• Blaster M@lemmy.worldEnglish
    481·
    19 hours ago

    Skill issue

    IPv6 is easy to do.

    2000::/3 is the internet range

    fc00::/7 is the private network range (for non routing v6)

    fe80::/64 is link local (like apipa but it never changes)

    ::1/128 is loopback

    /64 is the smallest network allocation, and you still have 64 bits left for devices.

    You don’t need NAT when you can just do firewalling - default drop new connections on inbound wan and allow established, related on outbound wan like any IPv4 firewall does.

    Use DHCPv6 and Prefix Delegation (DHCPv6-PD) to get your subnets and addresses (ask for a /60 on the wan to get 16 subnets).

    Hook up to your printer using ipv6 link local address - that address never changes on its own, and now you don’t have to play the static ip game to connect to it after changing your router or net config.

    The real holdup is ISPs getting ultra cheap routers that use stupid network allocation systems (AT&T) that are incompat with the elegant simplicity of prefix delegation and dhcp.

    • kieron115@startrek.websiteEnglish
      2·
      18 hours ago

      On my home network I make sure that my PDs are the same as my VLAN IDs so that I can at least know where a device is based on its IP. If I was smart I would also line them up with the IPv4 subnets as well.

  • LaLuzDelSol@lemmy.world
    311·
    19 hours ago

    Just my perspective as a controls (SCADA engineer):

    I work for a large power company. We have close to 100 sites, each with hundreds of IP devices, and have never had a problem with ipv4. Especially when im out in the field I love being able to check IPs, calculate gateways, etc at a glance. Ipv6 is just completely freaking unreadable.

    I see the value of outward-facing ipv6 devices (i.e. devices on the internet), considering we are out of ipv4s. But I don’t see why we have to convert private networks to ipv6. Put more bluntly: at least industry, it just isn’t gonna happen for decades (if it ever does). Unless you need more IPs it’s just worse to work with. And there’s a huge amount of inertia- got one singular device that doesn’t talk ipv6 at a given generation site? What are you supposed to do?

    • kieron115@startrek.websiteEnglish
      51·
      18 hours ago

      If you set up your DNS correctly then you don’t even need the IPs. Just give devices unique, human-readable names and maybe do separate sub-domains for each site or something.

        • kieron115@startrek.websiteEnglish
          4·
          17 hours ago

          Oh, now that you mention it I’ve never tried to map a static DNS entry to a device without DNS. Welp, time to get thousands of raspberry pi’s to act as IP KVMs!

          • inktvip@lemmy.dbzer0.com
            2·
            7 hours ago

            That would imply en existence of display/usb outputs…

            We’re essentially talking a bunch of embedded devices talking to each other. You can give them all the dns entries you want, but if they (or the programming environment) don’t support DNS lookup you might as well put your dns server in excel.

    • Captain_Faraday@programming.devEnglish
      1·
      2 hours ago

      I’m a protective relay settings engineer at a contractor for lots of power companies. I’m dipping my toes into my first substation automation project. Getting to design the device native files, IPs, and other networking parts from the drawings package of site and device manuals. It’s all SEL equipment with a gateway at the top and local powerWAN, RTAC, annunciators, and relays below. I live thousands of miles from the site, so local testing would be challenging but probably have to fly or something lol. I have been doing some research on how to emulate this is a lab setting when all you have is the RTAC and some relays. Is this something SCADA engineers have to do sometimes? Like if you need to test a scheme when you can’t build it physically first?

  • Frezik@lemmy.blahaj.zoneEnglish
    1894·
    22 hours ago

    I know it’s a joke, but the idea that NAT has any business existing makes me angry. It’s a hack that causes real headaches for network admins and protocol design. The effects are mostly hidden from end users because those two groups have twisted things in knots to make sure end users don’t notice too much. The Internet is more centralized and controlled because of it.

    No, it is not a security feature. That’s a laughable claim that shows you shouldn’t be allowed near a firewall.

    Fortunately, Google reports that IPv6 adoption is close to cracking 50%.

    • truthfultemporarily@feddit.org
      82·
      22 hours ago

      I think NAT is one reason why the internet is so centralized. If everyone had a static IP you could do all sorts of decentralized cool stuff.

      • Frezik@lemmy.blahaj.zoneEnglish
        62·
        22 hours ago

        Right, not the only reason, but it’s a sticking point.

        You shouldn’t need to connect to your smart thermostat by using the company’s servers as an intermediary. That makes the whole thing slower, less reliable, and a point for the company to sell your personal data (that last one being the ultimate reason why it’s done this way).

      • Creat@discuss.tchncs.de
        341·
        19 hours ago

        Everyone having a static IP is a privacy nightmare.

