This is followed by reasonable reasons they struggled to unwind themselves from IPv4 (for the experiment) - but eventually got it worked out.
Conversely: When I hotspot from my phone, T-Mobile frequently makes that an IPv6-only experience.
I don't think any normal person thinks about IPv6 or IPv4 here.
I was previously with an ISP that supports IPv6 and had zero problems.
In fact IPv6 worked "too well" at one point: I had put "facebook.com" in my /etc/hosts file pointing to 0.0.0.0 at one point to reduce tracking. I then noticed I got the little FB icons again at some point and couldn't figure out why things were 'broken' (i.e., not blocking).
Turned out that after IPv6 was enabled I had to add ::1. That blocked FB again. IPv6 made connectivity to FB work again.
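The gap described in the comment above (a name sunk for IPv4 only, so it still resolves over IPv6) can be checked for mechanically. This is an added example, not part of the original comment; the sample hosts file and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample hosts file (not from the original comment).
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
0.0.0.0     facebook.com www.facebook.com   # IPv4 sink only
0.0.0.0     tracker.example
::1         tracker.example
192.0.2.10  nas.home.example                # real mapping, not a block
"""

def is_sink(addr):
    """True for addresses commonly used to null-route a name."""
    return addr.is_unspecified or addr.is_loopback

def parse_hosts(text):
    """Yield (address, [names]) for each well-formed hosts-file line."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop trailing comments
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # skip malformed address fields
        yield addr, [name.lower() for name in fields[1:]]

def single_family_blocks(text, ignore=("localhost", "ip6-localhost")):
    """Return {name: missing_family} for names sunk on only one IP version."""
    sunk = {}                                   # name -> IP versions with a sink entry
    for addr, names in parse_hosts(text):
        if is_sink(addr):
            for name in names:
                sunk.setdefault(name, set()).add(addr.version)
    return {name: ("IPv6" if versions == {4} else "IPv4")
            for name, versions in sunk.items()
            if len(versions) == 1 and name not in ignore}

if __name__ == "__main__":
    for name, missing in sorted(single_family_blocks(SAMPLE_HOSTS).items()):
        print(f"{name}: no {missing} sink entry, that family still resolves via DNS")
```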
Hurricane Electric (for one) offers IPv6 tunnels:
You can configure it on your router:
* https://openwrt.org/docs/guide-user/network/ipv6/ipv6_henet
* https://docs.netgate.com/pfsense/en/latest/recipes/ipv6-tunn...
* https://docs.opnsense.org/manual/how-tos/ipv6_tunnelbroker.h...
Or an individual host:
* https://wiki.archlinux.org/title/IPv6_tunnel_broker_setup
* https://docs.rockylinux.org/guides/network/hurricane_electri...
* https://genneko.github.io/playing-with-bsd/networking/freebs...
1: I'd prefer to have stayed with the local ISP despite the lack of ipv6, but they wanted $8,000 to bring fiber to my new place and that was not worth it with at&t fiber being present.
That said, if it isn’t blocked for the services you use, I found it pretty straightforward to use.
NAT can be fine, but why would it be a feature? (I guess maybe some privacy by way of sharing a public IP?)
IPv6 requires a stateful firewall on the router to provide the same protection. Then if you turn that on, it kinda defeats the point.
So you don’t actually need anything different nor special to have the same level of security with IPv6 vs IPv4 + NAT.
If it’s for security then most of the actual security provided by NAT routing is actually just the router's firewall itself. So a good ipv6 firewall provides the same level of security.
If it’s just because you’re a bit of a control freak and like to manage the assignment of IP addresses (and I fall into that category too) then my understanding is that you can also do this with ipv6 as ISPs typically hand you a wider subnet range (unlike ipv4 where you get just 1 IP). However I’ve tried a couple of times to adopt ipv6 into my stupidly bespoke home networking stack and failed each time.
I really do want to adopt IPv6, if only because I like fiddling with tech, but, like yourself, I keep getting stuck on the “how do I integrate IPv6 into the infrastructure I already have” problem.
Edit: if anyone has any recommended guides to configuring IPv6 using ISC dhcpd and unknown addresses supplied by your ISP, then I’d be interested to read them.
In other words, you want things to work like this?
ISP-provided-PD-prefix 2001::/64 + Host address ::22 = Assigned address 2001::22
ISP-provided-PD-prefix 2001:1::/64 + Host address ::22 = Assigned address 2001:1::22
If so, I'll poke around the docs to see if this is possible. I'm running both dhcpcd and ISC dhcpd on my LAN and have a hobbyist's experience with them. But -honestly- what I've done is just relied on SLAAC to handle the globally-routable addresses, and advertised a ULA prefix for stable addresses. These go into my local DNS, but you could just as easily use that for DHCPd.
I’m just using an off the shelf ASUS router because it’s actually surprisingly good at the basics. But I wanted PXE booting so set up ISC dhcpd on a home server.
To be fair, it might actually be possible to do this on my ASUS router. I’ve not actually checked. I’ve had the same setup up for years. Easily more than a decade. Only updating hardware when necessary. So I might be missing a trick with these latest ASUS routers.
That was not what I was describing. I was figuring that your DHCPv6 client (that talks to your ISP) and your DHCPd would be on the same machine, but maybe that's okay. How does your dhcpd server get its address? A DHCPv6 request to the router? If so, the following report might (might!) be useful to you:
So, while I DID find out about dhcp-eval(5), it doesn't look to me like ISC DHCPd will do what you want. I didn't see any parameters documented in the dhcpd.conf manual that looked like they were prefix-independent.
Probably your best bet is to template your dhcpd.conf and known_hosts files, then use your network manager's [0] "on address change" hooks to fill in the currently-assigned prefix, write out new files, and bounce dhcpcd.
[0] NB: NOT (necessarily) NetworkManager (that nasty, wretched thing), but maybe like dhcpcd's run hooks.
Nitpicky, but I think this is not true. NAT's security is based on the router not knowing where to route the traffic and dropping it, where the firewall intentionally drops the traffic.
Agreed that it's functionally equivalent, though.
Advertising for example, was essential. Spewing garbage I don't want, absolutely critical to Microsoft's bottom line apparently. But registration so that I can turn off that advertising? Not important, so that was not available until I gave the machine IPv4.
It had very few benefits at the beginning, but having dedicated publicly routed addresses started to become really convenient.
IPv6 with a regularly changing dynamic prefix still sucks though to this day ... :-(
The way I do this, my internal DNS resolves hosts to their fixed ULA addresses. For the handful that are accessible externally, public DNS resolves to their address on the current public prefix.
You just update the IP (or just the prefix) when the IP changes
Perhaps keep in mind that the interface id of the device the DNS entry should point to is different for every device in the network.
Some use the router to update the IP and put the interface id of the router into the update url...
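The "prefix + per-device interface id" arithmetic and the "template it and refill on prefix change" idea from the comments above, as an added example that is not from any commenter. The zone-style template, the host names, the interface identifiers and the function names are assumptions made for illustration; the same substitution would apply to a templated dhcpd.conf.

```python
import ipaddress
from string import Template

# Constructed template; the ${...} placeholders are this example's own convention.
TEMPLATE = Template("""\
; delegated prefix: ${prefix}
nas      IN AAAA ${nas}
printer  IN AAAA ${printer}
""")

# Hypothetical per-device interface identifiers (the stable low bits).
HOST_IIDS = {"nas": "::22", "printer": "::1:5"}

def combine(prefix, iid):
    """Return delegated prefix + interface identifier as one IPv6Address."""
    net = ipaddress.IPv6Network(prefix)     # strict: rejects host bits in the prefix
    host = int(ipaddress.IPv6Address(iid))
    if host & int(net.netmask):
        raise ValueError(f"{iid} overlaps the /{net.prefixlen} prefix bits")
    return ipaddress.IPv6Address(int(net.network_address) | host)

def render(prefix, iids=HOST_IIDS, template=TEMPLATE):
    """Fill the template for the currently delegated prefix."""
    values = {name: str(combine(prefix, iid)) for name, iid in iids.items()}
    values["prefix"] = str(ipaddress.IPv6Network(prefix))
    return template.substitute(values)

def on_prefix_change(old, new):
    """Hook body: return new file contents, or None when the prefix is unchanged."""
    if old is not None and ipaddress.IPv6Network(old) == ipaddress.IPv6Network(new):
        return None                         # nothing to rewrite, no service restart
    return render(new)

if __name__ == "__main__":
    # Constructed prefixes from the 2001:db8::/32 documentation range.
    print(on_prefix_change("2001:db8:aa::/64", "2001:db8:bb::/64"))
```

A dhcpcd run hook (or any "address changed" hook) would call `on_prefix_change` with the previous and current prefix, write the result out when it is not `None`, and only then restart the dependent service.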
I can configure the ISC dhcpd for IPv6 but I wouldn’t know what prefix to use in any automated way. So whenever the modem disconnects/reconnects, for whatever reason, I then need to somehow manually update the DHCP server.
Not an issue for ipv4 with NAT. But enough of a problem with IPv6 that I gave up on it. However I do accept that this is a problem of my own making (ie not using ISP provided equipment).
If you need IPv6 on Android, your only option is SLAAC.
But I have to admit that I ended up buying my own IPv6 block from a local ISP and tunnel to them. They have great interconnections, so bandwidth is not an issue, and latency penalty is less than 2 ms on average.
I’ll have a proper read of that tomorrow morning :)
The (occasionally, on Comcast) changing dynamic prefix was a pain for me too, when accessing things externally. For internal use I additionally set up a fixed ULA prefix.
So get out there and p2p
Like how 2-byte Unicode was struggling and UTF-8 saved it.
How would it be at all backward compatible other than what NAT64 already does?
8 versus 16 bytes barely matters for using the addresses, especially because if you're assigning IPs to your devices you can have the second half of the address start with 6-7 zero bytes and collapse them all with ::
And I challenge you to name a way to be "somewhat backward compatible" that would actually function and IPv6 doesn't already do.
Edit: And not only can you make your own addresses short, if I look up some IPv6 addresses meant to be said/remembered (public DNS IPs), none of them make you type more than 8 bytes (and that one repeats a cluster to make it easier) and some make you type as little as 4 bytes.
Remembering and communicating mildly complex byte sequences should be an issue which is solved already.