So what is IPv6 and why should you care? IPv6 is intended to be the successor of IPv4 and most people know it for the very large address space. However, it has many other benefits as well and is worth learning for self hosting purposes.
IPv6 features
Huge address space
With IPv6, you no long need to be concerned with the limited address space of IPv4. In IPv6 land devices can have many different IPv6 addresses. You can have a different IPv6 address for each service and with the privacy extensions you can have a different IPv6 addresses for each outgoing connection on your computer.
Simplified subnetting
In IPv6 land everything is done via prefixes. An IPv6 prefix is simply the first half of the address which is used in routing to send traffic where it needs to go. A prefix is typically assigned to a vlan and the prefix is then delegated to all devices in that vlan. Because each device can have multiple addresses you can have each device get a public address and also a private address. A prefix is a /64 and if you want multiple prefixes you can get something like a /56, /48 or /32. (CIDR notation) To get a prefix from an ISP you use something called DHCPv6-PD. This is a lot like normal DHCP but it requests one or more prefixes from your ISP.
SLAAC (Stateless address autoconfig)
With SLAAC, devices pick an address and then verify it isn’t duplicated. From there a router will send out a RA (router advertisement) which tells the device what prefix to use. The device then drops the link local prefix and replaces it will a public prefix. The major benefit of this is that you no longer need to keep track of DHCP leases. SLAAC allows networks to self assemble without much setup.
IPv6 security and privacy
IPv6 still needs a firewall to be secure. You should not expose things to the internet without properly securing them and anything that is publicly accessible can be compromised. IPv6 also can create major privacy issues since each device has a public IP. SLAAC and the privacy extensions help a lot as they randomize IPs which makes tracking harder. However, devices still share a public prefix so there still could be privacy issues.
NAT64 to eliminate IPv4
One of the technologies to help eliminate the need for IPv4 is NAT64. NAT64 works by mapping IPv4 address to IPv6 ones by setting a prefix that fills in the upper space of the address. To delicate this prefix to devices you can either use Pref64 or DHCPv6 opt 108. On the device applications see a working IPv4 address since the operating system translates IPv4 to IPv6 before it goes onto the network. You can absolutely keep using IPv4 and NAT64 is only for those who want to be IPv6 exclusive networks.
I think I’ll die using IPv4 behind NAT along with VPN. 😂
Why?
Because I have to learn, understand what you wrote, probably more, and especially internalize its security implications. I currently understand all that for IPv4 and I’m confident I’m not leaving holes open when I self-host services. But of course it’s probably a good idea to learn and use IPv6. It’s just not free and when you have existing infrastructure and muscle memory on IPv4, there’s that much more work. If I was starting anew, I’d probably do it. It’s similar with SaltStack. If I was starting anew I’d use Ansible instead.
Likely because they’re old and resist change like me?
Seriously though it’s such a shift from what I understand I’m very reticent to even start the process. I have a lab at work though that I should really start playing with it at no real risk to anything production. You know what, I’m going to do that next week! Yeah, progress.
First docker and now IPv6. I’m so cutting edge 🤣
What is the impetus for change?
The things you listed are nice but not game changing for most people.
I was excited for IPv6 in the 90s.
I took the networking TCP/IP fundamentals class for my first MCSE in 99, and the instructor wouldn’t shut up about how IPv4 would be replaced within 5 years.
It took a lot of time to mature
We made progress after the engineers excepted NAT and firewalls
Thanks for posting this. The idea of individual services having their own IP address had never occurred to me and would solve so many issues.
I always thought it’s kind of odd how frivolous we are with IPv6 addresses given the problems that gave us with IPv4. US DoD has like 200 million IPv4 addresses and they probably only use a tiny fraction of that. There’s also a bunch of old companies like HP, IBM, and Apple, that have entire /8s, so that’s 16 million IPs each. I know IPv6 is ridiculously bigger but we’re talking about giving IP addresses to our lightbulbs now at a time we’re also looking to inhabit other planets.
You may know IPv6 is ridiculously bigger, but you don’t know it.