        There’s a reason the recommendation in the standard for ipv6 had to be amended (it whatever the mechanic was) so that generated local suffixes aren’t static. Before that, we were essentially globally identifiable because just the second half of your v6 address was static.

        • Frezik@lemmy.blahaj.zoneEnglish
          18·
          18 hours ago

          IPv4 centralization creates far more privacy issues than everyone having a static IP. The solutions are still things like VPNs and onion routing.

      • PacMan@sh.itjust.worksEnglish
        7·
        16 hours ago

        Which is why IPv6 was created. Everything used to get a public routable IP. Large company’s such as ATT and IBM got a whole /8 to themselves. NAT made it so we did not run out of IP’s in the 2000’s

    • iii@mander.xyzEnglish
      14·
      22 hours ago

      Fine, I won’t invite you to our bi-annual TURN server appreciation event.

      • Mitch Effendi (ميتش أفندي)@piefed.mitch.scienceEnglish
        41·
        21 hours ago

        I worked with one of the inventors of IPv6 for a bit of time, and I think knowing Carl really gave me an insight into who IPv6 was invented for, and that’s the big, big, big networks — peering groups that connect large swaths of the Internet with other nations’ municipal or public infrastructure.

        These groups are pushing petabytes of data every hour, and as a result, I think it makes their strategists think VERY big picture. From what I’ve seen, IPv6 addresses very real logistical problems you only see with IPv4 when you’re already dealing with it on a galactic scale. So, I personally have no doubt that IPv6 is necessary and that the theory is sound.

        However, this fuckin’ half-in/half-out state has become the engine of a manifold of security issues, primarily bc nobody but nerds or industry specialists knows that much about it yet. That has led to rushed, busy, or just plain lazy devs and engineers to either keep IPv6 sockets listening, unguarded, or to just block them outright and redirect traffic to IPv4 anyway.

        Imo there’s not much to be done besides go forward with IPv6. It’s there, it’s tested, it’s basically ready for primetime in terms of NIC chip support… I just wish it weren’t so obtuse to learn. :/

        • drosophila@lemmy.blahaj.zoneEnglish
          2·
          6 hours ago

          However, this fuckin’ half-in/half-out state has become the engine of a manifold of security issues, primarily bc nobody but nerds or industry specialists knows that much about it yet. That has led to rushed, busy, or just plain lazy devs and engineers to either keep IPv6 sockets listening, unguarded, or to just block them outright and redirect traffic to IPv4 anyway.

          Its kind of interesting to me how conservative the IT industry is with stuff like this.

          The industry loves to say “move fast and break things” or “innovate and disrupt”, but that generally only applies to things that can be shat out in a two week long Python project (or shat out in 2 weeks after publicly funded universities spent years figuring out the algorithm for you). For anything foundational, like CPU architecture, operating systems, or the basic assumptions about how UI should work, they’re terrified of change.

      • Frezik@lemmy.blahaj.zoneEnglish
        22·
        22 hours ago

        There is something there, but mostly I think existing net admins try to map their existing IPv4 knowledge onto IPv6. That doesn’t work very well. It needs to be treated as its own thing.

        • drkt@scribe.disroot.org
          9·
          17 hours ago

          I couldn’t figure it until I turned my brain off and just read the documentation. I was thinking in IPv4 logic, because everyone had told me it was just “bigger IPv4” - it’s not. It’s so much more, and better.

      • deur@feddit.nl
        227·
        20 hours ago

        Nah. You’re just too stupid to understand the internet is designed to be used with DNS. The people who design these protocols and operate the networks that form the internet have no issues with DNS and don’t care that you don’t understand.

    • Auli@lemmy.caEnglish
      2·
      3 hours ago

      Ipv6 took awhile for me to understand. One of the biggest hurdles was how is it secure without NAT.

    • IrateAnteater@sh.itjust.works
      47·
      22 hours ago

      We use NAT all the time in industrial settings. Makes it so you can have select devices communicate with the plant level network, while keeping everything else common so that downtime is reduced when equipment inevitably fails.

        • IrateAnteater@sh.itjust.works
          52·
          19 hours ago

          This is equipment that uses all statically addressed devices. And ignoring the fact that IPv6 is simply unsupported on most of them, there are duplicate machines that share programs. Regardless of IP version you need NAT anyway if you want to be able to reach each of the duplicates from the plant network.

        • socsa@piefed.socialEnglish
          7·
          17 hours ago

          The one thing you can’t do with IPv6 is yell the address across the room to the technician plugged into the switch trying to ping the node.

        • Hotzilla@sopuli.xyz
          11·
          12 hours ago

          Good luck trying to find industrial stuff that supports IPv6, hell most of it is still serial.

          I have legit heard that serial is security mechanism because it cannot communicate long distance like ethernet.

