the mid-1990s. A lot of things I would do back then, I would do differently today; running a chat system by connecting directly out to 6667/tcp feels pretty silly now, for instance. It's rough to build protocols that work that way today, but you're not missing much. Things were not better before the advent of presumptive NAT.
China's IPv6 transition is 74% complete.[1] Conversion to IPv6 was specifically called out in China's 14th Five Year Plan, which gives the goal high visibility within the government and the Party. Conversion is quite far along. The current goal is everything IPv6 enabled by 2025, IPv4 turns off in 2030.
99% of the top 100 mobile applications in China are on IPv6.
China Mobile's backbone is now IPv6 only.
The IPv6 transition is a side effect of China building their own internal "internet" from the ground up that will not be connected to what we think of as the internet. "Turning off IPv4" is code for shutting off the DFZ and users only being able to reach other networks within the country.
We should absolutely not be pointing to this as a success or a model for other countries.
India is also around 75%. Both of them cover quite a bit of humanity. The regions where growth is going to happen don't own a lot of blocks so they will focus on IPv6.
The original “end-to-end” architecture of the Internet assumed that every device was uniquely addressed with its own IP address [...]
That may indeed have been an assumption of the original architecture, but it's orthogonal to the end-to-end argument in Internet design, which is about moving logic out of the network entirely and into applications (more precisely, about recognizing that the boundary between network and application is productively debatable, and had, up to the point where Saltzer and Clark and Reed wrote the paper, been defaulting too much towards the network). An end-to-end-architected networking application can be oblivious to its addressing, or even the network layer below it.
If anything, my intuition is that the unreasonable effectiveness of CGNAT --- which is exactly what Huston is writing about --- is strong evidence that the end-to-end paper was deeply correct.
Isn't the encoded assumption here is that clients rarely act as servers? This may be either because that's outside the typical use case or because providers explicitly do not want them to, but this factor is the reason CGNAT can be viewed as "effective."
End-user retail endpoints can still act as servers, but the way you have them to that in 2024 is different (and yes, more complicated) than it was in 1996.
If the US had the same IPv4 scarcity as the rest of the world (specifically, if major US ISPs were using CGNAT), the IPv6 transition would be happening much faster.
That's probably true for consumers. For large, global corporations, IPv6 is a million miles away. I've worked with several, and they all have poorly managed kit, vulnerabilities everywhere, poor documentation/diagrams, poor performance, millions of firewall rules, tons of vendors to connect with, outsourced wireless vendors, remote access solutions that are a byzantine security mess, ... IPv6 is suicidal for most large organizations beyond ok we can speak IPv6 for a small part of the infrastructure. Add to this the recent deluge of VPNs everywhere (probably due to WireGuard) and container networking, IPv6 would be a recipe for disaster. Security is difficult in this scenario, in part due to the people implementing this stuff don't have a good handle on what they are doing.
> In 2024 it’s estimated that 20 billion devices use the Internet, yet the Internet’s IPv4 routing table only encompasses 3.03 billion addresses … sharing each individual IPv4 address across an average of 7 devices.
…but the graph below that text shows 40% of traffic is IPv6, so the v4 space is only shared across 12e9 devices?
In my experience the big holdouts these days are corporate networks. All my domestic ISPs (cell, home, data centre) provide IPv6 and most devices use it by default. Meanwhile at the office we’re struggling to bring up a new internal service because our v4 IPAM is a legacy mess where the most you can calve off is a “class A” /27.
The types aren’t exclusive. In the US most ISPs are dual stack. That 60/40 split pretty closely aligns with traffic stats a dual stack operator sees in their network.
Last time I called Virgin media to get from the loyal customer (extra high) rate to something closer to what new customers get they just said no.
I switched to Vodafone which is cheaper and double the speed and got me IPv6.
I think it might just be Virgin sitting on a large amount of IPv4 addresses and not wanting to spend any money on supporting v6 when they can just overcharge their loyal customers.
Virgin neé ntl: has always been complete trash. Are they representative of UK ISPs in general? BT and Sky completed their v6 rollout years ago and they account for over half the market.
When I was in Cambridge Virgin Media used to throttle to dial-up speeds at peak times. Meanwhile, I was still getting advertising leaflets from them through the door trying to sign new people up. Active fraud selling people a service you know you can't provide, and had no timeline to fix.
On the upside, a lot of the UK is getting small fibre companies rolling out 1G symmetric lines all over the place now. I've got that in my new place and it's been great (IPv6, CGNAT IPv4 by default but you can pay £5 for a static IPv4 too).
Both BT and Sky are fully IPv6, many altnets are too, it's actually Virgen Media that is the problem in the UK. In the case of Sky they are now running MAP-T and starting the transition to IPv6 only.
Weird that you have to do an extra step for IPv6. Other ISPs in Germany have enabled it for every customer at some point. Unless your router asks for IPv6 addresses, nothing really changes anyway. So maybe just enable IPv6 on your router and see what happens?
On a side note, there seem to be ways to get out of CGNAT when you got condemned to use it: It is sometimes an annoying source for client VPN instabilities and from what I heard, users can just ask to be switched over from DS-Lite to classic dual stack to improve application compatibility.
The internet stopped being a network of peers where everyone needed an address and is now a split into producers (a handful of large companies) and consumers (everyone else).
The consumers are not expected to need a public address where they can be reached - in fact, having a public address is actually a security and privacy risk.
> in fact, having a public address is actually a security and privacy risk.
I strongly disagree with this. Privacy (not that it's a big deal imo) is well handled by the temporary address extension, and security is not an issue if you run a firewall. And you should be running a firewall even if you use v4, because NAT is not an acceptable security measure.
Only CG-NAT provides any semblance of "privacy" from the perspective of the outside world, but is a hideous technology that shouldn't exist.
Normal NAT as seen with home internet routers provides zero privacy, because you still have a predictable public IP.
People also think that IPv4+NAT provides security, but IPv4 is such a tiny address space that all public IPs are scanned daily by various malicious bots. Meanwhile IPv6 is so enormous that unless you register your address in some public way, you're completely invisible to port-scanning bots by default!
I have a friend who works in the networking division of a telco in my country, their team had to spend significant time and effort educating a PM who was dead-to-rights convinced that IPv6 was “less secure” and seemed to think that IPv6 didn’t have subnets and that NAT’s were the same as firewalls and refused to be convinced otherwise.
People like that make any forward progress extremely difficult.
That was in fact one of the promises of IPv6: Restore the network of peers where every host is in principle a server and a client and communication between peers is unhindered unless a policy is enforced saying otherwise (on the machine, on a firewall, etc.).
> having a public address is actually a security and privacy risk.
Services can be turned off or a firewall instructed not to pass traffic from the internet (by default). That represents exactly the same attack surface as having a service enabled and nobody being able to get to it from the internet because of NAT.
The privacy risk is mitigated by RFC4941 "Privacy Extensions for Stateless Address Autoconfiguration in IPv6". Granted that does not deal with the (delegated) prefix staying the same and when there are only one or very few users in that prefix, some individual behavior could be inferred. Because of that at least in Germany we have the peculiar horror of getting the IPv6 address and all delegated prefixes changed on every redial. That eliminates all privacy concerns while also continuing to make residential internet connections useless for hosting any services.
Anyway. The internet is already way down the road of functioning only as the delivery conduit for a few cloud / service providers mediating all user communication and access to content.
> in Germany we have the peculiar horror of getting the IPv6 address and all delegated prefixes changed on every redial.
This is oh so very German.
In normal times it is massively overkill. I have to wonder if, heaven forbid, the things these sort of German things are meant to mitigate come to pass again if they will make any difference or if they are a largely symbolic act designed to demonstrate ideological opposition to such things.
This seem to be common. My RSP (ISP) only offers a fixed IPv6 address/prefix on request -- otherwise they will just allocate one out of their pool as they do for dynamic IPv4 (although both dynamic IPv4 and IPv6 is fairly sticky so normally DHCP/PPPoE connections will get the same address previously used as long as it hasn't been reallocated). I personally have a static IPv4 address and a static IPv4 address/prefix from my RSP for my home network.
> The consumers are not expected to need a public address where they can be reached - having a public address is actually a security and privacy risk.
100% of consumer routers and OS level firewalls deny new inbound connections by default. There are upsides and downsides to static vs dynamic ISP-provided addresses, but the only difference between IPv4 and IPv6 in this regard is that IPv6 has a vastly larger address space and offers an ISP far more capacity to randomize a customer's host address for a far lower cost than IPv4. CGNAT is available for 4 or 6 if such is desired.
When AWS started charging for IPv4 addresses I started switching to IPv6. I spent a few days getting it all up and running. I thought it was OK but my router kept crashing every day, then I noticed I can't get working from some places like my office. Gave up, never again its just not worth it. I moved to another hosting service that didn't charge.
Asus routers still ship with IPv6 disabled by default, to this day. It makes perfect business sense, as everything still works just as well with v4 but single stack is less complexity so less support costs, etc. I’ve been running my home LAN dual stack for close to a decade, so I have native v6, but then on the other hand I ignore it for my networking stuff, ie I only set an A record in my dynamic DNS and never bothered figuring out how to make phoning home from other networks work over v6. It’s just not a priority and my lack of deep v6 knowledge would make it likely less secure.
I’ve often wondered if going with 64-bit addresses with a dotted quad hex notation would have eased the roll-out. I remember a lot of resistance when IPv6 was first announced along the lines of “I can’t memorize/type in giant addresses and I don’t want to have to use DHCP and DNS everywhere.” It felt like IPv6 never recovered from a bad first impression.
I'm not sure I've ever heard this view expressed by serious, competent network engineers. I have heard it a lot from the home hobbyist though, but I'm not sure how much that demographic matters in the grand scheme of things.
I also find it really weird as the killer (only?) app for IPv6 is that home hobbyists can run servers with low overhead!
Additionally, like a sibling comment notes, a home hobbyist has full control over at least half, often more, of their addresses and can easily choose addresses for their network that are as short or shorter and easier to remember and organize vs a v4 network where you have no letters to work with much more strict subnet size rules, etc.
