I spent a WEEK without IPv4 to understand IPv6 transition mechanisms

  • Added on 2 June 2024
  • The time has come to talk about something uncomfortable to a lot of you. You've been using legacy methods for far too long. It's time to move to IPv6.
    But, of course, there's a lot more to IPv6 than 'just' switching everything over. A lot of systems in the world still haven't adopted it after nearly 25 years, and although software support is virtually a requirement these days, that doesn't mean it's widely enabled. There are also still a lot of misconceptions from network administrators who are scared of or don't properly understand IPv6, and I want to address all of that.
    But, for me to describe to you the best setup for your networks going forward, I need to understand for myself how all of the IPv6 transition mechanisms and behaviors work. To understand where transition mechanisms fail, I'm spending a full week with only IPv6 and reporting on what works and doesn't.
    Follow the full description of what I learned and the relevant transition technologies on my blog:
    www.apalrd.net/posts/2023/net...
    Feel free to chat with me more on my Discord server:
    / discord
    If you find my content useful and would like to support me, feel free to here: ko-fi.com/apalrd
    Timestamps:
    00:00 - The Challenge
    01:43 - NAT64 Concept
    04:35 - Day 1 Basic Internet
    06:29 - Day 2 macOS
    09:17 - Day 3 Windows
    11:36 - Day 4 Android
    12:40 - Day 5 Everything Works
    13:04 - Day 6 Strange VLAN Bugs
    14:18 - Day 7 Will I Keep IPv6?
    #ipv6 #networking
  • Science & Technology

Comments • 514

  • @roaridse 1 year ago +330

    Finally someone having IPv6 as a topic. Not many tech-youtubers do! Interesting topic on going v6 only, I have not tried this - just dualstack. Another important topic will be the ipv6-support on network devices. It's a bit ironic that a lot of them do not support management on v6....

    • @apalrdsadventures 1 year ago +31

      I've started to go IPv6-first in my tutorials, hopefully it raises some awareness of how it's not hard to deploy on your own devices.
      Currently none of my APs and only one of my switches supports IPv6 for management, but the APs are all between 3 and 8 years old at this point (mix of 802.11AC wave 1 and wave 2), so I guess I'd expect anything new to support IPv6 management. I'm not really happy with a lot of APs available anyway, though.
      The NAT64 server is also useful to connect to legacy devices, typing [64:ff9b::192.168.1.1] totally works as long as the routing can handle it.

    • @ai_university 1 year ago

      The main issue I have in my network

    • @joergsonnenberger6836 1 year ago +1

      @apalrdsadventures I've been lazy so far and not enabled IPv6 on the APs and switches here. I've been updating all hardware over the last three years with the goal of having at least SSH and TLS support on everything, IPv6 is easy in that regard.

    • @remty516 1 year ago +4

      @apalrdsadventures I'm sad to see that 3-8 years old devices are considered old and therefore not blamed for not having v6 support, since ipv6 has existed for so long... I wasn't even born when ipv6 was made and now I'm old enough to understand what it is and it's only starting to get adopted. A shame.

    • @apalrdsadventures 1 year ago +2

      There's definitely a huge difference between networking equipment with no / broken v6 support and not having v6 support on the management interface but passing traffic correctly. In my case, my oldest AP seems to improperly handle VLAN segmentation for IPv6 RAs, but the rest of them are /just/ lacking IPv6 on the management interface.
      All of my Mikrotik hardware has great IPv6 support, if only they made good radios as well.

  • @juliannesermon8057 1 year ago +282

    I have yet to encounter a network where this wouldn't cause problems. The fact that this is being done as a daring experiment speaks for itself.

    • @apalrdsadventures 1 year ago +75

      IPv4 literals in protocols / old software still using IPv4-only sockets (Steam was brought up for perpetuating this problem across their platform) is really the problem, OS support is excellent for clients at least. So at least we're getting closer.

    • @AndersJackson 1 year ago +14

      That you think this, is just because when this happens, you only notice when IPv6 has been misconfigured.
      You are probably running more IPv6 than you think. At least when using your mobile phone.

    • @lamjeri 1 year ago +24

      This kind of thinking is the reason IPv6 is not getting adopted. People are afraid of the change, or they are lazy to do the work, do the research and actually try and troubleshoot the things. IPv6 is ready for mass adoption. The network admins pulling their weight and actually using it is the only thing keeping it back.
      Over the years, people got somewhat used to the hack-and-slash of NAT and now they don't even realize how simple and beautiful would the network troubleshooting be, if you suddenly didn't have 6 NATs in a row and you could clearly see both source and destination from any point on the network.

    • @petevenuti7355 1 year ago +1

      @lamjeri what if I want to hide behind 6 nats , With all kinds of funky manually addressed subnetting in between‽ ...
      I also miss jumpers and being only one or two layers of abstraction from the hardware...
      Seriously though, if I don't want a public accessible IP address (as in, it don't exist, not relying on a third-party firewall) how is that done?

    • @Kilraeus 1 year ago +3

      @Pete Venuti Unique Local Addresses are a range in IPv6 for not having internet access. Specifically it is designed to be black holed not translated.

  • @eliotmansfield 1 year ago +80

    I learnt (and subsequently forgot) ipv6 more than 10 years ago because ‘we have run out of ipv4’ - yet 10 years later, we still have ipv4 and ipv6 still has issues and not really widely adopted.
    The only thing that will force widespread adoption will be some killer application or game that requires you to have a real non natted address which of course can only be done on ipv6

    • @joergsonnenberger6836 1 year ago +18

      In Germany, the last of the big ISPs has finally started to offer IPv6 by default in 2021. Many of them have also migrated to native IPv6 for their backbone, so IPv6 actually gives you a better network experience than IPv4. The more CGNAT is pushed to customers, the more it is noticeable. Already, IPv6 is the easiest way to actually get access to your home network and just working without tricks as long as you don't use some random guest Wi-Fi.
      There will be no killer application for IPv6 because there is just way too much legacy compatibility equipment in place. That doesn't mean that a well-designed application won't try a direct connection in place of going via the usual proxy servers, just to name one example.
      Concerning the running out of addresses: the pain is real, and the cost is growing. It's just not something a regular end user will see, as they have mostly been moved to CGNAT already. Various hosting companies have separate (lower) tariffs for IPv6-only deployment, just to name one example.

    • @FlaxTheSeedOne 1 year ago +5

      The thing is, it starts with you. You are a part of the Internet. Everyone and their homelab is part of it. If we all move this can be done, but with the mindset of: Yall have to do it first, before I do it is utterly backwards.

    • @espi742 1 year ago +25

      IPv4 has been exhausted for a while now. The IPv4 internet is held together by NAT and evermore double NAT.
      To be honest, NAT is fine, but it essentially killed most P2P and shaped the entire internet as client -> server.

    • @joergsonnenberger6836 1 year ago +16

      @espi742 It's worse. It forces centralization of services, it helps new oligopolies by increasing the barrier of entrance for new services, it wastes tons of resources.

    • @BrianCroweAcolyte 1 year ago

      @espi742 P2P is alive and well. If it is killed, it's probably only the case in third world countries that got the internet late. In America, the only time I've ever encountered CGNAT in the wild is on phone networks and newer Satellite internet providers like Starlink.

  • @varnull6120 1 year ago +107

    obviously we're gonna move to IPv6 sooner or later, but I'm gonna be honest, I've been hearing about IPv6 for so long, I can't ever imagine us finishing the transition. IPv6 is IT's nuclear fusion.

    • @tildey6661 1 year ago +7

      Reminiscent of the python 2 -> 3 transition in a way. Or carbon nanotubes…

    • @BrianThomas 1 year ago +4

      I agree with you. As I'm watching the video at the end. I'm thinking to myself. OK, but why? I understand the benefits that IPv6 brings, but if in your home network. Why go to all of the trouble and time when IPv4 works.

    • @dgpsf 1 year ago +3

      @BrianThomas If I understand it correctly, and I'm a noob with ipv6 really so forgive me, but anyway, if you use ipv6 for everything you don't need NAT. Which means you could access all the devices in your home each on its own dedicated routable IP. Whether you're in the home or not. Obviously you would need firewall rules to specify that they only accept traffic from say, your office's IP. Yes, a VPN would allow this and be safer. But this is just an example.
      Or you could run tons of separate servers on ports 80/443 all within your house.
      Anyway really the primary reason is actually to learn! Because we are at least already at a point where *some* devices don't and won't have v4 addresses, and we should understand how this actually works.

    • @BrianThomas 1 year ago

      @dgpsf Roger that. You're right. It does remove NAT and the need to open ports. I don't mind that so for me learning is the only benefit I can see. NAT or really PAT is only used for inside outside translation, so you don't really need it for network traffic translation inside a home network. Unless you're super wealthy and you have a massive home network that spans from state to state, which I have seen by the way.
      I know this might sound kinda goofy but I actually enjoy ipv4 over ipv6. I've spent so much time doing network segments by hand that it was fun. I tried ipv6. It gives me a headache 🤣. I think I need some whiskey and a little time before ipv6 starts to look good to me.

    • @Sammysapphira 1 year ago

      Sooner than later*

  • @TheDark0rb 1 year ago +137

    I guess part of the reason for the Apple devices working so well is that Apple actually has it as a hard (must) requirement for Apps in the App Store to work correctly in IPv6 only networks since 2016. They even point out that the testing should be done without cellular data enabled (WWAN) and should be done on WiFi only - makes sense that the underlying OS would behave well too as a result :) Nice video, guess I should revisit this on my own network some day.
    As I'm sure you know, the chicken/egg problem is made worse by ISP's not giving IPv6 to end users. Here in NZ our largest telco is ¯\_(ツ)_/¯ about it. Pretty much the rest of them support it and some even give static /56's for no cost which is nice.

    • @apalrdsadventures 1 year ago +18

      Apple's IPv6 support is really excellent, I wish other OSes cared this much.
      I get a dynamic /60 but it hasn't changed in 2 years so it's basically static. I do wish it was a /56 though, but apparently the ISP who owns half of the US can't afford that.

    • @mytech6779 1 year ago +5

      The OS really has nothing to do with IP addresses, networking is a separate service in general purpose computers.(Though the software is often bundled with the OS) The app store requirement is purely about customer service and has no relation to the OS.
      (Networking could be compiled directly into an OS kernel but it's not good practice outside of task specific embedded appliances like a router.)

    • @apalrdsadventures 1 year ago +24

      The networking stack is deeply embedded in most modern OSes, Linux for example has a massive amount of kernel infrastructure for Netfilter and IP routing.
      Apple's commitment to IPv6 led them to implement a very good CLAT system that is able to detect IPv6-only and IPv6-mostly networks and route IPv4 traffic over IPv6 transparently to applications. That's definitely not app-level code.

    • @dannestrom 1 year ago +3

      Same chicken and egg problem here. There are essentially no ISPs in Sweden that offer IPv6 connectivity. I am all in on Apple products, and could use IPv6 on my local network, but I really don't see the point, since all ISPs have IPv4 only addresses on the outside of the router. I don't have so many Apple devices either. Just a Mac, an iPhone, an iPad, an AppleTV and HomePod minis.
      The real benefit would come if some ISP would support IPv6 on the WAN side. Then I would switch immediately. Not to end users. I've been complaining to my ISP about this for the past 15 years or so. I have been wanting IPv6 for a long time.
      There are some ISPs that offer IPv6 in Sweden, but only to national authorities and big corporations.

    • @apalrdsadventures 1 year ago +8

      Here in the US virtually all home ISPs support IPv6 to some extent, and it's the businesses which are behind the times on updating. But you're right - RIPE called out Sweden specifically for having awful IPv6 deployment ( labs.ripe.net/documents/295/RIPE_NCC_Internet_Country_Report_IPv6_in_Sweden_May_2022.pdf and a map of the Nordic region labs.ripe.net/documents/320/RIPE_NCC_Internet_Country_Report_2022_The_Nordics_December_2022.pdf )
      So... big oof for Sweden I guess

  • @Vipervire 1 year ago +71

    This is a very under appreciated topic. Glad to see someone in the Homelab YTer space playing around with it!

    • @apalrdsadventures 1 year ago

      Glad you enjoyed it!

    • @James_Knott 1 year ago

      The problem is those with their head in the sand, who refuse to see the problems caused by IPv4.

  • @jeffbrl 3 months ago +1

    Network engineer/infra guy here. Your knowledge of advanced networking concepts is very impressive. I found your observations on the state of IPv6-only in a home environment (albeit a power user) to be very insightful. Sub earned!

  • @toxicbubble5 1 year ago +6

    25 years later and it almost works if you do a ton of effort and your ISP supports it and you manage your hardware and software end to end, and hold your tongue right and the stars align. Not a bad technology, but seems like support and will and migration effort is near zero at this point.

  • @emu071981 1 year ago +52

    Ah, IPv6. Twenty years on and it is still barely supported on the internet at large. I remember setting up IPv6 on my internal network many many years ago (~2005) and eventually giving up on it because I had no external IPv6 access which meant that I had to run a dual stack which caused a lot of hassles like DNS lookups taking forever because the OS would wait for the IPv6 to timeout before trying IPv4.

    • @oshavlfarms7239 1 year ago +3

      25 at this point... Or close to it

    • @espi742 1 year ago +2

      Nowadays with Happy Eyeballs running dual stack is basically painless.
      IPv6 only is a load of trouble still. Mostly because so many websites, services and apps don't support it.

    • @ReinierKleipool 1 year ago

      Hurricane Electric tunnels to get IPv6 into your router without ISP support.

    • @catchnkill 1 year ago +7

      No one comes out and admits that IPv6 has been a failure. It does not replace IPv4. The engineering team designing IPv6 made a fundamental mistake. They did not design the IPv6 to be backward compatible. Implementation of IPv6 is an add-on. You need dual-stack. You can never take away the IPv4 support. IPv4 has been so pervasive that dual stack will be there forever. Since IPv4 is always there, there isn't very strong incentive to change to IPv6 only.

    • @oshavlfarms7239 1 year ago

      @catchnkill 👆👆👆

  • @digital_sorceress 1 year ago +18

    Interesting - I've been a IPV4 nerd for a long time - and I'll admit I struggle with 6 - in theory if you understand one you should understand the other but yeah - lots of little practical gotchyas here and there. Seeing your success and the troubles you had here is helpful - Still I just - it's hard to go from "I am confident I can handle any network issue I run into in my v4 network" to having that new stuff plus all the translation going on to troubleshoot - like .. I guess if I were still doing sysadmin/networking for a living (long since moved into an adjacent field) so my hobby mode network at home is .. a little "get off my lawn" :)

    • @apalrdsadventures 1 year ago +4

      I started a few years back with IPv6 for clients only - they can go out to the internet via v6 and nothing else - and that was a pretty easy middle ground to have IPv6-web accessibility without redoing my network.
      So now I'm at the redoing my network point anyway (for other reasons).

    • @catchnkill 1 year ago +1

      I shall stick to IPv4 forever. There is really no incentive to use IPv6. The biggest ISP of my city does not assign IPv6 addresses to its subscribers. The largest mobile phone network also does not assign IPv6 addresses. Thus IPv4 can hang on forever. The largest stake holders do not assign IPv6 to their customers. They do not have any explanation on not assigning IPv6 addresses to their customers. Their action means a lot. IPv6 will never replace IPv4, never.

    • @iSkyLiTz 1 year ago +3

      @catchnkill Famous last words.

  • @Maleko48 6 months ago

    my man, your content is on point and thorough. thank you for all that you have produced and shared for us

  • @XtrAMassivE 1 year ago

    Thank you for going into this! Very useful information. I see you have lots of great stuff, instant subscribe! :)

  • @djnn22 1 year ago +1

    Interesting video!
    I have spent my time avoiding ip v6 for the latest years! Same goes for most ITs I know...Fun to see someone try it for real!

  • @JohnOBrien-hg8wm 1 year ago

    This is great work! Thank you for making this video. You managed to sum up the essential state of IPv6 deployment.

  • @nothingiseverperfect 1 year ago +2

    This is actually really interesting. Thank you for the experiment! Was able to learn a lot and learn that there’s a bunch of stuff I don’t know about 😂! Great vid!

  • @RobertPendell 1 year ago +5

    Yea. I was on T-Mobile's ISP connection and it used 464 XLAT which worked wonderfully. 99% of the time sites were fully unaware of the network oddities. Consoles saw double-nat but was functionally unhindered except for Nintendo consoles and handhelds when they were doing direct P2P multiplayer gameplay.

    • @apalrdsadventures 1 year ago +4

      if only Nintendo supported ipv6 natively they wouldn't have to worry about NAT getting in the way

  • @AlexBraunton 1 year ago +17

    This was a really great experiment. Next it would be good to move it to the rest of the house and see how your family cope! Can I ask, how did you get your network data into the Grafana dashboard? I'm guessing Prometheus but what actually generates the metrics data to get things like bandwidth and ipv4/ ipv6 segments?

    • @apalrdsadventures 1 year ago +5

      It's part of my existing monitoring using Telegraf and InfluxDB. I also use ntopng, but I didn't enable ntop on the vlan I used for this test.
      To separate IPv4 and IPv6 traffic, I had an intermediate Linux router (running Jool) which sits on the test vlan, and two additional vlans back to OPNsense. By logging the byte counters on the two vlan interfaces in OPNsense and using one for IPv4-only and one for IPv6-only, I got a separate log of IPv4/6 traffic.

    • @James_Knott 1 year ago

      Apparently bitcoin really likes it.

  • @johnmanderson2060 1 year ago

    Thanks a lot for the ride ! Very informative 👍🏻

  • @MrNoze007 1 year ago

    Amazing video man, keep making tests and reports I was having a debate with a friend about the way IPV6 operates.

  • @YoshiLightStar 1 year ago +4

    I remember being stuck with only a mobile hotspot and it only had working IPV6 which made many things a pain to use since stuff like Steam and some communication applications only support IPV4 for some reason despite IPV6 existing for ages now. Luckily something known as clatd ended being pretty useful and it made everything work quite well and smoothly after running it as if I was using a regular connection.

  • @julianlemmerich1732 1 year ago +10

    Very cool. I just started with an IPv6 only subnet as well and am planning to transition my homelab into it piece by piece.
    I too was surprised when IPv4 literals worked on my Android phone, because it automatically did CLAT.
    Currently I'm running Jool on a VM, because neither Unifi nor Mikrotik have NAT64 in their routers, which is very sad.
    Got a new subscriber from me and I'll be following along on the journey. :)

  • @WobblycogsUk 10 months ago +3

    In the late 90's I was studying at a computing department doing a lot of research into IPv6. The guys working on it thought it would be widely adopted within a few of years. With hindsight that seems silly but it's shocking we've not made more progress.

    • @apalrdsadventures 10 months ago +2

      It's really unfortunate, but NAT became the way of doing things and we got used to all of the problems it causes

    • @catchnkill 6 months ago +1

      Those IPv6 designers have made a fundamental mistake. They assume that all users will migrate to IPv6 within a few years. They threw out backward compatibility in IPv6. Due to no backward compatibility devices must be dual stack. Since every computing devices, OS are dual stack nowadays, there isn't any real strong incentive to migrate to IPv6. IPv4 will work forever. As long as IPv4 still works, there will not be a complete migration to IPv6. IPv4 will co-exist with v6 forever.

  • @landybible2604 1 year ago +5

    This is great information! I'm glad to see someone digging into IPv6. Many large ISPs are moving to IPv6-only core networks due to the lack of available IPv4 space, and are doing all sorts of tricks to get IPv4 "as a service" over top of those networks. Enterprises and ironically the more technically inclined home users are the main people lagging behind by disabling IPv6. Most home users never even notice when it gets enabled by their ISP because it just works.
    As a network engineer, I'm currently designing IPv6-only data center deployments because it's just too expensive to buy IPv4 space for everything and I don't want to deal with the pain of dual-stack everywhere. It's much simpler to just translate at the edge for the customers who can't access us over IPv6 yet.

    • @apalrdsadventures 1 year ago +6

      I'm always mad when I see tech tutorials disable IPv6 because they don't want to deal with it, or they feel like NAT is a security method. Enterprise and tech users included. It should be the default at this point!

    • @bellabear653 1 year ago

      @apalrdsadventures I have wondered the same thing, I would like to actually know once and for all what to do with it. 😂

  • @theshemullet 1 year ago +12

    Do you think you could do a fuller video on how you set up nat64 and dns64 on OPNsense? A start-to-finish video would be great.

    • @apalrdsadventures 1 year ago +5

      It's a bit of a struggle on OPNsense since FreeBSD's pf doesn't natively do NAT64, and there's no out of tree module for it on FreeBSD like Jool on Linux.
      The only method on OPNsense is Tayga via a plugin, but Tayga doesn't do the full process - it just does 1:1 stateful NAT address translation from an IPv6 pool to a smaller IPv4 pool and relies on the kernel to further normal masquerade address + port translation. You end up translating the entire IPv6 internal space into an RFC1918 private IPv4 space and then relying on the kernel to translate those IPs to a public IP/port, and doing it via a fake tun interface. Makes it easier on Tayga but is a bit of a hack imho. Tayga is also fairly abandoned, although it appears to still work fine.
      Jool does the full process (IPv6 address pool -> single IPv4 public address) and also has a lot more features (like static translation entries for 4->6 port forwarding and per-user assignments for CGNAT), so I installed Jool on a VM for this. That also gave me an easier way to setup logging without interrupting everyone else who relies on the network. Unfortunately it means I don't have a feel for how well Tayga works.
      I feel like OPNsense is a bit held back by pf vs netfilter on Linux. I like OPNsense a lot, but also wish it could do things that Netfilter can do.

  • @esra_erimez 1 year ago

    IPv6 scares me. Thanks for this video, it really helped demystify it for me.

  • @vladislavkaras491 6 months ago

    Great experiment!
    Thank you!

  • @donaldduck7268 1 year ago +3

    I asked the question to someone yesterday is it possible to have a home network work entirely on ipv6. Had a look on CZcams and like magic someone like yourself did it. Interesting vid. Thanks 😊

  • @RandomKSandom 1 year ago

    This was really interesting, thank you. I really, really need to get on to playing with, and understanding, IPv6. I've only been meaning to, for like, 20 years.

    • @_mnejing 1 year ago

      You and literally everyone else.

  • @ikerstges 1 year ago +7

    IPv6 to the masses!.. 🙂 Great video, I liked the format with the daily updates! I will stick around to find the 'nuggets' here, need to learn managing the routing with IPv6, figure out how I can choose my IPv6 addresses.. Thanks!

  • @msinfo32 1 year ago +5

    Would love to see a video looking on how to document a homelab.

    • @apalrdsadventures 1 year ago +5

      Still working on testing different software for documentation, but I'll probably have it figured out in the next month or so

  • @graealex 1 year ago +1

    Super-interesting. Currently researching NAT64 to run as a container, to bring the office to Ipv6 only.
    Btw IPv6-only (not even DS-lite) seems to be a common thing in certain mobile networks.

    • @apalrdsadventures 1 year ago +1

      I'm not sure of any open source options that can run as a container since all of them are pretty tightly integrated to kernel networking, even Tayga which isn't in-kernel still depends on creating kernel tun adapters.

    • @graealex 1 year ago

      @apalrdsadventures Target is mostly to run it on Mikrotik routers. Although you're right, and I am skeptical whether that's actually possible.

    • @apalrdsadventures 1 year ago +1

      I'm not sure if Mikrotik will let you configure a tun interface for the container to use with Tayga, it's a bit more complex than just setting it up on a normal Linux system. Although I agree it would be nice if Mikrotik supported Jool natively.

  • @Dygear 1 year ago

    This is a great video. Very, very, very cool. I do have some WebServers that don't yet have an IPv6 address assigned to them because my ISP doesn't assign them.

    • @apalrdsadventures 1 year ago

      What's really sad to me is when public servers don't have IPv6 assigned because someone didn't care to assign it. Some cloud providers now have more nodes than they can fit in the entire RFC1918 10/8 block, so they have to be all-IPv6 on their network (even if they tunnel / transit IPv4 for customers), so running your stuff in AWS and not having IPv6 is definitely not an ISP problem.

  • @bendono 1 year ago +6

    The major problem that I have with IPv6 is that my ISP only gives me a /64 address. I have multiple VLANs so need prefix delegation, but that is not possible with a /64 address. There are of course other options available, but none of them are very appealing to me. For example, I could manually set private IPv6 addresses for each VLAN and then NAT64 them to the global /64, but that largely negates the reason for IPv6.

    • @SJohnsoninc 1 year ago

      you can do DHCPv6 with less than a /64. Caveat: Android doesn't support DHCPv6. Android only uses SLAAC. And SLAAC doesn't work with anything other than a /64.

    • @codyrobinson6094 1 year ago

      You can create subnets still, it's just "recommended" to do that

  • @FritzCopyCat 1 year ago +1

    Nice work! I'd be keen to watch a video specifically on configuring NAT64/Jool.

  • @errorsofmodernism7331 6 months ago

    Good info, thanks for not playing music

  • @WilliamSwartzendruber 1 year ago +4

    I did this to my apartment in 2012. NAT64+DNS64 was brand new back then. As I recall, FTP had to be passive, and Skype just didn't work at all. Aside from that, everything functioned well. My family had no idea.

    • @apalrdsadventures 1 year ago +2

      FTP has problems even with normal IPv4 NAT already lol

    • @enochliu8316 1 year ago +1

      FTP passive is already needed in many IPV4 networks, and they simply did not bother adding active mode to IPv6.

    • @AlexanderRay92 1 year ago +1

      FTP is among the absolute worst protocols IMO

    • @James_Knott 1 year ago

      FTP has to be passive with NAT too. I learned this back in the 90s, when I got a cable modem and put a firewall on it.

  • @LampJustin 1 year ago

    Android actually has had Xlat since 4.2. something ;) but dunno about how good it works on wifi. Great video btw! There's so little ipv6 out there, it's a shame....

    • @apalrdsadventures 1 year ago +4

      From what I can tell, there are 3 different methods that can be used on IP networks to identify when 464xlat should be used - a RA flag, a DHCPv4 server which responds basically 'don't look here', and the well-known dns name ipv4only.arpa returning a quad-A record of a well-known IPv4 address in the NAT64 prefix. I setup the last one, and that seemed to please macOS. Windows (and possibly Android also) enables 464xlat on wwan interfaces only, so you can't force it on other interface types, which seems like a bare minimum kind of implementation to me.
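
Added example (not from the video, its blog post, or any commenter): the ipv4only.arpa detection method in the reply above and the [64:ff9b::192.168.1.1] literal from an earlier reply both rest on the RFC 6052 address mapping. The sketch below derives the NAT64 prefix from constructed AAAA answers as RFC 7050 describes and maps addresses in both directions, going beyond the /96 case in the thread to all six RFC 6052 prefix lengths; every function name and sample address is an assumption made here.

```python
"""RFC 7050 NAT64 prefix discovery and RFC 6052 address mapping (added example)."""
from ipaddress import IPv4Address, IPv6Address, IPv6Network

# Well-known IPv4 addresses that ipv4only.arpa resolves to (RFC 7050).
WKA = {IPv4Address("192.0.0.170"), IPv4Address("192.0.0.171")}
# The only prefix lengths RFC 6052 permits, longest first.
PREFIX_LENGTHS = (96, 64, 56, 48, 40, 32)

# Constructed sample: AAAA answers a DNS64 resolver using the well-known
# prefix would synthesize for ipv4only.arpa (not captured from a real network).
SAMPLE_AAAA = [IPv6Address("64:ff9b::c000:aa"), IPv6Address("64:ff9b::c000:ab")]


def v4_at(raw: bytes, plen: int) -> IPv4Address:
    """Read the four IPv4 octets that follow a /plen prefix, skipping octet 8."""
    pos, out = plen // 8, bytearray()
    while len(out) < 4:
        if pos == 8:          # bits 64-71 are reserved and carry no address bits
            pos += 1
        out.append(raw[pos])
        pos += 1
    return IPv4Address(bytes(out))


def embed(prefix: IPv6Network, v4: IPv4Address) -> IPv6Address:
    """Synthesize the IPv6 address a NAT64/DNS64 pair would use for `v4`."""
    if prefix.prefixlen not in PREFIX_LENGTHS:
        raise ValueError(f"/{prefix.prefixlen} is not an RFC 6052 prefix length")
    out = bytearray(prefix.network_address.packed)
    if out[8] != 0:
        raise ValueError("bits 64-71 of the prefix must be zero")
    pos = prefix.prefixlen // 8
    for octet in v4.packed:
        if pos == 8:          # leave the reserved octet at zero
            pos += 1
        out[pos] = octet
        pos += 1
    return IPv6Address(bytes(out))


def discover_prefixes(aaaa_answers):
    """Return the NAT64 prefixes implied by AAAA answers for ipv4only.arpa.

    An empty result means no DNS64 synthesis was observed (the real name has
    no AAAA records), so a client would not enable 464XLAT on this evidence.
    """
    found = set()
    for addr in aaaa_answers:
        raw = addr.packed
        if raw[8] != 0:
            continue
        for plen in PREFIX_LENGTHS:
            if v4_at(raw, plen) in WKA:
                found.add(IPv6Network((addr, plen), strict=False))
                break
    return found


def embedded_ipv4(prefixes, v6: IPv6Address):
    """Recover the IPv4 destination behind a synthesized address, else None.

    Useful when reading flow logs on an IPv6-only segment: native AAAA
    destinations return None, translated ones reveal the legacy IPv4 host.
    """
    for prefix in prefixes:
        if v6 in prefix:
            return v4_at(v6.packed, prefix.prefixlen)
    return None


if __name__ == "__main__":
    prefixes = discover_prefixes(SAMPLE_AAAA)
    print("discovered:", sorted(map(str, prefixes)))
    for p in prefixes:
        literal = embed(p, IPv4Address("192.168.1.1"))
        print("192.168.1.1 ->", literal, "->", embedded_ipv4(prefixes, literal))
```

RFC 6052 specifies the well-known prefix 64:ff9b::/96 for global IPv4 addresses only, and RFC 8215 reserves 64:ff9b:1::/48 for local-use translation, so a translator may need explicit configuration before it maps RFC 1918 destinations.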

    • @danoachs987
      @danoachs987 1 year ago +2

      @apalrdsadventures Yep, Android will happily use the 464xlat if you configure an "IPv6 mostly" network. I forget exactly which option is necessary to enable it. But we have a building on campus set up for IPv6 mostly which has the DHCP ipv6 only option enabled, DNS64, NAT64, and the RA flag all enabled. That seems to cover all devices that support it, such as the last two Mac OS versions, all recent iphones and android phones.

  • @Felix-ve9hs
    @Felix-ve9hs 1 year ago +1

    Can't wait to see the thin Client IPv6 video :D (and all other IPv6 content)

    • @apalrdsadventures
      @apalrdsadventures 1 year ago +1

      It's the next part in the hyperconverged cluster video, with a focus on networking, migration, ...

  • @richardbates6311
    @richardbates6311 1 year ago

    Thanks for the hard work.

  • @OscarCarlsson1986
    @OscarCarlsson1986 1 year ago

    Great, now I had to write down new stuff to learn and experiment with, so I can try this myself. :(
    Great experiment btw! :D

  • @IbilisSLZ
    @IbilisSLZ 1 year ago

    Good video.
    I myself tried IPv6 (dual-stack) when my provider (UPC, Poland) offered it. From within my network I had no problems. However (as I self host VPN to connect to my network from outside) it was only reachable from IPv6 networks (and network at my University or at work is IPv4 only) which made me switch back. Provider giving only /64 prefix wasn't encouraging either.

    • @apalrdsadventures
      @apalrdsadventures 1 year ago +2

      A lot of ISPs are going to CGNAT on IPv4, which means that you can't do inbound connections over IPv4 at all (other than via NAT hole-punching). IPv6 completely fixes this, but as you've seen there are a lot of businesses that aren't IPv6-capable on their WiFi even though they should be by now

  • @Darkk6969
    @Darkk6969 1 year ago +10

    I use IPv6 on the WAN for Wireguard clients. Works pretty well for T-Mobile devices. My internal network is still IPv4 only but once WG connects to the WAN I can still see my internal network just fine. I've tried dual stack IPv6 / IPv4 for my internal network and servers which created weird connectivity issues. I will go back and revisit this at some point. Have to find a good solid configuration setup in pfsense to support both IPv4 and IPv6.

    • @apalrdsadventures
      @apalrdsadventures 1 year ago +3

      If your home ISP is T-Mobile, you might have issues with a small prefix (or only one subnet).
      In general, since IPv6 is entirely publicly routable with no NAT, we need to get a routing prefix from someone who owns public address space. It's dirt cheap to buy your own /48 prefix directly compared to buying a few public IPv4s yourself, but residential ISPs won't peer with you over BGP to advertise your own prefixes (or public IPv4s). Instead, they will give you a block of their public prefix space using DHCPv6-PD. Usually they give you something from /60 (16 subnets) to /56 (256 subnets) for you to break up into individual subnets as you choose, and pfsense/opnsense both support this well.
      Mobile ISPs though tend to not support DHCPv6-PD and are designed for clients to directly connect to the radio / baseband processor without an intermediate router, so they usually provide a single /64 (one subnet). OPNsense can pass this along to a single LAN subnet, but then you can't do further subnetting.

    • @Darkk6969
      @Darkk6969 1 year ago

      @apalrdsadventures I have Comcast residential ISP so pretty much limited to what I can do without going commercial. I did set up DHCP6 in pfsense with /56 prefix so I can assign IPv6 to my VLANs. That was a fun learning experience on how to make it all work. It mostly did work but had weird routing issues.

    • @apalrdsadventures
      @apalrdsadventures 1 year ago +1

      In general, the DHCP6-PD you get from Comcast should be all you need. Plenty of space for subnets, no need for BGP or owning your own prefix.
      The only downside is you're tied to their prefix, so moving or switching ISPs means renumbering any static addresses.

    • @eDoc2020
      @eDoc2020 1 year ago

      @apalrdsadventures There's a solution to changing IPv6 prefixes on your local network: unique local addresses (fd00 range). It's pretty much the same as IPv4 private addresses. Give your hosts public addresses so they can talk with the outside world and use a ULA for everything within your network.

    • @apalrdsadventures
      @apalrdsadventures 1 year ago

      I've used ULAs a lot, but there are some quirks about multiple IPs on the same device that some software isn't ready for, even if it's otherwise IPv6-ready. Proxmox for example has no issues running with many IPv6s on one interface, but the network configuration GUI will keep reverting that bit every time you edit any network configuration from the GUI. Other software just has a textbox for IPv6 address along with IPv4 address.
      I was trying to see how OS support for route advertisements is to see if I could reliably have two routers (one for GUAs and one for ULAs) on the same L2 domain, and only macOS, Windows, and iOS picked up the fd...::/48 advertised route in addition to the local subnet's fd...::/64 on-link route and added it to their routing table. Everyone else went to the GUA default gateway, which means it's not reliable to have two routers for GUA/ULA and all of the traffic still needs to go via the default router or on-link. I was hoping to push ULAs to a managed switch (which has much more limited firewall ability) and GUAs via OPNsense, but inconsistent routing would break stateful firewalls along the path.

  • @neoney
    @neoney 1 year ago +1

    this video inspired me to add an ipv6 address to my server, and AAAA entries to my dns
    thanks

  • @wskinnyodden
    @wskinnyodden 1 year ago +1

    Quick question, does OPNSense support WiFi adapters and more specifically to be a WiFi ISP Client and also be an Access Point?

    • @apalrdsadventures
      @apalrdsadventures 1 year ago +2

      OPNsense is BSD based, which honestly has pretty terrible network adapter support in general (not just wifi). OpenWRT is probably what you are looking for, it's designed to replace firmware on WiFi hardware, although it's not quite as easy to use as a firewall/router as OPNsense it's certainly capable of it.

  • @TheIronPI
    @TheIronPI 1 year ago +3

    I did this myself too for a while and went back to dual stack. I came to mostly the same results, but some things you overlooked.
    The VLAN issue you have is a known Windows bug when an interface receives dotq tagged ipv6 packets, it assigns each prefix received to that interface. Realistically, probably shouldn't have a device handling multiple VLANs. The problems it causes far outweigh any benefits.
    Android can do 464XLAT, it just doesn't over WiFi. Sometimes it isn't IP literals, but the program's client socket isn't configured to IPv6 or IPv4v6 meaning even if you did DNS64 the ipv6 address wouldn't work.

    • @apalrdsadventures
      @apalrdsadventures 1 year ago +2

      I don't think it's a Windows bug since I'm using macOS. I did make sure the switch isn't configured to pass any VLAN traffic to devices which shouldn't be handling VLANs, so it must be caused by a device on the network which is expected to handle VLANs. That leaves OPNsense itself, Proxmox, and my WiFi APs.
      The built-in CLAT on macOS is wonderful, I don't see why Android (and Windows) can't enable it for all interfaces.

    • @James_Knott
      @James_Knott 1 year ago

      @apalrdsadventures Any TP-Link gear? They had a problem with multicasts.

  • @Gazelle8
    @Gazelle8 1 year ago

    This was real cool as someone interested in networks

  • @rafaelmanochio6990
    @rafaelmanochio6990 1 year ago

    Amazing content!

  • @fbifido2
    @fbifido2 13 days ago

    Keep us posted on your IPv6 only network !!!!

  • @eDoc2020
    @eDoc2020 1 year ago +14

    At the time I last seriously considered using IPv6 my ISP was showing no signs of supporting it, I have plenty of legacy devices, and it just seemed too much to handle. More recently I was using my laptop at my old workplace and asked Google for the public IP address and was super surprised to see an IPv6 number. It just worked with Comcast and Windows 7. It's probably time for me to recheck my home ISP and try to go dual-stack.

    • @apalrdsadventures
      @apalrdsadventures 1 year ago +6

      Dual stack tends to 'just work', since most client software and OSes will transparently find out if a given server should use IPv6 or IPv4 with basically no delay to the user. Old devices will stay IPv4-only and new ones will prefer IPv6.
      Going further than dual stack is where you start to see issues with clients who can't handle IPv6.

    • @AndersJackson
      @AndersJackson 1 year ago

      Old devices usually only be used internally in your local network. They can use a private network, but not reach Internet.

    • @MINIMAN10000
      @MINIMAN10000 1 year ago

      I paid for an IPv6 vps and honestly that was no problem because cloudflare is able to handle the IPv4 side of things, you just run the webserver and connect it up with cloudflare and it all just worked.

    • @James_Knott
      @James_Knott 1 year ago +1

      If your ISP doesn't provide IPv6, you can always use a 6in4 tunnel from Hurricane Electric. They provide a /48 for free.

    • @eDoc2020
      @eDoc2020 1 year ago

      @James_Knott For some reason I was under the false impression that they had discontinued that service. I played around with it on my microserver years ago but IIRC it stopped working and I never investigated. My biggest problem with the service is they provided your personal info in the public WHOIS for the block. Lying is an option but I'd rather not do that.

  • @lepsycho3691
    @lepsycho3691 1 year ago +1

    Thx for the deep dive on the practical usage of ipv6! I think I will hold out a little bit longer on it as so far, I don't see many benefits for my network!
    If you are interested in deeper dive of this subject, I would love to see you do further testing on performance compared to ipv4 (latency in gaming or cloud application) and maybe an exploration on the implication of ipv6 in a CGNAT setup (only the theory if this is not your case).
    Cheers!

  • @aarcaneorg
    @aarcaneorg 1 year ago

    can you share some more info on which access points work fine and which are misbehaving?

  • @ehink2716
    @ehink2716 1 year ago +1

    where did you get public internet routable IPv6 space to use on your home network devices? I thought most ISPs were assigning IPv4 addresses to customer routers, so how would you route IPV6 over the internet?

    • @apalrdsadventures
      @apalrdsadventures 1 year ago +2

      A lot of ISPs provide both IPv4 and IPv6 connectivity, so I get a prefix via DHCP6-PD from my ISP. At this point they *should* all provide IPv6, the larger ones tend to be IPv6-focused (i.e. mobile ISPs were very quick to go all-IPv6 and make phones do 464xlat) and small ones tend to be behind the times.

    • @ehink2716
      @ehink2716 1 year ago

      @apalrdsadventures do you run this on a residential service or you purchase through like level3 or something. I believe cox and Comcast do ipv4

    • @apalrdsadventures
      @apalrdsadventures 1 year ago +1

      Comcast definitely does IPv6 if your router supports it

    • @ehink2716
      @ehink2716 1 year ago +1

      @apalrdsadventures okay thanks I will look into this, do they support both ipv4 and ipv6 on the same device?

    • @apalrdsadventures
      @apalrdsadventures 1 year ago +1

      Yeah, it's very common to run both IPv4/IPv6 together. That would be a 'dual stack' configuration, but you have to manage both, hence the desire to get to IPv6-only eventually.

  • @paulstubbs7678
    @paulstubbs7678 1 year ago +2

    It'd be good to see a good intro to IPv6, on v4 I have no real issues with addresses etc, however v6 looks more like a core dump. How does it work? A bit ago I was trying to use IPv6 to telnet into a box, it didn't go well.

    • @apalrdsadventures
      @apalrdsadventures 1 year ago

      In general if you just put everything in DNS clients will pick and use IPv6 automatically, typing the addresses manually has a few quirks (especially in Windows)

  • @ShinyTechThings
    @ShinyTechThings 1 year ago +2

    I've ignored IPv6 pretty much forever, especially since IBM WebSphere with CICS and TS Series don't work right with IPv6 but I guess I should start in certain environments sooner rather than later.

    • @apalrdsadventures
      @apalrdsadventures 1 year ago

      In general if software uses the name-based protocol agnostic APIs then it shouldn't care, unless it's extremely old or poorly written. Some programs have poor string processing (looking for a.b.c.d instead of passing IP validation to the OS, for example) but it's improving a lot.

    • @joergsonnenberger6836
      @joergsonnenberger6836 1 year ago

      @apalrdsadventures A surprising number of programs can't properly handle multiple addresses for a given DNS entry and properly fall back to the 2nd or 3rd entry on connection failures. That's what is hurting dual stack networks worst. Ironically, it also means that those programs generally are a lot more fragile.

  • @vincentschumann937
    @vincentschumann937 1 year ago

    had an issue with my laptop where ipv4 broke, not even 127.0.0.1 was reachable, taught me how much of the internet is still living in the past

  • @SJohnsoninc
    @SJohnsoninc 1 year ago

    For the "static leases" you can try using private VLANs. That problem is happening because all of the local addresses are within the same network layer (layer 2), and layer 2 doesn't care about IP addresses at all, i.e. the packets are switched, not routed, so there's nowhere for the NAT64 to even sit between them.

    • @apalrdsadventures
      @apalrdsadventures 1 year ago

      In this case, they aren't on the same L2 since I have a separate VLAN for IPv6-only LAN vs my normal LAN. So clients on the IPV6-LAN should be able to go through the NAT64 server to the normal LAN, which does work correctly if I type the address in with the prefix.
      Even on the same L2 though, the 64:ff9b prefix goes to the default v6 route -> NAT64 server -> normal IPv4 routing tables, so it can make its way back to the LAN even if the request originated from the LAN via v6. NAT64 doesn't need to physically sit in-between, since a v6-only client can't talk to v4 clients even if they are on the same L2 network, it will route packets via v6 to the NAT64 and the NAT64 will separately route packets via v4.
      The only issue is that Unbound is not synthesizing quad-A's for static leases and host overrides which result in only A-records, only synthesizing external addresses which result in only A-records. I'm not sure if other DNS resolvers / forwarders do the same, but I'm going to try CoreDNS going forward and see how that goes.

    • @autohmae
      @autohmae 1 year ago

      @apalrdsadventures Easiest is probably to just run 2 Unbounds or any other DNS resolver combination.

    • @apalrdsadventures
      @apalrdsadventures 1 year ago

      I've been playing with CoreDNS and it does quad-A synthesis further down the processing chain than local lookups (via zone files or hosts files), so they get DNS64'd as well. It's just a quirk of Unbound I guess.

  • @ReinierKleipool
    @ReinierKleipool 1 year ago

    Very interesting experiment!
    So the CPE of the ISP still needs a public IPv4 address. When will that go away?
    Another nice experiment: An IPv6 only server (in a cloud somewhere) How many people / devices can reach that server?

    • @apalrdsadventures
      @apalrdsadventures 1 year ago

      If the ISP would provide a NAT64 prefix, it would resolve the need for clients to go 6->4 on their own network followed by 4->6 in the CPE and 6 across the ISP network.
      Mobile ISPs do this - the NAT64 prefix is advertised to clients over an IPv6-only network, and if the phone needs IPv4 it will enable its CLAT automatically

    • @JivanPal
      @JivanPal 8 months ago

      One alternative that some ISPs deploy is called MAP-T. This is basically a set of 464XLAT deployments (one per customer). Each customer's CPE is a CLAT, and the ISP has a fleet of stateless PLATs on the edge of their IPv6 cloud in order to talk to the IPv4 world. What makes the PLATs stateless is that they have a shared fixed mapping (hence the name MAP) between [IPv4 address, TCP/UDP port number] ranges and IPv6 prefixes, and each CPE is assigned one such prefix via DHCPv6-PD or the like. The CLAT on the CPE is stateful, keeping track of the NAT masquerading it does between [IPv4 address, TCP/UDP port number] values on the LAN and [IPv6 address, TCP/UDP port number] values on the WAN, in the manner of traditional NAT44, but it's NAT46 instead.
      IMO, it's the best transition mechanism out there, and one of its advantages is that it doesn't rely on the customers' devices having 464XLAT built in. It's all well and good having an up-to-date MacBook or iPhone, but what about older devices or different brands? The main thing that I simultaneously do and don't like about MAP-T is that it still results in the LAN being dual-stack; 464XLAT as intended definitely has the single-stack thing going for it.
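The fixed mapping described in the comment above is what lets the ISP-side translators run without per-flow state, and it also means a public IPv4 address and source port seen in a server log can be traced to one customer prefix by arithmetic alone. Added example (not from the comment or any ISP's deployment) of the basic mapping rule arithmetic from RFC 7597, which MAP-T (RFC 7599) reuses; the rule values are sample documentation prefixes and `MapRule`, `customer_mapping`, `port_ranges` and `attribute` are hypothetical names.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class MapRule:
    rule_v6: str          # IPv6 prefix shared by every customer under this rule
    rule_v4: str          # IPv4 prefix the shared public addresses come from
    ea_bits: int          # embedded-address bits: IPv4 suffix followed by PSID
    psid_offset: int = 6  # leading port bits never handed out (6 skips 0-1023)

    def __post_init__(self):
        if self.psid_len < 0 or self.contiguous_bits < 0:
            raise ValueError("rule lengths do not fit a 16-bit port")

    @property
    def v6(self):
        return ipaddress.IPv6Network(self.rule_v6)

    @property
    def v4(self):
        return ipaddress.IPv4Network(self.rule_v4)

    @property
    def psid_len(self):
        # EA bits left over after the IPv4 suffix identify the port set.
        return self.ea_bits - (32 - self.v4.prefixlen)

    @property
    def contiguous_bits(self):
        # Low port bits that stay free inside each range.
        return 16 - self.psid_offset - self.psid_len


# Sample rule in documentation address space (assumption, for illustration).
SAMPLE_RULE = MapRule("2001:db8::/40", "192.0.2.0/24", 16)


def customer_mapping(rule, end_user_prefix):
    """Return (shared public IPv4, PSID) for one customer's delegated prefix."""
    prefix = ipaddress.IPv6Network(end_user_prefix)
    expected_len = rule.v6.prefixlen + rule.ea_bits
    if prefix.prefixlen != expected_len or not prefix.subnet_of(rule.v6):
        raise ValueError(f"{prefix} is not a /{expected_len} inside {rule.v6}")
    ea = (int(prefix.network_address) >> (128 - expected_len)) \
        & ((1 << rule.ea_bits) - 1)
    suffix = ea >> rule.psid_len
    psid = ea & ((1 << rule.psid_len) - 1)
    return rule.v4.network_address + suffix, psid


def port_ranges(rule, psid):
    """List the (first, last) port ranges a PSID owns on its shared address."""
    a, m = rule.psid_offset, rule.contiguous_bits
    ranges = []
    # With a non-zero offset the all-zero leading value is never assigned.
    for high in range(1 if a else 0, 1 << a):
        start = (high << (16 - a)) | (psid << m)
        ranges.append((start, start + (1 << m) - 1))
    return ranges


def attribute(rule, public_v4, port):
    """Reverse lookup: which customer prefix owns this public address + port?"""
    addr = ipaddress.IPv4Address(public_v4)
    if addr not in rule.v4:
        raise ValueError(f"{addr} is not covered by {rule.v4}")
    if not 0 <= port <= 65535:
        raise ValueError("port out of range")
    a, k, m = rule.psid_offset, rule.psid_len, rule.contiguous_bits
    if a and port >> (16 - a) == 0:
        raise ValueError("port is in the excluded low range; no customer owns it")
    psid = (port >> m) & ((1 << k) - 1)
    ea = ((int(addr) - int(rule.v4.network_address)) << k) | psid
    length = rule.v6.prefixlen + rule.ea_bits
    base = int(rule.v6.network_address) | (ea << (128 - length))
    return ipaddress.IPv6Network((base, length))


if __name__ == "__main__":
    v4, psid = customer_mapping(SAMPLE_RULE, "2001:db8:12:3400::/56")
    print(v4, hex(psid), port_ranges(SAMPLE_RULE, psid)[:2])
    print(attribute(SAMPLE_RULE, "192.0.2.18", 2257))
```

Because neighbouring port ranges belong to different customers, any log used for attribution has to record the source port as well as the address.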

    • @ReinierKleipool
      @ReinierKleipool 8 months ago

      @JivanPal This is indeed very nifty!
      Last month I switched to another ISP. These guys provide full IPv6 to their CPE. Complete with Prefix Delegation! Now every device internal has a global scope IPv6 address!
      Unfortunately the CPE does not provide access to the IPv6 firewall. Are all my devices now unprotected on IPv6?🤔 Does every device need local security rules?
      Anyhow these guys are way better than my last provider and my hosting provider. Both come without IPv6... How is that possible in the first quarter of the 21st century?

    • @JivanPal
      @JivanPal 8 months ago

      @ReinierKleipool > Unfortunately the CPE does not provide access to the IPv6 firewall.
      If your ISP has any sense, they will have given you a CPE whose firewall's default behaviour is to only allow outbound connections to be initiated. The easiest way to test this is to try to connect to your devices from the WAN side / public internet. If you can't connect, try a traceroute (Linux `traceroute` command lets you specify whether to trace the route using ICMPv6, UDP, or TCP; Windows `tracert` only uses ICMPv6) to see where the packets get dropped. If it's at your CPE, you're good.
      If you'd like more assurance or control, I highly recommend deploying your own router/firewall directly behind your CPE on the LAN side. In most cases, you will even be able to replace the CPE with that entirely; you just need to know how to establish a connection with your ISP. Some are still old school and use PPPoE usernames and passwords, for example.

    • @JivanPal
      @JivanPal 8 months ago

      @ReinierKleipool > Both come without IPv6... How is that possible in the first quarter of the 21st century?
      ISPs need to deploy IPv6-capable layer-3 equipment (routers and multilayer switches) to replace or work alongside their existing IPv4-capable deployments. Businesses almost always fail to see any benefit to the associated costs. Change is mostly pushed by customers demanding IPv6 features from their vendors, and switching to different vendors if their current vendor says "no."
      On the residential consumer side, the situation is much the same; home users are simply ignorant of IPv6 and don't have a specific use-case for it compared to IPv4. Their internet connectivity "just works", until it doesn't, e.g. "hey, ISP, I want to host a Minecraft server but I'm behind double-NAT", or "hey, ISP, I'm trying to play this multiplayer Xbox game but my Xbox is complaining that you use something called 'CGNAT'. Fix it please."
      Until customers continue to vote with their wallets to persuade change (which is extremely hard in places where there are monopolies, e.g. most of the USA; you only need to look at ARIN's IPv6 delegation sizes to American ISPs to see this; lots of American ISPs are giving people /64s rather than /56s or /48s, compared to Europe where RIPE routinely gives /28s to ISPs so that they can give customers /48s, and routinely asks for more address space from IANA), change simply will not happen.

  • @EwanMarshall
    @EwanMarshall 1 year ago +1

    IPV6 UNC literals are possible with a transcription method listed on the wikipedia IPV6_address page. That said, I do not like the method being that MS did not keep the domain for it which now has special internal coding attached to it in windows.

    • @apalrdsadventures
      @apalrdsadventures 1 year ago

      Yeah, definitely a pretty awful solution by MS, but just using DNS names is the way to go really. Even mdns names for home networks.

  • @arranmc182
    @arranmc182 1 year ago +2

    When I did my CCNA back in 2009 they said IPv6 is best for WAN use and IPv4 for LAN use as IPv6 can be a pain in the ass as sometimes different brands of gear don't play nice on IPv6 so if you do go IPv6 try to get all the same brand when possible.

  • @kwinzman
    @kwinzman 1 year ago

    Were you using the Discord website, or the Discord client app on your Mac? I just checked that in fact Discord publishes AAAA records (via CloudFlare). Why was Discord trying to send you or rather embed an IPv4 address for the video relay when it knows you're connecting to it over IPv6? That doesn't seem logical to me?

    • @apalrdsadventures
      @apalrdsadventures 1 year ago

      Discord doesn't use Cloudflare for their voice relays, so that part breaks in IPv6 but the rest of Discord works fine

    • @kwinzman
      @kwinzman 1 year ago

      @apalrdsadventures That's so odd why they would make only half of their service IPv6 ready? They probably used the CloudFlare cache in front of their service which happens to support it and called it a day. But wouldn't they have more customers in Asia where IPv6 supposedly is more prevalent? Who knows. Thanks for the reply!

    • @apalrdsadventures
      @apalrdsadventures 1 year ago +1

      They probably didn't intend to make any of it IPv6-ready, but CloudFlare did it for them

  • @jhoughjr1
    @jhoughjr1 1 year ago

    I've been thinking of this to see if it helps performance.

    • @apalrdsadventures
      @apalrdsadventures 1 year ago

      Depending on your ISP, if they are carrying IPv4 as a service (over an IPv6 core) you should have lower latency since it avoids the NAT64 service. If they are not carrying IPv4 as a service it won't make a difference.

  • @Daniel15au
    @Daniel15au 1 year ago

    Can you do a followup where you use 464XLAT on other OSes? Some ISPs use 464XLAT on their end so I imagine there's some way to do it via server even on OSes that don't natively support it.

    • @apalrdsadventures
      @apalrdsadventures 1 year ago

      I'm working on a video showing both sides of my setup, Jool (the NAT64) and clatd (a CLAT daemon for Linux), but Jool can also be set up as a 464xlat CLAT and it's possible to make OpenWRT do this.

  • @nickjongens2169
    @nickjongens2169 1 month ago

    Recently discovered the need for ipv6 when using Matter (can create its own ipv6 stack). Might speed along ipv6 deployment.

    • @apalrdsadventures
      @apalrdsadventures 1 month ago +1

      Matter hubs will act as v6 ULA routers if there isn't functional v6 already, but eventually the devices will just stop doing v4 entirely and at least your LAN will need v6 to talk to everything.

  • @tea1567
    @tea1567 4 months ago

    mmm What would be the issue for isps to provide dns64 or a "dns46"(for legacy systems~) what are the issues with map-t/map-e protocols in terms of stability and.. translation speed

    • @apalrdsadventures
      @apalrdsadventures 4 months ago

      Using DNS64 requires NAT64 to function, which has roughly all of the issues with latency, stability, single point of failure, speed, etc. that CGNAT gateways have in IPv4.
      So if an ISP isn't doing CGNAT (they are doing public IPs all the way), it's a box in their network that stores a lot of state and becomes a single point of failure (but only for v4 traffic, not all the traffic).
      If they are already doing or planning on going to CGNAT, there are no downsides, and using NAT64 for the CGNAT function (464xlat / map-t to translate back to v4 at the client) means their core can be v6-only, using the NAT64 function both as a v4 cgnat and v6 nat64. This is the preferred model for mobile devices, who can rely on the phone to do NAT46 ('CLAT'). For fixed providers it depends on if their network vendor can do CLAT on the customer modem / router and if this means customers can't use their own router, or they have to do CLAT on their provider edge routers (cable modem headend / fiber OLT).

  • @FlaxTheSeedOne
    @FlaxTheSeedOne 1 year ago +3

    My problem is I only get a /64 and sometimes not even that, I sometimes have to pull a dynamic 2002:...::/64 from the 4-6 tunnel prefix. And further subdividing it creates its own set of problems. Which kinda sucks that no one implements ipv6 in a way that's easily usable. I would be so jealous of the /60 net :DD

    • @Yggdrasil42
      @Yggdrasil42 1 year ago

      That sucks. All providers I've used (in The Netherlands) have provided /48 to their customers as recommended by the IPv6 RFCs. Even getting a /56 would be acceptable, but a /64?! Which exec thought that was a good idea?...

    • @FlaxTheSeedOne
      @FlaxTheSeedOne 1 year ago

      @Yggdrasil42 sometimes not even that. If you want an ipv4 with that isp they drop v6 entirely and you have to do 6to4

  • @DxCBuG
    @DxCBuG 1 year ago

    i did ipv6 prefix dispatching to a raspberry pi that then acted as a DHCP Server / Router and used a notebook behind it for a while.
    It mostly works fine for the standard web stuff until it doesn't (ubuntu updates, smaller websites i consume). It was really 50:50
    For a lab environment good, for daily use ... still would not recommend.

  • @FadkinsDiet
    @FadkinsDiet 10 months ago

    Which microphone do you use for recording?

  • @redcrafterlppa303
    @redcrafterlppa303 1 year ago

    I have a private home server but my isp only provides unique ipv6 addresses and ipv4 is shared. Is there any service or tool to allow ipv4 clients to connect to my ipv6 server? Thanks in advance.

    • @apalrdsadventures
      @apalrdsadventures 1 year ago

      If you have a single public IPv4, you can 'port forward' using NAT64 - Jool supports a method of port forwarding where a public IPv4+port maps to an internal IPv6+port. As to actually setting up Jool.... I'm working on a decent tutorial for that, it's Linux only and the options for open-source firewalls tend to be BSD based.
      If you have no IPv4 (CGNAT), I'm not sure exactly which companies offer this, but a layer 4 load balancer *should* work for most TCP based applications - they will terminate the TCP socket, open a new one to you, and pass bytes between. Not quite the same as port forwarding, but for most applications that use TCP it should be acceptable. If you're doing HTTP(S) in particular this is an easy option.
      A last option is to run a generic virtual private server to get public IPv4, then run NAT64 on the VPS to port forward back home. No need for a VPN to be involved, the server would purely do NAT to the publicly exposed IPv6. This would be similar to you running Jool on your own router, just not on your own router. I'm sure it'll come up in a video of mine eventually, but not soon.

    • @joergsonnenberger6836
      @joergsonnenberger6836 1 year ago

      You could try to use Teredo, which is an IPv6 tunnel protocol supported e.g. by Microsoft out of the box.

  • @mytech6779
    @mytech6779 1 year ago +71

    IPv6 is a lesson in how not to create and rollout a new standard. First off they have this massive address space and didn't reserve any of it to directly map to ipv4 which would have made the transition super slick. Another big part of the problem (aside from some needless complications and the long lifespan of network devices), is that by the time v6 was standardized everyone had fully adapted to NAT[most anti-nat arguments are 30 years old], then the copyright lawsuit abuses and mass data collection spiked and people realized that having many nodes anonymised behind one address actually has some value. (And no I'm not saying nat is security against targeted attacks or fools freely posting their info. That is a separate security issue from semi-anonymity and reasonable doubt provided by open guest wifi.)
    An equivalent to nat anonymity could be created with the v6 address space via some rotating subnet dynamic address allocation solution but it's not clear how vendors are setting up defaults.

    • @apalrdsadventures
      @apalrdsadventures 1 year ago +28

      With V6 you get random privacy addresses which give you as much anonymity as NAT did (you'd previously have a single outgoing IP for NAT, now you have a single outgoing prefix for the router and the suffixes are random).

    • @xpehkto
      @xpehkto 1 year ago +4

      @apalrdsadventures you are assuming a private NAT here, while privacy arguments are usually about carrier grade NAT.

    • @paulschmidt7473
      @paulschmidt7473 1 year ago +1

      It should have been simple math, for example we assign a block to IP4 say:
      100:0
      so for example if we have an IP4 address of 192.168.2.5 then we convert each to hex: 192 = C0, 168 = A8, 2 = 2, and 5 = 5 and we mash these together in sextets leaving us with: C0A8 and 0205 giving us a translated address of 100:0:C0A8:205
      A piece of equipment can then just take the address, shove the bits into the right places, and you don't need to fix what doesn't need fixing. Now as the assigning authorities allocate new addresses, they would just need to avoid that 100:0 block, and it would take less than 1 hour for network software developers to write the translation block. Now you could also allocate a fixed block, say 100:1 for NAT.
      Because they made it so hard to do, and confusing, many networks have not moved to it.

    • @apalrdsadventures
      @apalrdsadventures 1 year ago +7

      That translation prefix exists - 64:ff9b::/96 - for IPv6 to IPv4 translation. Software usually allows you to write it as 64:ff9b::192.168.1.1 even. It's not allowed to be used for RFC1918 addresses since it's presumed to only route to the public internet. However, networks can also designate their own prefix for this purpose.
      It's one-way though, 6->4, you can't map the entire IPv6 internet into IPv4 space.

    • @graealex
      @graealex 1 year ago +3

      @paulschmidt7473 I recommend researching IPv6 a bit more. There are multiple prefixes and ways to map IPv4 into IPv6, however, a host that doesn't have an IPv4-address still can't talk to another IPv4-host, solely because he wouldn't have a source address to provide to the recipient, which in turn couldn't answer the connection. Should be logical.
      That's where NAT64 comes into play, it provides a valid IPv4-address and bridges between the host.
      In addition, routing for both protocols is completely independent. It's not just a few more bits in the address, it's a whole new protocol, otherwise some of the drawbacks couldn't have been fixed.
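How the 64:ff9b::/96 mapping from this thread and the ipv4only.arpa discovery trick mentioned earlier in the comments fit together, as an added example that is not part of any comment: it embeds and extracts IPv4 addresses per RFC 6052 for every allowed prefix length (more than the /96 case discussed here) and recovers the NAT64 prefix from a DNS64 answer per RFC 7050. The function names and the sample answers are constructed for illustration.

```python
import ipaddress

# ipv4only.arpa only has A records for these two addresses (RFC 7050), so an
# AAAA answer for that name can only come from a DNS64 and exposes its prefix.
WELL_KNOWN_V4 = {ipaddress.IPv4Address("192.0.0.170"),
                 ipaddress.IPv4Address("192.0.0.171")}
WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")
PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)  # the only lengths RFC 6052 allows
RFC1918 = [ipaddress.IPv4Network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def v4_positions(prefixlen):
    """Byte offsets of the four IPv4 octets; byte 8 (bits 64-71) is skipped."""
    if prefixlen not in PREFIX_LENGTHS:
        raise ValueError(f"/{prefixlen} is not a valid NAT64 prefix length")
    positions, pos = [], prefixlen // 8
    while len(positions) < 4:
        if pos != 8:
            positions.append(pos)
        pos += 1
    return positions


def embed(prefix, v4):
    """Synthesize the IPv6 address a DNS64 or CLAT would use for an IPv4 host."""
    net = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv4Address(v4)
    # The well-known prefix is reserved for the public internet, so private
    # targets need a network-specific prefix instead.
    if net == WELL_KNOWN_PREFIX and any(addr in n for n in RFC1918):
        raise ValueError(f"{addr} is RFC 1918 space; not allowed in {net}")
    raw = bytearray(net.network_address.packed)
    if raw[8] != 0:
        raise ValueError("bits 64-71 of a NAT64 prefix must be zero")
    for pos, octet in zip(v4_positions(net.prefixlen), addr.packed):
        raw[pos] = octet
    return ipaddress.IPv6Address(bytes(raw))


def extract(prefix, v6):
    """Recover the IPv4 destination from a translated address (NAT64 side)."""
    net = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv6Address(v6)
    if addr not in net:
        raise ValueError(f"{addr} is not inside {net}")
    raw = addr.packed
    return ipaddress.IPv4Address(bytes(raw[p] for p in v4_positions(net.prefixlen)))


def discover_prefix(aaaa_answers):
    """Find NAT64 prefixes in the AAAA answers for ipv4only.arpa.

    An empty result means no DNS64/NAT64 is present on this network.
    """
    found = set()
    for answer in aaaa_answers:
        addr = ipaddress.IPv6Address(answer)
        raw = addr.packed
        for plen in PREFIX_LENGTHS:
            candidate = ipaddress.IPv4Address(
                bytes(raw[p] for p in v4_positions(plen)))
            if candidate in WELL_KNOWN_V4 and raw[8] == 0:
                found.add(ipaddress.IPv6Network((addr, plen), strict=False))
    return sorted(found)


if __name__ == "__main__":
    # Constructed AAAA answers, as a DNS64 using the well-known prefix returns.
    answers = ["64:ff9b::c000:aa", "64:ff9b::c000:ab"]
    for net in discover_prefix(answers):
        print("NAT64 prefix:", net)
        print("198.51.100.7 ->", embed(net, "198.51.100.7"))
```

A client that accepts whatever prefix the resolver returns sends all of its IPv4-bound traffic to that prefix, so the discovered value is only as trustworthy as the DNS path it arrived over.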

  • @rchandraonline
    @rchandraonline 1 year ago +1

    not sure I can do this. Roku and HD Homerun do not support IPV6 at all, and not sure I can glue them to the LAN at all, with for example a Linux router.

    • @apalrdsadventures
      @apalrdsadventures 1 year ago +3

      dear god I just read the Roku forums and it's absolutely wild that they are running a Linux based thing and don't support IPv6 sockets on their devices. What is wrong with them??
      It looks like HDHomeRun added support for IPv6 on their end in a firmware update some time last year, covering the last 2 generations of devices, so it's not great but they've also fixed the issue already going forward.

  • @byrd203
    @byrd203 1 year ago

    To prevent router advertisements, enable VLAN isolation; this will stop the advertisements, and if you want to talk it needs to talk to the router and not the switches. Enable VLAN isolation on switches and routers.

  • @lfjvs
    @lfjvs 4 months ago

    I set my network to ipv6 once and there were so many addresses that when doing ARP to search for host in network it took forever. Next time I do this I need to set a reasonable subnet mask

  • @mx338
    @mx338 1 year ago +1

    Discord BTW does not use P2P, they use WebRTC as a technology but the clients still only connect to Discord's servers to do voice communication.

    • @apalrdsadventures
      @apalrdsadventures 1 year ago

      Very unfortunate that they can't use DNS names for their own servers then

  • @jsalsman
    @jsalsman 1 year ago

    Comcast finally stopped giving my external NAT an IPv4 address and I couldn't be happier. The fact it was essentially static was a huge privacy issue, for one thing. There are absolutely zero sites I can't access with IPv6.

  • @pfcrow
    @pfcrow 1 year ago

    You covered Mac, Windows, Linux, iOS, and Android, but didn't try any smart home devices. I expect about none of them would work if I turned off IPv4 in my house. I've heard that Roku doesn't, so there goes my TV. A quick search indicates that my light switches won't work. I'm guessing my smart plugs won't, either, as well as one or two other devices. I would expect my smart speakers and Nest thermostats would work. I've heard that IPv6 is a requirement for government contracts (or perhaps it was just DoD), but they probably don't care much about that for consumer smart devices.

    • @apalrdsadventures
      @apalrdsadventures 1 year ago +1

      It looks like the smart home stuff I have is a mixed bag, but the video was already too long to get into every single thing I own. But it's a good idea for a follow-up.
      A lot of devices are using IPv6 link-locals + multicast discovery or mDNS to communicate with their own ecosystem (i.e. Nest does this, Apple will also auto-discover things over IPv6 a lot)

  • @autohmae
    @autohmae 7 months ago

    On the blogpost for this video you forgot to add the URL to CZcams, it just linked to TBD

  • @egodamonra
    @egodamonra 1 year ago +7

    "Hello everyone, my name is Bill and I have been clear of IPv4 for 2 days now." - Applause
    "I have had a few hard moments so far where my Video streaming would connect and I really wanted to USE again."
    "But I stayed strong and got through the moment".

  • @syrix5914
    @syrix5914 1 year ago

    What are the privacy implications of not using NAT? How is darknet access with ipv6? I should maybe invest more time into this.

    • @apalrdsadventures
      @apalrdsadventures 1 year ago +2

      With (modern) IPv6 implementations the address suffix is randomized at some interval (i.e. daily), so the prefix could be tracked similarly to the public IP used by NAT. So to the level of a single ISP connection or small group of connections, but not to individual users behind a router, same as IPv4 + NAT.
      As to Tor, the relay nodes have about the same amount of IPv6 compatibility as the internet as a whole (~50%), and exit nodes have significantly less, but Tor itself is smart enough to mix IPv4/IPv6 along the path as needed.

    • @autohmae
      @autohmae 1 year ago

      @@apalrdsadventures What would be an interesting test: multiple IPv6 Internet connections (each device gets 2 global IPv6 addresses) and testing what happens when one goes down

    • @James_Knott
      @James_Knott 1 year ago +2

      @@apalrdsadventures Also, the IPv6 address space is so sparse, it's hard to find a device to attack.

    • @James_Knott
      @James_Knott 1 year ago

      @@autohmae IPv6 is designed for that and routers can be given priority. However, to work properly, you really need to own your addresses and use a routing protocol, so that failover happens automagically.

  • @Dough296
    @Dough296 1 year ago

    How do you handle named access to your hosts in the IPv6 "local" network ?
    For example how my computer knows SERVERA is at 2001:aaaa:bbbb:cccc::123 address ?

    • @apalrdsadventures
      @apalrdsadventures 1 year ago

      [2001:aaaa:bbbb:cccc::123]:8443 is valid notation in most cases to type the address literally. Otherwise you can add it to your DNS server the same way you would in IPv4

    • @Dough296
      @Dough296 1 year ago

      @@apalrdsadventures thank you for answering 👍
      I tried IPv6 for my homelab but I really don't want to type those long addresses, I want to reach my hosts by their name.
      Should I use DHCPv6 so the router can handle the resolution ? Or isn't there any simple solution to find hosts by their name 🤔

    • @apalrdsadventures
      @apalrdsadventures 1 year ago +1

      DNS is still the right solution. Are you running any sort of DNS forwarder / resolver on your router that you can add host overrides to?

    • @Dough296
      @Dough296 1 year ago

      @@apalrdsadventures yes so I may don't have to use SLAAC to autoconfigure my servers so they have to do DHCPv6 and get registered in the DNS server

    • @apalrdsadventures
      @apalrdsadventures 1 year ago

      You don't need to use DHCP to get addresses in to DNS, most DNS servers will let you add addresses directly

  • @KangJangkrik
    @KangJangkrik 2 months ago

    Expected Discord to have a nice end-to-end connection for IPv6; unfortunately the Discord devs are not utilizing the STUN server properly, so most of us need to talk through a TURN server even though the IP address is accessible

  • @jaygreentree4394
    @jaygreentree4394 1 year ago

    I use t-mobile for home internet and they don't support ipv4 which has caused many issues for my development tools. I ended up using cloudflare warp which fixes most but not all.

    • @apalrdsadventures
      @apalrdsadventures 1 year ago

      AFAIK they do support 464xlat though, which should tunnel IPv4 for you across their IPv6 network

  • @MatthijsvanDuin
    @MatthijsvanDuin 1 year ago

    12:20 Fun fact: it seems blocking access to the IPv6 addresses of google's DNS servers typically* causes Chrome to conclude there's no working IPv6 internet access and therefore that resolving AAAA records is pointless and should not even be attempted, which also completely ignores the possibility of having local DNS for an internal IPv6 network. (Chromium issue 530482)
    (* for some reason it doesn't do this on my linux laptop, but it does on other linux and windows systems here at the office. I guess there's just something unusual about how my laptop is configured but I'm not sure what)

    • @apalrdsadventures
      @apalrdsadventures 1 year ago

      Well that's an oversight on their part, not surprised they refuse to fix it though.

    • @MatthijsvanDuin
      @MatthijsvanDuin 1 year ago

      @@apalrdsadventures An even bigger mess is trying to use mDNS hostnames that resolve to link-local IPv6, i.e. the dream of plug-and-play IPv6 networking without a router. I'd written a longer comment about the many wonderful ways in which this is broken (mainly in Chrome) but it seems youtube didn't like the comment and silently shredded it.

    • @apalrdsadventures
      @apalrdsadventures 1 year ago

      Not sure how Firefox deals with mDNS on link-local addresses either, but it shouldn't be a terribly difficult problem to solve...

    • @MatthijsvanDuin
      @MatthijsvanDuin 1 year ago

      @@apalrdsadventures It shouldn't be, and it works fine in programs that use getaddrinfo() in a straightforward way. The problems occur
      1. when programs try to be clever (chrome, nodejs) and use a custom representation of socket addresses that fails to consider the scopeid of link-local ipv6
      2. when you run into the decade old glibc bug 16826 that causes scopeid to be missing when doing IPv6-only resolution (AF_INET6 instead of AF_UNSPEC) because the latest version of the internal name resolution call (the only version that supports scopeid) inexplicably omits the address family parameter, so when people complained that it was always doing both A *and* AAAA lookups even when only one family was requested (glibc bug 14505) they fixed it by downgrading to the previous internal api for family-specific lookups.
      3. when Windows 11 decided to classify routerless ethernet networks as "Public Network" causing it to disable mDNS resolution in the exact situation where it is most critically needed

    • @apalrdsadventures
      @apalrdsadventures 1 year ago

      If only everyone used getaddrinfo() and stopped being smart. There are a few programs (Steam) that restrict themselves to AF_INET sockets, which breaks NAT64 / DNS64 for no good reason. Pass the user input with AF_UNSPEC and use what it returns, in order.

  • @produKtNZ
    @produKtNZ 5 months ago

    Holy shit I just learnt a craptonne of info on ipv6 - previously I've treated it like the plague simply based on the immemorability of the octets/hex

  • @mikeekim242
    @mikeekim242 1 year ago

    I have to disable my IPv6 on my T-mobile hotspot for the internet to work. It's an mvno, so I wonder if T-mobile is blocking IPv6?

    • @apalrdsadventures
      @apalrdsadventures 1 year ago +1

      T-mobile is purely IPv6, so they definitely wouldn't be blocking it. But they'll end up passing traffic to the MVNO for egress to the internet, so maybe they are the ones who don't support IPv6 properly?

    • @mikeekim242
      @mikeekim242 1 year ago +1

      @@apalrdsadventures The MVNO is Calyx who goes through Mobile Citizen. I have no idea how much control they have over how the traffic is handled. It's the only reasonable internet I can get in the rural area I'm in. Thanks for the reply. Your channel is interesting, and seems like you're touching on topics few seem to really address.

  • @autohmae
    @autohmae 1 year ago

    What many people don't realize is that IPv4 NAT isn't stateless, but NAT64 is stateless which means it's a lot easier to scale. No complicated fail over scenarios, etc.
    I think Multipath-QUIC adoption could help IPv6 adoption, because no special configuration is needed if you want to have multiple WAN connections for your home or office. It will just add more bandwidth.

    • @apalrdsadventures
      @apalrdsadventures 1 year ago +1

      In this case, it's actually not stateless either, and I don't think most implementations are - since it has to do both 6->4 translation as well as source address and port translation. If you were purely going from a pool of servers to a pool of IPv4s 1:1 you can do that statelessly, it's called SIIT.
      Tayga implements by only doing the 6->4 translation nearly-statelessly (they keep a table of IPv6 to IPv4 hosts, and randomly assign IPv6 hosts to an RFC1918 intermediate address) and relying on the Linux kernel to do the NAT part using normal SNAT / masquerade. Jool implements this statefully by doing the whole transition process at once - mapping an IPv6 + port pair to the public IPv4 + port. Jool's method also allows you to insert manual entries into their mapping table for IPv4 -> IPv6 'port forwarding', and is also significantly faster than Tayga's approach.

    • @autohmae
      @autohmae 1 year ago

      @@apalrdsadventures ahh, yes, silly mistake, stateless is basically datacenter only. I had a look around and didn't see much complaining about Windows AD/etc. with IPv6-only, that's a good sign.

    • @apalrdsadventures
      @apalrdsadventures 1 year ago +1

      Microsoft recommends IPv6 dual stack for most of their products, and they run IPv6-only on many of their own networks now as well

  • @marcux83
    @marcux83 1 year ago

    Great Video. Thinking about doing this for a while now :) Have already read about all the NAT64, 464xlat stuff. was just too lazy to do it so far.. now I'm hooked :)
    It's so typical that Windows 10 and not even 11 support CLAT ootb .. too bad !

    • @apalrdsadventures
      @apalrdsadventures 1 year ago

      they *do* though, but restrict it to wwan interfaces only. Apparently Android also did this for a long time (not sure which versions), which is why my Android phone didn't work in the test but it still supports mobile networks which require it.

  • @Althemor
    @Althemor 1 year ago

    What I've learned is that my DSLite connection prevents me from setting up most game servers. Minecraft works fine, but stuff like Valheim and V Rising only lets you enter IPv4 addresses to connect to.
    I guess I could use one of my router's functions to set up VPN connections to my home wifi, so others could connect to my network and then join the server via a local address, but I'm pretty sure my friends wouldn't want to bother with that.

    • @apalrdsadventures
      @apalrdsadventures 1 year ago +1

      Unfortunately it's an issue a lot of games (and other peer-to-peer programs) have. Sometimes it's an easy fix for the devs and they don't care, sometimes it's not. Sometimes the devs are just dumb. Any devs that have mobile versions should have already solved this by now, since Apple forces them to.
      -Frontend UI assumes 1.2.3.4 notation and doesn't understand [::] or :: notation so it rejects it as invalid, even if the rest of the code would work fine with an IPv6 address
      -Backend code stores IPs as 32-bit numbers, where it should use a string to properly deal with DNS names or ascii-typed IPs. If they passed the string typed by the user straight to the OS, the OS would deal with IPv6 and they would never know.
      -Backend code is forcing AF_INET sockets instead of AF_UNSPEC (Steam did this for a long time, even for DNS-resolved names, causing DNS64 to break for no good reason)
      -Matchmaking code is passing 32-bit numbers around to do NAT traversal, something that IPv6 doesn't need but legacy code be legacy (Steamworks does this *still*, so anything that relies on Steam's matchmaking will be stuck with IPv4 even if the game supports IPv6 via manual addressing)
      Overlay networks like zerotier / VPN are the most commonly deployed way, but if both sides support 464xlat it's possible to setup static routes between each other in a way that creates the appearance of an RFC1918 private IPv4 network without any networks in between carrying IPv4 outside of the local hosts
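
The advice in the getaddrinfo() reply further up and in the list of game-client mistakes above, as an added example (not code from the video, its author, Steam or any game): user input stays a string, goes to the resolver with AF_UNSPEC, and the results are tried in order, while legacy_ipv4_u32 shows the 32-bit anti-pattern for contrast. All function names and sample addresses are constructed for illustration.

```python
import socket
import struct


def split_host_port(text, default_port):
    """Split user input into (host, port) without assuming dotted-quad syntax."""
    text = text.strip()
    if text.startswith("["):                      # [2001:db8::1]:8443 or [::1]
        host, sep, rest = text[1:].partition("]")
        if not sep or (rest and not rest.startswith(":")):
            raise ValueError(f"malformed bracketed address: {text!r}")
        return host, int(rest[1:]) if rest else default_port
    if text.count(":") == 1:                      # name:port or 192.0.2.10:port
        host, _, port = text.partition(":")
        return host, int(port)
    return text, default_port                     # bare name, IPv4 or IPv6 literal


def candidates(text, default_port, family=socket.AF_UNSPEC):
    """Ask the OS resolver for every usable address, in the order it prefers."""
    host, port = split_host_port(text, default_port)
    infos = socket.getaddrinfo(host, port, family=family, type=socket.SOCK_STREAM)
    return [(fam, sockaddr) for fam, _type, _proto, _canon, sockaddr in infos]


def connect_first(text, default_port, timeout=3.0):
    """Try each candidate in resolver order; return the first socket that connects."""
    last_error = None
    for fam, sockaddr in candidates(text, default_port):
        sock = socket.socket(fam, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        try:
            # For IPv6 the sockaddr tuple also carries the scope id, so
            # link-local targets such as fe80::1%eth0 keep their interface.
            sock.connect(sockaddr)
            return sock
        except OSError as exc:
            last_error = exc
            sock.close()
    raise last_error or OSError("resolver returned no addresses")


def legacy_ipv4_u32(host):
    """The anti-pattern: an address squeezed into a 32-bit integer."""
    return struct.unpack("!I", socket.inet_aton(host))[0]


if __name__ == "__main__":
    for entry in ("192.0.2.10:7777", "[2001:db8::1]:8443", "2001:db8::1"):
        print(entry, "->", candidates(entry, 27015))
    try:
        legacy_ipv4_u32("2001:db8::1")
    except OSError as exc:
        print("32-bit storage cannot hold an IPv6 address:", exc)
```

Python's own socket.create_connection() runs the same loop over getaddrinfo() results.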

  • @butterize
    @butterize 1 year ago

    as a vex student i couldn’t help but point out that vex trophy at 6:45

    • @apalrdsadventures
      @apalrdsadventures 1 year ago +1

      I actually explain that one here - czcams.com/video/nVi8g2fGNTw/video.html

    • @butterize
      @butterize 1 year ago

      @@apalrdsadventures LOL that’s pretty funny - deserved!!

    • @apalrdsadventures
      @apalrdsadventures 1 year ago +1

      I've been mentoring VIQC / VRC for nearly a decade now, and also run events in the SE Michigan region

  • @jamescobban857
    @jamescobban857 1 year ago +2

    It is frustrating that this is still controversial. I participated in the original architecture discussions *twenty-five years* ago on IPV6 at IATA and IETF. It is problematic, for example, that I cannot instruct the administration of my website that the IPV6 address of my computer is the *only* address from which root administration can be performed. I must give it a list of every possible IPV4 address my local ISP may assign.
    Note that in IPV4 the address is assigned to an interface. If a computer has multiple links to the Internet then it has multiple IPV4 addresses. But IPV6 addresses are assigned to processes in a computer so no matter how many interfaces a computer has to the Internet, for example Ethernet, WIFI, and mobile phone, it can use the same IPV6 address.

    • @apalrdsadventures
      @apalrdsadventures 1 year ago +1

      I think there's a huge population of network administrators who are either scared of change or see no reason to change because NAT works well enough for them, and therefore don't learn and disable IPv6 on their networks. I've definitely gotten that sentiment from a lot of small and medium business admin types, the 10/8 space is big enough for them so why should they change.
      On the flip side, a lot of regular people are starting to look at IPv6 now as a way to bring back peer to peer connectivity (especially for gaming) where NAT has already broken it and CGNAT without port forwarding has broken it even more. But smaller applications and sites aren't IPv6-ready since the corresponding businesses didn't consider IPv6 deployment and never tested their apps with it (or made rookie mistakes in socket programming).
      So as long as we keep bending over backward to keep IPv4 relevant the medium businesses won't bother changing and everyone else will be worse off. Apple has really done a lot to push this by mandating IPv6 compatibility to be listed on the app store, hopefully this trickles down into more industries eventually.

  • @pauliusnarkevicius9959

    There is the Softwire Mesh Framework suggested by the Network Working Group. Do you just put everything in the trash can? Genius.

  • @BrianThomas
    @BrianThomas 1 year ago

    Great video, but why go to all of the trouble and time when IPv4 works?

    • @JivanPal
      @JivanPal 8 months ago

      Because IPv6 works more easily for anyone trying to host services.

  • @PaulTheadra
    @PaulTheadra 1 year ago

    bro, legend

  • @burnstick1380
    @burnstick1380 1 year ago

    Well my networking engineering professor suggested that prob we will use IPv6 in the future on the WAN side whereas IPv4 will remain on the LAN side. IPv4 has (to my knowledge) not any issues on the LAN side (maybe multicast) and it's easier to use imo. Furthermore NAT provides a nice cover for your network. So yeah that's prob where IPv6 is headed.

    • @MatthijsvanDuin
      @MatthijsvanDuin 1 year ago

      Uhh that doesn't make sense, if you're using "IPv6 on the WAN side" then you want to be able to connect to IPv6 hosts on the WAN, which an IPv4 client cannot do.

    • @burnstick1380
      @burnstick1380 1 year ago

      @@MatthijsvanDuin No the servers etc. are IPv4 it's just that networks in between are IPv6.

    • @arvinderdhanoa6634
      @arvinderdhanoa6634 10 months ago

      @@burnstick1380 How would an IPv4 server respond to an IPv6 client? IPv6 addresses can't fit in IPv4.

    • @burnstick1380
      @burnstick1380 10 months ago

      @@arvinderdhanoa6634 it doesn't but that's why you would need NAT64 (you need NAT anyway for IPv4). Just change from IPv6 to IPv4 and it's that simple.

  • @cheako91155
    @cheako91155 1 year ago +1

    Do you not use steam? There is an open bug about this for ~10yrs and ppl post "me too" about every 6 months.

    • @apalrdsadventures
      @apalrdsadventures 1 year ago +1

      I don't game daily, but it seems like the macOS built-in CLAT is handling Steam without issues (going 4->6 within the OS)

  • @AndersJackson
    @AndersJackson 1 year ago +2

    This IPv6 experience will be the single reason that I will subscribe to your channel within 45 seconds.
    NAT is a bottleneck in any network. IPv6 doesn't have that, but still has better privacy than IPv4. NAT is not a solution for anything else than running out of public addresses.

  • @train4905
    @train4905 1 year ago

    Excellent

  • @jagdtigger
    @jagdtigger 1 year ago +2

    Sadly many tech youtubers do the opposite, disable ipv6 "because it's a pain".....

    • @apalrdsadventures
      @apalrdsadventures 1 year ago +4

      It's very unfortunate really, especially when they are IT professionals doing it for major client networks

    • @jagdtigger
      @jagdtigger 1 year ago +3

      @@apalrdsadventures Yup, to make matters even worse there are a lot of idiots running around spreading their BS about "ipv6 insecure because it lacks nat so everything is globally reachable!"..... 🤦‍♂

    • @apalrdsadventures
      @apalrdsadventures 1 year ago +2

      Oh they've been sliding into my comments section too....

  • @bobingabout
    @bobingabout 1 year ago

    I'm fairly sure our ISP doesn't even provide IPv6 support.
    It makes sense if you look at the big picture...
    I live in the UK. Most landline internet hardware is based on the BT Network, 3rd party ISPs rent hardware from BT, and in some cases may have some of their own between you and the exchange.
    Our local monopoly ISP is one of the exceptions, it's part of KC, which owns its own hardware as a full competitor to BT, rather than a competitor to one of the ISPs that rent from BT.
    As such, we can't get any landline ISPs other than theirs. Their hardware also only needs to serve themselves and connect to the larger grid, so while there may be some newer IPv6 capable hardware in there, their much smaller scale network likely contains a lot of older IPv4 hardware that hasn't been replaced, so it's easier for them to just not offer an IPv6 service for the time being.

    • @JivanPal
      @JivanPal 8 months ago

      UK ISPs that provide service over DSL using the Openreach infrastructure are only sharing the copper PSTN cables. The rest of the infrastructure that a given DSL ISP uses is largely their own; all such ISPs have their own distinct IPv4 allocations and ASNs.
      BT and Sky both do dual-stack just fine on Openreach on both their ADSL and VDSL2 (FTTC) plans, and yet the likes of Plusnet (subsidiary of BT) and TalkTalk for some reason do not (though Plusnet briefly rolled out IPv6 before BT did, then did a U-turn). Why? Because they each have their own hardware; it's not shared despite it all being served to the home using Openreach's infrastructure.
      The FTTP altnets (Community Fibre in London, CityFibre outside of London, which operates under many local brandings; and other networks) pretty much all do dual-stack IPv6, with an array of transition mechanisms.
      Virgin Media (DOCSIS3) insists on saying "we'll get around to IPv6 eventually" with no actual forecast date, despite them being in basically the same position as the true-fibre altnets that do dual-stack using NAT or CGNAT for IPv4 connectivity (such as Community Fibre).

    • @bobingabout
      @bobingabout 8 months ago

      @@JivanPal I live in Kingston Upon Hull. Our local monopoly is Kingston Communications, and they use all their own. It's about as disconnected from BT as you can get, because KC had been their own rival company for over a hundred years.
      Their current move is to go copper-free, even the phone lines will be over fibre.
      More recent developments have seen new telegraph poles going up all over time as Connexin and somebody else, Open Fibre I think, are also offering Fibre services over most of the city.

  • @j.d.4697
    @j.d.4697 1 year ago

    I was still running under the impression that it's recommended to disable IPv6, but I am coming across more and more articles that make cases for leaving it enabled alongside IPv4.

    • @apalrdsadventures
      @apalrdsadventures 1 year ago +2

      It's only recommended to disable IPv6 if you aren't deploying it at all (dual stack or v6-only), since enabled but unused IPv6 provides a way for nodes to communicate directly with each other which may bypass your IPv4-only firewalls.

    • @JollyGiant19
      @JollyGiant19 1 year ago +3

      On the Windows OS side, you lose all support from Microsoft if you disable IPv6 even if the device runs in an IPv4 only network. That matters way more in a business context though it goes to show the practice of disabling it is outdated.

    • @keylanoslokj1806
      @keylanoslokj1806 6 months ago

      @@apalrdsadventures can you explain in layman's terms this vulnerability with the nodes

    • @apalrdsadventures
      @apalrdsadventures 6 months ago

      In general, most operating systems will be looking for IPv6 routers by default, so an attacker could setup themselves as an IPv6 router and communicate with other nodes on the same network. In general, networks which are not using IPv6 do not have any IPv6 firewall rules or monitoring setup, so this can be a path for attackers to evade detection and travel through a network.
      A properly setup IPv6 network will have a configured router and firewall like in IPv4, so it's only a concern if you don't have v6 setup.
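
The monitoring gap described in the reply above can be closed with a check like the following, an added example that is not from the video or its author: it decodes ICMPv6 Router Advertisements and flags any whose sender or prefix is not on an allowlist, so on an IPv4-only segment (empty allowlists) every RA is a finding. The two sample RAs are constructed bytes with documentation addresses, and capturing RAs from the wire is assumed to happen elsewhere.

```python
import ipaddress
import struct

RA_TYPE = 134          # ICMPv6 Router Advertisement (RFC 4861)
OPT_SRC_LLADDR = 1     # sender's MAC address
OPT_PREFIX_INFO = 3    # prefix hosts will autoconfigure from
OPT_RDNSS = 25         # recursive DNS servers (RFC 8106)

# Constructed sample RAs (not captured traffic); checksum left as zero.
_HDR = "86000000" "40000708" "00000000" "00000000"   # type 134, lifetime 1800 s
_PIO = "030440c0" "00015180" "00003840" "00000000"   # prefix info, /64, L+A set
LEGIT_RA = bytes.fromhex(
    _HDR + "0101" "020000000001"
    + _PIO + "20010db8" "00100000" "00000000" "00000000")       # 2001:db8:10::
ROGUE_RA = bytes.fromhex(
    _HDR + "0101" "020000000066"
    + _PIO + "20010db8" "0bad0000" "00000000" "00000000"        # 2001:db8:bad::
    + "19030000" "00000708"                                     # RDNSS option
    + "20010db8" "0bad0000" "00000000" "00000053")              # 2001:db8:bad::53


def parse_ra(payload):
    """Decode an ICMPv6 Router Advertisement; return None for other messages."""
    if len(payload) < 16 or payload[0] != RA_TYPE:
        return None
    lifetime = struct.unpack("!H", payload[6:8])[0]
    ra = {"router_lifetime": lifetime, "mac": None, "prefixes": [], "dns": []}
    pos = 16
    while pos + 2 <= len(payload):
        opt_type, opt_len = payload[pos], payload[pos + 1] * 8  # 8-byte units
        if opt_len == 0 or pos + opt_len > len(payload):
            break                                   # malformed option: stop
        body = payload[pos:pos + opt_len]
        if opt_type == OPT_SRC_LLADDR and opt_len == 8:
            ra["mac"] = body[2:8].hex(":")
        elif opt_type == OPT_PREFIX_INFO and opt_len == 32:
            ra["prefixes"].append(
                ipaddress.IPv6Network((body[16:32], body[2]), strict=False))
        elif opt_type == OPT_RDNSS and opt_len >= 24:
            for i in range(8, opt_len, 16):
                ra["dns"].append(ipaddress.IPv6Address(body[i:i + 16]))
        pos += opt_len
    return ra


def audit(observations, authorised_routers=(), expected_prefixes=()):
    """Return one finding per RA whose sender or prefix is not allowlisted."""
    allowed = {ipaddress.IPv6Address(a) for a in authorised_routers}
    expected = {ipaddress.IPv6Network(p) for p in expected_prefixes}
    findings = []
    for src, payload in observations:
        ra = parse_ra(payload)
        if ra is None:
            continue
        reasons = []
        if ipaddress.IPv6Address(src) not in allowed:
            reasons.append("sender is not an authorised router")
        unexpected = [str(p) for p in ra["prefixes"] if p not in expected]
        if unexpected:
            reasons.append("unexpected prefix " + ", ".join(unexpected))
        if reasons:
            findings.append({"src": src, "mac": ra["mac"],
                             "default_router": ra["router_lifetime"] > 0,
                             "dns": [str(d) for d in ra["dns"]],
                             "reasons": reasons})
    return findings


def sample_observations():
    """(source link-local address, RA payload) pairs, constructed for the demo."""
    return [("fe80::1", LEGIT_RA), ("fe80::66", ROGUE_RA)]


if __name__ == "__main__":
    for finding in audit(sample_observations(), ["fe80::1"], ["2001:db8:10::/64"]):
        print(finding)
```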

    • @keylanoslokj1806
      @keylanoslokj1806 6 months ago

      @@apalrdsadventures so dual stack is better at the current state of affairs

  • @RamBoZamBo123
    @RamBoZamBo123 1 year ago

    My ISP only has DS Lite, so full IPv6, but on IPv4 I share an ip with the entire neighborhood. This works for most stuff as a user, since if you request a package from the internet via IPv4, the ISP knows it has to be routed to you. But this setup sucks ass if you want to operate a NAS or a server. Requests to the server from the internet just get dropped, because the ISP doesn't know which router to route it to. And that's when you start to notice that a lot of software still does not support IPv6.