Yup, the benefits don’t outweigh the costs.
personally, i’d have pretty big benefits for my homelab if i could use my own ipv6 range for everything. having only a singe public IP is just very limiting.
sadly, my ISP does give out ipv6 for home networks, but i cannot connect to any of them from my mobile phone with the same carrier. so that’s fun. they talked about rolling out ipv6 on mobile networks years ago, but i guess it’ll take a few more…
I use IPv6 exclusively for my homelab. The pros:
-
No more holepunching kludge with solutions like ZeroTier or Tailscale, just open a port and you are pretty much good to go.
-
The CGNAT gateway of my ISP tends to be overloaded during the holiday seasons, so using IPv6 eliminates an unstability factor for my lab.
-
You have a metric sh*t ton of addressing space. I have assigned my SSH server its own IPv6 address, my web server another, my Plex server yet another, … You get the idea. The nice thing here is that even if someone knows about the address to my SSH server, they can’t discover my other servers through port scanning, as was typical in IPv4 days.
-
Also, because of the sheer size of the addressing space, people simply can’t scan your network.
For individuals. There are tons of benefits for everyone collectively, but as is often the case, there’s not enough incentive for any one person to bother until everybody else does.
I’d be open to considering those but I never had a website break it down in a material way. At best 6 to me is shiny and side grade – if it results in major labor and time spent without reasonable benefit within a LAN then it’s not going to be a humdinger. Of course like I said if there are arguments to be made I’m happy to contemplate them.
YMMV, for me the juice hasn’t been worth the squeeze yet and I’m not sure it ever will.
what costs are there beyond just leaving it on in supported configurations?
YMMV. Time, energy, compat*ability problems, unforseen issues which cost time debugging.
Again, I’m speaking for me – there has to be a tangible real benefit and within networks even with 100 devices IPv4 does the job better than fine and better than IPv6 for some folks.
Not to mention its just plain easier to remember 4 octet sets of numbers running from machine to machine in an office than 6 or 8 or whatever.
maybe start with an adjustable setup:
- rent a cheap vm, i got one for 1€/month (for the first year,cancel monthly) from ovh currently
- setup 3 openvpn instances to redirect all routes through the tunnel, one with ipv4 only, one with ipv6 only and one with both
- setup the client on your mobile phone and your laptop both with all three vpns to choose from
- have the option to choose now and try out ipv6, standalone or dualstack depending on what vpn you switch on
- use this setup to blame services that don’t support ipv6 yet or maybe are broken with dualstack 🤣
- rise from under-the-stone (disabling ipv6 only) to in-sunlight (to a well-above-industry-standart-level !!! “quick” new network technologies adopting “genious”) 🤣
- improve your openvpn setup from above to be reachable “by” ipv6 too if you haven’t done it from the beginning, done: reach the pro-level of the-late-adopter-noob-group
(if you want, ask for config snippets)
btw i prefer to wait for ipv8😁 before “demanding” ipv6 from services i use 🤣
Ah, Dutch directness… Nothing says clear communication louder than the Dutch
It’s an edited image, but you are darn right. Proper communication is great
It is in the style of the original, where during Covid the page on “Migrating to the Netherlands” simply just started with “Do not migrate to the Netherlands”, before expanding on the Covid restrictions on place and what foreign nationals currently in the Netherlands are to do.
On one hand: Now that’s loud & clear communication. On the other hand, “Just don’t” really ties in to the stereotype of Dutch directness/rudeness.
I also know that I cannot tell the difference between two IPv6 addresses because they all merge into an indiscernible blur inside my head
Ahh i knew u can do some fancy tricks to spell words inside ur ipv6 addresses apalrd did a good video on migrating to ipv6
I had network speed issues and the solution was literally to disable ipv6… Fiber 1gbit network still had issues. https://www.reddit.com/r/youtube/comments/owbjdl/anyone_else_getting_buffering_when_using_ipv6/
Weird. Ipv6 and YouTube stats for nerds shows between 140mbit and 600mbit depending on what’s being watched and the time of day.
Is it possible your isp has problems with their ipv6 setup?
IPv6 overheads should only have a marginal impact on max speeds.
I’ve heard of all sorts of issues with my fiber ISP (Verizon Fios) rolling out IPv6. It’s been years that they’ve been slowly rolling it out for testing in a few places. There’s virtually no useful documentation on their website about it. And it’s still not available where I am.