IPv6 is a dream for home hobbyists! The complaining from them about “unmemorable” addresses just makes no sense.
Serious, competent network engineers are not created in vacuum from platonic ideals and TCP fragments. They're home hobbyists who grew up hating ipv6, and won't magically learn it overnight when their previous networking guy quits and they get handed the keys to the server cage
In the real world, people who design and operate large networks are the very same people who staffed the working groups who designed IPv6. It's their design.
A key aspect of IPv6 is that the address space is big enough that 'carving it up' for subnets is dramatically simpler even at the largest scales. You don't need to be frugal with network sizes, and you don't need central coordination to avoid conflicts. This is huge!
E.g.: If I want to deploy a cloud VPC (or vNET), then I have to go find "the guy with the spreadsheet" and peel off a tiny(!) private IPv4 address space. If he's away from his desk or on holidays, my 1-minute automation script will now take 1-10 working days until he's back and responding to requests. With IPv6 this just disappears as a bottleneck.
The vast majority of ip4 only networks are enterprise, that’s where I hear the complaints from. The people who say autoconf (dhcp etc) is bad and that dns is bad.
I've mentioned this previously. Without government-mandated standards, implementation could take years. We apply this approach to numerous areas; why should IP be an exception?
While legislation would be way to actually make IPv6 transition happen, what is the justification for such legislation and cost it would impose on the industry?
And that is the point of this article, for most participants of the internet the benefits don’t presently justify the involved cost.
Peer to peer networking is important to rare users like me so I can do things like host a private Minecraft server from my house for my brothers and I to play on, but this is not yet a problem for me on IPv4.
Interestingly a few years back while I was moving and had no internet for a few weeks I temporarily moved the Minecraft server to my brother’s house and we discovered he was on CG NAT which was a total nonissue before then.
I sent an email to the ISP saying we wanted to expose a port and asked how to do so and they changed my brother’s account to be given a public IP no questions asked or extra costs. And I found this policy okay because probably 99.999% of internet users don’t do anything over the internet where a public IP would make any difference to their life.
I expect once enough of the internet is on IPv6 the cost benefit pendulum will swing the other way, but we're not there yet and it’s not clear when it might happpen.
There's plenty of justification around the value of IPv6, but it will be lost on most users. But the same scenario has played out before where things that folks don't understand were enforced, like leaded to unleaded gasoline or removing CFCs.
Fastest way to get IPv6 going in the US is to mandate all government usage be IPv6 only by 20XX. Any supplier or vendor must work over IPv6. You'll see the industry fall in line very quickly, no one wants government money to be shut off.
Static IP here in Australia costs AUD 5 per month for residential users… I think it’s just a price signal to entirely disincentivise it to anyone who doesn’t need it.
In the US, if you want a static IP you often need to purchase a business connection, which is usually significantly more expensive (and residential connections are already expensive), and may not even be available if you live in a residential area.
As far as I know, the US federal government does have a mandate that agencies be ipv6-only by end of 2025. Systems that are not converted by then require justification for why they cannot do so along with a replacement plan. See https://www.whitehouse.gov/wp-content/uploads/2020/11/M-21-0...
A world of being told what to do was not the "dream" of freedom for the internet.
If you want the government to mandate standards, vote with your feet and move to China where it has been mandated.
I thought the point of the article is that perhaps IPv6 is ultimately unnecessary: worse is better?
Why are we engineers so attracted to authoritarianism? The idea of just telling everyone to use the new version seems attractive to me too. Then again I often deeply admire practical engineering compromises. (edited: clarified)
This seems like an extremely broad statement. You probably don't think all use of force is authoritarian, or not allowing any and all protocols to be used on the internet is force. Maybe, but not necessarily. Why specifically would retiring IPv4 be authoritarianism?
Seat belts have a reason. If I want to communicate with some computers using IPv4 or IPX, that’s my choice. Putting laws on what I can put inside of Ethernet is absolute stupidity
Being forced to use a seat belt isn't a standard, it's actually authoritarianism. And largely used as a pretense to pull people over without probable cause, rather than for any other purpose. Mandating that manufacturers have seatbelts in cars is the regulation of commerce. Mandating that ISPs provide ip6 is also the regulation of commerce. Ip6 itself is a standard.
A standard is something that people have to adhere to in order to measure things in a portable way, or for general interop. It's not anything that one is told to do by a government.
> This is the same as looking at a linear trend line placed over the data series used in Figure 1, looking for the date when this trend line reaches 100%. Using a least-squares best fit for this data set from January 2020 to the present day, and using a linear trend line, we can come up with Figure 2.
> This exercise predicts that we’ll see completion of this transition in late 2045, or some 20 years into the future.
Anyone willing to place a bet on this?
> While the design of IPv6 consumed a lot of attention at the time, the concept of transition of the network from IPv4 to IPv6 did not.
> Given the runaway adoption of IPv4, there was a naive expectation that IPv6 would similarly just take off, and there was no need to give the transition much thought. In the first phase, we would expect to see applications, hosts and networks adding support for IPv6 in addition to IPv4, transforming the internet into a dual stack environment. In the second phase we could then phase out support for IPv4.
I really don't understand this, how do you not make a transition plan the #1 requirement for selecting the next IP. (But the article goes on to say...)
Ill bet against it. The tail on this one is going to be super long.
There are embedded systems today that are shipping in things expected to last 30 years with IPv4 only.
The logistics of the bet are going to be hard. I do see a world where IPv6-only becomes the default for ISPs and IPv4 becomes an add-on you pay for either from your ISP or from another via a tunnel. Does that world mean v4 is dead yet?
The long tail doesn't matter. Once IPv4 traffic is a small fraction, the big transit providers will make it cost too much to bother with, and their customers (retail ISPs) will just cut it.
Only global IPv4 matters. If in fifty years there's still a device that insists on speaking IPv4 with the address 10.20.30.40 that will still work and it still won't matter to the Internet any more than it does now.
The appropriate comparison is leaded gasoline.
In my country this was never formally banned. You can't buy a new car which consumes it of course, they banned that, but the fuel itself is legal and for a while enthusiasts would travel to a retailer which still sold it, there might be one in the next town, or the next. Of course with fewer customers the price went up, further reducing customers and squeezing more retailers out, soon enough you might have an hour's drive to buy fuel. The wholesalers were next, if you sell a tanker of ordinary unleaded every five minutes, and a tanker of "high performance" unleaded every hour, why bother making the leaded fuel that shifts only one tanker per week across the whole market? It's not even worth reconfiguring your mixers to make it. So you mark it "No longer available" and gradually across the market the retailers can't buy more and there is no more leaded gasoline.
You can make your own leaded gasoline, but the volumes involved mean it no longer makes any meaningful difference, you could make your own lead paint too, if you're crazy, it doesn't make a noticeable difference to the world.
I'd like to use ipv6, if only to avoid having to pay for an ipv4 address for some private vpcs (with public address for reasons). I remember having issues with fly.io as well, because they're ipv6 by default if I remember correctly.
Currently Denmark has worse support than I expected:
> Liste over danske udbydere (List of Danish providers)
> Internetudbydere på listen: 41 (ISPs on the list)
> Internetudbydere med fuld IPv6-understøttelse: 17 (41%) (ISPs with full IPv6)
> Internetudbydere med delvis IPv6-understøttelse: 10 (24%) (ISPs with partial IPv6)
> Internetudbydere uden IPv6-understøttelse: 14 (34%) (ISPs with no IPv6)
All big German internet providers (DTAG, Telefonica, 1&1, Vodafone) are IPv6 Dual Stack or CGNAT'ed for many many years now. Same for all mobile providers.
So everybody is using IPv6 in their home networks without problems.
The premise is completely wrong here. IPv6 is not just an “incremental change” that would have represented an easy uptake. Instead, pretty much every practical detail of existing IPv4 infrastructure, both hardware and software, was broken. Massive swaths of extra management and security tools were rendered useless. It was a massive miscalculation.
In the meantime, we figured out how to make things work without the extra address space. And the dream of a point-to-point Internet turned out to be a terrible idea after all. IPv6 pushers love to hate on NAT, but it’s actually a really good design choice that’s fundamental to basic network security.
For my entire life, the networking nerds have been shaming us for not using IPv6. Back when I had a NeoPet in middle school, IPv6 was was "just around the corner." I'm now raising my own children and still listening to the same IPv6 talking points.
Every company I've ever worked for has completely disabled IPv6 on the corporate network. My own ISP still doesn't offer it. Disabling it is often the quickest fix for a variety of networking issues.
At some point we must admit failure. There is no conspiracy to limit IPv6 adoption. If the technology was truly useful, you'd see far more in our profession advocate for it.
Pardon if this is an ignorant question, but could the "backhaul providers" help expedite v6 by simply adding a small-but-annoying tax on carrying v4 traffic? I know it sounds ridiculous to want to pay more, but it might help "rip the band-aid" off if, in order to keep costs down, ISPs had to pay a little more for the deprecated protocol.
Does that change the point of the discussion? Because all of those ISPs are in multiple markets.
The point being that ISPs remain a primary stall-point of IPv6 adoption. There is eagerness to hand-wave that away - and that is part of the reason IPv6 stays underdeployed.
In spite of its wider adoption issues, it's valuable for my personal infrastructure: each of my services/machine has an IPv6 globally routable address.
Why bother, when I could just do TLS SNI reverse proxying via nginx?
* Some services don't use TLS, or even TCP.
* A reverse proxy is yet another intermediary in the chain.
* Plain IPv6 routing is simpler than reverse proxying, and I already need a network layer anyway.
There are downsides:
* some software doesn't support IPv6. I haven't experienced this on the Linux servers I run.
* If I'm in another country then I often don't have IPv6 connectivity. In this case I use any VPN that offers IPv6 (and have one available via my home, via Wireguard).
* Learning IPv6 takes time, but not much. It's one-off. It's not more complex than IPv4, but it is different. If anything, it's simpler. (SLAAC rather than DHCPv4; IP reachability rather than NAT/port forwarding).