There are enough IPv6 addresses that you could give 10^17 addresses to every square millimeter of Earth’s surface. Or 5×10^28 addresses for every living human being. On a more cosmic scale, you could issue 4×10^15 addresses to every star in the observable universe.
We’re not going to run out by giving them to lightbulbs.
You may know IPv6 is ridiculously bigger, but you don’t know it.
“Space is big. You just won’t believe how vastly, hugely, mind-bogglingly big it is. I mean, you may think it’s a long way down the road to the chemist’s, but that’s just peanuts to space.”
No matter whether we are talking about real space or IPv6 address space, Douglas Adams’ quotes always come handy.
Okay, but to be fair you should divide that by at least 2^64 because ISPs are throwing out huge blocks left and right. My home plan with Swisscom gives me a single dynamic IPv4 address and an entire /64 IPv6 prefix, and I’m pretty sure it was /60 at one point.
But it’s 2⁵² addresses for each star in the observable universe. Or in other words, if every star in the observable universe has a planet in the habitable zone, each of them got 2²⁰ more IPs than there are IPv4 addresses.
Going to other planets would require a total re-architecting of our communications infrastructure anyway. There’s such distance too it’s not really viable to have a shared internet. Even Mars would have up to 22 minute latency at peak. So I don’t think it makes sense to plan our current internet around potential future space colonization.
Even so, IPv6 is truly massive. We could give a /64 to every square centimeter of the Earth’s surface and still have IPs to spare. Frankly, I think the protocol itself will be obsolete before we run out.
You thought so, but in year 2525 they will still be complaining about TCP congestion mechanisms
Wha??
I reject the notion that a shared prefix raises privacy concerns because the alternative is they all share a single IP address as they do in v4.
Anyway, been v6 for years. Love it. It’s just easier to work with, to be honest. It took me a while to get it, but once I rotated my brain a little and stopped thinking in v4 logic then it all clicked. My ISP is insane and gave me a /48, so I have a lot of addresses.
I know my prefix by head, something everyone is still telling me is too hard for them (skill issue). You also don’t have to remember 8 hextets, just your prefix. In my case that’s only 3, but for you it won’t be more than 4. It’s not that hard. I zero out all the hextets between my prefix and the last so my v4 and v6 addresses just look like this
192.168.78.160and2a05:f6c7:8321::160respectively. Don’t have to remember two addresses when dualstacking.Giving a /48 is spec, but a lot of ISPs are too stingy :/
It is spec, but so is /56 and even /64. It’s kind of crazy to give me, a residential costumer, a /48
I appreciate it, though. I like my 3 hextet prefix!
Only giving a /64 breaks stuff, but some ISPs do it anyway. With only a /64 you can’t subnet your network at all.
With this huge ranges we’ll have the same problem with IPv6 in a few years that we already have with IPv4.
I really doubt it. We could give everyone on Earth their own /48 with less than 1% of the IPv6 address space.
The ranges will become larger over time because “we have it”, and companies will get thousands of sections with figuratively unlimited IP addresses in them each.
They can just allocate more IPs. The IPv6 range is barely even used.
Also I imagine that there will be a secondary market for IPv6 at some point.
The IPv6 range is barely even used.
Yet.
Also I imagine that there will be a secondary market for IPv6 at some point.
Like there already is one for IPv4 addresses?
I stand by my point:
No-one will ever need a /48 range.
My ISP only used 6rd ಥ_ಥ
I believe the privacy concerns are made moot if all consumer level routers by default blocked incoming untracked connections and you need to poke holes in the firewall for the ports you need.
Having said that, even knowing the prefix it’s a huge address space to port scan through. So it’s pretty secure too with privacy extensions enabled.
But for sure the onus is on the router makers for now.
Cool, thx!
For me to switch, I’d need a simple tutorial on how to do it. Something that I could learn and solve first problems within a day or weekend. I hope it’s not grub level difficult
Its really not that hard. Sadly, my ISP doesn’t offer IPv6 yet, but for my vServer, enabling IPv6 was just a checkbox during creation. Then, you need to make sure that the service (e.g. webserver) also listens on the IPv6 address and maybe tweak the configuration of the webserver to actually serve websites via IPv6. Also, check your firewall settings. Lastly, you need to set the DNS AAAA records and you’re done.