It also means you no longer need the kludge that is NAT. Full E2E connectivity is really nice – though I’ve found some network admins dislike this idea because they’re so used to thinking about it differently or (mistakenly) think it adds to their security.
NAT still has its place in obfuscating the internal network. Also, it’s easier to think about firewall/routing when you segregate a network behind a router on its own subnet, IMO.
Obfuscation is not security, and not having IPv6 causes other issues. Including some security/privacy ones.
There is no problem having a border firewall in IPv6. NAT does not help that situation at all.
Given how large the address space is, it’s super easy to segregate out your networks to the nth degree and apply proper firewall rules.
There’s no reason your clients can’t have public, world routeable IPs as well as security.
Security via obfuscation isn’t security. It’s a crutch.
This article is biased to selling you more F5 equipment but is a reasonable summary:
https://www.f5.com/resources/white-papers/the-myth-of-network-address-translation-as-security
Long story short is that NAT is eggshell security and you should be relying on actual firewall rules (I wouldn’t recommend F5) instead of the implicit but not very good protections of NAT.
It wasn’t designed for a security purpose in the first place. So turn the question around: why does NAT make a network more secure at all?
The answer is that it doesn’t. Firewalls work fine without NAT. Better, in fact, because NAT itself is a complication firewalls have to deal with, and complications are the enemy of security. The benefits of obfuscating hosts behind the firewall is speculative and doesn’t outweigh other benefits of end to end addressing.
I think you’ll find some ISPs will be reluctant to let go of CGNAT - they’re doing quite nicely by charging extra for ‘commercial’ services where it’s not in the way.
Fortunately, many of us know about cloudflare tunnelling and other services, so NAT really isn’t a problem to self hosters and even SMEs any more.
Hurricane Electric have a free tunnel broker that is super simple to set up if you really want to get on the bandwagon.
Though honestly I’d say the benefits of setting it up aren’t really worth the trouble unless you’re keen.
Yeah it’s a huge source of problems. If you are outside the US your IPv6 prefix is never gonna be correct in every GeoIP database, even if you send a request to have it corrected, so you sometimes get geoblocked and other sites just block you because it sometimes gets classified as VPN.
ipv6 in companies… ipv6 is not hard, but for internal networking no company (really) “needs” more than rfc1918 address space. thus any decision in that direction is always “less” needed than any bonus for (da)magement personnel is crucial for the whole companies survival…
for companies services to be reachable from outside/ipv6 mostly “only” the loadbalancers/revproxies etc need to be ipv6 ready but … this i.e. also produces logs that possibly break decades old regexes that no one understands any more (as the good engineers left due to too many boni payed to damagement personnel) while other access/deny rules that could break or worse let through where they should block (remember that 192.168. could the local part of ipv6 IF sone genious used a matching mech that treats the dot “.” as a wildcard as overpayed damagement personnel made them rush too fast), could be hidden “somewhere”. altogether technical debt is a huge blocker for everything, especially company growth, and if no customer “demands” ipv6, then it stays on the damagement personnels list as “fulfilling the whishes of engineers to keep them happy” instead of on the always deleted “cleaning up technical debt caused by damagement personnel” list.
setting up firewalls for ipv6 is quite easy and if you go the finegrained “whitelisted or drop/block” approach from the beginning it might take a bit for ipv6 specials to be known to you, but the much bigger thing is IMHO the then current state of firewall rules. and who knows every existing rule? what rules should be removed already and must not be ported to ipv6? usually firewalls and their rules are a big mess due to … again too many boni payed to damagement personnel, hindering the company from the needed steps forward…
ipv6 adoption is slow for reasons that are driving huge cars that in turn speed up other problems ;-|
i once had to look at a firefall appliance cluster, (discovered, it could not do any failover in its current state but somehow the decider was ok with that) but when looking at its logs, i discovered an rsh and rcp access from an ip address that belonged to a military organisation from a different continent. i had to make it a security incident. later the vendor said that this was only the cluster internal routing (over the dedicated crosslink), used for synchronisation (the thing that did not work) and was only used by a separate routing table only for clustersync and that could never be used for real traffic. but why not simply use an ip that you “own” by yourself and PTR it with a hint about what this ip is used for? instead of customers scratching their head why military still uses rcp and rsh. i guess because no company reads firewall logs anyway XD
someone elses ip? yes! becuase they’ll never find out !!1!
i really appreciate that ipv6 has things like a dedicated documentation address range and that fc00:/7 is nicely short.