It's weird. Personally I've yet to make the jump to IPv6 because it seems too complex, doesn't make sense, so I don't want to spend the mental effort learning it when I have no need to switch.
However, looking decades back I realise I felt the same way when first learning about and working with networks. Nothing about it is intuitive. It's all complex, until it isn't through repetition and familiarity.
That said, I still don't want to spend the mental effort on IPv6 yet. I'll deal with it when I have a need for it.
That's because it's familiar and comfortable. Once you get the hang of IPv6 you dislike the idea of fiddling with numbers, as the protocol takes care of most things.
The protocol takes care of most things if the default settings (e.g. dynamic addressing, subnetting) suit you.
Predictable addresses are messy. Changing ISPs is a nightmare unless you run NAT. Firewalling being decoupled from NAT is a more complex experience. Memorising addresses becomes much harder. Old devices have varying support and common brand routers still have various IPv6 bugs.
I have IPv6 running at home and love it, but familiarity and comfort aren't the primary reasons it's less manageable. Many existing configurations simply don't translate across very well.
This is quite a loaded question. You need some sort of IPv4 to access the IPv4 Internet. You need some sort of IPv4 if you have devices that don't support IPv6.
What you need in each case depends. If it's just to access the IPv4 Internet, you might get away with NAT64 and a single public IPv4 on the WAN interface.
> my static ip addresses are ipv4.
Ok? You can have static IPv6 addresses if you want.
I'm kind of in the same boat; I'm on CGNAT with an apartment community. They don't have IPv6 at all; as a matter of fact they barely VLAN the apartments / wifi apart. I've rickrolled the entire complex's Chromecasts before.
> With IPv4, when your router connects to your ISP, you get one public address for the WAN, and you use a picked private address like 192.168.0.0/24 for your LAN. With IPv6, since you want a globally routable address for hosts on your LAN also, you need to ask the ISP for a routable prefix.
jive with this:
> You want to use these ULA for all your LAN communication. If you want to reach your printer or a media server, put their ULAs in the DNS and not the globally routable one.
Why have globally-routable IPv6 addresses if you're not going to use them?
I was put off initially by the first quoted paragraph because while the hard-outside-chewy-center security model is not a strong model, it is easy to reason about especially when you have very heterogeneous devices on your home LAN, including ones you don't control the OS of. I like using private addresses for my home LAN and even if I had an IPv4 /24, I wouldn't give addresses from it to machines on my LAN.
I use WireGuard to access things on my LAN, with a somewhat-janky split-horizon DNS setup where the DNS server is on my LAN, so I have to be connected to WireGuard to even resolve the names.
> For your externally visible servers, use dyndns type service, and update it with the globally routable address. Residential internet will rotate the prefix over time (the prefix is dynamic), so this is the same as running a server on a residential dynamic IPv4.
> For the firewall, drop all inbound packets by default. For externally visible servers, you can match the last 64 bits only, so that changing prefixes doesn't affect the firewall rules.
Since I don't (currently) want anything at all to be generally externally accessible, it seems that I could just use ULAs for the LAN machines and not assign them globally-routable addresses... but at that point I guess there's no reason to be configuring IPv6 at all (?), which is exactly the current state of my LAN. I guess if there were services that were better-accessible (or only accessible) over IPv6 that would be a reason.
> Since I don't (currently) want anything at all to be generally externally accessible, it seems that I could just use ULAs for the LAN machines and not assign them globally-routable addresses... but at that point I guess there's no reason to be configuring IPv6 at all (?), which is exactly the current state of my LAN.
You can have ULA address and globally-routable addresses (GRA) at the same time: they are not mutually exclusive. IPv6 was designed to (possibly) have multiple addresses on the same interface, while with IPv4 this is a (bit of a) 'strange' configuration (to have multiple addresses/aliases).
So go ahead and assign a ULA if you wish, but your system will also just get an address which is globally addressable (but not globally reachable, because of firewalls).
I guess I mean, the gist only motivates the use of globally-routable addresses for externally accessible services. If a particular service/device isn't going to be accessed externally, there's no need to give it one.
A big part of why I see people talking past each other on this is, IMO, because the solution that seems ‘cleaner’ depends on one’s mental model of networks / IPv6. These can and do differ. One person’s “I need justification to have non-globally-routed addresses” is another person’s “I need justification to have anything else”.
There's a belief among some ipv6 proponents that the Internet should primarily be p2p services, meaning everything is globally accessible. This would imply it's not ok for NAT or default-deny firewalls to be common practice.
I've seen some of that - that said, I can't figure out how I'm supposed to do DNS registration with GUA addresses. The only way I know to register addresses in DNS is with DHCP. Should I just have my IPv6 DHCP server advertise the GUA addresses? Is there some other way to do this?
I'm a home ipv4 admin. What I or someone similar would need is the last part that shows how you set up a basic network with some local addresses I care about and a few I want to expose publicly. It's nice that the guide includes the concepts, but the first thing anyone will want to do is just make it work.
Step 2 says to set up ULAs. Are these static or dynamic? It says "don't pick numbers." If dynamic, how does step 5 work? If static, what about visitors in my house?
Step 3 mentions a LAN DNS. Where do I set that up? I don't recall my router having that option somewhere, and I'd rather not rely on a machine for it.
Step 2 answer: To set up a ULA, just assign the ULA you want to your LAN interface. The default radvd.conf will now advertise that ULA prefix to the LAN, and your hosts will auto-configure. Are they static? Yes, in the sense that they don't change. Are they dynamic? Yes, in the sense that you didn't have to configure the host manually; it just did SLAAC.
Once a host picks a ULA (prefix + id), you can get that from the host. It's the same as getting a mac address of a machine, but instead you get the ULA, and add it to your firewall rules.
ULAs are generally static; almost all IPv6 unicast addresses are static, though sometimes you may have "temporary" addresses via privacy extensions on hosts. Those should only be used for egress traffic out to the internet; intra-LAN traffic should use ULAs.
Your ISP can change your prefix delegation. In practice this shouldn't happen often, but if you're in a situation where you need to deal with it frequently on the same network (running a service with a short-lived delegation), DDNS still works for IPv6.
Huh, whether these addresses are static or dynamic shouldn't depend on that. I just have a typical router at home with a web portal, is that insufficient?
> After your router connects to your ISP, the router can ask for prefix delegation.
Some providers (e.g. Starlink, when I last checked, and a Calyx WiFi hotspot) will only advertise a prefix. I was forced to figure out a way to bring the /64 that is in front of my router (Linux iptables) and expose it to a LAN behind my router. It looks something like [1]
Depending on your setup, there may be an easier solution.
It sounds like you're talking about running a router behind a router which you should try to avoid. If you want to run your own router you should try to put your modem/dish in passthrough mode. Once you do that Starlink works fine.
This assumes your ISP provided modem isn’t straight up user hostile and provides a pass through mode. I’m convinced t-mobile’s awful home internet modem/router is intentionally designed to make using your own router difficult and specifically only provides a /64 prefix delegation to prevent any router-behind-router setups from getting globally routed IPv6 addresses. Not to mention no port forwarding capabilities.
My blog post shows how to get around that using an NDP proxy. All my hosts have global IPv6 behind my own router+firewall with only an advertised /64 in front of it. :)
I would, except I have multiple networks that I keep isolated from each other. Also, you can't pass through from a WiFi connection to an Ethernet network, as was my setup with Calyx and Starlink before I had an Ethernet connection.
2. Then you have your router advertise that prefix.
3. Then you have your DNS server pick a non-temporary address within that prefix (either manually set it, or let the OS pick one).
4. Then you tell your router to advertise that address as the DNS server in the RA.
Depending on how you have your network set up, your DNS server will have probably four IPv6 addresses: A link-local one; one on the ULA prefix you created; a non-temporary address on the prefix delegated by your ISP; and one or more temporary addresses on the prefix delegated by your ISP.
Outgoing connections (for recursive resolving) will be on one of the temporary addresses from the PD prefix. The DNS server listens on the static ULA address.
You need to configure your firewall such that traffic from the delegated prefix can get to the ULA one, and vice versa. This usually just means blocking traffic from the WAN port to the ULA prefix.
I also couldn't figure out how to get that working. It seems you need both DNS via RA (RFC 6106) and (stateless) DHCPv6.
Then there was a bug in CoreDNS that wouldn't bind to link-local. What I learned from the text is that I should have probably generated a unique address for the DNS.
It is not only confusing theoretically but also the ISP router config makes it even more confusing.
If you want to run authoritative DNS on your home network and have AAAA lookups for local machines, how do you go about this? Assign the DNS entry just to the ULA of each host?
Returning both the ULA and global addresses should be okay. This is what my OpenWRT router does without any special setup. wk1 is one of my local machines.
I believe the point the post is making is that there are some runs of zeros that can't be condensed, not that you can condense multiple runs in a single address.
To be clear, I think the technicality the author is alluding to is that it is not all runs, because some runs of zeroes are significant, you can't condense the zeroes in "ff00:..." for example, for obvious ambiguity reasons. I believe using "some" was just a way to allow for that while not describing the rules in detail.
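The compression rule being debated above, as an added example (not code from the thread or from the article it discusses): only one run of all-zero 16-bit groups may become `::`, and zeros that are digits inside a non-zero group such as `ff00` are never touched. The tie-break (longest run, leftmost on a tie, never a single group) follows RFC 5952; the sample addresses are constructed.

```python
"""Added example: RFC 5952 zero compression for IPv6 text form.
Only the longest run of zero groups (leftmost on a tie, length >= 2)
collapses to '::'; zeros inside a group like 'ff00' are significant digits."""
import ipaddress


def compress(addr: str) -> str:
    """Return the canonical compressed text form of an IPv6 address."""
    exploded = ipaddress.IPv6Address(addr).exploded  # eight 4-digit groups
    groups = [int(g, 16) for g in exploded.split(":")]
    # Find the longest run of all-zero groups; strict '>' keeps the leftmost.
    best_start, best_len = -1, 0
    run_start = None
    for i, g in enumerate(groups + [1]):  # sentinel terminates a trailing run
        if g == 0 and run_start is None:
            run_start = i
        elif g != 0 and run_start is not None:
            if i - run_start > best_len:
                best_start, best_len = run_start, i - run_start
            run_start = None
    hexs = [format(g, "x") for g in groups]  # leading zeros within a group dropped
    if best_len < 2:  # a single zero group is never written as '::'
        return ":".join(hexs)
    left = ":".join(hexs[:best_start])
    right = ":".join(hexs[best_start + best_len:])
    return f"{left}::{right}"


if __name__ == "__main__":
    # constructed inputs: two zero runs, and zeros that are digits in 'ff00'
    for sample in ("2001:0:0:1:0:0:0:1", "ff00:0:0:0:0:0:0:1", "1:0:1:0:1:0:1:0"):
        print(f"{sample:<24} -> {compress(sample)}")
```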
For a given prefix, the interface will always pick the same identifier (in fact, the EUI-64 algorithm will pick the same identifier across multiple prefixes).
How does the algorithm typically work? Is there a loss of privacy since identifiers are reused across prefixes? If I replace my NIC or install a different OS on my machine will the address change?
EUI-64 uses the NIC MAC to derive an address. Linux by default uses it, and it's fine for servers.
There are other more privacy sensitive ways to generate obfuscated addresses.
But none of these matter, because RFC 4941 says a new random address is used for each request. If you surf the web on a server with a static address, it'll create hundreds of temporary, random addresses to make requests from. The server is reachable by the static address, but outgoing requests come from a random address.
I know, weird, right? Concept 2: IPv6 uses multiple addresses.
Yes, if you replace the NIC, the address will change. Different OS won't, if it uses EUI-64.
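An added example (not code from the thread or from any project it mentions) tying together two points made above: the EUI-64 identifier derived from a MAC is the same under a ULA prefix and a delegated prefix, which is why a firewall rule that matches only the last 64 bits keeps matching after the ISP rotates the prefix. The MAC and prefixes are constructed sample values (2001:db8::/32 is the documentation range).

```python
"""Added example: modified EUI-64 identifier, SLAAC address formation, and a
firewall-style match on the interface identifier that survives prefix rotation."""
import ipaddress

IID_MASK = (1 << 64) - 1  # low 64 bits of an address: the interface identifier


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 (RFC 4291, Appendix A): invert the universal/local
    bit of the first octet and insert ff:fe between the OUI and device part."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Join a /64 prefix with the EUI-64 identifier, as SLAAC does."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC derives addresses from a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_iid(mac))


def suffix_rule_matches(rule_suffix: str, dst: str) -> bool:
    """Match on the interface identifier only, ignoring the prefix: what a
    'last 64 bits' firewall rule does so that ISP prefix changes do not break it."""
    want = int(ipaddress.IPv6Address(rule_suffix)) & IID_MASK
    return int(ipaddress.IPv6Address(dst)) & IID_MASK == want


MAC = "00:11:22:33:44:55"             # constructed
ULA_PREFIX = "fd12:3456:789a:1::/64"  # constructed ULA /64
PD_OLD = "2001:db8:1:1::/64"          # constructed delegated prefix, before rotation
PD_NEW = "2001:db8:2:1::/64"          # constructed delegated prefix, after rotation

if __name__ == "__main__":
    ula, old, new = (slaac_address(p, MAC) for p in (ULA_PREFIX, PD_OLD, PD_NEW))
    rule = str(ipaddress.IPv6Address(eui64_iid(MAC)))  # "::211:22ff:fe33:4455"
    print("ULA:", ula, "| old GUA:", old, "| new GUA:", new)
    print("rule", rule, "matches new GUA:", suffix_rule_matches(rule, str(new)))
```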
I've just got back into building a homelab after a multiyear break. I think I last worked on such a project in 2017. In the time between then and now, I still don't know why I would want to utilize IPv6 on my home network. And my network is necessarily more complicated than most users' by extension of the homelab (switches, hypervisors, VMs, etc).
I imagine I might be able to go looking for an answer to why I'd want this, but I would have expected the case to have been made casually by now if it had any utility in my home. I never stopped reading technology and computing sites during my sabbatical, though they did become more mainstream. Yet I still have no clue why I'd want this on a home network. This seems like a solution in need of a problem (in the home – I'm not discounting the utility on a global scale).