          Of course you can do IPv6 magic that hides IPv6 from the end device, but nobody understands how that magic works.

  • NuXCOM_90Percent@lemmy.zip
    492·
    22 hours ago

    In my personal life I will probably “never” intentionally use ipv6.

    But it is a DAMNED good sniff test to figure out if an IT/NT team is too dumb to live BEFORE they break your entire infrastructure. If they insist that the single most important thing is to turn it off on every machine? They better have a real good reason other than “it’s hard”

    • Nightwatch Admin@feddit.nl
      246·
      22 hours ago

      It’s vulnerable af. And I mean really, it’s as bad as Netscalers or Fortigate shit. Like https://www.bleepingcomputer.com/news/security/hackers-abuse-ipv6-networking-feature-to-hijack-software-updates/ or https://www.bleepingcomputer.com/news/security/hackers-abuse-ipv6-networking-feature-to-hijack-software-updates/

      Problem is, yes it’s hard to implement but it’s even a lot harder to get it properly secured. Especially because few people are using it, and not securing it is worse than disabling it.

      • NuXCOM_90Percent@lemmy.zip
        17·
        22 hours ago

        And I would consider a detailed argument on why it is more secure to disable it to be a good reason.

        Personally? I consider an IT team who don’t know how to secure an ipv6 enabled network to not be competent. But that is a different conversation.

        • Nightwatch Admin@feddit.nl
          10·
          21 hours ago

          Yeah, I run dual stack without much trouble myself. I believe it is mainly difficult for people because eyeball diagnostics are impossible with 6.

        • TexasDrunk@lemmy.world
          5·
          18 hours ago

          My detailed explanation at my old job is that the dev team was full of idiots who hardcoded ipv4 addresses into their fucking code. Seriously. When we migrated from data center to cloud they had to go patch everything. The CTO wouldn’t do shit about it and the director was just there riding things out until retirement.

          • Auli@lemmy.caEnglish
            1·
            3 hours ago

            It does not have less eyes on and it’s 50% of Google traffic.

    • NaibofTabr@infosec.pubEnglish
      131·
      21 hours ago

      Realistically no organization has so many endpoints that they need IPv6 on their internal networks. There’s no reason to deal with more complicated addressing schemes except on the public Internet. Only the border devices should be using IPv6.

      Hopefully if an organization has remote endpoints which are connecting to the internal network over the Internet, they are doing that through a VPN and can still just be assigned IPv4 addresses on dedicated VLANs when they connect.

      • Olap@lemmy.world
        112·
        20 hours ago

        If you don’t have ipv6 internally, you probably can’t access ipv6 externally. 6to4 gateways are a thing. 4to6? Not so much.

        And this is why ipv6 will ultimately take another 20 years for full coverage. If it was more backwards compatible from the starting address-wise then this would all have been smoother. Should have stuck with point separators. Should have assumed zero padding for v4 style addresses rather than a prefix

        • The_Decryptor@aussie.zoneEnglish
          3·
          10 hours ago

          If you don’t have ipv6 internally, you probably can’t access ipv6 externally. 6to4 gateways are a thing. 4to6? Not so much.

          I’m pretty sure stateful gateways do exist, but it’s a massive ball of complexity that would be entirely avoided if people just used native v6.

  • Domi@lemmy.secnd.me
    46·
    19 hours ago

    My favorite thing to use IPv6 for is to use the privacy extension to get around IP blocks on YouTube when using alternative front ends. Blocked by Google on my laptop? No problem, let me just get another one of my 4,722,366,482,869,645,213,696 IP addresses.

    I have a separate subnet which is IPv6 only and rotates through IP addresses every hour or so just for Indivious, Freetube and PipePipe.

  • thejml@sh.itjust.works
    41·
    22 hours ago

    I use IPv6 every day and everywhere I can. It solves so many issues in large corporate and ISP network setups. And yes 10. Wasn’t big enough, and NATing is a PitA.

    Honestly we just keep pushing it off when it’s not that bad. Workaround after workaround just because people are lazy.

    • palordrolap@fedia.io
      101·
      20 hours ago

      How much slack did you have in your 10.* network? Or was it literally 16.7 million devices?

      • drkt@scribe.disroot.org
        141·
        16 hours ago

        IPv6 isn’t just a larger IPv4. There are features inherent to it, like link-local actually functioning and being predictable, unlike APIPA in v4 which was grafted on as an afterthought and breaks more than it works.

        It also functions router-less. You can grab 30 10-port switches and just stick them together and start plugging computers in. It will work without configuration or an authority.

        I am all v6 internally, but that’s not because I have a splatillion devices, but rather it’s just better and easier to manage.

      • Frezik@lemmy.blahaj.zoneEnglish
        4·
        18 hours ago

        16M devices on one network would almost certainly have major scalability problems all its own. SMB chattiness alone . . . shudder.