The urgency of IPv6 adoption was predicated on the assumption that every connected device, both server and client, needs a unique and stable IP address. Back when IPv6 was first discussed, you couldn't even host two HTTPS sites on the same IP/port combination! That was such a colossal waste of IP addresses.
Another thing that changed on the server side was that, thanks to AWS and the like, it became trivial to set up a massive private network. Nowadays you can have a cluster of thousands of virtual machines that communicate with one another entirely within a VPC. Only machines that need to communicate with external entities get a public IPv4 address. This kind of setup not only frees up a /20, but also has the benefit of being more secure.
Meanwhile, on the client side, the rise of mobile internet means that devices can no longer assume that it will have any given address for any length of time. Even if we had plenty of addresses to go around, like with IPv6, what can we do when the device moves across the country? It's easier to assign a new address than to try to route the old address to an entirely different ISP. Reducing the complexity of the routing table was one of the goals of IPv6, after all. Insisting on a unique and stable IP address for each mobile device would defeat that purpose.
As a result, most new applications are being built with the assumption that the IP address doesn't matter. You rent a few ports on someone else's IP for a few minutes to fire off a bunch of requests, just like you'd rent CPU cycles on someone else's machine to run some functions.
> Another thing that changed on the server side was that, thanks to AWS and the like, it became trivial to set up a massive private network. Nowadays you can have a cluster of thousands of virtual machines that communicate with one another entirely within a VPC. Only machines that need to communicate with external entities get a public IPv4 address. This kind of setup not only frees up a /20, but also has the benefit of being more secure.
This is something that people who are too deep in the weeds of legacy networking don't realize. The future is to not use IP at all within enterprise and not use the Internet at all for B2B communication. In fact the future is to not use any networking abstraction at the application layer.
To start with every device can be in VPCs with the same private /16 because they can easily communicate securely within the cloud environment via services like VPC lattice or using S3/API gateway both within and across companies. Let the cloud provider handle the undifferentiated heavy lifting of figuring out how to get data from one device to another. In time third parties will establish cross provider bridges.
Then you can start to ask yourself why your applications need the "networking" abstraction at all. If you want to send some bits to an application either within or across companies it should be just a matter of putting the bits in some location the receiving application has access to and the cloud providers can figure out how to actually make the bits accessible to the other application. Think writing to an S3 bucket using a VPC endpoint but with less HTTP/TCP/IP cruft in the middle.
As a benefit the identities on both sides will be established by the cloud providers so you don't need to worry your devices are reachable by malicious actors. Then you can start to get rid of all this cyber security nonsense that has grown up around the ridiculously insecure protocols that were developed in the 70s for connecting trusted machines and somehow are still in use today.
Internet service providers and cloud providers may or may not use IPv6 but enterprises, schools, and end users certainly won't need to.
it is unfortunate that tcp and ip are as interlocked as they are, by which I mean, there is no way to keep your tcp connection while swapping out the underlying ip addresses.
This is not actually a real problem, we do just fine without it, it can be solved at higher or lower layers. But it would have been nice to have.
> it is unfortunate that tcp and ip are as interlocked as they are, by which I mean, there is no way to keep your tcp connection while swapping out the underlying ip addresses.
Multipath/homing, with different IP addresses, exists with TCP and SCTP:
MPTCP addresses this, Apple uses it (or used it, I haven't looked in a long time), and there's some way to enable it for applications on their OSes, but you also need to make it work on a server OS... I don't think it's been merged into anything but patches are around.
Yeah, it would have been nice to have, but that's all. Instead of requiring IPv6, the internet has evolved in a direction that tolerates disconnects and reduces its own IPv4 address consumption. It will probably work fine for the next 20 years at least.
In the 19th century, New Yorkers worried that the city would soon be buried in horse shit because of increasing demand for transportation. The horse shit apocalypse never materialized, because transportation evolved in a way that stopped relying on horses. Now we have a different problem, of course.
One of my biggest issue is: how do you even detect exfil when ICMP is mandatory in IPv6 for the other protocols to even just work?
IPv6 looks so Rube-Goldbergy to my eyes that if I squint just a little tiny bit and put a very thin thinfoil hat on, I could nearly swear this complexity is there by design. For example so backdoors allowing exfil through ICMP are impossible to detect.
IPv6 is chatty. So chatty.
There are networks where a single unaccounted for packet means something abnormal is going on (and at the very least requires enquiry): how does that work with IPv6?
An issue with these big design-by-committee thinggies is that often one or two in the committees are little rats working for the man.
ICMP is required for IPv4 to work correctly, too. It's often completely blocked by cargo culting net admins who then wonder why their things fail that ICMP would have fixed.
These charts that show IPv6 adoption really don't mean shit. The thing is: every single device out there isn't being used directly by a human bean (and a real hero.) They include things like sensors, smart lights, fridges, washing machines, a huge huge number of mobile devices, company networks, ... apparently even tooth brushes? Look at another sector and the story is ((quite horrible.)) I'm talking a regular fixed home network.
Start by looking at routers for IPv6 support. And what do you see? Total crap across the board. Here's some of the issues I've seen. Routers that have no IPv6 support (common for ISP provided routers.) Routers that have NO FIREWALL for IPv6. Routers that crash every 3 minutes after assigning an address. Routers that don't support the exact combination of network details to setup IPv6 on your network (there are multiple ways to deploy IPv6.)
What about if you want to use features like UPnP with IPv6 (something that would probably be useful for some software given that IPv6 is supposed to give you public addresses but firewall it on the router.) What I've found is there's really just one UPnP library that every router uses even though it sucks. miniupnpd. This is a library that can barely manage to handle different types of addresses. It's really a mixed bag whether an IPv6 firmware will have miniupnpd enabled and if its built for IPv6 (and if anyone bothered to test it.) The odds go down dramatically.
If you manage to get a router with IPv6 at home working alongside other useful Internet standards made for it (since 2010) color me impressed. You probably buy a lottery ticket at that point. Because if testing IPv6 deployments for the past 2 years has taught me anything: its that no one really cares about this shit. Present day, present time. You still hear people telling others to turn IPv6 off for some vague reason ('security', 'bad', 'problems.') These people don't really have a clue. It's all just a massive cope because they tried to get it to work and failed. And after the shit I've said I can't say I blame them. But I also want to note that their conclusions are BS.
What’s funny is the last consumer router I bought had the opposite problem. It had a ridiculously low limit on DHCP leases, something like 32 devices. And one time, IPv4 routing just crashed completely and I had to reboot it. Meanwhile IPv6 was always rock stable. The crash was a weird one to debug at first since so many online properties work with IPv6, at first I blamed DNS
All routers I've ever encountered have a default deny rule for IPv6, replicating the port forwarding setup people have come to expect from NAT. Except you can use multiple Xboxes in the same network now, of course.
Even the mini router I bought for 15 bucks five years ago does IPv6 addressing just fine. Just announcing a prefix (or two, local network stuff over ULAs and all that) is enough to make SLAAC do its thing. Never had any problem with DHCPv6 PD for automatic subnetting either.
I haven't looked into UPnP on IPv6 much, but the ones that did UPnP all seem to do IPv6 fine after 2015 or so. I usually turn it off because I don't want random crap manage my firewall unauthenticated (and many router manufacturers have had vulnerable implementations that would accept UPnP packets from the internet so screw that).
Brands that I've successfully used IPv6 with without any hassle include TP-Link, D-Link (don't buy from them), AVM, Mikrotik, and Netgear.
The most annoying part I find about routers is actually that they don't let you disable ALGs anymore it seems. Every few years Samy Kamkar writes up a way to bypass most IPv4 firewalls by abusing the hackery we've accumulated around NAT and the easiest fix ("let FTP/SIP/H363/PPTP be broken on IPv4") doesn't seem to come with routers anymore.
It took a while, but router manufacturers seem to have realised that the world is moving towards "CGNAT or IPv6" and not having usable IPv6 breaks networks in those cases.
The most broken IPv6 deployments I've seen were from people who tried to turn it off though weird hacks like firewall rules which subsequently got IPv6 from their ISP. Had they actually disabled IPv6 they would've just been stuck OK IPv4 like regular, but their weird hacks made half the TCP connections need to time out before they could access the internet.
Strange, every router I've used in the last 10+ years has done IPv6 fine. Even the RSP/ISP supplied gear I've used at friends/family houses are all fine with IPv6. Where I live all fixed line RSP/ISPs (except for one) has IPv6 enabled and on request will sell RSP-supported routers with IPv6 enabled out of the box. I personally don't use RSP-supplied gear but I've used Ubiquiti, Microtik, Netgear, etc routers and they all work just fine with sane IPv6 defaults. I really have not come across a single case of a bad IPv6 routers -- even among RSP-supplied equipment.
They aren’t compatible. There is a device in the middle doing a translation for you.
That’s like saying HTTP can talk to FTP servers as long as there is an HTTP to FTP proxy.
The only thing that makes them seem compatible is there is a well formed address space in v6 that clients send v4 requests to. But it’s still v6 and a 64 proxy needs to have an actual IPv4 address to translate the source to before sending it via v4 to the actual destination.
> They aren’t compatible. There is a device in the middle doing a translation for you.
Which was true of all the IPng candidates, and not just the one that ended up being chosen for "IPv6".
There is no way to expand the addresses space (as found in IPv4) to something greater that 32-bits in a compatible: new API calls, data structures, DNS records, etc, were always going to be needed.
To list "not compatible" as a con of IPng/IPv4 is non-sensical.
I'm aware there's a middle box. My point is that the middle box is a compatibility layer which, by definition, has the effect of enabling compatibility (at least in one direction).
The usual "they should have designed it to be compatible" nonsense usually comes from the crowd with zero suggestions of how to have a 32-bit addressed device send to packets to something with an address outside its universe.
Point is that djb was as wrong then as they are now.
DJB point about the magic moment makes sense to me. What is the point of a separate network that has 33% adoption? It has virtually no impact to alleviate IP address exhaustion, and therefore there is no incentive.