If you need IPv6, you can get a free tunnel from Hurricane Electric. They will give you a /48 if you request it. I used it for years since my old ISP didn’t have IPv6. I am close to one of their servers, so the latency was very low.
I used HE for ages until my isp gave native ipv6. I also used sixxs back then too. Both provided good connectivity for the few sites that were around using it at the time.
You’re right, that’s an option. I could set this up at my router, this way it would be almost indistinguishable from IPv6 via my ISP.
What network hardware do you have?
I have no idea. Speedport from vodafone, ipv6 is enabled but I don’t use it 😅 I’m not behind some NAT
I’ve considered using v6 as I host a lot of services from my homelab and it would be great if each had its own address. The question I have is, is v6 prevalent enough that all the clients out there are ready to go and I can just switch my lab servers to v6 and swap my A records with AAAA records, or will I still need to serve up v4 (and therefore, may as well just stick with the topology, reverse proxies, etc. I’ve already got.)
You start by adding ipv6 and serving both. One side needs to move first. Content providers or isps.
The big tech companies are using ipv6. In the UK the isps are mostly offering it too.
Host both and help us move towards dropping Ipv4 some day. It’s not going to happen in a day.
You just need a network that is capable of IPv6
I still haven’t figured out how to make a firewall rule with slaac on pfsense, with an ISP that hands out addresses at random. It’s my understanding’s slaac is the “right” way to do things, not dhcp and reservations.
Granted, it’s been a minute since I tried so I don’t remember the issues, but as I recall, when ipv6 prefix changes, device gets new IP (and it seems not just the prefix part. I can get the firewall to register IPs into DNS and use a dns based firewall rule, but unbound restarts and blows out its cache when a device joins the network. And there another part to it but it’s all gone fuzzy.
Actually how is your ISP giving out IPs to you? Mine uses IPv6 PD to give me a /48. And I then use SLAAC locally on the first /64 prefix on my LAN. Plus another /64 for VPN connections.
If you mean receiving RA/ND packets from your ISP (which are used to announce IPv6 prefixes) then you need to allow icmpv6 packets (if you don’t want to be able to be pinged, just block echo requests, ICMP in v4 and v6 carry important messages otherwise).
If your ISP uses DHCPv6 Prefix delegation you will need to allow packets to UDP port 546 and run a DHCPv6 client capable of handling PD messages.
If you have a fixed prefix, then you probably don’t need to use your ISPs SLAAC at all. You could just put your router on a fixed IP as <yourprefix>::1 and then have your router create RA/ND packets (radvd package in linux, not sure what it would be on pfsense) and assign IPs within your network that way.
If you have a dynamic prefix… It’s a problem I guess. But probably someone has done it and a google search will turn up how they handled it.
EDIT: Just clarified that the RA/ND packets advertise prefixes, not assign addresses.
This is my biggest bugbear about a lot of UK isps. They are dynamically allocating ipv6 prefixes for absolutely no good reason.
I’ve only ever done ipv6 using Linux directly as a firewall or a mikrotik router. So cannot help with pfsense I’m afraid.
You probably need private addressing
SLAAC shouldn’t be used with static IPs
The “correct” way to handle “static” addresses with dynamic prefix is using tokenized network interfaces (which is pretty much just the lower 64 bits of the IPv6 address). That will then be used for SLAAC in addition to the randomly generated address. The support for dynamic prefixes in firewalls on Linux and Mikrotik is however still pretty dire (obviously, as it’s not an enterprise feature). No clue about BSDs/pfSense
Isn’t sharing a prefix the same as sharing a v4 /32, privacy wise?
That is because of the child safety act
Nothing I can do
This looks like some kind of weird AI slop, sorry.
I’m a chat bot and I’m here to serve
No need to put some AI slop in here.
None of this is AI generated