  • nonentity@sh.itjust.works
    38·
    16 hours ago

    The reason IPv6 was originally added to the DOCSIS specs, over 20 years ago, is because Comcast literally exhausted all RFC1918 addresses on their modem management networks.

    My favourite feature of IPv6 is networks, and hosts therein, can have multiple prefixes and addresses as a core function. I use it to expose local functions on only ULA addresses, but provide locked down public access when and where needed. Access separation is handled at the IP stack, with IPv4 it’s expected to be handled by a firewall or equivalent.

    • Bytemeister@lemmy.worldEnglish
      26·
      15 hours ago

      My favorite feature of IPv6 is that there are so many addresses available. Every single IPv4 address right now could have its own entire IPv4 range of addresses in IPv6. It’s mind-boggling huge.

      • gnuplusmatt@reddthat.com
        14·
        10 hours ago

        you could assign every square meter of the planet an ip and use it for location, and still have addresses left over

        • Zink@programming.dev
          7·
          5 hours ago

          Oh it’s way more than that!

          After looking up some numbers, I note we could give every single square MILLIMETER on the planet its own entire IPv4 address space.

          …And then every one of those IPv4 addresses could have its own entire copy of the IPv4 address space!

          …And that would just be a drop in the bucket compared with IPv6! One good comparison I’ve seen is that you could assign an address to every atom on the surface of the earth (but not inside it) and have enough left over for 100+ more earths.

          Rough math for the square millimeters:

          The surface area of the earth is roughly 510 trillion square millimeters. Let’s round that up to a quadrillion or 1015.

          The number of IPv6 addresses is 2128 or 3.4x1038. To be conservative again, let’s just round that down to 1038.

          1038 / 1015 = 1023 IPv6 addresses per square mm of earth.

          IPv4 address space is 232 or around 4 billion. let’s round up to 10 billion or 1010.

          So then 1023 / 1010 = 1013 IPv6 addresses per IPv4 address per square mm of earth.

          1013 / 1010 =

          1,000 IPv6 addresses per IPv4 address per IPv4 address per square mm of earth.

          And that was with the conservative estimates along the way. I think it would actually be tens of thousands.

  • socsa@piefed.socialEnglish
    331·
    17 hours ago

    Meh, the idea of having every address be globally routable makes a lot of sense. NAT is a great bandaid but it’s still a bandaid. It still limits how peer to peer and multicast applications function, especially on larger networks.

    • Korhaka@sopuli.xyzEnglish
      16·
      16 hours ago

      NAT444 is shit. I can’t even host a web server without routing it through a VPN, and my ISP can’t work out how to provide an IPv6 addresses yet. Give it to me and I will work out how to use it.

      Slight update - Just looked and apparently they had a goal of rolling out IPv6 addresses to all customers by earlier this year. I’ll check my router config tomorrow and who knows. Maybe I will be able to get one now? Would be pretty sweet.

      • cepelinas@sopuli.xyz
        3·
        5 hours ago

        I am sorry to interrupt, my ISP gave me an ipv6 address, but I just can’t access anything through it even when I specify it in the firewall, maybe they are blocking this functionality because they sell static ips.

  • MissingGhost@lemmy.ml
    25·
    19 hours ago

    I’m surprised by the comments here. I use 90% IPv6. For me v4 is only present for retro compatibility. The transition was hard however.

  • Voyajer@lemmy.world
    21·
    21 hours ago

    CGNATs suck ass though, I had to buy a vps just to access my own network outside my home.

    • atotalblank@lemmy.world
      5·
      19 hours ago

      I’ve recently changed isp and am now hitting CGNAT problems. I have been running Nextcloudpi for years and now I can’t access it from outside. I’ve trying to understand if I can fix the problem using IPv6 but from what you’ve said I’m now wondering if a vps is the solution?

      • Voyajer@lemmy.world
        4·
        18 hours ago

        My ISP doesn’t properly support IPV6, otherwise it should work. I use wireguard to route just my server traffic to the vps.

      • couch1potato@lemmy.dbzer0.com
        21·
        17 hours ago

        I deal with cgnat on my 2 isps at home. Install tailscale on your vps and your router at home and then on your router you can share subnet devices over your tailscale network. Install a reverse proxy on your vps.

        If set up correctly you can route a human readable web address (jellyfin.example.com) to your vps static ip address and then to, for example, a docker container with local address 192.168.100.1:8096, via reverse proxy.

    • A Wild Mimic appears!@lemmy.dbzer0.com
      1·
      1 hour ago

      Yeah, had the same issue with my ISP, but at least they switched me back to ipv4 after a support call. Didn’t want to pay extra for the privilege of not being reachable from the outside anymore.