APNIC: Big Tech’s use of carrier-grade NAT is holding back internet innovation

121 points| aragonite | 1 year ago |theregister.com | reply

110 comments

[+] canistel|1 year ago|reply
I have been averse to IPv6 until recently, and used to disable IPv6 altogether. A couple of weeks back, the ISP silently shifted to CGNAT, and I could no longer forward ports. Out of sheer desperation, I gave IPv6 a try and was shocked to find that the demon which I had feared all along was in fact the solution to most of the concerns.

A few things to note though:

1. Default router settings - as configured by the ISP - defaulted to IPv4 only. I had to change it to enable IPv6 too in the WAN settings.

2. Had to lower Firewall security levels (which in fact makes sense).

3. In firewalld, had to enable the ipv6-icmp protocol.

4. Technologies such as IRC (to take an example) do not support IPv6, but many torrent clients do.

[+] getwiththeprog|1 year ago|reply
With my ISP, I see CGNAT as a feature as it obfuscates my IPv4 address.

Then I also get millions of IPv6 addresses that are not CGNAT, so it is a real win as far as I am concerned.

[+] notpushkin|1 year ago|reply
> Had to lower Firewall security levels (which in fact makes sense).

Sounds suspicious to be honest. If you get a direct IPv6 address to your computer (as opposed to an IPv4 behind a NAT), shouldn't you raise the firewall instead of lowering it?
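For the "lower the firewall" step in the list above and the follow-up question about raising it instead: the two are reconcilable, because what a host with a globally routable IPv6 address must let through is a specific set of ICMPv6 messages (Neighbor Discovery, Router Advertisements, Packet Too Big), not inbound connections in general. The nftables ruleset below is an added example, not configuration from either commenter; it assumes a Linux host with nftables, a DHCPv6 client on the host, and SSH as the only service deliberately exposed.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread): host firewall for a machine that
# holds a globally routable IPv6 address. The exposed service (tcp/22) is
# an assumption; replace it with whatever you actually run.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        # Loopback, and replies to connections this host initiated.
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 that IPv6 cannot function without (see RFC 4890):
        # path MTU discovery, address resolution, router discovery, MLD.
        # Blocking these is what makes a "high security" IPv6 firewall
        # look broken; dropping everything else keeps the host unreachable.
        icmpv6 type {
            destination-unreachable, packet-too-big, time-exceeded, parameter-problem,
            echo-request, echo-reply,
            nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert,
            mld-listener-query, mld-listener-report, mld-listener-done
        } accept

        # DHCPv6 server replies reach the client on UDP 546 from link-local sources.
        ip6 saddr fe80::/10 udp dport 546 accept

        # Only the service you chose to expose; everything else hits policy drop.
        tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}
```

Load it with `nft -f` and verify with `nft list ruleset`; the point of the shape is that the default remains drop for unsolicited inbound traffic on both v4 and v6 (the `inet` family covers both), so enabling IPv6 does not widen what is reachable from the internet beyond the ports you list explicitly.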

[+] birdiesanders|1 year ago|reply
Most IRC clients happily accept a properly encoded v6 address.
[+] seba_dos1|1 year ago|reply
What makes you think that IRC doesn't support IPv6?
[+] LargoLasskhyfv|1 year ago|reply
4. Hm. Must be a strange network, or bad client. Even (most of what remains of) EFNET supports v6 and TLS. Imagine...
[+] FujiApple|1 year ago|reply
This Tailscale blog [1] from 2020 has been posted on HN many times before I’m sure but is worth highlighting again as it does a great job outlining the technical complexities that CGNAT (and NAT in general) introduce.

I have my head in this space at the moment as I’m trying to implement NAT detection (as pioneered by Dublin traceroute [2]) into Trippy [3].

[1] https://tailscale.com/blog/how-nat-traversal-works

[2] https://dublin-traceroute.net/

[3] https://github.com/fujiapple852/trippy/issues/1104

[+] mcmcmc|1 year ago|reply
I already love Trippy but that would be an awesome addition! Big thanks from a satisfied user!
[+] nickburns|1 year ago|reply
could you say a little bit more about the design and/or purpose of NAT detection in this context? i'm unfamiliar but see what the service generally does in lay terms. curious more about the technical necessity.
[+] magicalhippo|1 year ago|reply
Maybe it's more like IPv6 is the solution we got, rather than the solution we want. Not unlike Wayland vs X11. Both over-corrections to the problems they set out to fix.

Then again, my code doesn't get good until the third time I rewrite it...

As someone with a small home lab, IPv6 feels much more complex compared to IPv4. And it's still in significant flux despite being decades old, while IPv4 hasn't changed significantly since I deployed my own m0n0wall box back before y2k.

It also requires more infra. DNS for everything is non-optional due to long addresses and dynamic prefixes. DHCPv6 is needed for all configuration settings to be set on clients. And there's still software that doesn't play well with IPv6.

It's just too much hassle for my home lab for now. Maybe in another decade.

[+] jcarrano|1 year ago|reply
Every time I used IPv6 I found it solved more problems than it created. E.g. with v6 you can make sure VPN addresses will not collide with the user's actual address. No more NATs or port forwardings, etc.

The main problem is that v4 has not yet been retired and that means many times you have to support both.

[+] nickburns|1 year ago|reply
> over-corrections to the problems they set out to fix.

IPv4 space will be exhausted; it's not a matter of if, it will eventually happen. given that i don't know if IPv6 could reasonably be considered an 'over-correction' in the context of needing a larger address space, unless you strictly refer to complexity of the successor analogies (i.e. IPv6 and Wayland).

a comment elsewhere in this post makes some informed projections about when the transition will go from being gradual to necessarily fully (at least for IPv4) co-operational.

[+] beagle3|1 year ago|reply
I vastly prefer CGNAT to IPv6, because CGNAT preserves my privacy by default, and IPv6 eliminates it by default. It’s that simple.

While it’s possible for an ISP to unmask me on CGNAT (Verizon and AT&T did in the early smartphone days), and it’s possible for an ISP to NAT/Wildcard my IPv6 address for privacy, it’s the default in 99% of the cases; and I prefer default privacy to the ability to be directly addressable at home.

[+] nirui|1 year ago|reply
Well, I'm inside a CGNAT. It's like living in an apartment building with 20,000 other families. Maybe it's all fine when everything is normal, but one day, the water pipe on the top floor might burst while no one is answering the door.

It is true that a NAT could give you some privacy, but the downside is also very obvious. For example, your network neighbor might rub some service the wrong way, and then the service ends up sanctioning/banning the shared NAT exit.

Then, you might be thinking, "just use a smaller CGNAT then". Well, then a smaller CGNAT will allow the website to track you more easily.

If I really really don't want to be tracked, I'd rather use Tor.

[+] orangeboats|1 year ago|reply
It's something I had said before in another thread, but oh well... Here goes again:

The so-called privacy preservation of CGNAT is a double-edged sword. Other websites can't track you, but simultaneously that also means other internet users can't reach you.

The most obvious consequence is that to host a server, you must purchase a VPS or rent a public IP address from your ISP, and the price for a public IPv4 address is getting higher and higher.

The less obvious consequence is that you're giving up control to the VPS providers (and other centralized services). Does your VPS provider allow you to host Tor services? Run BitTorrent?

It's rather ironic that people on HN, a website whose name literally includes the term "hacker", would support things like CGNAT which hurt hackers/hobbyists/"privacyists" the most.

[+] miyuru|1 year ago|reply
What kind of privacy are you getting with CGNAT? ISPs and websites can still track you.
[+] 0xDEADFED5|1 year ago|reply
they both suck for me. i can't port forward any IPv4, and Verizon blocks any incoming IPv6 on their side
[+] seanlinmt|1 year ago|reply
But how do you host services through CGNAT though?
[+] nickburns|1 year ago|reply
if you're a privacy by-default kinda guy—then regrettably you must live in a lonely, lonely world. how do i get there?

at least i have my edge firewall until you let me know.

[+] allarm|1 year ago|reply
> because CGNAT preserves my privacy by default

This comment. Every single time. No it doesn't. NAT doesn't add privacy. NAT doesn't add security. Use a firewall with IPv6. This is it.

[+] lambdaone|1 year ago|reply
This article is two years old. I don't think things are as dire as they seem, just a bit more boring than people might like.

I can't see any sign that long-term IPv6 growth has stopped, it's just ceased to accelerate. Looking at Google's IPv6 traffic graph (https://www.google.com/intl/en/ipv6/statistics.html), this is entirely consistent with being the first half of a classic logistic curve, with growth now linear as it approaches the 50% point after 15 years. If this is actually a logistic growth curve, we will presumably see the end of IPv4 sometime around 2040. Even if we take a more optimistic view and assume linear growth continues, it will still take until about 2035.

And that's fine. Old technologies tend to wither away, not go out with a bang.

[+] CrLf|1 year ago|reply
The issue with looking at IPv6 adoption from that point of view is that it only shows half of the picture. It shows the percentage of IPv6-enabled clients, which has been growing steadily.

On the other side there are still major services that are IPv4-only, and growth is not uniform.

This means the combined situation is not as cheerful. It's hard to arrive at definitive conclusions, but IPv6 traffic(1) may be as low as 15% when considering this mismatch.

https://blog.cloudflare.com/ipv6-from-dns-pov/

Without stronger incentives, IPv6 may be an eternal runner up. At least it looks like it will take quite a few decades more to make IPv4 obsolete.

(1) By connections or requests. By bytes transferred, IPv6 might have already overtaken IPv4 for all we know (I'm not aware of a broad enough study on this, so I'm open to this possibility). The largest streaming providers are IPv6 enabled.

[+] nickburns|1 year ago|reply
very well said about legacy technologies, plus estimated projections based on actual current adoption at least to me informative. thanks for sharing your thoughts.
[+] hlandau|1 year ago|reply
CGNAT should be illegal.

Or at least it should be illegal to advertise a CGNAT service as an "Internet connection". It's not an Internet connection, you can't use it to send or receive arbitrary IP packets, only TCP/UDP.

[+] patrakov|1 year ago|reply
Just as well, it should be illegal to advertise a connection with only a single dynamic /64 of IPv6 as an "Internet connection".
[+] Latty|1 year ago|reply
Yeah, I like to compare it to the old "Party Line" phone lines people used to have, where you shared a single phone line with multiple houses and only one person could talk at a time. Sure, it gives you some of the functionality of a phone line, but it is not a phone line, and shouldn't be sold as the same thing.

Honestly, I'm genuinely surprised no ISP has started doing "gamer" marketing as it seems to be so effective elsewhere, "We give you real public IPs so you can connect directly to your opponents for lower latency, get on the internet fast lane!".

[+] nickburns|1 year ago|reply
"let them use IPv6!" -Marie Antoinette a/k/a your ISP that hasn't even rolled it out yet.
[+] IvanAchlaqullah|1 year ago|reply
Or refuse to implement IPv6. (At least here in Indonesia with only 14% adoption rate)

Why? Because for residential users who want low-latency internet & low packet drop (CGNAT increases both), ISPs can charge "business price" for a dedicated IPv4 that isn't behind CGNAT. With IPv6, CGNAT is not needed.

Considering ISPs/Telcos here are very scummy (they even perform MITM to inject ads, use Class 0 messages / AMBER Alerts for ads, etc.) I won't be surprised if that's the only reason why they didn't roll out IPv6.

[+] can16358p|1 year ago|reply
I could easily access my computer from the internet when I wasn't home back in the day... all the ISPs in my country have moved to CGNAT and there is no v6 support, probably because of lack of demand and ridiculous "static IP" pricing.

Result: I'm constantly checked by Cloudflare etc. and sometimes blocked altogether by some hosts, as I'm probably on the same public-facing IP as many non-savvy people whose devices are infected with botnets.

[+] James_K|1 year ago|reply
CGNAT is truly one of the ugliest pieces of technology ever created. It is incompetence and bad planning made manifest in software.
[+] sambazi|1 year ago|reply
tbf cgnat is fine for the majority of consumers.

a solution to get public v4 on the cpe could be a deeply buried "advanced-expert iknowwhatiamdoing" checkbox in the isp portal