IPv6 With NAT

  • added 2 June 2024
  • In this video I show you how you can do NAT in a couple of different ways with IPv6. I also show you how you can get similar 'easy to remember' IPv6 addresses, just like you had in IPv4.
  • Science & Technology

Comments • 47

  • @jimlynch9390 · 11 months ago · +4

    Thank you for the 10 mile high overview. I now understand a lot more about the parts of IPV6 I didn't know about and never could find the details of. I have no idea how to implement this but it's good to know it can be done and how it's all related. Someday I will have seen enough to attempt it but for now I'm really glad you did such a good job of explaining it.
    I do travel in a motor home a few times a year and use a couple of hotspots for internet connectivity. I understand kinda how you might have a fairly fixed IPV6 address from your ISP at home, but when you are on the road, I suspect you would have different addresses each time the hotspot connected to a different tower. I wonder how you might configure things to avoid reconfiguring things in that case?
    Cheers,
    Jim

    • @TallPaulTech · 11 months ago · +3

      Well it's only really needed if you're running servers, which I doubt you'd do in a motor home.

  • @dingokidneys · 11 months ago · +4

    That was good. Cleared up some problems I was having understanding the set up of an IPv6 network. Looks a lot more straight forward than I thought it was. Thanks.

  • @ghhoward · 11 months ago · +3

    Nice IPv6 video, Thank you!

  • @paaao · 11 months ago · +3

    The way it was explained to me is fe::123 addresses are similar to 169.254.x.x in IPv4.
    fd::123 addresses are similar to the class A, B, C LAN addresses in IPv4, i.e. 10.x.x.x, 172.16.x.x, 192.168.x.x.
    When you do a mix of reserved static LAN addresses and DHCP where you want to create subnets and do routing behind NAT, it gets complicated. Mainly because we think in decimal, not hexadecimal. I'm sure there are tricks for this that people have, but most still find very little reason to do local IPv6 and IPv6 NAT/DHCP.

    • @Henry-sv3wv · 2 months ago

      But how do I connect to a server with "fe80::213:eaff:f35f:4cad"?
      "EASY", I just need to look up my network card identifier as the scope ID; in my Linux it is: enp4s0
      and then connect to: "fe80::213:eaff:f35f:4cad%enp4s0"
      Isn't that "intuitive and nice"? No? You have to know which network interface card (NIC) to use for the outgoing connection **GRRRR** because any network card will have an fe80:: address space, so Linux or Windows or Mac needs to know which network card it shall use even if only one is installed ...

    • @paaao · 2 months ago

      @Henry-sv3wv fe80 addresses are link-local. It's like using 169.254.x.x addresses in IPv4. Yes, if you're on the same subnet, you can connect to them, but fd should be used for manually assigned IPv6 addresses, routing, DHCP, etc...

  • @Richard25000 · 11 months ago · +10

    While NAT behind a single WAN IP may be possible, the proper way to do NAT in v6 is NATPT.
    We should get people off the idea of masquerading behind 1 IP.
    The 1:1 method to swap the public global /48 bits with private fd00::/8 48 bits is far better.
    However, some things at the application layer could break during translation. But that's true for any NAT.
    fd00::/8 will allow you to quickly swap providers, whether you move provider or whether you need ISP failovers, without owning your own address space.

    • @BrianG61UK · 11 months ago · +2

      At least he does say either is possible in the video.

    • @thomasb1337 · 11 months ago · +2

      Just be aware using ULA addresses will lead to v4 being used over v6 in dual stack environments.
      Unless you change the precedence values in your OS.

    • @kyuna4843 · 6 months ago · +1

      @thomasb1337 instead of fd00::/8, change it to dd00::/8 >> you just made OSs prioritize using IPv6 over IPv4

  • @brianoconnell-df7kz · 11 months ago · +2

    Awesome update, cuts through the FUD!

  • @VipinKNarayanan · 11 months ago · +9

    Have you got DHCPv6 working with Android devices?

    • @TallPaulTech · 11 months ago · +6

      You know what... I should look at that one day. I really don't use Wi-Fi on the phone... or really look at the phone much in general. I'll check it out though, because I want to see what it's capable of.

    • @zekicay · 11 months ago · +6

      Android doesn't support DHCPv6 NA_IA intentionally, so until Lorenzo Colliti changes his mind, it won't happen.

  • @vladimirfox5750 · 11 months ago

    Is it possible to do this without a routable external IPv6 WAN address, but with a NATted NAT64, where everything routes through IPv4 on the WAN?

    • @TallPaulTech · 11 months ago

      Yes. See my NAT64 video

    • @KolasName · 11 months ago

      I would prefer local IPv4 with IPv6 on the router's WAN interface. A kinda v4-to-v6 NPT.

  • @bloodyorphan · 11 months ago · +1

    LOL , and do you put static routes for VPN subnets on your default gateways ???

  • @Luix · 11 months ago · +6

    If we have random IPv6 addresses, why NAT?

    • @lelmus3277 · 6 months ago · +1

      That's the point, you won't need NAT, as it was a fix for the lack of addresses in IPv4 and thus the restriction of ISPs giving only 1 IPv4 address per household. NATv6 is just something IT uses today to have better control of the local LAN, like preventing someone from accessing the internet. ISPs give many addresses for IPv6 per household, so it shouldn't be an issue unless one day they decide to lower that number; then NATv6 for everyone.

    • @Ztaticify · 4 months ago

      NAT is still very useful for dual-WAN setups that have different prefixes, or if your ISP changes your prefix often (otherwise every device on your network is responsible for properly setting up a new address). People who say NAT is obsolete with IPv6 don't really understand NAT.

  • @tamask · 8 months ago · +3

    At 4:30, FD10::3 is unique local, not global scope. Great video nonetheless!

    • @TallPaulTech · 8 months ago · +2

      fd10::3 is indeed unique local, and its scope is global. That means it can be used as an address to reach other addresses in a global scope, although translation will be required.

    • @naifaltamimi2885 · 7 months ago

      @TallPaulTech ULAs are depreferenced.

    • @JivanPal · 23 days ago

      @TallPaulTech Just for completeness: not just translation. Any mechanism (such as translation or tunneling, and others also exist) can be used, as long as a ULA never appears outside of your network. That is, one should not expect such addresses to be successfully routed over the public IPv6 internet without using such a mechanism.

  • @AdmV0rl0n · 11 months ago · +2

    This video shows 2 things. What the author intended. And why IPv6 is not moving the needle.
    I really don't get the idea that people want to place the IP behind their firewall on their private LANs. While I will concede I am no guru, the ethos of running short of addresses (IP4) was meant to be solved by IP6. The device is meant to be one amongst the billions. But then we're back to it having no real better built-in security over IP4, so before you know it, people want to wrap it in a FW and put it not on the net. But hey, let's start NATing.
    Honestly, my dumb interpretation is it's not hard to see why people have not shifted to IP6. And I have to say, it's hard to see it picking up any progress. It's basically had its time. It's not won out. The VHS has won over the Betamax..

    • @mjducharme · 11 months ago · +3

      So here's where the problem with your interpretation is - people are shifting to IPv6. In fact, there's been a huge shift over the past several years. The United States alone has gone up from single-digit IPv6 adoption several years ago to over 50% of users having IPv6, and that's still increasing geometrically. People have said for years that IPv6 adoption would slow down and plateau, but so far, it has not. If you look at the adoption graphs, they continue to grow.
      How has this shift happened when nobody is really talking about it? Providers are giving IPv6 to people who don't realize that they are getting it. ISPs offering retail services to home and business provide IPv6 with their routers, so anybody who uses the residential gateway provided by their ISP instead of installing their own has IPv6 without having to do anything. The largest cellular providers have moved to IPv6 only, providing IPv4 connectivity only through forms of NAT. Together, this is a huge user base who doesn't know they have IPv6 but are in fact using it.
      This ends up having a knock-on effect for businesses. Very often, the NAT being done by cellular providers to offer pseudo-IPv4 over IPv6 is not friendly with corporate VPNs, so there have been many cases of these providers' migrations causing end users to lose remote work capability through their cellular connection. In other words, the VPNs work fine going from an IPv6-only client to an IPv6 VPN server, but not an IPv6-only client to an IPv4 VPN server. The NAT being done to offer this pseudo-IPv4 to such users works with simple webpages but breaks VPNs. The result of this is that the companies these people work for have had to set up IPv6 at least at a minimum to get these end users connected to their VPNs who otherwise would not have any ability to remote work. The cellular providers have not been blamed for this, instead it's been the corporate IT's reluctance to adopt IPv6 that has been blamed for these users losing their ability to work, and a lot of them have been forced to adopt it at least on a minimal basis to support these VPN users.
      Furthermore, everybody who supports competition between service providers and options for users should want IPv6 to be adopted as widely as possible. The largest ISPs bought huge amounts of IPv4 space many, many years ago when it was plentiful. Now, smaller or startup ISPs have to spend a huge amount of money, hundreds of thousands of dollars to buy used IPv4 that is only suitable for a small number of customers. The result is that any smaller ISPs that want to grow or new ISPs that want to start cannot afford to buy public IPv4 for all of their users, end up having to share by doing solutions like CG-NAT (carrier grade NAT) where you basically do NAT twice and then users cannot port forward, and to end users, the lack of a public IPv4 when you can get a similarly priced connection from a huge telco means that they're probably going to go with the huge telco and the small provider doesn't have a chance. IPv6 is the only way to change this, because soon it will have enough adoption that these small providers who offer CG-NAT IPv4 but fully global IPv6 will not have a big disadvantage compared to the large telcos that can still give users public IPv4. If you really want only the biggest longest established telcos to be able to offer competitive Internet service, with no chance of smaller companies getting established, then by all means, call for abandoning IPv6 in favour of IPv4, and for supporting monopolies and preventing competition.

    • @AdmV0rl0n · 11 months ago · +2

      @@mjducharme Thank you for taking time to write your insightful feedback. I accept most of the above. I'll start off with this. I'm in my 50s. I believe I'll be dead before IP6 is the primary base for internet and networking.
      However --- I'm going to challenge you in the following.
      I've worked in IT since 1998. It's true that the space I work in is the smaller end of IT. SME, multiple customer MSPs and so on. So, I honestly don't sit at a telecom or ISP level where I'd see or work with certain technology like carrier grade NAT, or the gateways that translate IP6 to IP4 or vice versa. So that's on me.
      But - 50% of US users have an IP6. Here is my problem with statements. It's not that they are untrue. It's that they are made to make a claim. I challenge that - with how many of those users know they have it, and make use of it. And I mean how many know their device IP and are making known changes to their systems and use it. Because Apple and Microsoft provide an IP6 device address -- but the device sits and does all its daily life workload in IP4 - does not mean IP6 is now up 50%. That's a gross misstatement of reality.
      And there is an area where IP6 take up is absolutely true. In areas like mobile, and in countries where IP4 is exhausted, IP6 drive has certainly taken place. But what happens on a giant phone network in - say Hong Kong, is that they are applying an IP6 device network to the phones, and having to use carrier grade NAT and are translating traffic back to real world IP4 locations, web services, and so on. Now, I'm guilty here of way over generalising - because for example, Google - one of the world advocates for IP6 - will have a deep hand in building and working towards IP6. So I have no doubt that for such users, they are probably direct Phone IP6 Google services/networks IP6. But outside of that, many things they do would have to translate back to IP4 traffic.
      Google claim that as of today -- This is the level of their customer traffic at IP6 -
      I'll call it 43%.
      www.google.com/intl/en/ipv6/statistics.html#tab=ipv6-adoption
      But given that they control an extraordinary level of devices/services, this depending on how you view it may make you say 'great' or in my case it's honestly 'meh'. Google are one of the deepest advocates for IP6. It's good they are. I'm glad they are laying ground work. It is not a reflection AT ALL -- on end user take up, usage, or understanding of IP6.
      IPv6 Adoption and the Growing Importance of DNS
      IPv6 was introduced over a decade ago, and still, adoption is slow. At the time of this writing, only 17.49% of devices on the Internet are currently IPv6 capable, while a larger proportion of DNS resolvers-over a third-are capable of handling IPv6 addresses. Either way, most of the Internet is currently not IPv6 capable and therefore cannot leverage IPv6 DNS.
      Next, and I will be short and blunt here. If you dig into IP6, and name resolution, you will find that IP4 and IP6 name resolution has enormous challenges. Basically as it stands today, if you build IP6 - you have to also build the added baggage of IP4 gateway and translation. Why? Because the IP6 DNS structures are not yet fit for purpose. Many, many people working in DNS don't have a scoobie how to set up IP6 naming. And even if they do, their ISP or partners may offer either no support for it, or only limited support for it.
      And that's before I even get into the area like in some work, lets say e-mail, if you don't have a PTR record - you ain't sending.
      So, just for an experiment, I said to myself, ok. I run a mail server. What do I need? A quick hunt - ok
      www.cloudflare.com/en-gb/learning/dns/dns-records/dns-ptr-record/
      We can agree that Cloudflare are up there, and it's fair that I just grabbed them - assuming they would offer good info. Right?
      "In IPv6:
      IPv6 addresses are constructed differently from IPv4 addresses, and IPv6 PTR records exist in a different namespace within .arpa. IPv6 PTR records are stored under the IPv6 address, reversed and converted into four-bit sections (as opposed to 8-bit sections, as in IPv4), plus ".ip6.arpa"."
      If I wanted to throw off and leave a person with really no idea on what was just said to them, I'd write something like the above. So, I tried to dig a bit deeper. Come on, Cloudflare, you can do better-
      www.cloudflare.com/en-gb/learning/dns/glossary/reverse-dns/
      Oh dear.
      I'm not talking here about academic build of IP addressing, or ISP top tier network build out. I'm talking about usage in the front line. And there are real cases - let's take Google as a primary, where they are ready and built to be fully IP6. I don't dispute any of that. But at the coal face, the ordinary person is not building or making things in IP6. And when an ordinary person looks at IP6 *technically* - they are not nerds who can delve to work through the pain that is 6. They won't be able to understand that even if they did a ton of ground work that only one third of DNS resolvers can handle IP6, that won't work because of X. So, they will do what many people do, they will work with IP4 because it's what they might know and it's what most documentation, help, and knowledge sits at.
      According to Sucuri (I have no doubt going out there would see differing figures - but anyway) --
      Out of the top 1000 internet sites - 16% support IP6.
      Out of the top 10000 sites - 11% support IP6.
      Out of the top 1M - 7% support IP6.
      I put it to you that large portions of the academic and high tier ISP, Network, Mobile networks ARE building out IP structure. But in reality, outside of the - let's say Google or Microsoft sphere, that network is translating its traffic to go do its daily work in IP4. It is not a growth or change to IP6. It's a sticking plaster. It is NOT "50%" of US users are now using IP6 as their daily driver. The majority of them don't know about it, and certainly don't know how to technically use it, and most won't understand that their carrier grade NAT to the IP4 world is how it works.
      Now - it is not fair that I just sit here blabbing. I will do my part here -
      whynoipv6.com/
      The above site is helpful in trying to push IP6 - and has some nice resources -
      But one of its comments is
      "Alexa Top 1 Million Websites - tagged by IPv6-compatibility
      As a part of this shaming-strategy, we supply all interested parties with an updated list over Alexa’s top 1 million websites and their corresponding (lack of) IPv6 support clearly stated.
      Each of the listed websites (top 100) lack an AAAA-record. In addition the nameserver-support for IPv6 is displayed.
      Some statistics
      Out of the top 1000 Alexa sites, only 491 has IPv6 enabled, and 857 of them use nameservers with IPv6 enabled.
      Of the total 902708 sites only 36.7% of them have IPv6. This is a huge shame!"
      It is, but it reflects reality and not the fantasy.
      Information and an offer of free training -
      www.internetsociety.org/deploy360/ipv6/training/
      Lastly, I'd say this. Don't get me wrong. I *wish* I understood IP6. I honestly wish more people did. I don't find any of it easy as some claim to do. I don't think it's addressed the security problems of 4 *at all*, and I think that people who really understand it call it simple - and the rest of the human race looks at it and either says of things 'what the fuck are you talking about'. :(
      I mean, I took time out here, to come take a look at Paul's adventure on IP6 because like many of the times I've come to look at it, I'd like to have seen it work, ease of use, or success - right? I'm not here just to crap on things.
      I don't think the DNS space is ready or capable. I think most companies, orgs, people, training and so are unready for it, and I think saying it is a great success and ignoring the harsh reality does not help in the take up or growth towards IP6.
      A last personal note. My ISP gives me an IP6 address. That's good.
      My router has the address. That's good!
      My router has an option to offer IP6 DHCP! That's great!
      I have no freaking idea what I need to setup there!
      DHCPv6 Server Configuration
      Enable Server Disable Server
      Start IPv6 Address
      End IPv6 Address
      DNS Server IPv6 Address
      Primary DNS Server
      Secondary DNS Server
      Static IPv6 Address configuration
      IPv6 Address / Prefix Length
      /

      Current IPv6 Address Table
      And if I did, there is stone cold zero support from what I see in the FW or NAT areas for IP6 and securing kit.
      Perhaps if DHCP is setup, then a whole bunch of new admin pages might appear like magic. Or not..
      I'm going to reach out to my ISP and ask some questions. But if I end up with my devices having internet routable IPs and I have no way of firewall or control - then guess where this goes? IP6 gets turned off?
      Right..

    • @TallPaulTech · 11 months ago · +4

      That was a read and a half

    • @AdmV0rl0n · 11 months ago · +1

      I started walking down the DHCPv6 route, and immediately found that Google/Android don't support/use it. That's just taking the freaking biscuit. Next up, apparently my ISP routes its IP6 traffic over my IP4 connection, which now really takes the biscuit 2. I'll try RADVD, which is my only other option than static addressing.
      And lastly, apparently even though they give me an address, and its allocated and seen at my router, I actually have to e-mail them to .... turn it on..
      I've done that. Lets see... :/

    • @mjducharme · 11 months ago

      @@AdmV0rl0n RADVD (SLAAC) is generally the way that you do IP address assignment on IPv6. DHCPv6 was always more of a secondary option, but Google has basically flat out said "DHCPv6 is stupid, we are never going to support it, period."

  • @BrianG61UK · 11 months ago · +4

    Like I pointed out before, using ULA addresses on your LAN is more or less pointless. Devices will use IPv4 in preference to ULA addresses, so your IPv6 will only be used for outgoing connections to things that don't have IPv4; in other words, IPv6 will as good as never be used except during testing.
    I guess you could use ULA addresses with NPT for incoming connections, but there is no point. You're going to need to know the actual routable public address so you can tell people how to connect in to you. You might as well not do NPT and use the real address all the way through to the device.
    Finally, don't forget, if for some unfathomable reason you feel you must be able to memorise your ULA addresses and choose simple rememberable ones, then you are ignoring the guidelines in RFC 4193 and going your own weird non-standard way.

    • @thomasb1337 · 11 months ago

      NPTv6 works both ways; it is a 1-to-1 lookup, all an outsider needs is the GUA involved.
      I'd personally avoid any translations unless needed, due to possible user error in setup.
      Now if you do multi-WAN without PI space over some routing protocol, NPTv6 helps with the fact that a machine has multiple WAN paths and needs to use the right GUA on each WAN path.
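The 1:1 prefix swap Richard25000 argues for further up, and the "works both ways" property thomasb1337 describes in the reply above, is NPTv6 as specified in RFC 6296. The Python below is an added worked example, not code from the video or from any commenter: it implements the checksum-neutral mapping and round-trips the /48 prefixes and host address that RFC 6296 itself uses in its section 3.1 example. It also accepts shorter 16-bit-aligned prefixes, which the thread does not discuss but which the same rule covers.

```python
"""RFC 6296 NPTv6 (IPv6-to-IPv6 Network Prefix Translation) worked through.

Added example for this thread, not code from the video or the commenters.
The /48 prefixes and the host address in __main__ are the ones from the
example in RFC 6296 section 3.1.
"""
import ipaddress


def _fold(x: int) -> int:
    """Fold carries back into the low 16 bits (one's-complement addition)."""
    while x > 0xFFFF:
        x = (x & 0xFFFF) + (x >> 16)
    return x


def _words(addr: ipaddress.IPv6Address) -> list:
    """Eight 16-bit words of a 128-bit address, most significant first."""
    n = int(addr)
    return [(n >> (16 * (7 - i))) & 0xFFFF for i in range(8)]


def _from_words(words) -> ipaddress.IPv6Address:
    n = 0
    for w in words:
        n = (n << 16) | w
    return ipaddress.IPv6Address(n)


def ones_complement_sum(addr) -> int:
    """What an address contributes to a TCP/UDP/ICMPv6 pseudo-header checksum.

    NPTv6 is 'checksum-neutral' exactly when this value survives the mapping,
    which is what lets the translator leave transport headers alone.
    """
    return _fold(sum(_words(ipaddress.IPv6Address(addr))))


def nptv6_translate(addr, from_prefix, to_prefix) -> ipaddress.IPv6Address:
    """Map `addr` from `from_prefix` to `to_prefix` the RFC 6296 way.

    Handles equal, 16-bit-aligned prefix lengths up to /48 (the /48 <-> /48
    case from the thread plus shorter prefixes, which work the same way).
    The adjustment is written into word 3, the subnet field, so the interface
    identifier (words 4..7) passes through untouched. Calling the function
    again with the prefixes swapped undoes the mapping.
    """
    addr = ipaddress.IPv6Address(addr)
    src = ipaddress.IPv6Network(from_prefix)
    dst = ipaddress.IPv6Network(to_prefix)
    plen = src.prefixlen
    if plen != dst.prefixlen or plen % 16 or plen > 48:
        raise ValueError("need equal, /16-aligned prefix lengths of at most 48")
    if addr not in src:
        raise ValueError(f"{addr} is not inside {src}")
    old = _words(addr)
    if old[3] == 0xFFFF:
        # 0xFFFF is one's-complement negative zero: 0xFFFF + delta folds to the
        # same value as 0x0000 + delta, so the mapping could not be reversed.
        # A translator therefore has to refuse (drop) such packets.
        raise ValueError("subnet field 0xFFFF cannot be translated")
    n = plen // 16
    new = _words(dst.network_address)[:n] + old[n:]
    # delta = sum(old words 0..2) - sum(new words 0..2), in one's complement.
    # Words past the prefix but before word 3 are identical on both sides and
    # cancel, which is why the sum can always be taken over the first 48 bits.
    delta = _fold(_fold(sum(old[:3])) + (~_fold(sum(new[:3])) & 0xFFFF))
    adjusted = _fold(old[3] + delta)
    new[3] = 0x0000 if adjusted == 0xFFFF else adjusted  # write canonical zero
    return _from_words(new)


if __name__ == "__main__":
    inside, outside = "fd01:203:405::/48", "2001:db8:1::/48"
    host = "fd01:203:405:1::1234"
    out = nptv6_translate(host, inside, outside)
    back = nptv6_translate(out, outside, inside)
    print(f"{host} -> {out} -> {back}")
    print("checksum-neutral:", ones_complement_sum(host) == ones_complement_sum(out))
```

TCP, UDP and ICMPv6 checksums cover a pseudo-header that contains both addresses, so a naive prefix rewrite would force the translator to fix up every transport checksum and fail on anything it does not parse. Adding the difference of the two prefix sums into the subnet word keeps the one's-complement sum of the whole address identical, which is what lets an NPTv6 box stay stateless and is also why a subnet of 0xFFFF cannot live behind one.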

    • @AaronHauck · 11 months ago

      "Devices will use IPv4 in preference to ULA"
      This is only sometimes true, though I concede it's more often true than not. Firefox for example prefers IPv4 over IPv6 ULAs, for Chrome it's the other way around (last time I checked). Firefox prefers IPv6 GUAs over IPv4 though.
      For me having ULAs on the local network means that I have a local addressing scheme that will be the same if and when I change ISPs and get a new GUA prefix delegation. My local DNS won't need updating in this case. All my network has both ULA and GUA addressing.

    • @thomasb1337 · 11 months ago · +1

      @AaronHauck Certainly, but it is something to be very much aware of, as it is an RFC.
      It does depend on your OS and exactly how integrated the network stack is and how it is designed.

    • @AaronHauck · 11 months ago · +3

      Another reason to use ULAs if you're using SLAAC for GUAs is so that if you stop getting RAs from your ISP (because your Internet went down for some reason) your router will stop advertising your GUA prefix on your local network and your devices will lose their GUAs.
      For me ULAs are more about preserving local networking configuration independent of what is happening on the WAN.
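Several points in this thread can be checked with a few lines of Python: paaao's mapping of fe80::/10 and fd00::/8 onto their IPv4 cousins, Henry-sv3wv's zone-index complaint, the warning from thomasb1337 and BrianG61UK that ULAs lose to IPv4 in address selection, and BrianG61UK's point that RFC 4193 expects the Global ID to be generated rather than chosen. The block below is an added example, not the video's or any commenter's code. The MAC address and timestamp are constructed for the demo, and the policy table is the default one from RFC 6724 section 2.1; an OS whose table has been edited (that is what changing the precedence values means) will select differently.

```python
"""IPv6 address classes, RFC 4193 ULA generation and RFC 6724 precedence.

Added example for this thread, not code from the video or the commenters.
The MAC address and timestamp used in __main__ are constructed sample values.
"""
import hashlib
import ipaddress

# Default policy table from RFC 6724 section 2.1: (prefix, precedence, label).
# glibc reads an override from /etc/gai.conf; Windows shows its table with
# 'netsh interface ipv6 show prefixpolicies'. This is the unmodified default.
DEFAULT_POLICY_TABLE = [
    ("::1/128", 50, 0),
    ("::/0", 40, 1),
    ("::ffff:0:0/96", 35, 4),   # IPv4 destinations (as mapped addresses)
    ("2002::/16", 30, 2),       # 6to4
    ("2001::/32", 5, 5),        # Teredo
    ("fc00::/7", 3, 13),        # ULA: ranks below IPv4, so v4 wins in dual stack
    ("::/96", 1, 3),
    ("fec0::/10", 1, 11),
    ("3ffe::/16", 1, 12),
]

NTP_UNIX_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01


def classify(text: str) -> dict:
    """Address class plus any zone index carried after '%'."""
    literal, _, zone = text.partition("%")
    a = ipaddress.IPv6Address(literal)
    if a.ipv4_mapped is not None:
        kind = "ipv4-mapped"
    elif a.is_link_local:                            # fe80::/10, like 169.254/16
        kind = "link-local"
    elif a in ipaddress.IPv6Network("fc00::/7"):     # ULA, like RFC 1918 space
        kind = "unique-local"
    elif a in ipaddress.IPv6Network("2000::/3"):     # IANA global unicast range
        kind = "global-unicast"
    else:
        kind = "other"
    # Every interface carries an fe80:: address, so a link-local destination
    # is ambiguous without the zone index; the other kinds are routed normally.
    return {"kind": kind, "zone": zone or None, "needs_zone": kind == "link-local"}


def mac_to_eui64(mac: str) -> bytes:
    """Modified EUI-64 from a 48-bit MAC: insert ff:fe and flip the U/L bit."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]


def ntp64_from_unix(unix_seconds: float) -> int:
    """64-bit NTP timestamp: 32 bits of seconds since 1900, 32 bits of fraction."""
    secs = int(unix_seconds) + NTP_UNIX_OFFSET
    frac = int((unix_seconds - int(unix_seconds)) * (1 << 32))
    return (secs << 32) | frac


def ula_prefix(eui64: bytes, ntp_time: int) -> ipaddress.IPv6Network:
    """RFC 4193 section 3.2.2: Global ID = low 40 bits of SHA-1(time || EUI-64);
    prefix = fd00::/8 with the Global ID appended, i.e. fdxx:xxxx:xxxx::/48."""
    key = ntp_time.to_bytes(8, "big") + eui64
    global_id = int.from_bytes(hashlib.sha1(key).digest()[-5:], "big")
    return ipaddress.IPv6Network(((0xFD << 120) | (global_id << 80), 48))


def precedence(text: str) -> tuple:
    """Longest-prefix match in the policy table -> (precedence, label).
    IPv4 destinations are looked up as ::ffff:a.b.c.d, as RFC 6724 does."""
    a = ipaddress.IPv6Address(text)
    best = None
    for prefix, prec, label in DEFAULT_POLICY_TABLE:
        net = ipaddress.IPv6Network(prefix)
        if a in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, prec, label)
    return best[1], best[2]


def prefers_ipv6(dst6: str, dst4: str) -> bool:
    """Rule 6 of RFC 6724 destination selection: higher precedence wins.
    Assumes both destinations are reachable with matching-label sources
    (Rules 1-5), as on a dual-stack host holding a ULA and an IPv4 address."""
    return precedence(dst6)[0] > precedence("::ffff:" + dst4)[0]


if __name__ == "__main__":
    # Constructed sample inputs: a made-up MAC and a fixed Unix timestamp.
    prefix = ula_prefix(mac_to_eui64("00:11:22:33:44:55"), ntp64_from_unix(1717286400.5))
    print("generated ULA /48:", prefix)
    for dst in ("fe80::213:eaff:f35f:4cad%enp4s0", "fd10::3", "2001:db8::1"):
        print(dst, classify(dst))
    print("ULA vs IPv4 ->", "IPv6" if prefers_ipv6("fd10::3", "192.0.2.1") else "IPv4")
    print("GUA vs IPv4 ->", "IPv6" if prefers_ipv6("2001:db8::1", "192.0.2.1") else "IPv4")
```

The precedence function reproduces why a ULA-only dual-stack LAN ends up speaking IPv4: fc00::/7 sits at precedence 3, below the 35 given to IPv4, while a GUA matches ::/0 at 40 and wins. The ULA generator shows the other half of the RFC 4193 argument: the 40-bit Global ID is a hash output, so a hand-picked fd10::/48 is valid syntax but gives up the collision resistance that makes ULAs safe to merge with another site's network later.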

  • @Thingstest-rl8xu · 11 months ago · +6

    People that think IPv4 NAT was only for solving "running out of addresses" need a history lesson. Most ISPs for SOHO only ever gave 1 v4 address. Also, many ISPs expected 1 MAC per account "in the old days", and that is why older routers could copy the MAC from a PC: a LOT of ISPs had a very long DHCP lease or worse, so your router wouldn't connect without spoofing the PC that created the account. Plus many people do not want everything seen by the ISP and the public, like printers, which mostly still have little security. NAT on v6 is soon to be important to many because some ISP data plans not only cap but will soon restrict the number of devices.

    • @l4kr · 7 months ago · +2

      My man never heard of a firewall...
      Also wtf is wrong with those ISPs... If you have a choice, go for a proper ISP with a /48 or /56 prefix and no NAT.

    • @legendaryz_ch · 5 months ago · +1

      Nah man that's bs... Worked for an ISP myself and /56 is default across Europe.... You're just clueless and prob never heard of a firewall....