[HN Gopher] Hetzner now provides IPv6 only dedicated servers
___________________________________________________________________
Hetzner now provides IPv6 only dedicated servers
Author : miyuru
Score : 335 points
Date : 2021-12-07 13:04 UTC (9 hours ago)
(HTM) web link (www.hetzner.com)
(TXT) w3m dump (www.hetzner.com)
| calpaterson wrote:
| I always think that too many web servers have IPv4 addresses.
| People don't seem to realise that CDNs - which everyone surely
| runs behind - will happily proxy IPv4 traffic to IPv6, so you
| don't need an IPv4 address to serve web traffic - only your CDN
| does.
| wongarsu wrote:
| Sure, but IPv4 just works. IPv6 mostly works, but isn't
| universally supported, is the less tested configuration, and
| "disable IPv6" seems to still be one of the best solutions for
| mysterious network problems. It just doesn't make sense to use
| anything other than IPv4 as long as you get a free IPv4 address
| with every server.
|
| Which is why I'm very happy over this move by Hetzner. More
| monetary incentive to move away from IPv4 is exactly what we
| need to break the cycle of "nobody uses IPv6, so nothing
| supports it, so nobody uses it"
| jeroenhd wrote:
| > and "disable IPv6" seems to still be one of the best
| solutions for mysterious network problems
|
| It's not really a solution to the problem, it's usually just
| ignoring the problem and hiding the symptoms.
|
| I'm surprised Hetzner is the first to do this, it's an
| obvious move with the sharp rise of IPv4 addresses. Most
| companies don't need IPv4 anyway, because their
| infrastructure usually ends up at a caching proxy or CDN
| regardless. Your backend API servers will usually also be
| talked to by other servers, which usually also run from a
| place with widespread IPv6 addresses.
|
| I can see a (bleak) future where consumers are all on CG-NAT
| and everything but the frontend is running IPv6 as a cost
| cutting measure.
| hansel_der wrote:
| > It's not really a solution to the problem, it's usually
| just ignoring the problem and hiding the symptoms.
|
| sounds like business as usual
| lazide wrote:
| Most of the world works by hiding symptoms until something
| forces the issue. Often it never happens, so we're all good
| (as it were). Sometimes it doesn't, then everyone starts
| pointing fingers.
|
| Many people are pretty adept at making sure the fingers
| don't point at them.
| detaro wrote:
| They are not the first. cheaper IPv6-only plans have been a
| thing with other providers for a while.
| anonymfus wrote:
| _> It just doesn't make sense to use anything other than IPv4
| as long as you get a free IPv4 address with every server._
|
| But you don't any more, and prices are increasing fast:
| https://docs.hetzner.com/general/others/ipv4-pricing/
| axelthegerman wrote:
| Agreed! For public access I'd still prefer IPV4 but if it's for
| myself or an internal service for one of my other servers, why
| not IPV6
| terom wrote:
| yay! Now the same for Hetzner Cloud servers as well. Could they
| get the price for an IPv6-only cloud instance down to
| 2-3EUR/month + VAT?
| miohtama wrote:
| Yes. IPv4 is actually a cost for Hetzner. You can see it
| already on some servers as an additional price tag.
| ozim wrote:
| Now price for IPv4 has to go really up so internet providers
| feel it and start rolling IPv6 to household routers.
|
| But they will probably just up prices for the end users.
|
| Though I think mobile providers are already having a lot of
| IPv6.
| withinboredom wrote:
| I just got ipv6 in my area the last week of November
| alias_neo wrote:
| My fibre provider in the UK has been IPv6 for a while, I
| have a /56.
|
| Unfortunately, they use CGNAT which is a nightmare for
| anyone who uses the internet.
|
| I pay them £5 per month to lease an IPv4 address rather
| than sit behind the CGNAT sharing the IP with all of my
| neighbors.
| hackbinary wrote:
| Are you on hyperoptic?
| tw04 wrote:
| Most ISPs have just rolled out cg-nat. I doubt the price of
| v4 space will ever have any meaningful impact on ipv6
| adoption if it hasn't by now.
| yabones wrote:
| Any pricing info? I imagine they 'save' quite a bit by not having
| to take one of their IPv4 addresses out of the pool...
| cotillion wrote:
| In the server auction the price appears to drop by EUR2.13 when
| IPv6 is selected. Which I guess is affected by local VAT.
| Trellmor wrote:
| 2EUR/month/IP address. Ordering without an IPv4 address is
| 2EUR/month cheaper
| bennyp101 wrote:
| Looking at the FAQ[1] for it - seems to be 1.70, which is the
| same as they have on their pricing page[2] for additional IPV4s
|
| [1] https://docs.hetzner.com/robot/dedicated-server/ip/faq-
| prima...
|
| [2] https://docs.hetzner.com/general/others/ipv4-pricing/
| metafunctor wrote:
| Hetzner also recently added "placement groups" to influence the
| distribution of virtual servers in their data centers.
|
| Useful for HA clusters, mostly. Free, too.
| https://docs.hetzner.com/cloud/placement-groups/overview
| bennyp101 wrote:
| Ah, I got excited and thought I could order a dedicated server
| - but choose if I wanted them to be on the same aisle/shelf or
| on a different one! That would be cool! (This is still cool
| too, though!)
| metafunctor wrote:
| You can already order two dedicated servers and request them
| to be on the same rack:
| https://docs.hetzner.com/robot/dedicated-
| server/faq/faq/#can...
|
| I'd assume you might be able to tell them to please put them
| on different racks for HA purposes, or something?
| bennyp101 wrote:
| Ah yea ok, thanks!
| [deleted]
| [deleted]
| curiousfab wrote:
| e.g. https://www.hetzner.com/dedicated-
| rootserver/px62/configurat...
|
| Looks like this will save you EUR2.02 a month.
| miohtama wrote:
| The cheapest Hetzner cloud server is also around 2-3 eur/month.
| tomudding wrote:
| They increased the prices recently, without any VAT a new
| instance of the CX11 is now EUR3.49 p/month.
|
| I do hope they will start providing cloud instances without
| IPv4 soon too (they say they are working on it).
| ab_testing wrote:
| What is the benefit of an IPv6 only dedicated server as compared
| to a normal server that has an IPv4 address.
| [deleted]
| wongarsu wrote:
| It's about $2/month cheaper
| throw0101a wrote:
| IPv6 prices aren't going up:
|
| * https://docs.hetzner.com/general/others/ipv4-pricing/
| bennyp101 wrote:
| If you have a few machines that are connected together, saving
| 1.70EUR on each kinda means you could get a floating IP, or put
| towards a vswitch or whatever
| Nextgrid wrote:
| You use one or two machines as load-balancers and connect them
| to your application servers over IPv6 only.
|
| If your app servers need to talk with external IPv4 services
| you can run a box with an IPv4 and an HTTP proxy.
| hashworks wrote:
| Also Hetzner offers pure Load Balancers.
| jeroenhd wrote:
| You don't need a HTTP proxy, you could make use of existing
| 6to4 technologies. Cloud providers can probably offer those
| for free at reduced speed as part of their IPv6 package.
| There are also public 6to4 routers available today, but I
| wouldn't trust my company's data to flow through those.
| bullen wrote:
| Sadly nobody understands that central US is where your servers
| need to be.
|
| The only competition to GCP there is IONOS where you cannot
| easily change your instance type!
| k8sToGo wrote:
| Why would I, as a European, want my servers in US Central?
| bullen wrote:
| Because if you want to make something there will be customers
| in the US.
|
| And if you are making something interesting that utilizes the
| internet's USP, it will have real-time communication between
| your customers.
|
| And in the US if users from the east coast connect to
| something with the same latency as users from the west coast
| that evens out the advantages.
|
| If you are making a static homepage then of course it doesn't
| matter because what you are making could also be a book or
| even a stone tablet.
|
| The content always comes from the older medium until the new
| medium figures out its own content at which point the old
| medium dies. See opera, theater, radio, television, youtube,
| twitch, etc. etc.
|
| The final medium is the open 3D action MMO, be it in VR or
| not.
|
| 5 years ago I decided to never work on something that could
| not be sold globally, it's a good decision because it leans
| into the future.
| withinboredom wrote:
| There are a multitude of reasons not to have servers in the
| US if you are doing anything privacy centric.
| speedgoose wrote:
| Our customers in Scandinavia are asking us to stop using
| American cloud providers for their sensitive data, even
| though the datacentres are Scandinavia.
| jonathantf2 wrote:
| What about my customers in Europe that will have worse
| latency than both US users?
|
| What if my website is for my business and I only expect UK
| users to visit?
| strzibny wrote:
| You don't.
| WorldMaker wrote:
| While not entirely on topic to the article/ISP at hand, if you
| really are looking for Central US competitors to GCP, Azure has
| it well covered: https://azure.microsoft.com/en-us/global-
| infrastructure/geog...
|
| Central US in Iowa / North Central US in Illinois / South
| Central US in Texas / West Central US in Wyoming. (Plus all the
| normal locations on the coasts.)
|
| (That's currently more Central US data centers than GCP which
| just has an Iowa and a Salt Lake City data center today. If you
| are keeping count.)
| [deleted]
| mgbmtl wrote:
| I don't know if others have experienced it, but I run a
| monitoring server from Hetzner and have daily issues with IPv6
| latency and packet loss (edit: Finland DC).
|
| I monitor 3 other IPv6 locations, the monitoring server will very
| randomly throw alerts, and only from Hetzner. Yet, when I opened
| a ticket, I was told it was the fault of the other providers,
| despite the mtr traces showing otherwise, and not having issues
| outside Hetzner.
|
| Hopefully more IPv6 users means that I won't be the only one
| impacted by those networking issues. I find IPv6 useful for
| servers that are not public-facing. They are firewalled of
| course, but it also means I can access them directly from home
| without hops or VPN (my home having a static IPv6 address).
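The kind of evidence a dispute like that turns on is where in the path the loss first appears. Added here as an example, not code from the thread, from Hetzner or from the commenter: a small parser for `mtr --report -n` output that walks back from the destination and reports the first hop at which loss persists all the way to the end (loss that vanishes at the next hop is a router rate-limiting its ICMP replies, not forwarding loss), then maps that hop's address to a network label. The report text, the 2001:db8::/32 prefixes and the labels "provider", "transit" and "destination" are constructed placeholders; nothing here identifies a real router.

```python
"""Locate where packet loss starts in an `mtr --report -n` trace.

Added example, not from the thread. Sample report and prefix table are
constructed (RFC 3849 documentation addresses), not captured from Hetzner.
"""
import ipaddress
import re
from collections import namedtuple

Hop = namedtuple("Hop", "index host loss sent avg worst")

# One report row:  "  4.|-- 2001:db8:1:fd::1   15.0%    20    6.2  80.4 ..."
# Unresponsive hops print "???" and a loss column of "100.0" with no "%".
_HOP_RE = re.compile(
    r"^\s*(\d+)\.\|--\s+(\S+)\s+(\d+(?:\.\d+)?)%?\s+(\d+)"
    r"\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s*$"
)


def parse_mtr_report(text):
    """Return the hop rows of an mtr report as Hop tuples, in path order."""
    hops = []
    for line in text.splitlines():
        m = _HOP_RE.match(line)
        if not m:            # 'Start:' banner, column header, blank lines
            continue
        idx, host, loss, sent, _last, avg, _best, worst, _stdev = m.groups()
        hops.append(Hop(int(idx), host, float(loss), int(sent),
                        float(avg), float(worst)))
    return hops


def loss_start(hops, threshold=1.0):
    """Return the Hop at which sustained loss begins, or None.

    Loss that shows at hop k but is gone at hop k+1 is the router at k
    rate-limiting its ICMP TTL-exceeded replies, not forwarding loss, so
    it is ignored. Only loss present at the destination and at every
    responsive hop walking back from it counts; silent "???" hops are
    skipped because they say nothing either way.
    """
    if not hops or hops[-1].loss < threshold:
        return None
    start = hops[-1]
    for hop in reversed(hops[:-1]):
        if hop.host == "???":
            continue
        if hop.loss < threshold:
            break
        start = hop
    return start


def owner_of(host, networks):
    """Map a hop address to a label from a {label: [prefix, ...]} table.
    Non-address hosts ("???", or names when -n was omitted) -> 'unknown'."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "unknown"
    for label, prefixes in networks.items():
        if any(addr in ipaddress.ip_network(p) for p in prefixes):
            return label
    return "unknown"


def diagnose(report, networks, threshold=1.0):
    """Summarise a report: end-to-end loss, first hop of sustained loss,
    and whose network that hop sits in."""
    hops = parse_mtr_report(report)
    if not hops:
        return {"end_to_end_loss": None, "starts_at": None, "owner": None}
    start = loss_start(hops, threshold)
    return {
        "end_to_end_loss": hops[-1].loss,
        "starts_at": start.index if start else None,
        "owner": owner_of(start.host, networks) if start else None,
    }


# Constructed sample: hop 2 shows rate-limited (vanishing) loss, real loss
# starts at hop 4 and is still there at the destination.
SAMPLE_REPORT = """\
Start: 2021-12-07T13:04:00+0000
HOST: mon.example.net             Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 2001:db8:1::1               0.0%    20    0.5   0.6   0.4   1.1   0.2
  2.|-- 2001:db8:1:ff::2           35.0%    20    1.1   1.3   0.9   2.8   0.4
  3.|-- 2001:db8:1:fe::1            0.0%    20    1.4   1.6   1.2   2.1   0.3
  4.|-- 2001:db8:1:fd::1           15.0%    20    6.2  80.4   6.0 229.7  77.1
  5.|-- 2001:db8:2:1::c            15.0%    20    6.9  84.1   6.5 231.0  78.2
  6.|-- ???                       100.0    20    0.0   0.0   0.0   0.0   0.0
  7.|-- 2001:db8:3::10             15.0%    20    7.4  90.3   7.0 240.5  80.6
"""

# Constructed prefix table; hypothetical labels, documentation prefixes.
SAMPLE_NETWORKS = {
    "provider": ["2001:db8:1::/48"],
    "transit": ["2001:db8:2::/48"],
    "destination": ["2001:db8:3::/48"],
}

if __name__ == "__main__":
    print(diagnose(SAMPLE_REPORT, SAMPLE_NETWORKS))
```

To use it on a real trace, replace SAMPLE_REPORT with the output of `mtr --report -n -c 100 <target>` and put your provider's and the target's prefixes in the table. Two caveats: loss that appears only at the last hop can be the target itself filtering or rate-limiting probes, so probe with something it must answer (e.g. `mtr --tcp --port 443`); and one report is a snapshot, so for an intermittent problem keep several reports from the bad minutes rather than one from a quiet one.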
| grafelic wrote:
| I have seen the same latency problem (100-250ms) in Finland DC,
| but with IPv4.
| RF_Savage wrote:
| Ah, so this is why my IRC shell in the Hetzner Helsinki DC
| had so much lag.
| celsoazevedo wrote:
| I wouldn't use their Finland DC for anything serious. Peering
| isn't good and they seem to route a lot of the traffic via
| their Germany network. Both DCs in Germany are way better.
| freeflight wrote:
| _> Peering isn't good and they seem to route a lot of the
| traffic via their Germany network._
|
| Stuff like that always makes me wonder how much of it is down
| to the NSA being hooked straight into DE-CIX [0] via the
| German BND [1].
|
| [0] https://www.datacenterdynamics.com/en/news/german-court-
| thro...
|
| [1] https://en.wikipedia.org/wiki/Gehlen_Organization
| loufe wrote:
| Can somebody explain the government's defense in that case?
|
| "The court said DE-CIX could not cite article 10 of
| Germany's Basic Law, which guarantees the privacy of
| communications, because the company was not directly
| affected by the BND operations."
|
| I honestly don't understand how an argument like that holds
| water.
| cmer wrote:
| I assume this is common knowledge, but I personally find Hetzner
| to be exceptionally good.
|
| It's always been good to me when I was using their European data
| centers, but that was always a bit of a bummer because of
| latency. Now that they have a DC in the US, I just can't think of
| a single good reason to use other cloud providers for smaller
| deployments. They're pretty much the best bang for your buck you
| can get anywhere.
| lowwave wrote:
| not to mention free DDoS protection. In Amazon I read in one
| hacker news article that it costs them around $6000 for the
| custom AWS DDoS team. Why people still use AWS? Other than that
| it is a corporate policy. Honestly would like to know.
| starptech wrote:
| Exactly! I use https://github.com/StarpTech/k-andy for most
| projects with a limited budget.
| gunapologist99 wrote:
| https://github.com/StarpTech/k-andy : "Zero friction
| Kubernetes stack on Hetzner Cloud", basically specialized k3s
| with some pieces customized for Hetzner, and automatic
| deployment on Hetzner cloud instances.
| blablabla123 wrote:
| I also have 2 servers there, one virtual with FreeBSD and one
| root server as Linux hypervisor. I run the guests from a tmux
| session because I was too lazy to create any systemd job for
| this. The guest works like this already more reliably than an
| instance from more well-known providers.
|
| Of course for larger deployments you'd have to take care of
| fail-over and all this, so it's not really an option unless you
| are up for setting this up all by yourself.
| pid-1 wrote:
| When running things that tolerate interruptions, AWS Spot
| Instances are way cheaper than Hetzner or any other VPS
| service.
| smarx007 wrote:
| I think AWS will be at least 10x more if you include the
| traffic charges.
| FDSGSG wrote:
| Do you have numbers to share? That sounds really hard to
| believe.
|
| Can AWS Spot Instances really beat this?
| https://www.hetzner.com/dedicated-rootserver/matrix-ax
| e12e wrote:
| Note that bandwidth is included for servers with gigabit
| uplink - for 10gb uplink "only" 30TB/month is included. How
| much is just 5TB/month egress on Amazon?
| dgudkov wrote:
| The beauty of Hetzner is its dedicated servers. You can get 8
| core, 64GB ECC, 1TB SSD server for mere 64 EUR/mo. AWS has
| nothing like that, AFAIK.
| elorant wrote:
| This. Plus some really cheap rigs with older hardware. For
| 30 euro you get a fourth gen i7 with 32 GB RAM and 3TB hdd.
| tetha wrote:
| Multiply that by 5 and you have our dirt cheap, extremely
| reliable elasticsearch cluster.
| welterde wrote:
| Can you name some instance types? I had a look at a couple
| random ones and the closest equivalent at hetzner was always
| significantly cheaper.
| api wrote:
| How is reliability these days?
| mythz wrote:
| I've only had 1 HDD failure since 2013 which their support
| was quick to resolve. I haven't noticed any network
| interruptions myself personally during that time.
|
| I've only had them for a few years but I've yet to experience
| any issues with their great value (e.g. 2TB, EUR 9.90/mo)
| storage box servers. https://www.hetzner.com/storage/storage-
| box
|
| Only issue I have with them is the latency of their Germany
| DC's from the US, if they end up offering dedicated servers
| in a US DC I'll be moving over my existing Hetzner and AWS
| (non RDS linked) App servers over.
| axelthegerman wrote:
| They announced their US datacenter recently! Welcome news
| for myself too
| mythz wrote:
| Yeah but it's only for their higher margin cloud servers
| products atm, they haven't committed to offering
| dedicated servers yet.
| vladharbuz wrote:
| I've been running various (small) servers with Hetzner for
| the past 9 years and I've never noticed any downtime or any
| issues of any kind.
| mhkool wrote:
| me too
| n3storm wrote:
| Me too
|
| Our first cloud server (supposedly to be a test) is running
| since March 2018. We have managed more than 15 dedicated
| servers since 2012
|
| Never an issue
| leephillips wrote:
| I have one at the 6EUR/mo level, with 498 days of uptime as
| of today.
| hackbinary wrote:
| Do you not patch your kernel?
| leephillips wrote:
| Apparently not. Talk me into it.
| hackbinary wrote:
| While having a long uptime sounds cool it is a signal
| that you don't patch that often. Maybe you patch your
| other stuff, but I would bet on even odds that you don't.
| So then that is the rest of the stack, eg systemd which
| has some mega flaws IIRC.
|
| You're leaving yourself open to having something
| exploited. Have a look at your ssh logs where "people"
| are constantly trying to get in.
|
| https://www.whitesourcesoftware.com/resources/blog/top-10
| -li...
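The check behind that argument, added here as an example rather than anything the commenters posted: compare the running kernel release with the newest kernel image installed on disk, which is exactly the gap a long uptime hides. It assumes a Debian/Ubuntu-style layout where each installed kernel is /boot/vmlinuz-<release> and releases look like major.minor.patch-abi-flavour (e.g. 5.4.0-91-generic); both are assumptions, not something the thread states.

```python
"""Tell whether the running kernel is older than the newest one installed.

Added example, not from the thread. Assumes a Debian/Ubuntu-style layout
where each installed kernel image is /boot/vmlinuz-<release> and releases
look like 'major.minor.patch-abi-flavour' (e.g. 5.4.0-91-generic).
"""
import glob
import os
import platform
import re

_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(\d+))?(?:-(.*))?$")


def parse_kernel_version(release):
    """'5.4.0-91-generic' -> (5, 4, 0, 91, 'generic'); ValueError otherwise."""
    m = _RELEASE_RE.match(release)
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    major, minor, patch, abi, flavour = m.groups()
    return (int(major), int(minor), int(patch), int(abi or 0), flavour or "")


def _parse_or_none(release):
    try:
        return parse_kernel_version(release)
    except ValueError:
        return None


def reboot_needed(running, installed):
    """Return (needed, newest_release).

    Prefers installed kernels of the same flavour as the running one
    (a 'generic' box should not be told to boot a 'cloud-amd64' image),
    falling back to any parseable release when none share the flavour.
    Comparison is on the numeric (major, minor, patch, abi) tuple only.
    """
    run_v = parse_kernel_version(running)
    parsed = [(r, _parse_or_none(r)) for r in installed]
    parsed = [(r, v) for r, v in parsed if v is not None]
    same_flavour = [(r, v) for r, v in parsed if v[4] == run_v[4]]
    candidates = same_flavour or parsed
    if not candidates:
        return False, running
    newest, newest_v = max(candidates, key=lambda rv: rv[1][:4])
    return newest_v[:4] > run_v[:4], newest


def installed_kernels(boot_dir="/boot"):
    """Kernel releases present as <boot_dir>/vmlinuz-<release>."""
    releases = []
    for path in glob.glob(os.path.join(boot_dir, "vmlinuz-*")):
        release = os.path.basename(path)[len("vmlinuz-"):]
        if release.endswith(".efi.signed"):
            continue   # Ubuntu ships a signed copy next to the plain image
        if _parse_or_none(release) is not None:   # drop anything odd
            releases.append(release)
    return releases


if __name__ == "__main__":
    running = platform.release()
    needed, newest = reboot_needed(running, installed_kernels())
    # Ubuntu's apt hooks drop this marker when any package wants a reboot
    # (libc, systemd and friends, not only the kernel).
    marker = os.path.exists("/var/run/reboot-required")
    print("running kernel:   ", running)
    print("newest installed: ", newest)
    print("reboot needed:    ", needed or marker)
```

Wire it into the monitoring that already watches the box and alert when it reports True for more than a maintenance window; the kernel comparison catches the case the thread is about, and the /var/run/reboot-required marker catches updated libraries that long-running daemons still have mapped.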
| leephillips wrote:
| I understand, and my uptime was just to show how reliable
| Hetzner has been. By "talk me into it" I meant please
| point out a real kernel security flaw that can be exploited
| without already having access to the system. There very
| well might be some! I'm not well up on all of this.
|
| Yes, I check my logs and see the constant stream of
| breakin attempts. Basic security precautions seem to keep
| them out.
| Drybones wrote:
| As someone who does full patches every couple of weeks on
| my servers and reboots every several months, I agree,
| however there's stuff that can live patch the kernel
| these days like kernelcare and livepatch by Canonical and
| more.
|
| Another reason though to reboot every so often is for the
| server to do filesystem checks on the root partition(s).
| hackbinary wrote:
| Hot patching (kpatch) wasn't GA until earlier this year
| on Ubuntu.
| missedthecue wrote:
| I've been with Hetzner for about 400 days straight now with
| no unplanned downtime.
| aivisol wrote:
| I am running dedicated servers on Hetzner since 2008 (max I
| had was 10 root servers at a time). Outages were quite common
| back in the day, both sudden server reboots and HDD failures.
| However, for the last 5+ years I haven't had a single outage.
| Support is always very quick to react and you could usually
| get HDD replaced same day.
| sneak wrote:
| I always assume (to be clear: this has not happened to me) that
| Hetzner's margins being what they are, any customer that causes
| an undue support burden (regardless of culpability) is probably
| unlikely to remain a customer for very long.
|
| I am extremely cautious of the sources of UGC I host publicly
| on my Hetzner machines. In addition to the fact that Germany
| lacks freedom of speech/publication (thus obligating a German
| organization like Hetzner to censor content that is legal to
| publish in most places, but not Germany), I imagine it wouldn't
| take many legitimate/normal UGC-related issues (e.g. properly-
| responded-to-by-the-box-customer DMCA takedowns) to make my
| customer relationship turn negative ROI for them.
|
| I wouldn't, say, run a social media site open to the public on
| Hetzner, even if I responded to DMCA and other legally-mandated
| takedowns in single-digit minutes, 24/7/365. I just can't
| imagine they'd accept the overhead of such a customer.
|
| That said, it's great for hosting big files that CloudFlare's
| TOS prohibits (video, podcasts, etc), just as long as you're
| certain nobody at Hetzner's going to get a call over one of
| your URLs.
| diffeomorphism wrote:
| > lacks freedom of speech.
|
| Freedom of speech is article 5 of the German constitution.
|
| What you mean is that it differs from the US version.
| sneak wrote:
| No, you're not allowed to publish gory video games or
| racist literature[1] in Germany, which is clearly prior
| restraint. It's not that the US has some crazy absolutist
| freedom of expression (it does not), it's that Germany
| simply lacks it.
|
| You can't have "mostly" free expression. It's either
| abridged or it isn't. Germany censors harmless digital art
| that the government deems inappropriate for adults to be
| able to see. It's a classic slippery slope (modern Germans
| defending their government's censorship and lack of free
| expression will usually cite Hitler/racist stuff, but
| that's not all that's banned).
|
| It doesn't really matter what the constitution says, if in
| practice you don't have those rights. It's sort of like how
| the 2A in the USA says that the people have the right to
| keep and bear arms, but I don't suggest attempting to
| exercise that right in Central Park, because you don't
| actually have it. Same goes for free expression in Germany.
|
| From
| https://scholarsbank.uoregon.edu/xmlui/handle/1794/19123 :
|
| > _Germany is one of the strictest censors of violence
| among the world's video game consumers. Due to its history
| and a cohesive national opinion, the legislature limits
| content severely, much more severely than the surrounding
| European nations. This results in international developers
| choosing not to market to Germany, creating censored titles
| specifically for the German market, or finding themselves
| on a list of banned titles illegal to buy or sell._
|
| [1]: there's also no indication that racist publications
| were responsible for WW2 (versus, say, Hitler himself),
| making this censorship-for-censorship's sake. Many other
| countries do not prohibit racist literature and have not
| committed a holocaust. So, of course, they banned violent
| video games too, because those don't cause violence either.
| cma wrote:
| > It's sort of like how the 2A in the USA says that the
| people have the right to keep and bear arms
|
| Why leave out the "for the maintenance of a well-regulated
| militia" part?
| sneak wrote:
| Because you asked, even though it's now way off-topic for
| this thread (and I will not respond further):
|
| Because the text of 2A does not indicate that the right
| is contingent upon participation in a militia (and indeed
| 10 USC 246[1] legally defines the US militia as _all_
| able-bodied male citizens of ages 17 to 44 inclusive, as
| well as all female citizens who are members of the
| National Guard, even if it did), as 2A actually specifies
| RKBA as a right of the _people_ (not "people of the
| militia", just "people").
|
| [1]: https://www.law.cornell.edu/uscode/text/10/246
| Frondo wrote:
| Heh, and where was this interpretation when the Black
| Panthers were arming themselves in California? Even the
| NRA supported gun control back then.
|
| > In contrast to the NRA's rigid opposition to gun
| control in today's America, the organization fought
| alongside the government for stricter gun regulations in
| the 1960s.
|
| https://www.history.com/news/black-panthers-gun-control-
| nra-...
| _dain_ wrote:
| stupid irrelevant gotcha, the nra is not the scotus
| GlitchMr wrote:
| Freedom of speech is not absolute in United States
| either, see https://www.uscourts.gov/about-federal-
| courts/educational-re....
| _dain_ wrote:
| Freedom of speech was also Article 125 of the Soviet
| constitution.
|
| The US First Amendment version is the only one that is
| worthy of the name.
| sneak wrote:
| Don't try to tell that to Julian Assange.
| na85 wrote:
| He's not a US citizen though. Their constitution only
| applies to them.
| lazide wrote:
| FYI - not according to the US constitution. It applies to
| everyone on US soil, and is supposed to bind the federal
| gov't in general in how it acts everywhere.
|
| De facto and de jure of course being completely different
| things.
| na85 wrote:
| > FYI - not according to the US constitution. It applies
| to everyone on US soil, and is supposed to bind the
| federal gov't in general in how it acts everywhere.
|
| Sure but that ship sailed years ago. Their constitution
| is also supposed to guarantee a right to a fair trial but
| obviously the legions of drone victims didn't get one.
| cycomanic wrote:
| I encourage you to read up on the J.E. Hoover and J.
| McCarthy on how much the US First Amendment is worth. Or
| maybe try running a pro ISIS webserver in the US, see how
| quickly you have the FBI knocking on your door. Let's not
| even talk about DMCA takedowns etc.
|
| The US ranks lower than Germany in the FH and RWB freedom
| of the press indices [1], which while not quite the same
| is highly related to freedom of speech.
|
| [1] https://en.wikipedia.org/wiki/Censorship_by_country
| throw10920 wrote:
| The First Amendment is stronger than any equivalent rule
| in any other modern country that I'm aware of. The fact
| that it's been undermined repeatedly, both in the past
| and the present (due to the recent wave of
| authoritarianism that has been sweeping US politics,
| which can be seen clearly on HN itself), doesn't have any
| bearing on its _relative_ ranking - so, it can suck (or
| just be a little suboptimal), but still be better than
| everything else.
|
| Moreover, how is DMCA relevant? Copyrighted works are
| outside the bounds of free speech.
| t0mas88 wrote:
| Wait, what? How does the fact that it's undermined not
| have an impact on how useful a US right is to me?
|
| DMCA, and in general the US legal system are extremely
| relevant to me as a user. If I have a theoretical right
| to free speech, but in practice any big US media company
| could kill it then I'm much better off in another country
| where maybe the theoretical right is 10% less but I can
| actually practically enjoy that right.
| _dain_ wrote:
| Those rankings just encode the political outlook of a
| certain leftist NGO.
|
| In the USA, Neonazi publications are allowed, while in
| Germany they are illegal. Therefore, the US has a freer
| press than Germany. Freedom House would disagree, and
| they are simply wrong.
| sneak wrote:
| > _Or maybe try running a pro ISIS webserver in the US_
|
| Bad counterexample? CloudFlare did just that, triggering
| a strangely pro-censorship round of hacktivism in the
| form of #OpISIS.
|
| https://www.theguardian.com/technology/2015/nov/19/cloudf
| lar...
| cycomanic wrote:
| That's not really running the website though is it? It
| seems like they run DDOS protection for them which is not
| really the same.
| adolph wrote:
| Good luck naming your baby "X AE A-XII" in Germany:
|
| https://www.iamexpat.de/expat-info/german-expat-
| news/german-...
|
| _An appropriate German name is one that is first
| recognised as a proper name. It cannot be associated with
| evil (e.g. Satan, Lucifer) or deemed religiously
| insensitive (e.g. Christus or Jesus). A name cannot be a
| product, brand, surname or a place name. Finally, German
| names have to indicate the child's gender and they are not
| allowed to cross (one exception is Maria, which can be used
| as a boy's second name). Neutral names (e.g. Alex, Kim)
| must be followed by a second name that indicates the
| child's gender._
| frenchyatwork wrote:
| You're right that German naming rules are overbearing,
| but you'd have trouble naming a baby "X AE A-XII" in a
| lot of places, including many US states, I believe.
| SahAssar wrote:
| If your definition of freedom of speech means being able
| to name your kid whatever you want then obviously the US
| first amendment is not working since most states have
| rules regarding naming too. For example:
| https://www.theguardian.com/us-
| news/2015/apr/11/california-b...
| sascha_sl wrote:
| Happy to provide an anecdote here. Had my home searched for
| user generated content on a Hetzner server around 2014. Some
| reports were also forwarded to me when the service was still
| alive. Hetzner provided a signed statement of me responding
| to abuse reports within a few hours of me asking.
| martin_a wrote:
| > to censor content that is legal to publish in most places,
| but not Germany
|
| We don't really like if somebody thinks Hitler was kind of a
| cool guy and that he should have continued "his work".
| Besides that you can say lots of things in Germany without
| getting too much trouble.
| kkjjkgjjgg wrote:
| Things have changed in recent years. Germany now has
| vaguely defined "hate speech" laws, meaning they can get
| you for any statement they don't like. It's not just about
| liking Hitler anymore.
| cycomanic wrote:
| Germany always had hate speech laws. To run afoul of
| those takes quite significant effort though.
| freemint wrote:
| Citation please?
| sneak wrote:
| https://en.wikipedia.org/wiki/Straftaten_gegen_die_%C3%B6
| ffe...
| cycomanic wrote:
| ? That article says there was an attempt to introduce a
| law banning violent video games. That attempt never was
| implemented, so what is this link supposed to prove?
| freemint wrote:
| I also read it that way.
| freemint wrote:
| That was literally 12 years ago and is not in effect and
| doesn't even have a German wikipedia page and the federal
| court would have nicked. It's all covered by artistic
| freedom!
| sneak wrote:
| No, the censorship laws in Germany are definitely still
| in effect. The petition in protest against them was 12
| years ago.
| cycomanic wrote:
| You need to be more specific then, which law do you mean?
| Because the "Straftaten gegen die öffentliche Ordnung" is
| a whole section of the StGB which covers all sorts of
| things ranging from the prohibition of running an illegal
| online trading platform, to trespassing or leaving an
| accident. The closest is the Paragraph 131 which
| prohibits showing violence for the purpose of glorifying
| violence or to degrade the "Menschenwürde" (not sure what
| a good translation is).
| sneak wrote:
| Please see the paper linked in my sibling comment above:
|
| https://news.ycombinator.com/item?id=29475379
|
| (tl;dr: Germany censors harmless depictions of gory
| violence in video games.)
| freemint wrote:
| Science disagrees with you on the harmless part. It is
| shown that violent video games desensitise people with
| regard to violence, just as violent movies do, except
| there is a categorical difference in interactiveness.
|
| I don't like that fact either but to ignore facts because
| they don't mesh with my politics is bad.
| rmbyrro wrote:
| That's troubling. Has it been enforced, however? Europe -
| and probably everywhere else too - has anachronistic laws
| that are rarely if ever enforced.
| kkjjkgjjgg wrote:
| I'm not keeping track. Certainly a lot of things are
| being preemptively censored, especially on social media.
| People have also lost their jobs.
|
| It is not an "anachronistic law", it is a new law that
| came into being very recently.
| Sebb767 wrote:
| There are a few worrying cases. One person, for example,
| got his house raided for calling a politician a dick on
| Twitter [0]. There are also a few far-reaching laws, such
| as the NetzDG [1], which is being pretty harshly
| criticized. That being said, Germany has never been as
| pro-free speech as the US (holocaust denial, for example,
| is illegal for a long time already) and you can still
| state your opinion pretty openly, as long as you're not
| an extremist.
|
| [0] https://www.spiegel.de/panorama/pimmelgate-
| hausdurchsuchung-...
|
| [1] https://en.wikipedia.org/wiki/Network_Enforcement_Act
| #Critic...
| saynay wrote:
| Their dedicated stuff is dirt cheap, although if you are trying
| to put your own OS on it they are quite a pain (some ancient
| Java web plugin).
|
| Networking has been occasionally unstable for me, though. Their
| vlan stuff being 1400 mtu is also annoying.
| hansel_der wrote:
| > Their vlan stuff being 1400 mtu is also annoying.
|
| does this suggest that their networking gear is also dirt
| cheap or is this just an artifact of legacy compat and/or not
| wanting to worry about jumbo frames?
| sleepydog wrote:
| 1500 mtu has been around for a long time. It's less likely
| their gear is cheap and more likely they're using that
| overhead for encapsulation.
| tlamponi wrote:
| Dirt cheap and you'll have issues with the network if you
| do anything meaningful, or rather slightly more complex,
| IME..
| cyberpunk wrote:
| I've had the opposite experience; OVH are much better, Hetzner
| support is absolutely awful and unskilled.
|
| I'm a big fan of OVH, they've never let me down.
| tinco wrote:
| So I take it your datacenter has never burned down?
|
| Sorry, had to poke fun a little bit, obviously there's always
| a chance of having a bad experience. I've only had to
| interact with Hetzner support once, and it was positive, we
| determined that a consumer grade CPU was aggressively going
| into some sleep mode the Linux kernel wasn't waking up from,
| and the Hetzner support guy agreed that was the problem and
| determined it was possible to disable that feature in the
| BIOS, and went ahead and did that for us.
|
| And of course the fact that that was necessary was on us for
| running our production on their consumer grade CPUs.
|
| I believe Hetzner and maybe also OVH have a much bigger role
| to play in the deployments of the future. The big cloud
| players are overplaying their hands, and it's becoming more
| and more attractive to run on bare metal as devops tooling
| improves.
| rmoriz wrote:
| Fun story: Hetzner lost a colocation due to overheating
| like almost 20 years ago. Everyone has to learn over time
| that eventually adds up to deep domain knowledge. Both
| Hetzner and OVH have built custom solutions for buildings,
| climate and energy monitoring.
| amenod wrote:
| Not only that, but for some deployments it is actually
| preferable to limit the amount of money you can pay. In
| other words, better for the service to be down than for the
| company or person to be bankrupt. Last I checked, that
| simply wasn't possible with AWS (no, alerts are not the
| same thing).
| p1necone wrote:
| Imo that's a must have feature for any cloud hosting
| provider - I don't want to bankrupt my company/myself
| because I misconfigure something or write a bug.
|
| I recall there being discussion about it on HN before and
| a lot of people being confused as to why anyone needs it
| though.
| cyral wrote:
| OVH does have great value, but they recently lost an entire
| DC to a fire: https://www.reuters.com/article/us-france-ovh-
| fire/millions-...
| tetha wrote:
| I cannot share that experience with the hetzner support. We
| currently do have some weird problems with an hcloud-
| dedicated joined vlan and the network topology and support is
| a bit weird there. I'm hoping that'll improve, because then
| hetzner might become a prod leg for us.
|
| But besides that, both the cloud and dedicated support are
| very good. Last 10 - 20 HDDs we needed swapped were swapped
| in under 30 minutes each, and in some of the more complex
| issues, they were able to guide our engineer wherever they
| needed to be quickly. I've dealt with much, much worse
| hosters at multiples of that price.
| comboy wrote:
| I tried OVH a few times and ran away every time.
|
| Currently have 10+ dedicated boxes at Hetzner and I'm taking
| time to write this comment because I like them that much. I
| only contacted support a few times during my 10+ years there
| but it was immediate response and to the point. I remember
| waiting 24h+ for OVH support with my service down (it was 5+
| years ago though) and for Hetzner it was always in minutes.
|
| Can you elaborate why do you think they are unskilled?
| celsoazevedo wrote:
| I recently moved from OVH to Hetzner as I could get better
| hardware for the same price.
|
| No issues so far, but OVH's network seems to be better,
| especially for people in other continents.
|
| Edit to add:
|
| - I'm using their Germany DCs, not the Finland one (which is
| cheaper but peering is worse).
|
| - Using a CDN does improve the latency/speed for users
| outside Europe, but it still influences performance as CDN
| exit point often connect directly to the origin to fetch
| uncached content.
|
| - I lost a VPS with OVH's DC fire, but I had backups
| somewhere else and fixed it quickly. A good thing about the
| lower prices is that I can have backups on multiple services
| (also cheap - Backblaze B2, for example) and still save money
| compared to AWS, Google Cloud, etc.
| cyanydeez wrote:
| ovh changed their login system, froze me out of payment and
| refused to respond to email.
|
| They're as on fire as their datacenters
| gibsonf1 wrote:
| We've been using Hetzner since the last article about their VA
| service appeared last month on HN and are truly impressed in
| all respects with the performance and cost. We plan to move all
| our servers over to Hetzner from AWS, however continue using S3
| (We didn't see a comparable service on Hetzner for S3)
| xrd wrote:
| Run Minio yourself? It's amazing, and easy to setup using
| dokku (for great backup/restore options).
| martin_a wrote:
| Also: Get one of their managed webhosting packages (starting
| from 1,90 EUR/month) and you'll get a domain with it. You can't
| get your own mail hosted for much cheaper.
| na85 wrote:
| Don't the big players penalize mail coming from hosts without
| ipv4?
| martin_a wrote:
| I've not yet found this to be an issue with personal mails.
| If you're planning on setting up whatever system that needs
| to send _lots_ of mails, something else might be better
| indeed.
| amenod wrote:
| > Don't the big players penalize mail coming from hosts?
|
| Ftfy. :)
|
| Yes, they do, unfortunately. I am still hoping for some
| regulation / fine to put an end to this.
| MaKey wrote:
| Me too! You're in for a lot of pain, especially in the
| beginning, when trying to host your own mail server. Big
| players just dropping mails (Microsoft), local
| authorities refusing your mails (even on the postmaster
| inbox) and if your mail goes through it might still go
| straight to the spam folder. Granted, I'm using an .xyz
| domain, but I'm not sure how big of a role this really
| plays. Interestingly I didn't have problems with Google's
| mail servers so far.
| seanw444 wrote:
| I remember hearing that Google really downgrades the
| search rankings of .xyz domains. Not sure how it goes for
| email though.
| 6jQhWNYh wrote:
| You can: buy a cheap 4EUR/year domain at OVH and you'll get
| your own mail with their free 10M web hosting plan.
| martin_a wrote:
| That's cheaper indeed. I would hold against that the 24
| EUR/year from Hetzner get you 10 GB of space for whatever.
| Personal website, small NextCloud, something like that. I
| think it's a good deal with a well known hoster.
| brnt wrote:
| That's just a single inbox and no aliases, right?
| XCSme wrote:
| Does it come with SMTP?
| hansel_der wrote:
| what does that even mean? (i.e. how would an email service
| work w/o smtp)
| dkjaudyeqooe wrote:
| Some hosts block port 25 (SMTP) and you have to use
| another server to send emails.
| martin_a wrote:
| I think so, yes, see here:
| https://docs.hetzner.com/konsoleh/account-
| management/email/s...
| synthmeat wrote:
| For non-dedicated in the US? I can think of at least 2 reasons
| why not:
|
| - crappy network (advertised 300-500mbps, usually lower)
|
| - crappy cpus ("benchmarked" several providers, hetzner was
| lower end on cpu-bound loads)
|
| Dedicated ones are baller though, unfortunately no US.
| adventured wrote:
| I've started using Hetzner's Virginia cloud offering. So far
| their AMD processors are matching DigitalOcean's comparable
| product and I'm getting a lot more for my money. I've seen
| zero evidence of supposed crappy CPUs in Hetzner's cloud.
| tinco wrote:
| Anyone know why dedicated is just not a thing in the US? I
| looked for a Hetzner alternative in the US and it's just
| crazy to me that it doesn't exist.
|
| I think Hetzner's dedicated servers product started from the
| consumer demand for Counter-Strike servers, maybe it's
| because Counter-Strike wasn't as popular in the US? Not 100%
| that's why Hetzner has been successful with dedicated servers
| but I don't have another explanation.
| lazide wrote:
| It's definitely a thing, every major metro has tons of data
| centers doing it to various degrees of success. For the
| most part it's for small/medium folks, as larger buy and
| staff their own equipment, and many smaller do VPS or cloud
| for various reasons.
|
| Dedicated is starting to make more sense as cloud prices
| are kinda nuts + tooling is better now, so 'roll your own
| cloud' is becoming more feasible.
|
| It just doesn't get as much press as the big cloud
| offerings, and most of them are relatively local players
| specializing in their region (and associated
| network/property). OVH has several large DCs selling
| dedicated hardware for rent here in the US.
| gnufx wrote:
| > 'roll your own cloud' is becoming more feasible
|
| https://opennebula.io is worth looking at for that sort
| of thing (not that it's new). You don't have to do it
| that way, but its "edge" support for simple provisioning
| on bare metal providers doesn't include Hetzner; I think
| it assumes you can get instances on demand. That sort of
| solution isn't complex or expensive enough for my site,
| and doubtless others, though. Especially when you just
| want compute, I can't see the point in the pain (which
| surprised us) and expense of AWS et al.
| tinco wrote:
| Do you have an example of being able to rent a single
| bare metal node, with the cost of the rack already priced
| in? I've never seen it, especially not like Hetzner where
| it can cost as little as $50/mo all inclusive for a full
| server.
| samcrawford wrote:
| Also check out
| https://www.webhostingtalk.com/forumdisplay.php?f=36 .
| That has plenty of US hosts at around that price range
| too
| bserge wrote:
| https://www.ionos.com/servers/amd-servers
|
| Among dozens of others...
| kube-system wrote:
| I'm not sure what it is that you're not finding. I can
| just search 'dedicated server' and the first page has
| several examples of places that will rent you a single
| bare metal server in the US. There are dozens and dozens
| of options.
|
| The first one I clicked on has options around $50 too:
| https://www.namecheap.com/hosting/dedicated-servers/our-
| pric...
| tinco wrote:
| Whoops, sorry, last time I checked was a couple of years ago;
| I don't know why I failed then. Seems there are plenty of
| options now. Thanks!
| t0mas88 wrote:
| Leaseweb, they're a European company but with several US
| datacenter locations. They offer monthly priced dedicated
| servers, but are more expensive than Hetzner.
| Drybones wrote:
| It's not as common, I agree, but I work for a data center
| company that does almost exclusively bare metal servers and
| colocation. We have a VPS part of our company but it's a
| different brand name and you won't find it on the main
| company's website.
|
| I still have Hetzner for a dedicated server in Europe, and
| it's fine. I've had it for several years now with no
| issues.
|
| Before getting this job, I noticed that most dedicated
| servers in America are from smaller companies that re-sell
| their dedicated servers or colocated servers from companies
| like my work's or other data centers (who mainly specialize
| in colocation services instead of selling their own
| hardware).
|
| I suppose in America, the main people companies target are
| for simple cheap VPS servers or "cloud scaling" services.
| You can also make a lot more imo by stuffing as many
| customers onto 1 server instead of dedicated hardware for
| each customer. Also a lot less management and support
| needed. At work 99% of our maintenance and support is for
| individual dedicated servers. The VPS side of the company
| requires very little intervention on our end.
| smarx007 wrote:
| I "benchmarked" the network across a few big VPS providers,
| they all seem to do 400Mbps+ within the continent and
| 100-200Mbps when you go across the ocean (iperf3, I assume
| you also meant heavy sustained traffic). It also aligns with
| what the creator of PHP found out:
| https://toys.lerdorf.com/low-cost-vps-testing. Did you find a
| provider where the network would allow you to go 300Mbps+
| across the ocean on a cheap VPS?
|
| Re: CPU, if you were comparing them with the VMs from "the
| big 3", you should look under the "Dedicated vCPU" tab:
| https://www.hetzner.com/de/cloud
| synthmeat wrote:
| Yeah, heavy sustained, and DO came up on top (even your
| link says so). Admittedly, I haven't tested across the
| pond. I've tested dcpu ones only AND only for my load
| (node.js with a worker). That's why "benchmarked" is in
| quotes. :)
|
| Linode/Vultr/DigitalOcean/Hetzner/Terrahost
|
| I can easily imagine cost savings on Hetzner could benefit
| certain loads, of course. It's always "depends".
| freemint wrote:
| How did you come to those numbers? I did my own
| benchmarks and Hetzner definitely came on top of Vultr.
| https://github.com/freemin7/discount-cloud-geekbench-5
| synthmeat wrote:
| I don't see Hetzner dedicated vCPU's on there? I did
| mention "dcpu" ones. But thank you for your benchmark,
| it's very useful for shared-cpu comparison.
|
| How did I come to it? Measuring performance of my node.js
| service I need to run on it, iperf, speedtest.
| freemint wrote:
| Yeah after finding no difference in performance between
| dcpu and the normal hetzner offerings in my benchmarks I
| didn't benchmark all instances
| Kaibu wrote:
| My 7 Euro Hetzner cloud instance in Falkenstein easily does
| about 5Gbit (inter-europe).
|
| From my experience, at Hetzner you are very rarely limited
| by their network. Usually only by poor peering from
| transits. Peerings with all the big names are great tho, so
| no reason to complain for me.
|
| And from what I know from someone near Hetzner, they don't
| cheap out on peering at all.
|
| 10G speedtest to a Swedish telco provider I ran just now:
| https://i.imgur.com/9ARZqOP.png
| rlex wrote:
| Sadly I have quite the opposite experience. Back in the day
| Hetzner was my first dedicated server provider (after I grew
| out of shared hosting). I had some issues with HDDs and they
| replaced the faulty one with another that failed shortly
| after, then another heavily used HDD. I migrated to OVH then.
| After some years I bought another server from them and it was
| okay, apart from a couple of downtimes. Some time ago I got
| interested in k8s and decided to set up a personal cluster.
| So I tried to register an account with them again, because
| when you don't have any services they delete your account
| completely (really?)
|
| I failed. They silently suspended my account after I made the
| payment for verification. I tried to register again, they
| asked for a scan of my passport, I sent it, and they suspended
| my account again. No replies from support regarding that
| issue either. Funny, because I went through the validation
| process 2 times already (when I rented dedicated servers from
| them) and now I can't create an account to use their cloud
| offering (and dedicated servers too)
| t0mas88 wrote:
| The account deletion when not having any services is a result
| of their privacy policy. Most European companies should do
| that but I think it's rare in practice. What they didn't do
| very well is that it's of course better to email you before
| deleting.
|
| The HDD thing is (was?) definitely an issue with Hetzner. I
| had the same experience some years ago. Best option was to
| get hardware raid and SAS disks, those were datacenter
| quality instead of consumer and worked great.
| bserge wrote:
| Very German of them. Do something they don't like once and
| they ghost you forever lol.
| vog wrote:
| From the announcement:
|
| > "We will continue to improve this new solution and are already
| working on an IPv6 only solution for cloud servers, too."
|
| I'm eagerly waiting especially for this! The cloud servers are
| pretty cheap, but costs for IPv4 addresses make a significant
| part of the monthly cost. The Hetzner cloud server would be much
| more interesting if they weren't each tied to a public IPv4
| address.
| geenat wrote:
| Warning, Rootless Docker doesn't support the ability to see the
| user's source IP yet with IPv6.
|
| * https://github.com/rootless-containers/rootlesskit/issues/25...
|
| * https://github.com/rootless-containers/slirp4netns/issues/25...
|
| This has repercussions if you need to be able to see the user's
| IP for throttling, banning, etc.
| mrweasel wrote:
| Docker and IPv6 is a major pain in general.
| goodpoint wrote:
| Docker and IPv6 are major pains in general.
| mfontani wrote:
| Unfortunately only a /64 per server :/
| RexM wrote:
| Is that not enough? I was curious how many IPs that'd give you,
| and it is 2^64
|
| Genuinely curious what you might need more for (for a single
| server).
| momothereal wrote:
| It's about having multiple continuous ranges of addresses.
|
| Think of it in IPv4 terms, it's like having the range
| 192.168.0.0 to 192.168.0.255 (192.168.0.0/24) assigned to
| your host. 256 addresses should be plenty of addresses, but
| you can't cleanly segment them into multiple ranges, like you
| could with 192.168.0.0/16: because you can have
| 192.168.0.0/24, 192.168.1.0/24, 192.168.2.0/24.
|
| By having multiple, complete blocks of /24, you can easily
| assign them to different classes of IP interfaces on your
| host.
| nightpool wrote:
| Why not? Couldn't you just assign e.g. 192.168.0.0/26,
| 192.168.0.64/26, 192.168.0.128/26, 192.168.0.192/26?
| ISO-morphism wrote:
| Yes, you can, but there's a bit more mental math involved
| for a human looking at it, and more truthfully it's just
| less aesthetically pleasing.
| igjeff wrote:
| Nothing in IPv6 says you have to stop dividing at the /64
| level.
|
| There has been some hardware that takes a bit of a
| performance hit when doing route lookups that are longer
| than /64 in the past, but if you're doing this all in
| software on an end host, that's not an issue.
|
| Go ahead and divide up that /64 to smaller blocks for your
| classification purposes, you'll still have plenty.
| w7 wrote:
| IPv6 SLAAC will not work on subnet smaller than a /64
| hackbinary wrote:
| I don't think that is true.
|
| The client obtains the network prefix from the RA, and
| then the client tries to generate unique host address.
|
| "" The IPv6 stateless autoconfiguration mechanism
| requires no manual configuration of hosts, minimal (if
| any) configuration of routers, and no additional servers.
| The stateless mechanism allows a host to generate its own
| addresses using a combination of locally available
| information and information advertised by routers.
| Routers advertise prefixes that identify the subnet(s)
| associated with a link, while hosts generate an
| "interface identifier" that uniquely identifies an
| interface on a subnet. An address is formed by combining
| the two. In the absence of routers, a host can only
| generate link-local addresses. However, link-local
| addresses are sufficient for allowing communication among
| nodes attached to the same link. ""
|
| https://datatracker.ietf.org/doc/html/rfc4862
| w7 wrote:
| Yes, all implementations that I'm aware of use EUI-64,
| which requires a /64
|
| https://datatracker.ietf.org/doc/html/rfc7421 is helpful
| in understanding this.
|
| Basically it explains that SLAAC RFC itself does not
| define the /64 limitation, but other RFCs that are
| relevant to network operation do.
|
| """ The addressing architecture [RFC4291] [RFC7136] sets
| the IID length at 64 bits for all unicast addresses and
| therefore for all media supporting SLAAC. An immediate
| effect of fixing the IID length at 64 bits is, of course,
| that it fixes the subnet prefix length also at 64 bits,
| regardless of the aggregate prefix assigned to the site
| concerned, which in accordance with [RFC6177] should be
| /56 or shorter. """
| progval wrote:
| You get one /64 per server. How often do you need to
| divide a range within a server _and_ run SLAAC for one of
| these subdivisions?
| hansel_der wrote:
| > Nothing in IPv6 says you have to stop dividing at the
| /64 level.
|
| but as you mentioned, there are a few roadblocks that
| say: you shouldn't
| [deleted]
| sneak wrote:
| That's normal/standard for a whole LAN, and is more than enough
| for all of your VMs/containers on the box.
| xnyanta wrote:
| No, it's not enough because you end up needing Proxy NDP for
| your traffic to reach other subnets smaller than a /64 (e.g.
| a /80) if you have the /64 on your wan interface and carve it
| out. Normally, you'd have a /64 on your wan, then another /64
| for your containers or multiple /64s for different container
| deployments or virtual machines. Then traffic would route
| properly between your networks with ipv6 forwarding enabled.
| sneak wrote:
| > _is more than enough for all of your VMs /containers on
| the box_
|
| > _you end up needing Proxy NDP for your traffic to reach
| other subnets smaller than a /64 (e.g. a /80) if you have
| the /64 on your wan interface and carve it out_
|
| It sounds like we are in full agreement.
| WesolyKubeczek wrote:
| What would you do with all those addresses? Could you please
| elaborate about each one?
| edm0nd wrote:
| First thing I can think of is spam and abuse
| formerly_proven wrote:
| Good luck sending emails with IPv6.
| profmonocle wrote:
| It works fine with Gmail. And since G Suite is so widely
| used, tons of domains can send/receive mail over IPv6
| just fine.
| vaylian wrote:
| Why should that be an issue?
| erinnh wrote:
| Some mail-admins will downgrade IPv6-only MX servers
| reputation-wise, due to the limiting/cost-increasing
| factor of IPv4 Addresses.
| BenjiWiebe wrote:
| I do it already. Well, both IPv4 and IPv6. There's a
| decent number of IPv6 capable MX's out there, the most
| prominent being GMail.
|
| If you were meaning IPv6-only then yes that would be
| pretty bad.
| profmonocle wrote:
| If an IPv6 spam filter is working on a per-address basis,
| it's never going to work. The smallest allocation you can
| get from a RIR is a /48. Even residential ISPs give at
| _least_ a /64. You could use a different address for every
| email and never run out.
| fuzzy2 wrote:
| A /56 + prefix delegation would enable IPv6 VMs without any
| dirty hacks.
| detaro wrote:
| ... giving each VM one IP out of the /64 is not a "dirty
| hack". I guess if you want to do complex networks between
| the VMs it'd help a bit? Still, /64 is IMHO a good default
| for single machines.
| fuzzy2 wrote:
| Traffic for any of the addresses in the /64 arrives at
| your server's "external" network interface. Is there any
| non-hacky way to forward this traffic to an internal
| virtual network?
| profmonocle wrote:
| You just create a route for it, same as you would with
| any size network. Linux allows you to create routes for
| IPv6 prefixes longer than /64 without any issue. On AWS I
| have a VM with a /80 routed to it, which I have divided
| into multiple /96's internally. It works fine.
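Added example, not code from the thread, from Hetzner or from any commenter: a short Python script (standard library `ipaddress` only) that carries out the subdivision nightpool and igjeff describe above and the /80-into-/96s routing profmonocle reports. The prefixes (taken from the 2001:db8::/32 documentation range), bridge names and route table are constructed for illustration. `carve` splits a prefix (a /24 into /26s, or a /64 into /80s), `slaac_capable` checks whether a subnet still leaves the 64 host bits that RFC 4291 and RFC 7421 fix for SLAAC interface identifiers, and `lookup_route` performs the longest-prefix match a host route table does, which is why routes longer than /64 work in software without any special handling.

```python
import ipaddress

# Constructed sample prefixes from the documentation range (2001:db8::/32),
# not anyone's real allocation: one /64 of the kind assigned per server, and
# the kind of /80 a VM might have routed to it.
SERVER_PREFIX = ipaddress.IPv6Network("2001:db8:1234:5678::/64")
VM_PREFIX = ipaddress.IPv6Network("2001:db8:abcd:1::/80")

# RFC 4291 / RFC 7421: the SLAAC interface identifier is 64 bits wide, so
# EUI-64 or random IIDs only fit if the subnet leaves 64 host bits.
SLAAC_IID_BITS = 64


def carve(prefix, new_prefixlen, count=None):
    """Split `prefix` into equal sub-prefixes of length `new_prefixlen`.

    Works for IPv4 and IPv6 alike. Returns the first `count` subnets, or all
    of them when `count` is None (a /64 -> /80 split yields 65536 of them,
    so ask for a few)."""
    subnets = prefix.subnets(new_prefix=new_prefixlen)
    if count is None:
        return list(subnets)
    return [next(subnets) for _ in range(count)]


def slaac_capable(prefix):
    """True if hosts on `prefix` can still form a 64-bit interface ID."""
    return prefix.max_prefixlen - prefix.prefixlen >= SLAAC_IID_BITS


def plan(prefix, new_prefixlen, count):
    """Describe each carved subnet: its size and whether SLAAC still works."""
    return [
        {"subnet": str(net), "addresses": net.num_addresses, "slaac": slaac_capable(net)}
        for net in carve(prefix, new_prefixlen, count)
    ]


def lookup_route(address, routes):
    """Longest-prefix match over (network, next_hop) pairs.

    This is all a host route table does; nothing in it cares whether a
    prefix is longer than /64, which is why routing a /80 or /96 to an
    internal bridge works on Linux. Returns (network, next_hop) or None."""
    addr = ipaddress.ip_address(address)
    best = None
    for net, hop in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best


# Constructed route table for the /80 VM (hypothetical bridge names): two
# /96 internal networks and a default route back out of the primary NIC.
VM_ROUTES = [
    (ipaddress.IPv6Network("2001:db8:abcd:1::/96"), "br-app"),
    (ipaddress.IPv6Network("2001:db8:abcd:1:0:1::/96"), "br-db"),
    (ipaddress.IPv6Network("::/0"), "eth0"),
]

if __name__ == "__main__":
    # The IPv4 analogy from the thread: four /26s out of a /24.
    for net in carve(ipaddress.ip_network("192.168.0.0/24"), 26):
        print(net)
    # The server /64 carved into /80s: still huge, but no longer SLAAC-capable.
    for row in plan(SERVER_PREFIX, 80, 3):
        print(row)
    # An address inside the second /96 is delivered to br-db, not eth0.
    print(lookup_route("2001:db8:abcd:1:0:1::42", VM_ROUTES))
```

The rows from `plan(SERVER_PREFIX, 80, 3)` show the trade-off argued over in this thread: each /80 still holds 2^48 addresses, but `slaac` is False for every one of them, so hosts inside those blocks have to be addressed statically or by DHCPv6 rather than by router advertisements. The route lookup shows the other half of the argument: once the /80 is routed to the VM, carving it into /96s is just more specific routes.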
| profmonocle wrote:
| Typically, a /64 in IPv6 is one subnet. You're not really
| supposed to subdivide networks beyond that point. The first
| 64 bits identify the network, the last 64 bits identify the
| host. Under this design, if you only assign a /64 per server,
| that would mean you couldn't have multiple networks on that
| VM (which you'd want for something like Docker.)
|
| However, this principle isn't really enforced on a technical
| level. Only some standards such as SLAAC actually _require_
| the network to be a /64, and since SLAAC isn't really
| relevant for servers, most cloud providers have been
| relatively stingy with their IPv6 allocations - at least
| compared to what RFCs actually recommend. (Which would
| probably be a /48 per customer, per region.)
| mindslight wrote:
| I appreciate the push to expand address allocations a bit,
| so that providers aren't charging a monthly fee for every
| /128 and the like. But /64 seems like ridiculous overkill.
| Even for a premises network connected to an ISP, the
| optimal thing to do is to continue NATting to hide
| information about your network. Privacy wise I'd rather
| have 2^16 separate /128's scattered throughout a provider's
| address space, than a single /64, which will inevitably be
| treated as a single address by the surveillance industry.
| Ultimately discrete public addresses are really only needed
| for services, and the services I want to share are few and
| enumerable. At this point I do more work making sure
| individual nodes _aren't_ fully connected (eg Internet of
| Shit) than making services reachable.
| profmonocle wrote:
| > /64 seems like ridiculous overkill
|
| The idea behind the /64 minimum was to make auto-
| configuration easier - you could just stick the layer 2
| ID (i.e. the MAC address) in the second half and not have
| to worry about collisions or stateful assignment system
| like DHCP. Remember that IPv6 was designed in the
| mid-90's, so both of these decisions seem silly now -
| using the MAC would be a serious privacy issue (modern
| operating systems use a random ID which changes
| frequently) and DHCP is very mature.
| nightpool wrote:
| Sure, but as the ancestor comment mentions, SLAAC has no
| relevance for the use-cases people in this thread _want_
| more than 64 bits for (e.g. Docker sub-networks). Since
| your Docker containers don't have "MAC addresses",
| there's no reason that you need to use 64 bits
| specifically to configure them. Your container runtime is
| perfectly positioned to assign IP addresses and subnets
| however it chooses to. Assigning a /72 to each container
| is perfectly fine.
| mindslight wrote:
| Yeah I was going to touch upon that. I understand where
| they were coming from design wise (apenwarr's post is
| fantastic for that - https://apenwarr.ca/log/20170810).
| Privacy extensions mainly seems like doubling down on an
| unworkable idea. I can see the hypothetical benefit on a
| shared network, where say a coffee shop has a /64 and you
| can have every single app looking like a separate device
| on that network to an outside observer. I just foresee
| the inevitable future where IP surveillance databases
| contain information like "this /48 hands out /64 to each
| end user, so treat it as one entity", rendering those
| extra bits as a mere liability to be mitigated.
| daneel_w wrote:
| _> "You're not really supposed to subdivide networks beyond
| that point."_
|
| Why not? Does it result in technical problems? I know very
| little about IPv6 (but I know that a /64 is an absurdly
| large network).
| sumtechguy wrote:
| I know you are being funny. However, it does make me think
| hmmm... Is there any advantage/disadvantage to not handing
| out something like a /120? Or is there something else at play
| like in the way auto discovery is working? I am not familiar
| enough with it to say.
| detaro wrote:
| Yes, various pieces kind of assume that smaller networks
| than /64 are not a thing, e.g. SLAAC, one of the mechanisms
| to distribute IPs.
| davidmurdoch wrote:
| I have a /64 from my ISP and I want to run a few VLANs on my
| home network but I can't subdivide the /64 any further using
| my business class (TP-Link omada) router's controller. Maybe
| there are similar limitations in place here?
| tejohnso wrote:
| The announcement doesn't indicate _why_ I would want this. Is it
| for politically motivated people who want to help push IPv6
| forward? Is it to simplify configuration?
|
| I had to click through to the FAQ to read about additional cost
| for IPv4, but there the difference isn't specified, so it led to
| more questions, but I gave up.
|
| Reminded me of this other front page item:
| https://gds.blog.gov.uk/2013/07/25/faqs-why-we-dont-have-the...
| Havoc wrote:
| Cost. It's a common request among the low end budget vps crowd.
| tyingq wrote:
| If you go through the order process, you'll see this item:
|
| >Primary IPv4 EUR1.70 monthly
|
| Hetzner didn't used to let you drop that item off. Now they are
| letting you do that if you don't need a primary IPv4, and are
| happy with just IPv6.
| pxeger1 wrote:
| Awesome, I asked for this on Twitter recently and now we've got
| it!
|
| edit: this is only for dedicated servers, not VPS's :(
| petre wrote:
| Do they still ask for a copy of your ID as part of the sign-up
| process?
| tn890 wrote:
| Yes. Or business registration.
| throw0101a wrote:
| Their IPv4 prices are going up in January:
|
| * https://docs.hetzner.com/general/others/ipv4-pricing/
|
| Prices for IPv4 addresses went from US$30/IP in May to about
| $50/IP now:
|
| * https://ipv4.global/reports/
| bionade24 wrote:
| Oh god in 20 years reverse NAT (reverse as in reverse Proxy) will
| be a thing because IPv6 still won't be supported by all network
| providers.
| DenseComet wrote:
| Why wait 20 years? Take a look at NAT64 (although it's in the
| opposite direction of what you mentioned)
| justinclift wrote:
| Unfortunately, the firewall offering that Hetzner provides for
| their dedicated servers is IPv4 _only_.
|
| So, if you're using software on the server which mucks around
| with firewall rules (eg using OS provided firewall on the server
| isn't good enough), then you're sad out of luck.
|
| And their current IPv4 firewall has a 10 rule limit per server,
| which can't be raised. Mind boggling. :(
|
| I've asked Hetzner if they have any plans to extend their
| firewall to include IPv6 support, or raise the # of firewall
| rules, but they have no plans to at this stage. :( :( :(
| krageon wrote:
| What software that anyone actually uses does this, except for
| docker (which has well documented ways of using it properly
| that are tragically not the default)?
| Croftengea wrote:
| To be clear, these weird firewall limitations are not related
| to cloud firewalls. Cloud limits are much more generous.
| simon83 wrote:
| For this reason I've set up an OPNsense VM on my dedicated
| Hetzner server where all inbound and outbound IPv4/IPv6 traffic
| has to go through; it acts as a gateway for the host itself and
| my other VMs. OPNsense itself is a pretty powerful firewall
| with tons of other features.
|
| Of course you'll lose access to your server if the OPNsense VM
| breaks or doesn't boot up for whatever reason after an update
| or so, but after 2 years I haven't had any problems. But in
| case something goes wrong Hetzner offers some nice recovery
| options: even if you don't have internet access to your server
| you can access your volumes in some kind of VM and get access
| to it via a VNC-like interface (I had to use this feature a few
| times during the initial setup, which consisted of a lot of
| trial and error; I locked myself out a few times).
|
| I wouldn't run this setup for anything mission critical of
| course, it's way too hacky and an official firewall solution
| would be better, but for my personal purposes as a "home lab"
| like setup it works perfectly fine so far.
| sgt wrote:
| Seems like an edge case. 99% will be happy with the OS
| firewall.
| Croftengea wrote:
| Not quite. It's easier to define one set of rules for the
| entire server group (Projects in Hetzner terminology) and
| forget about it than to manage OS firewalls individually.
| k8sToGo wrote:
| Until they learn that Docker adds iptables rules on its own
| and opens every port automatically.
| tinco wrote:
| I've been bitten by this, was a pain in the ass to figure
| out that something was messing with the iptables rules.
| tfehring wrote:
| Every port on the machine, or every port on the container?
| remram wrote:
| The container's ports that you explicitly expose.
|
| E.g. `docker run -p 8080:80 nginx` will expose the
| container's port 80 as port 8080 on the host. That port
| will be open whether or not the host has a firewall
| configured to block 8080.
|
| You can do `docker run -p 127.0.0.1:8080:80 nginx` to
| only have the port on the host accessible on the loopback
| interface (for example if you have a reverse proxy on the
| host, proxying to 127.0.0.1:8080).
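Added example, written for this page rather than taken from remram's comment or from Docker itself: a small Python audit for the situation described above. It parses `-p` publish specs of the kind an operator might collect from a compose file or `docker ps` output, using the same split-from-the-right rule Docker applies so that unbracketed IPv6 host addresses parse correctly, then flags every publication bound to something other than loopback. The sample specs are constructed.

```python
import ipaddress

# Constructed list of `docker run -p` publish specs, as an operator might
# collect them from a compose file or `docker ps`; not real deployments.
SAMPLE_PUBLISH_SPECS = [
    "8080:80",              # all interfaces (the first example above)
    "127.0.0.1:8080:80",    # loopback only (the second example above)
    "[::]:8443:443",        # IPv6 wildcard, also reachable from outside
    "::1:5432:5432",        # IPv6 loopback, in Docker's unbracketed form
    "9000:9000/udp",        # protocol suffix, still all interfaces
]


def parse_publish(spec):
    """Parse one `-p` spec into (host_ip, host_port, container_port, proto).

    Accepted forms: CONTAINER_PORT, HOST_PORT:CONTAINER_PORT and
    HOST_IP:HOST_PORT:CONTAINER_PORT, each with an optional /tcp or /udp.
    The host IP is everything left of the last two colon-separated fields,
    so `::1:5432:5432` yields `::1`; surrounding brackets are stripped.
    A missing host IP or host port is returned as None."""
    proto = "tcp"
    if "/" in spec:
        spec, proto = spec.rsplit("/", 1)
    parts = spec.split(":")
    if len(parts) == 1:
        host_ip, host_port, container_port = None, None, parts[0]
    elif len(parts) == 2:
        host_ip, host_port, container_port = None, parts[0], parts[1]
    else:
        host_ip = ":".join(parts[:-2]).strip("[]")
        host_port, container_port = parts[-2], parts[-1]
    if not container_port:
        raise ValueError(f"malformed publish spec: {spec!r}")
    return host_ip, host_port or None, container_port, proto.lower()


def is_world_reachable(host_ip):
    """True when the published port listens beyond loopback.

    With no host IP Docker binds 0.0.0.0 (and, with IPv6 enabled, [::]).
    Published ports are delivered through Docker's DNAT and FORWARD rules,
    which the host's INPUT firewall rules never see, so such a port is open
    regardless of what the host firewall says about it."""
    if host_ip is None:
        return True
    return not ipaddress.ip_address(host_ip).is_loopback


def audit(specs):
    """Return (spec, host_ip, host_port, container_port, proto) for every
    publish spec that other hosts can reach."""
    findings = []
    for spec in specs:
        host_ip, host_port, container_port, proto = parse_publish(spec)
        if is_world_reachable(host_ip):
            findings.append((spec, host_ip or "0.0.0.0",
                             host_port or "ephemeral", container_port, proto))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PUBLISH_SPECS):
        print("reachable from outside:", finding)
```

`audit(SAMPLE_PUBLISH_SPECS)` reports `8080:80`, `[::]:8443:443` and `9000:9000/udp`; the loopback-bound entries are left alone. Binding to `127.0.0.1` (or `::1`) as suggested above, or putting operator rules in the DOCKER-USER iptables chain that Docker reserves for exactly that purpose, are the documented ways to close the gap the thread describes.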
| piaste wrote:
| There's also the option to spin up a tiny VM with
| pfSense/OPNsense and have it act as a bastion, is there not?
| Or would it introduce too much latency?
| k8sToGo wrote:
| From my experience their cloud offerings are much slower
| network wise than the dedicated ones.
___________________________________________________________________
(page generated 2021-12-07 23:02 UTC)