The vast majority of that ~%40 of internet traffic is in direct disagreement with said prophecy though. Mobile carriers like T-Mobile, Verizon, AT&T, Telstra, Deutsch Telekom, Orange, (...you get the idea) all used pure IPv6 backbones with NAT64 edges to role out mobile telecommunications without needing double/CG-NAT or boatloads of public IPv4. Each connection made via IPv6 is transparently 1 less NAT session out a public v4 address and the IPv6 design greatly optimized the way the mobile network cores were built out. This is what has driven the growth of IPv6 on the internet (as more users switch to mobile) rather than an explosion of wireline and business users making the switch.
Where pressure is still lacking is in "small" enterprise type case (like most businesses, regional health systems, local government facilities, and so on) where the difference isn't really that much vs networks with 100 million or more clients riding). Only when corps get to the size of e.g. Microsoft do they really start seeing similar value at the moment. Everyone else can scrape by just getting that small bit of IPv4 and forgetting about it for now.
I gotta say don't sleep on this article thinking it's just another article about IPv6 adoption stats.
There's a lot of interesting thought in the second half about what the Internet fundamentally is and where it's going. The author argues that the use of TLS and SNI has fundamentally changed the internet from a number based routing network to a network based on DNS names and SNI where the numbers involved don't really matter anymore.
> Where is this heading in the longer term? We are pushing everything out of the network and over to applications. Transmission infrastructure is becoming an abundant commodity. Network sharing technology (multiplexing) is decreasingly relevant. We have so much network and computing resources that we no longer have to bring consumers to service delivery points. Instead, we are bringing services towards consumers and using the content frameworks to replicate servers and services With so much computing and storage the application is becoming the service, rather than just a window to a remotely operated service.
I have fully implemented IPv6 in my home network.
I have even implemented an IPv6-Only network. It fully works, including accessing IPv4 only websites like github.com via DNS64 and NAT64 at my router.
The only practically useful thing about my IPv6 enabled network is that I can run globally routable services on my lan, without NAT port mapping. Of course, only if the client is also IPv6.
Other than this one use case, IPv6 does nothing for me.
It doesn't work from most hotels, nor from my work lan, nor many other places because most "managed" networks are IPv4 only. It works better at Cafes because they are "unmanaged" and IPv6 is enabled by the most common ISPs, like ATT and Comcast and their provided routers.
Based on this experience, I think IPv6 is less valuable than us HN audience thinks it is. Private networks, NAT, Carrier Grade NAT are good enough, and internet really doesn't care about being completely peer-to-peer.
I think the adoption rate reflects this--it's a linear growth curve over the last 25 years. It should have been exponential.
I think cost of IPv4 reflects this--it is now below the peak, and has leveled off.
As surprising as it seems, IPv4 exhaustion has not been a serious problem. Internet marches on. IPv6 is still a solution looking for a problem, and IPv4 exhaustion wasn't one of them.
I recently moved to a 'cheap' ISP because I could get double the speed for half the price. They use CG-NAT and it's been awful.
I don't need to forward any ports but seemingly because I share an IP with a billion people I get Captchas everywhere (Google, Cloudflare etc.). I was even blocked from accessing Reddit without an account at some point.
Starlink uses CGNAT. It's awful, I'm regularly getting CAPTCHAs on random websites.
They now support IPv6 but only with dynamic address allocations so you don't get a lot of advantages from it.
I hadn’t put that quite together. I wonder how many people would value IPv6 if they knew it meant less CAPTCHAs.
NAT is mostly okay, but carrier grade NAT where you can't forward a port causes real problems.
IPv4 exhaustion is a real problem, it's just not enough to motivate people much.
The main problem I had when I was on CGNAT was not so much port forwarding (annoying, but solvable), but with being banned from all sorts of stuff. The address is shared with so many people and one person did something stupid or whatnot. Sometimes you don't even know if you're banned or not.
For better or worse, IP blocks are still very common. It's easy to complain about this, but there aren't really any good methods to deal with persistent abuse.
Have you tried using PCP to forward the port? I was under the (maybe-incorrect, and if so I would really like to learn) impression that most major CG-NAT setups supported it.
Nah, many carriers don’t support it. I’ve always had to resort to STUN
I suppose I can try that some time. I can find absolutely zero mentions of that for the ISP, just the option of buying a static IP.
If it was a real problem, market pricing would reflect the increasing severity of that problem.
The truth is that people who care about port forwarding are such a small minority -- especially now that P2P file sharing has lost its hype -- that they don't make a visible dent in the rate of IPv4 exhaustion.
The market price is only something like 5 or 10 dollars a month, but anyone having to pay that to be accessible is an embarrassing failure of the system. It doesn't matter whether it's a big dent in the number of IPs or not.
Almost nobody (far, far less than 1% of users overall) do pay this; the system is in this regard smashingly successful by econometric standards.
There are billions of people out there who can access the internet, and make themselves accessible through the internet the way they want, just fine without a dedicated IP address.
Maybe you have a definition of "access" that is different from the usual one. That's fine, but let's be honest, it's not the usual definition.
Someone being able to connect to their device is the definition I use. What's your definition?
Being able to relay through a third party is a different thing.
The truth is that major cloud providers such as Amazon AWS have begun to charge [more] for static, routed IPv4 addresses.
Last I checked (a few years ago, I suppose), AWS APIs were incapable of using IPv6 internally, so a VPC still needed to dual-stack it in order to use AWS cloud features. That may have changed by now.
Yep, lots of AWS apis don't work over ipv6, and many require making requests outside the VPC, so you need to have at least one ipv4 address for a NAT.
IPv4 prices peaked during the Covid pandemic, presumably because of sudden high demand. Amazon took this as an opportunity to increase prices.
Now IPv4 prices are returning to pre-Covid long-term trends. But of course Amazon won't reflect that in their pricing table.
> Amazon took this as an opportunity to increase prices.
IPv4 prices peaked in early 2022; AWS started charging for public IPv4 in 2024 (announced in 2023):
* https://aws.amazon.com/blogs/aws/new-aws-public-ipv4-address...
If they had increased prices in 2022 (or at least announced in 2022), then I could see some kind of correlation, but give it was 1.5-2 years after, I doubt there is a connection.
Doesn't CGNAT also mess up things like Nintendo Switch online multiplayer?
Nintendo should really enable IPv6 on the Switch to help with this
I had to reluctantly deploy ipv6 on my home network because of ISP requirements + will to use pihole.
Ipv6 is hard. I had to learn quite a bit to make it work and not only I see no value, but it is significantly more difficult to use dire to the address length.
I think IPv6 is a missed opportunity, it was probably designed by experts that did not take into account the population that will use it (not the one users who do not care, but the layer above them)
What requirement could an ISP impose on you for you to be forced to migrate the intranet to IPv6 (because of PI-hole)?
You could always place a small NAT-enabled router between your ISP's device and your home network.
The only problem I could see would be the lack of a (semi-)static public IPv4 address, which one could solve by renting a VPS.
My ISP is the French "Free". They provide a router that is difficult to swap with my own (it is possible, but it is way easier to switch it to a bypass mode). With this router comes a TV box that requires IPv6 to work.
When I replace DHCP/DNS with Pihole I need to account for that. While this is not a complex setup once you understand IPv6 you still need to learn it.
I work in IT so I tried to get myself to IPv6 several times but never had any reason to do so (despite self-hosting a lot and generally being a nerd). I had to do that this time and my uninformed opinion is that it could have been done so that it is much simpler for advanced users (but not yet networking experts)
I struggled to get IPv6 running on my home network, then had issues with DNS dual stack once I got it going, so I turned it off.
That said, I think the difficulty of IPv6 is in the UI of the home routers that implement it, and a lack of sane defaults.
The ISP should give every SOHO/residential customer a /60. The router of a simple IPv6 should do prefix delegation. The router should default to SLAAC for local IP addresses, and configuring DNS with Router Advertisements. And residential routers can be set up to have an internal DNS server which populates the ".internal" domain with hostnames from the network.
As a network admin, you have to learn new things like the uses of IPv6 multicast, and ND, the lack of ARP, and some other things. Home users shouldn't have to care about that.
>The ISP should give every SOHO/residential customer a /60.
The ISP should give every residence 295 quintillion IPv6 addresses? I know there is an abundance of ipv6 addresses but that seems like a lot of waste.
Even assigning a /96 would provide 4.3 billion ipv6 addresses (which is the same number as all ipv4 addresses in existence)
And since available ipv6 space is basically 4.3 Billion^2, assigning an ipv6 /96 would be like assigning a /32 in ipv4 terms of total ipv6 space utilization.
/64 is needed for SLAAC to work and is basically the default.
Anything larger (usually /56, sometimes even /48) gives the customers a chance to segment their LAN.
Like other person said, /64 is the minimum subnet size. And submitting in ipv6 is best done 4 bits at a time. A /60 is overkill for residents, but because it gives 16 subnets, not because it gives excessive addresses.
> Private networks, NAT, Carrier Grade NAT are good enough, and internet really doesn't care about being completely peer-to-peer.
CG-NAT adds a cost that not everyone can easily afford:
> We learned a very expensive lesson. 71% of the IPv4 traffic we were supporting was from ROKU devices. 9% coming from DishNetwork & DirectTV satellite tuners, 11% from HomeSecurity cameras and systems, and remaining 9% we replaced extremely outdated Point of Sale(POS) equipment. So we cut ROKU some slack three years ago by spending a little over $300k just to support their devices.
> First off I despise both Apple and that other evil empire (house of mouse) I want nothing to do with either of them. Now with that said I am one of four individuals that suggested and lobbied 15 other tribal nations to offer a new AppleTV device in exchange for active ROKU devices. Other nations are facing the same dilemma. Spend an exorbitant amount of money to support a small amount of antiquated devices or replace the problem devices at fraction of the cost.
* https://community.roku.com/t5/Features-settings-updates/It-s...
* "Roku devices don't support IPv6 in 2023 and it's costing ISPs", https://news.ycombinator.com/item?id=35047624
> internet really doesn't care about being completely peer-to-peer
Internet (I mean, the IETF) does care a lot about the end-to-end principle, however. It is true that "misbehaving" NATs break e2e badly. It is also true that IPv6 can also be put behind such NATs.
> I have even implemented an IPv6-Only network. It fully works, including accessing IPv4 only websites like github.com via DNS64 and NAT64 at my router.
What did you use to implement that? I found it surprisingly difficult to find software to do NAT64 on Linux.
Fun reasons why my home network is still on IPv4: IPv6 drains my girlfriend's phone battery :-)
Something to do with Router Advertisement intervals being too short, though I don't get why that only affects her ~5yo android phone. And IPv6 is so complex, I haven't figured out if the RA interval is something I can or should tweak, whether that comes from the PiHole or whether I'd have to flash OpenWRT on my router, or whether my ISP ultimately controls that upstream. Like, I can't figure out as easily where the boundary between me and "the internet" ends with things like the /64 prefixes and SLAAC and RDNSS and all the other acronyms.
Yeah, yeah, I should RTFM, and eventually I might figure out what makes a "good" home IPv6 network. But I can't be arsed to do that in my free time yet, and neither can most software companies cough cough Google/Android and that one guy causing IPv6 drama in the android team
Like.... Ehhh... I'll come back to it in a few more years. "Are we IPv6 yet?"
I have an Android on my IPv6 network with no issues, and this is across several different router vendors with different defaults for RAs. Maybe it's not an IPv6 issue and you're barking up the wrong tree?
Never would have guessed that ipv6 could be a battery drain
> Grade NAT are good enough
CGNAT would cripple every customer I've ever had, going back to the beginning of broadband. Everyone one has had something on-premises that needs to be accessible. Nearly always, it's multiple things that are critical to operations.
Well there are serious network effects at play.IPv6 would be a lot more valuable if it was more broadly deployed.
What do you see as the key points that create a lot more value?
No longer needing NATs in many situations, especially CGNATs, ISPs could give all customers static ip addresses, and peer to peer applications wouldn't need to use unreliable workarounds like STUN to traverse NATs
This was true 25 years ago and is still as true today.
People posting have mentioned that IPv4 is working for what they use the internet for. But of course it is. When NATs has been required for your whole life, how could the internet have built features that needed p2p routing? Just convince businesses to build something that requires special router configuration? And still wouldn’t work on phones or with ISPs that require CG NAT? You got what worked out of the box. You obviously couldn’t use what didn’t exist.
Why do people assume IPv6 means "easy p2p"?
Even if NAT will be gone one day, the stateful firewalls won't. Every every home router would still ship with "deny all incoming" by default, and every corporate network would have the same setting as well.
Same as IPv4, IPv6 serving would still need registration with border device, either manual by user, or via UPnP-equivalent.
UDP hole punching works when you don't have symmetric NAT. So e.g. voice and video calls don't need a proxy and can be higher quality. You only need a third party to locate/signal your peer.
"everything gets a global IP, no more NAT headaches" was one of marketing talking points for IPv6. Not necessarily the case nor welcomed by everyone, but that was the intent.
Wide scale deployment of NAT (the "home router" that allowed you to connect multiple devices) was the greatest leap in internet security we ever made. I remember the days when we had "everything gets a global IP," and we do NOT want to go back to that. Look up Conficker, Code Red, Blaster, etc.
People naively assume the large IPv6 address space somehow hides your computer on the internet. That isn't true. Both because v6 host discovery is a solved-ish problem for attackers, and worms have near unlimited resources to throw at the wall.
I remember those days too. They had nothing to do with computers not being behind a NAT.
I can do more with the Internet today than I could with a static /22 assigned over my ISDN BRI back in the mid-1990s. A lot of things I would do back then, I would do differently today; running a chat system by connecting directly out to 6667/tcp feels pretty silly now, for instance. It's rough to build protocols that work that way today, but you're not missing much. Things were not better before the advent of presumptive NAT.
China's IPv6 transition is 74% complete.[1] Conversion to IPv6 was specifically called out in China's 14th Five Year Plan, which gives the goal high visibility within the government and the Party. Conversion is quite far along. The current goal is everything IPv6 enabled by 2025, IPv4 turns off in 2030.
99% of the top 100 mobile applications in China are on IPv6. China Mobile's backbone is now IPv6 only.
[1] https://www.china-ipv6.cn/#/
The IPv6 transition is a side effect of China building their own internal "internet" from the ground up that will not be connected to what we think of as the internet. "Turning off IPv4" is code for shutting off the DFZ and users only being able to reach other networks within the country.
We should absolutely not be pointing to this as a success or a model for other countries.
India is also around 75%. Both of them cover quite a bit of humanity. The regions where growth is going to happen don't own a lot of blocks so they will focus on IPv6.
Vietnam (pop. 98M) has mandated moving to IPv6, with goals for migration between 2025 and 2030:
* https://www.theregister.com/2024/10/14/vietnam_digital_infra...
Meanwhile in Australia I called my ISP to enable IPv6 and they asked me to justify why I needed it.
Because "it's the Internet" and has been a standard since the year 2000 doesn't seem to be sufficient reason to bother...
If it's NBN, Aussie Broadband and Superloop/Exetel have good IPv6 support with prefix delegation giving you a /56.
That is a wild response to give a customer. I'm surprised they are still in business if that's how they treat fairly reasonable customer requests.
The original “end-to-end” architecture of the Internet assumed that every device was uniquely addressed with its own IP address [...]
That may indeed have been an assumption of the original architecture, but it's orthogonal to the end-to-end argument in Internet design, which is about moving logic out of the network entirely and into applications (more precisely, about recognizing that the boundary between network and application is productively debatable, and had, up to the point where Saltzer and Clark and Reed wrote the paper, been defaulting too much towards the network). An end-to-end-architected networking application can be oblivious to its addressing, or even the network layer below it.
If anything, my intuition is that the unreasonable effectiveness of CGNAT --- which is exactly what Huston is writing about --- is strong evidence that the end-to-end paper was deeply correct.
Isn't the encoded assumption here is that clients rarely act as servers? This may be either because that's outside the typical use case or because providers explicitly do not want them to, but this factor is the reason CGNAT can be viewed as "effective."
End-user retail endpoints can still act as servers, but the way you have them to that in 2024 is different (and yes, more complicated) than it was in 1996.
If the US had the same IPv4 scarcity as the rest of the world (specifically, if major US ISPs were using CGNAT), the IPv6 transition would be happening much faster.
That's probably true for consumers. For large, global corporations, IPv6 is a million miles away. I've worked with several, and they all have poorly managed kit, vulnerabilities everywhere, poor documentation/diagrams, poor performance, millions of firewall rules, tons of vendors to connect with, outsourced wireless vendors, remote access solutions that are a byzantine security mess, ... IPv6 is suicidal for most large organizations beyond ok we can speak IPv6 for a small part of the infrastructure. Add to this the recent deluge of VPNs everywhere (probably due to WireGuard) and container networking, IPv6 would be a recipe for disaster. Security is difficult in this scenario, in part due to the people implementing this stuff don't have a good handle on what they are doing.
The addresses were allocated equally geographically, and then sold. The US will hit ipv4 scarcity when the US stops being the richest country.
GitHub is still not accessible on the IPv6-only internet: https://isgithubipv6.live/
> In 2024 it’s estimated that 20 billion devices use the Internet, yet the Internet’s IPv4 routing table only encompasses 3.03 billion addresses … sharing each individual IPv4 address across an average of 7 devices.
…but the graph below that text shows 40% of traffic is IPv6, so the v4 space is only shared across 12e9 devices?
In my experience the big holdouts these days are corporate networks. All my domestic ISPs (cell, home, data centre) provide IPv6 and most devices use it by default. Meanwhile at the office we’re struggling to bring up a new internal service because our v4 IPAM is a legacy mess where the most you can calve off is a “class A” /27.
The types aren’t exclusive. In the US most ISPs are dual stack. That 60/40 split pretty closely aligns with traffic stats a dual stack operator sees in their network.
FWIW, domestic ISPs in the UK are lagging on IPv6; I'm with Vrigin Media and, afaict, there is no immediate plan to deploy it either.
Last time I called Virgin media to get from the loyal customer (extra high) rate to something closer to what new customers get they just said no.
I switched to Vodafone which is cheaper and double the speed and got me IPv6. I think it might just be Virgin sitting on a large amount of IPv4 addresses and not wanting to spend any money on supporting v6 when they can just overcharge their loyal customers.
Virgin neé ntl: has always been complete trash. Are they representative of UK ISPs in general? BT and Sky completed their v6 rollout years ago and they account for over half the market.
When I was in Cambridge Virgin Media used to throttle to dial-up speeds at peak times. Meanwhile, I was still getting advertising leaflets from them through the door trying to sign new people up. Active fraud selling people a service you know you can't provide, and had no timeline to fix.
On the upside, a lot of the UK is getting small fibre companies rolling out 1G symmetric lines all over the place now. I've got that in my new place and it's been great (IPv6, CGNAT IPv4 by default but you can pay £5 for a static IPv4 too).
Anecdata: having switched between Vodafone, Virgin and Sky as my last three ISPs, Virgin was by far the best.
Both BT and Sky are fully IPv6, many altnets are too, it's actually Virgen Media that is the problem in the UK. In the case of Sky they are now running MAP-T and starting the transition to IPv6 only.
Germany, Vodafone. They support it, so I could get v6, but chances are that that'll switch me to CGNAT for v4, so I'm not willing to risk it.
Weird that you have to do an extra step for IPv6. Other ISPs in Germany have enabled it for every customer at some point. Unless your router asks for IPv6 addresses, nothing really changes anyway. So maybe just enable IPv6 on your router and see what happens?
On a side note, there seem to be ways to get out of CGNAT when you got condemned to use it: It is sometimes an annoying source for client VPN instabilities and from what I heard, users can just ask to be switched over from DS-Lite to classic dual stack to improve application compatibility.
No, I have to ask customer service to enable it, my EdgeRouter X supports IPv6.
Must be an old contract, all new contracts appear to be CGNAT/native IPv6 across ISPs
The internet stopped being a network of peers where everyone needed an address and is now a split into producers (a handful of large companies) and consumers (everyone else).
The consumers are not expected to need a public address where they can be reached - in fact, having a public address is actually a security and privacy risk.
> in fact, having a public address is actually a security and privacy risk.
I strongly disagree with this. Privacy (not that it's a big deal imo) is well handled by the temporary address extension, and security is not an issue if you run a firewall. And you should be running a firewall even if you use v4, because NAT is not an acceptable security measure.
Whilst I agree with you, I rather depressingly suspect a lot of people equate NAT with “security”.
Only CG-NAT provides any semblance of "privacy" from the perspective of the outside world, but is a hideous technology that shouldn't exist.
Normal NAT as seen with home internet routers provides zero privacy, because you still have a predictable public IP.
People also think that IPv4+NAT provides security, but IPv4 is such a tiny address space that all public IPs are scanned daily by various malicious bots. Meanwhile IPv6 is so enormous that unless you register your address in some public way, you're completely invisible to port-scanning bots by default!
Yeah exactly.
I have a friend who works in the networking division of a telco in my country, their team had to spend significant time and effort educating a PM who was dead-to-rights convinced that IPv6 was “less secure” and seemed to think that IPv6 didn’t have subnets and that NAT’s were the same as firewalls and refused to be convinced otherwise.
People like that make any forward progress extremely difficult.
That was in fact one of the promises of IPv6: Restore the network of peers where every host is in principle a server and a client and communication between peers is unhindered unless a policy is enforced saying otherwise (on the machine, on a firewall, etc.).
> having a public address is actually a security and privacy risk.
Services can be turned off or a firewall instructed not to pass traffic from the internet (by default). That represents exactly the same attack surface as having a service enabled and nobody being able to get to it from the internet because of NAT.
The privacy risk is mitigated by RFC4941 "Privacy Extensions for Stateless Address Autoconfiguration in IPv6". Granted that does not deal with the (delegated) prefix staying the same and when there are only one or very few users in that prefix, some individual behavior could be inferred. Because of that at least in Germany we have the peculiar horror of getting the IPv6 address and all delegated prefixes changed on every redial. That eliminates all privacy concerns while also continuing to make residential internet connections useless for hosting any services.
Anyway. The internet is already way down the road of functioning only as the delivery conduit for a few cloud / service providers mediating all user communication and access to content.
> in Germany we have the peculiar horror of getting the IPv6 address and all delegated prefixes changed on every redial.
This is oh so very German.
In normal times it is massively overkill. I have to wonder if, heaven forbid, the things these sort of German things are meant to mitigate come to pass again if they will make any difference or if they are a largely symbolic act designed to demonstrate ideological opposition to such things.
This seem to be common. My RSP (ISP) only offers a fixed IPv6 address/prefix on request -- otherwise they will just allocate one out of their pool as they do for dynamic IPv4 (although both dynamic IPv4 and IPv6 is fairly sticky so normally DHCP/PPPoE connections will get the same address previously used as long as it hasn't been reallocated). I personally have a static IPv4 address and a static IPv4 address/prefix from my RSP for my home network.
> The consumers are not expected to need a public address where they can be reached - having a public address is actually a security and privacy risk.
100% of consumer routers and OS level firewalls deny new inbound connections by default. There are upsides and downsides to static vs dynamic ISP-provided addresses, but the only difference between IPv4 and IPv6 in this regard is that IPv6 has a vastly larger address space and offers an ISP far more capacity to randomize a customer's host address for a far lower cost than IPv4. CGNAT is available for 4 or 6 if such is desired.
When AWS started charging for IPv4 addresses I started switching to IPv6. I spent a few days getting it all up and running. I thought it was OK but my router kept crashing every day, then I noticed I can't get working from some places like my office. Gave up, never again its just not worth it. I moved to another hosting service that didn't charge.
Asus routers still ship with IPv6 disabled by default, to this day. It makes perfect business sense, as everything still works just as well with v4 but single stack is less complexity so less support costs, etc. I’ve been running my home LAN dual stack for close to a decade, so I have native v6, but then on the other hand I ignore it for my networking stuff, ie I only set an A record in my dynamic DNS and never bothered figuring out how to make phoning home from other networks work over v6. It’s just not a priority and my lack of deep v6 knowledge would make it likely less secure.
I’ve often wondered if going with 64-bit addresses with a dotted quad hex notation would have eased the roll-out. I remember a lot of resistance when IPv6 was first announced along the lines of “I can’t memorize/type in giant addresses and I don’t want to have to use DHCP and DNS everywhere.” It felt like IPv6 never recovered from a bad first impression.
I'm not sure I've ever heard this view expressed by serious, competent network engineers. I have heard it a lot from the home hobbyist though, but I'm not sure how much that demographic matters in the grand scheme of things.
I also find it really weird as the killer (only?) app for IPv6 is that home hobbyists can run servers with low overhead!
Additionally, like a sibling comment notes, a home hobbyist has full control over at least half, often more, of their addresses and can easily choose addresses for their network that are as short or shorter and easier to remember and organize vs a v4 network where you have no letters to work with much more strict subnet size rules, etc.
IPv6 is a dream for home hobbyists! The complaining from them about “unmemorable” addresses just makes no sense.
> I also find it really weird as the killer (only?) app for IPv6 is that home hobbyists can run servers with low overhead!
Well, the non-trivial percentage of large orgs that have literally run out of RFC 1918 space would disagree.
But yes, you're right. There's a weird Stockholm syndrome thing some people have with NAT.
Yes, companies run out of RFC 1918 addresses, but no, they will continue to use public ranges for their internal networks.
Serious, competent network engineers are not created in vacuum from platonic ideals and TCP fragments. They're home hobbyists who grew up hating ipv6, and won't magically learn it overnight when their previous networking guy quits and they get handed the keys to the server cage
These people are neither competent nor serious.
In the real world, people who design and operate large networks are the very same people who staffed the working groups who designed IPv6. It's their design.
A key aspect of IPv6 is that the address space is big enough that 'carving it up' for subnets is dramatically simpler even at the largest scales. You don't need to be frugal with network sizes, and you don't need central coordination to avoid conflicts. This is huge!
E.g.: If I want to deploy a cloud VPC (or vNET), then I have to go find "the guy with the spreadsheet" and peel off a tiny(!) private IPv4 address space. If he's away from his desk or on holidays, my 1-minute automation script will now take 1-10 working days until he's back and responding to requests. With IPv6 this just disappears as a bottleneck.
The vast majority of ip4 only networks are enterprise, that’s where I hear the complaints from. The people who say autoconf (dhcp etc) is bad and that dns is bad.
Couldn't anyone in that position use 2xxx:yyyy:zzzz:ww::1, 2xxx:yyyy:zzzz:ww::2, etc. and get the same effect?
I've mentioned this previously. Without government-mandated standards, implementation could take years. We apply this approach to numerous areas; why should IP be an exception?
While legislation would be way to actually make IPv6 transition happen, what is the justification for such legislation and cost it would impose on the industry?
And that is the point of this article, for most participants of the internet the benefits don’t presently justify the involved cost.
Peer to peer networking is important to rare users like me so I can do things like host a private Minecraft server from my house for my brothers and I to play on, but this is not yet a problem for me on IPv4.
Interestingly a few years back while I was moving and had no internet for a few weeks I temporarily moved the Minecraft server to my brother’s house and we discovered he was on CG NAT which was a total nonissue before then.
I sent an email to the ISP saying we wanted to expose a port and asked how to do so and they changed my brother’s account to be given a public IP no questions asked or extra costs. And I found this policy okay because probably 99.999% of internet users don’t do anything over the internet where a public IP would make any difference to their life.
I expect once enough of the internet is on IPv6 the cost benefit pendulum will swing the other way, but we're not there yet and it’s not clear when it might happpen.
There's plenty of justification around the value of IPv6, but it will be lost on most users. But the same scenario has played out before where things that folks don't understand were enforced, like leaded to unleaded gasoline or removing CFCs.
Fastest way to get IPv6 going in the US is to mandate all government usage be IPv6 only by 20XX. Any supplier or vendor must work over IPv6. You'll see the industry fall in line very quickly, no one wants government money to be shut off.
Static IP here in Australia costs AUD 5 per month for residential users… I think it’s just a price signal to entirely disincentivise it to anyone who doesn’t need it.
In the US, if you want a static IP you often need to purchase a business connection, which is usually significantly more expensive (and residential connections are already expensive), and may not even be available if you live in a residential area.
As far as I know, the US federal government does have a mandate that agencies be ipv6-only by end of 2025. Systems that are not converted by then require justification for why they cannot do so along with a replacement plan. See https://www.whitehouse.gov/wp-content/uploads/2020/11/M-21-0...
The DoD mandated v6 a few years back. The US government could easily dictate that all of their supplied software had to support it.
A world of being told what to do was not the "dream" of freedom for the internet.
If you want the government to mandate standards, vote with your feet and move to China where it has been mandated.
I thought the point of the article is that perhaps IPv6 is ultimately unnecessary: worse is better?
Why are we engineers so attracted to authoritarianism? The idea of just telling everyone to use the new version seems attractive to me too. Then again I often deeply admire practical engineering compromises. (edited: clarified)
The government has more levers to pull than just a mandate requiring adoption.
For example:
- require support for ipv6 in order to qualify for government grants to ISPs to build or expand
- Require ipv6 support from any SaaS sold to the government
- require government websites to be served on ipv6, possibly exclusively on ipv6 by a certain deadline, although that might be too aggressive.
- grant tax exemptions on costs to upgrade equipment to support ipv6
- levy a tax on ipv4
None of those removes your freedom to use ipv4, they just provide incentives to use ipv6.
Pick up the benefits of ending IPv4 development sooner.
One less thing to ship with every bit of network software.
One less learning outcome taught in every networking course.
One less piece of organisational complexity in every ISP.
Fewer rent seekers in the IP address space.
But these benefits are network effects and we only achieve them once IPv4 is relegated to the archaics of the internet tech stack.
Agreeing on a common standard is not authoritarianism.
You said "government-mandated" - do you think your words matter?
That doesn't sound like agreement.
Agreement is how we have arrived at the imperfect solution we have now... Agreement between various technical and non-technical parties.
We have agreed on a common standard. It’s IPv6.
Forcing people to use it is authoritarianism.
This seems like an extremely broad statement. You probably don't think all use of force is authoritarian, or not allowing any and all protocols to be used on the internet is force. Maybe, but not necessarily. Why specifically would retiring IPv4 be authoritarianism?
You are also forced to use a seat belt. Calling it authoritarianism when we want to enforce a standard is absurd.
Seat belts have a reason. If I want to communicate with some computers using IPv4 or IPX, that’s my choice. Putting laws on what I can put inside of Ethernet is absolute stupidity
I fail to see how mandating ISPs to implement and use IPv6 is equivalent to "putting laws on what you can put inside of Ethernet"
Being forced to use a seat belt isn't a standard, it's actually authoritarianism. And largely used as a pretense to pull people over without probable cause, rather than for any other purpose. Mandating that manufacturers have seatbelts in cars is the regulation of commerce. Mandating that ISPs provide ip6 is also the regulation of commerce. Ip6 itself is a standard.
A standard is something that people have to adhere to in order to measure things in a portable way, or for general interop. It's not anything that one is told to do by a government.
Governments _mandating_ it sure is.
> This is the same as looking at a linear trend line placed over the data series used in Figure 1, looking for the date when this trend line reaches 100%. Using a least-squares best fit for this data set from January 2020 to the present day, and using a linear trend line, we can come up with Figure 2.
> This exercise predicts that we’ll see completion of this transition in late 2045, or some 20 years into the future.
Anyone willing to place a bet on this?
> While the design of IPv6 consumed a lot of attention at the time, the concept of transition of the network from IPv4 to IPv6 did not.
> Given the runaway adoption of IPv4, there was a naive expectation that IPv6 would similarly just take off, and there was no need to give the transition much thought. In the first phase, we would expect to see applications, hosts and networks adding support for IPv6 in addition to IPv4, transforming the internet into a dual stack environment. In the second phase we could then phase out support for IPv4.
I really don't understand this, how do you not make a transition plan the #1 requirement for selecting the next IP. (But the article goes on to say...)
> Anyone willing to place a bet on this?
Ill bet against it. The tail on this one is going to be super long.
There are embedded systems today that are shipping in things expected to last 30 years with IPv4 only.
The logistics of the bet are going to be hard. I do see a world where IPv6-only becomes the default for ISPs and IPv4 becomes an add-on you pay for either from your ISP or from another via a tunnel. Does that world mean v4 is dead yet?
The long tail doesn't matter. Once IPv4 traffic is a small fraction, the big transit providers will make it cost too much to bother with, and their customers (retail ISPs) will just cut it.
Only global IPv4 matters. If in fifty years there's still a device that insists on speaking IPv4 with the address 10.20.30.40 that will still work and it still won't matter to the Internet any more than it does now.
The appropriate comparison is leaded gasoline.
In my country this was never formally banned. You can't buy a new car which consumes it of course, they banned that, but the fuel itself is legal and for a while enthusiasts would travel to a retailer which still sold it, there might be one in the next town, or the next. Of course with fewer customers the price went up, further reducing customers and squeezing more retailers out, soon enough you might have an hour's drive to buy fuel. The wholesalers were next, if you sell a tanker of ordinary unleaded every five minutes, and a tanker of "high performance" unleaded every hour, why bother making the leaded fuel that shifts only one tanker per week across the whole market? It's not even worth reconfiguring your mixers to make it. So you mark it "No longer available" and gradually across the market the retailers can't buy more and there is no more leaded gasoline.
You can make your own leaded gasoline, but the volumes involved mean it no longer makes any meaningful difference, you could make your own lead paint too, if you're crazy, it doesn't make a noticeable difference to the world.
I'd like to use ipv6, if only to avoid having to pay for an ipv4 address for some private vpcs (with public address for reasons). I remember having issues with fly.io as well, because they're ipv6 by default if I remember correctly.
Currently Denmark has worse support than I expected:
> Liste over danske udbydere (List of Danish providers)
> Internetudbydere på listen: 41 (ISPs on the list)
> Internetudbydere med fuld IPv6-understøttelse: 17 (41%) (ISPs with full IPv6)
> Internetudbydere med delvis IPv6-understøttelse: 10 (24%) (ISPs with partial IPv6)
> Internetudbydere uden IPv6-understøttelse: 14 (34%) (ISPs with no IPv6)
source: https://ipv6-adresse.dk/
My ISP is only couple years old. And yet, surprisingly to me, they don't support IPv6, only ipv4.
All big German internet providers (DTAG, Telefonica, 1&1, Vodafone) are IPv6 Dual Stack or CGNAT'ed for many many years now. Same for all mobile providers.
So everybody is using IPv6 in their home networks without problems.
Our local German teledata internet provider uses CGNAT, and it is a mess of random timeouts.
Legacy account on Vodafone (from Kabel Deutschland days), no v6, no CGNAT.
The premise is completely wrong here. IPv6 is not just an “incremental change” that would have represented an easy uptake. Instead, pretty much every practical detail of existing IPv4 infrastructure, both hardware and software, was broken. Massive swaths of extra management and security tools were rendered useless. It was a massive miscalculation.
In the meantime, we figured out how to make things work without the extra address space. And the dream of a point-to-point Internet turned out to be a terrible idea after all. IPv6 pushers love to hate on NAT, but it’s actually a really good design choice that’s fundamental to basic network security.
For my entire life, the networking nerds have been shaming us for not using IPv6. Back when I had a NeoPet in middle school, IPv6 was was "just around the corner." I'm now raising my own children and still listening to the same IPv6 talking points.
Every company I've ever worked for has completely disabled IPv6 on the corporate network. My own ISP still doesn't offer it. Disabling it is often the quickest fix for a variety of networking issues.
At some point we must admit failure. There is no conspiracy to limit IPv6 adoption. If the technology was truly useful, you'd see far more in our profession advocate for it.
Pardon if this is an ignorant question, but could the "backhaul providers" help expedite v6 by simply adding a small-but-annoying tax on carrying v4 traffic? I know it sounds ridiculous to want to pay more, but it might help "rip the band-aid" off if, in order to keep costs down, ISPs had to pay a little more for the deprecated protocol.
It's ridiculous how slowly it goes.
Fiber providers here are incapable of providing IPv6.
Frontier, Optyx, Sumo, Evolution, Intellipop, Starlight, Legacy, Yandoo, Voonami, Infinity all serve this area. Zero have IPv6.
Should probably clarify the location of ‘here’
Does that change the point of the discussion? Because all of those ISPs are in multiple markets.
The point being that ISPs remain a primary stall-point of IPv6 adoption. There is eagerness to hand-wave that away - and that is part of the reason IPv6 stays underdeployed.
In spite of its wider adoption issues, it's valuable for my personal infrastructure: each of my services/machine has an IPv6 globally routable address.
Why bother, when I could just do TLS SNI reverse proxying via nginx?
* Some services don't use TLS, or even TCP.
* A reverse proxy is yet another intermediary in the chain.
* Plain IPv6 routing is simpler than reverse proxying, and I already need a network layer anyway.
There are downsides:
* some software doesn't support IPv6. I haven't experienced this on the Linux servers I run.
* in a dual stack network, now you have two networks! I use NAT64/PREF64 like https://labs.ripe.net/author/ondrej_caletka_1/deploying-ipv6... to have most clients only be on IPv6. They get IPv4 connectivity over IPv6 via NAT64.
* If I'm in another country then I often don't have IPv6 connectivity. In this case I use any VPN that offers IPv6 (and have one available via my home, via Wireguard).
* Learning IPv6 takes time, but not much. It's one-off. It's not more complex than IPv4, but it is different. If anything, it's simpler. (SLAAC rather than DHCPv4; IP reachability rather than NAT/port forwarding).
I think the article's diagnosis is spot on.
The urgency of IPv6 adoption was predicated on the assumption that every connected device, both server and client, needs a unique and stable IP address. Back when IPv6 was first discussed, you couldn't even host two HTTPS sites on the same IP/port combination! That was such a colossal waste of IP addresses.
Another thing that changed on the server side was that, thanks to AWS and the like, it became trivial to set up a massive private network. Nowadays you can have a cluster of thousands of virtual machines that communicate with one another entirely within a VPC. Only machines that need to communicate with external entities get a public IPv4 address. This kind of setup not only frees up a /20, but also has the benefit of being more secure.
Meanwhile, on the client side, the rise of mobile internet means that devices can no longer assume that it will have any given address for any length of time. Even if we had plenty of addresses to go around, like with IPv6, what can we do when the device moves across the country? It's easier to assign a new address than to try to route the old address to an entirely different ISP. Reducing the complexity of the routing table was one of the goals of IPv6, after all. Insisting on a unique and stable IP address for each mobile device would defeat that purpose.
As a result, most new applications are being built with the assumption that the IP address doesn't matter. You rent a few ports on someone else's IP for a few minutes to fire off a bunch of requests, just like you'd rent CPU cycles on someone else's machine to run some functions.
> Another thing that changed on the server side was that, thanks to AWS and the like, it became trivial to set up a massive private network. Nowadays you can have a cluster of thousands of virtual machines that communicate with one another entirely within a VPC. Only machines that need to communicate with external entities get a public IPv4 address. This kind of setup not only frees up a /20, but also has the benefit of being more secure.
This is something that people who are too deep in the weeds of legacy networking don't realize. The future is to not use IP at all within enterprise and not use the Internet at all for B2B communication. In fact the future is to not use any networking abstraction at the application layer.
To start with every device can be in VPCs with the same private /16 because they can easily communicate securely within the cloud environment via services like VPC lattice or using S3/API gateway both within and across companies. Let the cloud provider handle the undifferentiated heavy lifting of figuring out how to get data from one device to another. In time third parties will establish cross provider bridges.
Then you can start to ask yourself why your applications need the "networking" abstraction at all. If you want to send some bits to an application either within or across companies it should be just a matter of putting the bits in some location the receiving application has access to and the cloud providers can figure out how to actually make the bits accessible to the other application. Think writing to an S3 bucket using a VPC endpoint but with less HTTP/TCP/IP cruft in the middle.
As a benefit the identities on both sides will be established by the cloud providers so you don't need to worry your devices are reachable by malicious actors. Then you can start to get rid of all this cyber security nonsense that has grown up around the ridiculously insecure protocols that were developed in the 70s for connecting trusted machines and somehow are still in use today.
Internet service providers and cloud providers may or may not use IPv6 but enterprises, schools, and end users certainly won't need to.
it is unfortunate that tcp and ip are as interlocked as they are, by which I mean, there is no way to keep your tcp connection while swapping out the underlying ip addresses.
This is not actually a real problem, we do just fine without it, it can be solved at higher or lower layers. But it would have been nice to have.
> it is unfortunate that tcp and ip are as interlocked as they are, by which I mean, there is no way to keep your tcp connection while swapping out the underlying ip addresses.
Multipath/homing, with different IP addresses, exists with TCP and SCTP:
* https://en.wikipedia.org/wiki/Multipath_TCP
* https://en.wikipedia.org/wiki/Stream_Control_Transmission_Pr...
MPTCP addresses this, Apple uses it (or used it, I haven't looked in a long time), and there's some way to enable it for applications on their OSes, but you also need to make it work on a server OS... I don't think it's been merged into anything but patches are around.
Yeah, it would have been nice to have, but that's all. Instead of requiring IPv6, the internet has evolved in a direction that tolerates disconnects and reduces its own IPv4 address consumption. It will probably work fine for the next 20 years at least.
In the 19th century, New Yorkers worried that the city would soon be buried in horse shit because of increasing demand for transportation. The horse shit apocalypse never materialized, because transportation evolved in a way that stopped relying on horses. Now we have a different problem, of course.
Exactly this… which raises the question- do we need ipv6 at all?
One of my biggest issue is: how do you even detect exfil when ICMP is mandatory in IPv6 for the other protocols to even just work?
IPv6 looks so Rube-Goldbergy to my eyes that if I squint just a little tiny bit and put a very thin thinfoil hat on, I could nearly swear this complexity is there by design. For example so backdoors allowing exfil through ICMP are impossible to detect.
IPv6 is chatty. So chatty.
There are networks where a single unaccounted for packet means something abnormal is going on (and at the very least requires enquiry): how does that work with IPv6?
An issue with these big design-by-committee thinggies is that often one or two in the committees are little rats working for the man.
ICMP is required for IPv4 to work correctly, too. It's often completely blocked by cargo culting net admins who then wonder why their things fail that ICMP would have fixed.
These charts that show IPv6 adoption really don't mean shit. The thing is: every single device out there isn't being used directly by a human bean (and a real hero.) They include things like sensors, smart lights, fridges, washing machines, a huge huge number of mobile devices, company networks, ... apparently even tooth brushes? Look at another sector and the story is ((quite horrible.)) I'm talking a regular fixed home network.
Start by looking at routers for IPv6 support. And what do you see? Total crap across the board. Here's some of the issues I've seen. Routers that have no IPv6 support (common for ISP provided routers.) Routers that have NO FIREWALL for IPv6. Routers that crash every 3 minutes after assigning an address. Routers that don't support the exact combination of network details to setup IPv6 on your network (there are multiple ways to deploy IPv6.)
What about if you want to use features like UPnP with IPv6 (something that would probably be useful for some software given that IPv6 is supposed to give you public addresses but firewall it on the router.) What I've found is there's really just one UPnP library that every router uses even though it sucks. miniupnpd. This is a library that can barely manage to handle different types of addresses. It's really a mixed bag whether an IPv6 firmware will have miniupnpd enabled and if its built for IPv6 (and if anyone bothered to test it.) The odds go down dramatically.
If you manage to get a router with IPv6 at home working alongside other useful Internet standards made for it (since 2010) color me impressed. You probably buy a lottery ticket at that point. Because if testing IPv6 deployments for the past 2 years has taught me anything: its that no one really cares about this shit. Present day, present time. You still hear people telling others to turn IPv6 off for some vague reason ('security', 'bad', 'problems.') These people don't really have a clue. It's all just a massive cope because they tried to get it to work and failed. And after the shit I've said I can't say I blame them. But I also want to note that their conclusions are BS.
What’s funny is the last consumer router I bought had the opposite problem. It had a ridiculously low limit on DHCP leases, something like 32 devices. And one time, IPv4 routing just crashed completely and I had to reboot it. Meanwhile IPv6 was always rock stable. The crash was a weird one to debug at first since so many online properties work with IPv6, at first I blamed DNS
All routers I've ever encountered have a default deny rule for IPv6, replicating the port forwarding setup people have come to expect from NAT. Except you can use multiple Xboxes in the same network now, of course.
Even the mini router I bought for 15 bucks five years ago does IPv6 addressing just fine. Just announcing a prefix (or two, local network stuff over ULAs and all that) is enough to make SLAAC do its thing. Never had any problem with DHCPv6 PD for automatic subnetting either.
I haven't looked into UPnP on IPv6 much, but the ones that did UPnP all seem to do IPv6 fine after 2015 or so. I usually turn it off because I don't want random crap manage my firewall unauthenticated (and many router manufacturers have had vulnerable implementations that would accept UPnP packets from the internet so screw that).
Brands that I've successfully used IPv6 with without any hassle include TP-Link, D-Link (don't buy from them), AVM, Mikrotik, and Netgear.
The most annoying part I find about routers is actually that they don't let you disable ALGs anymore it seems. Every few years Samy Kamkar writes up a way to bypass most IPv4 firewalls by abusing the hackery we've accumulated around NAT and the easiest fix ("let FTP/SIP/H363/PPTP be broken on IPv4") doesn't seem to come with routers anymore.
It took a while, but router manufacturers seem to have realised that the world is moving towards "CGNAT or IPv6" and not having usable IPv6 breaks networks in those cases.
The most broken IPv6 deployments I've seen were from people who tried to turn it off though weird hacks like firewall rules which subsequently got IPv6 from their ISP. Had they actually disabled IPv6 they would've just been stuck OK IPv4 like regular, but their weird hacks made half the TCP connections need to time out before they could access the internet.
> I haven't looked into UPnP on IPv6 much
Added as an appendix in 2011:
* https://upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1....
Strange, every router I've used in the last 10+ years has done IPv6 fine. Even the RSP/ISP supplied gear I've used at friends/family houses are all fine with IPv6. Where I live all fixed line RSP/ISPs (except for one) has IPv6 enabled and on request will sell RSP-supported routers with IPv6 enabled out of the box. I personally don't use RSP-supplied gear but I've used Ubiquiti, Microtik, Netgear, etc routers and they all work just fine with sane IPv6 defaults. I really have not come across a single case of a bad IPv6 routers -- even among RSP-supplied equipment.
> They include things like sensors, smart lights, fridges, washing machines,
Now you gave me an excellent reason to make my home network v6-only.
https://cr.yp.to/djbdns/ipv6mess.html still as relevant as the day it was written
Time has not been kind to this article. It's basically a compete list of fallacies that people believe about ipv6.
Oh, is IPv6 now backwards compatible with IPv4? No? I guess not a complete list of fallacies.
I can route to v4 endpoints on my v6-only network just fine. Shrugs
They aren’t compatible. There is a device in the middle doing a translation for you.
That’s like saying HTTP can talk to FTP servers as long as there is an HTTP to FTP proxy.
The only thing that makes them seem compatible is there is a well formed address space in v6 that clients send v4 requests to. But it’s still v6 and a 64 proxy needs to have an actual IPv4 address to translate the source to before sending it via v4 to the actual destination.
> They aren’t compatible. There is a device in the middle doing a translation for you.
Which was true of all the IPng candidates, and not just the one that ended up being chosen for "IPv6".
There is no way to expand the addresses space (as found in IPv4) to something greater that 32-bits in a compatible: new API calls, data structures, DNS records, etc, were always going to be needed.
To list "not compatible" as a con of IPng/IPv4 is non-sensical.
I'm aware there's a middle box. My point is that the middle box is a compatibility layer which, by definition, has the effect of enabling compatibility (at least in one direction).
The usual "they should have designed it to be compatible" nonsense usually comes from the crowd with zero suggestions of how to have a 32-bit addressed device send to packets to something with an address outside its universe.
Point is that djb was as wrong then as they are now.
> They aren’t compatible. There is a device in the middle doing a translation for you.
The same could be said of the awful mess we have currently with IPv4 NAT almost everywhere on the current IPv4 network (and CG-NAT as well).
Which is to say, not.
DJB point about the magic moment makes sense to me. What is the point of a separate network that has 33% adoption? It has virtually no impact to alleviate IP address exhaustion, and therefore there is no incentive.
The vast majority of that ~%40 of internet traffic is in direct disagreement with said prophecy though. Mobile carriers like T-Mobile, Verizon, AT&T, Telstra, Deutsch Telekom, Orange, (...you get the idea) all used pure IPv6 backbones with NAT64 edges to role out mobile telecommunications without needing double/CG-NAT or boatloads of public IPv4. Each connection made via IPv6 is transparently 1 less NAT session out a public v4 address and the IPv6 design greatly optimized the way the mobile network cores were built out. This is what has driven the growth of IPv6 on the internet (as more users switch to mobile) rather than an explosion of wireline and business users making the switch.
Where pressure is still lacking is in "small" enterprise type case (like most businesses, regional health systems, local government facilities, and so on) where the difference isn't really that much vs networks with 100 million or more clients riding). Only when corps get to the size of e.g. Microsoft do they really start seeing similar value at the moment. Everyone else can scrape by just getting that small bit of IPv4 and forgetting about it for now.