[HN Gopher] IPv4 Waiting List
___________________________________________________________________
IPv4 Waiting List
Author : Sami_Lehtinen
Score : 80 points
Date : 2021-12-09 19:58 UTC (3 hours ago)
(HTM) web link (www.ripe.net)
(TXT) w3m dump (www.ripe.net)
| jakub_g wrote:
| IPv6 adoption graph: 32.59% as of today, as measured by Google
|
| https://www.google.com/intl/en/ipv6/statistics.html
| mlyle wrote:
| "We are continuously measuring the availability of IPv6
| connectivity among Google users. The graph shows the percentage
| of users that access Google over IPv6."
|
| I'm not sure what this graph means. The first sentence implies
| it's the number of users with IPV6 connectivity. The second
| sentence implies it's the number of users that access over
| IPV6-- but a big subset of users with valid IPV6 connectivity
| might end up only connecting with IPV4 for various reasons.
| ratorx wrote:
| The first sentence is correct. It should be "that can access
| Google over IPv6".
| bostonpete wrote:
| The second sentence explicitly tells you what the graph is
| showing. The first sentence doesn't contradict that, it just
| seems to provide some context. (?)
| graton wrote:
| Makes me think I should figure out how to sell my /24 ARIN block
| I registered years ago. I wonder what it is worth...
| mrkurt wrote:
| We wrote about this! https://fly.io/blog/32-bit-real-estate/
|
| I'd hold them for 3+ years really. It seems very unlikely that
| IPs are going to lose value within 5 years. We're betting on
| 10+ years before the bottom falls out (you can see some of our
| math at the bottom).
| miki123211 wrote:
| I was wondering when I will see speculation on IP address
| blocks, and here we are.
|
| IP addresses truly were the first NFTs.
| umanwizard wrote:
| Seems to be around $10k-15k, according to
| https://auctions.ipv4.global/prior-sales .
| Maxburn wrote:
| Dang, that's more than I was thinking.
| moduspol wrote:
| I'd only do that if you think it's likely to decrease in value.
| Do you think it'll be more or less valuable in 5-10 years?
| judge2020 wrote:
| I imagine some critical mass will be reached where cloud
| providers start charging exorbitant fees for IPv4 addresses
| and many businesses go IPv6 only (which wouldn't even be a
| big hit for mobile users[0]), and this news will be
| widespread enough to encourage ISPs to actually roll it out
| at a faster pace. Now, whether that's in 10 years or 20 is
| to-be-seen, but I agree with you and I doubt the rollout of
| IPv6 hits the point where people stop wanting IPv4 addresses
| all-together within 30 years.
|
| 0: most all cellular/5g networks already provide IPv6 since
| even CGNAT is expensive compared to assigning a /128 per-
| device. iPhone 13 (or ios 15 with iPhone 12) also has a 'data
| mode' switch, which will use 5G if it's faster than the local
| wifi - this likely opens up the device using cellular to
| allow access to IPv6-only sites when their WiFi doesn't
| support it.
| walrus01 wrote:
| about $45 an IP right now if you're eligible to transfer out,
| but if you only have one /24, I'd hold onto it.
| [deleted]
| lgierth wrote:
| I registered with RIPE this year, requested an IPv4 /24 in July,
| and got it immediately. I guess RIPE's last blocks depleted in
| November?
|
| Market prices on the other hand have exploded this year, $50 per
| address isn't uncommon anymore.
| jandrese wrote:
| According to the linked article there was no wait until about a
| month ago, except for a short blip at the end of 2019. But now
| the waiting list is growing rapidly and the wait is increasing
| by about three quarters of a day per day.
| jagger27 wrote:
| LIR = Local Internet Registry, for those wondering.
|
| Funny how their site has a handy pop-up definition when you hover
| over IPv4, but not for LIR.
| exabrial wrote:
| HN doesn't like to hear this, but the shortage created is
| artificial, and there also is nothing wrong with NAT.
|
| First, running exactly one open port per IP (443 or 80) is the
| worst use of resources. The whole "crisis" could be solved with
| simple browser support of something like SRV records. This could
| be implemented with "here and now" technology, rather than
| adopting a new standard for the entire internet backbone.
|
| Next, widespread use of NAT provides plausible deniability for
| everyone on the internet. Google, Facebook, Comcast, Verizon, etc
| push ipv6 hard in order to enable tracking of individual
| traffic on the internet. These institutions have exactly 0
| business knowing how many physical devices are behind a firewall.
| No, ipv6 privacy extensions do not provide the same sort of
| anonymity that a NAT firewall does before you hit that downvote
| button and take away some of my fake internet points.
| jeroenhd wrote:
| SRV records could work for alternative ports, but those
| websites wouldn't be able to get Let's Encrypt certificates
| without talking to the API of their DNS provider. ACME does not
| allow alternative ports to be used for security reasons, so
| we'll need a solution for that.
|
| Many ports have also been restricted by the browser because you
| can format malicious HTTP requests to be a DoS vector for
| certain services, like IRC, which has been abused by
| malvertisers in the past. Because of this you'd still be
| working with a whitelist of ports, only extending the problem a
| bit longer.
|
| I'm not entirely sure what privacy your NAT guarantees for you.
| Individual devices can already be fingerprinted by their
| behaviour, so you'd need to run identical software on identical
| hardware to combat that. If you manage to do that, you're only
| one Set-Cookie away from unique identifiers anyway.
|
| Because of the refreshing nature of privacy extensions, you
| can't derive an exact number of devices active on a network.
| More and more random new addresses come into use over time, to
| the point where you'd need access to your router (which your
| ISP already has, unless you configure your own) to get a proper
| count. You can at best get guesstimations, but that's not much
| different from the result of NAT.
|
| In theory, I agree with you: passive fingerprinting IPv6 is
| easier than passive fingerprinting IPv4 on an ISP scale or
| larger. In practice, though, I don't think it matters. Someone
| who has access to all traffic from your network, probably has
| access to some kind of boundary as well.
|
| If you already install your own traffic collector to NAT
| everything through so your ISP modem doesn't see your devices,
| you can do the exact same for IPv6. NAT may be strongly
| discouraged, but it's still possible using the same techniques.
| zamadatix wrote:
| > SRV records could work for alternative ports, but those
| websites wouldn't be able to get Let's Encrypt certificates
| without talking to the API of their DNS provider. ACME does
| not allow alternative ports to be used for security reasons,
| so we'll need a solution for that.
|
| The security reasons would go away with the presence of the
| SRV record specifying the allowed port for the domain though.
| Well, at least as much as any other DNS-challenge-based
| method is secure.
| greyface- wrote:
| > First, running exactly one open port per IP (443 or 80) is
| the worst use of resources. The whole "crisis" could be solved
| with simple browser support of something like SRV records.
|
| TLS SNI[1] and the HTTP Host: header[2] already do this.
| Enabling multiple HTTP(s) serving ports with something like SRV
| wouldn't give us any additional capacity here.
|
| > These institutions have exactly 0 business knowing how many
| physical devices are behind a firewall.
|
| These institutions can already analyze TTL, source port, IPid,
| and other packet metadata to enumerate hosts behind NAT.[3]
|
| [1]: https://en.wikipedia.org/wiki/Server_Name_Indication
|
| [2]: https://en.wikipedia.org/wiki/Virtual_hosting#Name-based
|
| [3]: https://www.cs.columbia.edu/~smb/papers/fnat.pdf
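The IPid-based host counting that the comment above points to, as an added example (it is not code from the thread or from the linked paper): one public source address, three hosts behind it, and a greedy clustering of the packets into separately monotonic IP ID sequences, split further by observed TTL. The packet records are constructed inline; `MAX_GAP`, the field names and the class names are this example's own choices.

```python
"""Counting hosts behind a NAT from passive packet metadata.

Added example, not from the thread or from the paper linked above; it
implements the core of the IPid-sequence technique: stacks that use a
single global, incrementing IP ID counter leave interleaved but
separately monotonic ID sequences behind one NAT address, and the
observed TTL (initial TTL minus hops) separates OS families further.
The packet records below are constructed; the field names and the
gap threshold are this example's own choices.
"""
from dataclasses import dataclass, field
from typing import List

MAX_GAP = 64   # assumed: largest IPid jump still attributed to the same host


@dataclass(frozen=True)
class Packet:
    ts: float    # capture time in seconds
    ipid: int    # 16-bit IP Identification field
    ttl: int     # TTL as seen by the observer outside the NAT


@dataclass
class Chain:
    ttl: int
    ids: List[int] = field(default_factory=list)


def cluster_hosts(packets, max_gap=MAX_GAP):
    """Greedy sequence clustering of packets from ONE public source address.

    Each packet joins the chain with the same TTL whose last IPid lies
    just below its own (modulo 2**16, so counters that wrap are kept
    together) within max_gap; the closest such chain wins. A packet
    that fits no chain starts a new one. Each chain is one inferred host.
    """
    chains = []
    for p in sorted(packets, key=lambda x: x.ts):
        best, best_delta = None, None
        for c in chains:
            if c.ttl != p.ttl:
                continue
            delta = (p.ipid - c.ids[-1]) % 65536
            if 0 < delta <= max_gap and (best_delta is None or delta < best_delta):
                best, best_delta = c, delta
        if best is None:
            chains.append(Chain(ttl=p.ttl, ids=[p.ipid]))
        else:
            best.ids.append(p.ipid)
    return chains


def sample_capture():
    """Constructed capture: three hosts behind one NAT address, interleaved.
    Hosts A and B look like Windows (initial TTL 128, seen at 127),
    host C like Linux/BSD (initial TTL 64, seen at 63); C's counter wraps."""
    starts = [(1000, 127), (30000, 127), (65530, 63)]
    pkts, t = [], 0.0
    for i in range(8):
        for start, ttl in starts:
            pkts.append(Packet(ts=t, ipid=(start + i) % 65536, ttl=ttl))
            t += 0.01
    return pkts


def count_hosts(packets, max_gap=MAX_GAP):
    return len(cluster_hosts(packets, max_gap))


if __name__ == "__main__":
    for c in cluster_hosts(sample_capture()):
        print(f"ttl={c.ttl} ids={c.ids}")
```

Two hosts with the same TTL whose counters happen to sit within `MAX_GAP` of each other would be merged, and stacks that randomize or zero the IP ID (RFC 6864 makes the field optional for atomic datagrams) leave no sequence at all, so this undercounts on modern networks; the other header fields the paper uses (TTL, source-port allocation patterns, TCP options) still work where the IP ID does not.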
| tehbeard wrote:
| > there also is nothing wrong with NAT
|
| Hahahaha....
|
| Oh.... The amount of bullshit I've dealt with over the literal
| decades, going back to secondary school, college and
| University, as a consumer, because of NAT (The joys of console
| gaming and "Strict NAT" or skype in the early days just falling
| straight over).
|
| The privacy implications I will however grant you.
| gm wrote:
| That's a very pre-emptively defensive statement... Why doesn't
| HN like to hear this?
| anonomousename wrote:
| NAT makes it significantly harder to self host things, and as
| a consequence limits decentralization.
| exabrial wrote:
| I've been downvoted in the past for pointing out what
| everyone says works in theory vs what actually happens in the
| real world.
| dang wrote:
| Ok, but please don't bait the community like that. Pre-
| emptive defensiveness puts a negative torque on
| conversation.
| Arnt wrote:
| NAT works for some use cases, not so well for others.
|
| I know a database that's updated every night via a server-
| to-server connection that passes five levels of NAT, and
| when that crontab broke someone had to fix it by finding
| and correcting a bug in a 1500-line NAT configuration on
| one important router where the consequences of a mistake
| would be very bad indeed.
|
| It works in the sense that the database is updated, but I
| cannot help thinking of Truth 3 in RFC1925.
| throw0101a wrote:
| > _there also is nothing wrong with NAT._
|
| Try hole punching for games through CGN:
|
| * https://en.wikipedia.org/wiki/Carrier-grade_NAT
|
| AFAIK there is no way to do it, so you're SOL if that's what
| your ISP uses.
| zamadatix wrote:
| IPv6 does not make it any easier or any harder to know the
| number of physical devices behind a firewall. Even if you sat
| directly in front of the handoff to the ISP with a packet
| sniffer counting the number of unique sources you'd still get
| the wrong number. Correlating source tuple with destination
| tuple and making inference would get you a more accurate number
| (though still not perfect) but that doesn't care about v4 vs
| v6.
| baggy_trough wrote:
| I wish Google Cloud Platform would support ipv6 (internally).
| judge2020 wrote:
| Or Azure: https://news.ycombinator.com/item?id=29327773
| zokier wrote:
| At least AWS is slowly creeping towards supporting IPv6:
|
| https://aws.amazon.com/blogs/networking-and-content-
| delivery...
|
| https://aws.amazon.com/about-aws/whats-
| new/2021/11/applicati...
|
| I guess we can thank US government partially for that:
| https://aws.amazon.com/blogs/publicsector/aws-enables-us-
| fed...
| jandrese wrote:
| All of the cloud providers and even VPS services have been
| dragging their heels on IPv6 for ages and it makes no sense to
| me. These services could all benefit from having IPv6 only
| options for people who don't need IPv4 addresses. V4 addresses
| are turning into real money, you would expect the services to
| try to optimize their use to save costs.
|
| Even worse is when someone deploys IPv6 but does it in a
| comically nonsensical way like Digital Ocean[1]. Yes, you read
| that right, they assign /124s even though the smallest
| allocation is supposed to be a /64. And if you think this means
| you're sharing the same IPv6 address with virtually every other
| droplet in a datacenter, you would be right. Welcome to every
| blacklist everywhere. It is kind of like hosting an entire
| datacenter off of a single IPv4 address.
|
| [1] https://docs.digitalocean.com/products/networking/ipv6/
| woofcat wrote:
| I'm really curious when this will change. In Canada, my home
| internet provider and cellular provider are both ipv4 only. I've
| asked about it in the past and the answer seems to constantly be
| "Meh".
| tempnow987 wrote:
| Just charge $5/year/ip to all existing holders. A fair bit of
| wasted space would free up fast.
| wmf wrote:
| IP Georgism.
| scandox wrote:
| At the General Meeting in November, RIPE proposed some
| substantial changes to the charging scheme, to be implemented
| from 2023 (1 year away), and one notable difference is that RIPE
| is considering charging a fair market value for IPv4 assignments,
| in addition to setup and maintenance fees.
|
| That is the cause of the current spike/backlog.
| wmf wrote:
| But since IPv4 has run out there won't be any new assignments?
| Thorentis wrote:
| IPv6 is a pain in the ass to work with and think about. We should
| have added extra octets to IPv4 and been done with it.
| slivanes wrote:
| Am I right in thinking that IPv4 will only go away if all clients
| can support IPv6? For example, there are many embedded devices
| that will never be updated to have dualstack (including many home
| routers).
|
| Does anyone have IPv6 only facing servers for public consumption
| without any IPv4 alternatives?
| WorldMaker wrote:
| Home/consumer use is where IPv6 is at highest adoption. It's
| businesses that lag behind. Still amazing to see clear 9-to-5
| weekday difference between IPv4 and IPv6 traffic in graphs in
| 2021.
| ghshephard wrote:
| Home routers have a very short life-cycle. Most of them have a
| median life of < 10 years, and it's reasonable to expect that
| the majority of them will be upgraded every 20 years or so.
| It's the other embedded (manufacturing, utility, etc...)
| devices that have 20+ year median lives that will prevent IPv4
| from ever going away. Dual Stack (as the vast majority of
| Windows/MacOS/Linux/BSD systems are capable of) - creates a
| nice transition path - slowly but surely more and more IPv6
| creeps into DNS/Local Addresses. If you deployed a IPv6 only
| facing server today - then some 20-30% +/- of your potential
| customer base wouldn't be able to connect - but that number
| will go down by 1-2% each year for the next while, until, in
| 10-15 years, you'll be able to reach 98+% of your audience, so
| you'll say WTH and go for it.
| edgyquant wrote:
| I worked IT for years before switching to programming and
| I've almost never seen a home router last 10 years, let alone
| 20.
| Gigachad wrote:
| You probably want to upgrade sooner for faster wifi anyway.
| My router I only just got from my ISP caps out at 100Mbps
| while the ISP provides gigabit speeds.
| jeroenhd wrote:
| I don't think 20 years will happen but I've seen
| modem/router combos that lasted for ten years. Customers
| bought them way back when, and never considered buying
| replacements because they just worked. If all you do is
| read news and do taxes, you can still get away with 802.11g
| easily. You can pull about 10 to 20mbps down that, and for
| many people that's more bandwidth than their ISP provides
| them with.
|
| Why buy an 802.11ax capable router when the best connection
| you can get is an 8mbps DSL connection that drops out when
| it rains?
|
| Even at that price it was cheaper to rent a modem for a
| buck a month, but some people like to own things, I guess.
| unilynx wrote:
| > Does anyone have IPv6 only facing servers for public
| consumption without any IPv4 alternatives?
|
| well, kame.net will only give you a dancing turtle over ipv6..
| pablodavila wrote:
| Fly posted a sort of related blog post about IPv4
|
| https://fly.io/blog/32-bit-real-estate/
| geek_at wrote:
| Just yesterday I switched my office network to IPv6 and one
| thought kept creeping in regarding security.
|
| If I'm on IPv6 there is no NAT and it's basically security by
| obscurity (not really but port scans would take forever)
|
| What if I host a small web script on my machine and I surf the
| web with my IPv6. Couldn't all website owners do port scans on my
| address (because they obviously see my address) and then access
| my local site or even God forbid one of my staff is running an
| unpatched windows. How is it safe if it's basically (in ipv4
| terms) a 1:1 NAT for all my machines?
| jgeralnik wrote:
| IPv6 doesn't mean no firewall and NAT!=firewall
|
| You should still be blocking incoming requests for IPv6
| endpoints and only open ports you intend to serve publicly.
| geek_at wrote:
| I do understand that but NAT was acting like another layer of
| firewall because I could be sure that none of my devices
| behind the NAT could be accessed without port forwarding.
| With IPv6 they can.
| xnyan wrote:
| This is not exactly true. There are many tricks in the NAT
| traversal toolkit, depending on your configuration it can
| be fairly simple to work around. In every case where you
| use NAT, you also use a firewall.
|
| 100% of consumer IPv6-capable routers block unsolicited
| inbound IPv6 by default. It's not something you need to
| worry about unless you are hosting, and in that case your
| concerns are the same as if you're using IPv4.
| jeroenhd wrote:
| Not from a passive, receiving network, no. If anyone on the
| network uses a web browser, there's a good chance your
| network can be attacked by a malicious ad through NAT
| slipstreaming (https://samy.pl/slipstream/).
|
| NAT wasn't meant to be a security mechanism and because of
| that, the practical designs found in most devices don't
| treat it as such.
|
| On IPv4, NAT and firewalls are usually one and the same
| rule set. That rule set is slightly smaller with IPv6
| because of the lack of NAT, but the mechanisms are still
| the same. If your IPv4 firewall fails, NAT won't save you,
| because that's part of the system that failed.
|
| If you're still insistent on using NAT then... use NAT. The
| core technique works on both protocols, you'll just have to
| set it up yourself because router vendors don't usually
| implement it.
| awestroke wrote:
| Why can you not have NAT when running the network on IPv6? I've
| never seen anyone explain this
| hvgk wrote:
| NAT is a workaround for the small amount of address space
| that was allocated originally. That's not the case on IPv6.
| I'm sure you can NAT stuff but why the hell would you want to
| do that and have to maintain all the stateful pain in the ass
| stuff required such as NAT tables which are going to be much
| larger.
| awestroke wrote:
| To prevent the machines in the network from being exposed
| publicly
| nybble41 wrote:
| If you have machines in the network which you don't trust
| to handle their own incoming connections securely you can
| block those connections at the firewall, without port or
| address translation. Ideally you'd put those on hosts on
| their own locked-down VLAN. NAT (or NAPT) doesn't add any
| security (see: NAT traversal) and having different
| internal vs. external addresses significantly increases
| the complexity of the system--not just the router but
| applications as well, which are forced to deal with their
| public addresses and ports differing from the ones they
| were assigned.
| makeworld wrote:
| You can, but the point is that you shouldn't have to because
| there are enough addresses. NAT only makes networking code
| for applications harder.
| warkdarrior wrote:
| NAT complexity is only marginally more than for a stateful
| firewall, and is probably lower than for an application
| firewall. And you still want a stateful firewall in IPv6
| networks!
| ArchOversight wrote:
| Not needing to do address translation is a large amount
| of code that you don't need to run to keep IP traffic
| flowing.
|
| Sure, you absolutely need a stateful firewall, but not
| needing address translation makes it easier to
| troubleshoot, makes it easier to establish end to end
| connectivity and no need to port forward or things of
| that nature so multiple clients can all use the same
| port.
| throw0101a wrote:
| With NAT you may need STUN, TURN, ICE, and probably a few
| more acronyms:
|
| * https://en.wikipedia.org/wiki/STUN
|
| * https://en.wikipedia.org/wiki/Traversal_Using_Relays_ar
| ound_...
|
| * https://en.wikipedia.org/wiki/Interactive_Connectivity_
| Estab...
|
| Not sure if that's more or less complicated than already
| knowing your IP address and 'just' using UPnP/PCP:
|
| * http://upnp.org/specs/arch/UPnP-arch-AnnexAIPv6-v1.pdf
|
| * https://en.wikipedia.org/wiki/Port_Control_Protocol
| edgyquant wrote:
| The whole point of a NAT is negated by a switch to IPv6
| x3n0ph3n3 wrote:
| No it's not -- maybe I'd prefer not to advertise how many
| devices I have on my network.
| easrng wrote:
| You want a firewall, not NAT.
| throw0101a wrote:
| > _If I 'm on IPv6 there is no NAT and it's basically security
| by obscurity (not really but port scans would take forever)_
|
| That's why firewalls exist. And they work with IPv6.
|
| My ISP gives out an IPv6 address to my Asus, which also picks
| up some prefixes for allocation via DHCP-PD. This causes my
| printer to pick up an IPv6 address, but it is not accessible to
| the outside world.
|
| Stateful firewalls still exist with IPv6, so by default
| connections from the general Internet cannot connect to your
| 'internal' systems. Hole punching still needs to be done with
| UPNP/PCP (at least on residential systems; SMB may not want
| this)
|
| * http://upnp.org/specs/arch/UPnP-arch-AnnexAIPv6-v1.pdf
|
| * https://en.wikipedia.org/wiki/Port_Control_Protocol
|
| The advantage of IPv6 is that you no longer have to have things
| like STUN, TURN, etc. (Remember Skype super-nodes?) Your client
| knows its own IP(v6) address, gets the IP address of the other
| end, and then tells your firewall to allow connections between
| just those two addresses. Once your session is done the ACL is
| deleted and you're completely default-blocked from the outside
| again.
|
| Copy-pasting from a previous discussion a little while ago:
|
| ---
|
| An IP connection is started from the 'inside' to the 'outside',
| and the source-destination tuple is recorded. When an 'outside'
| packet arrives the firewall checks its parameters to see if it
| corresponds with an existing connection, and if it does it
| passes it through. If the parameters do not correspond with
| anything in the firewall's table(s) it assumes that someone is
| trying to create a new connection, which is generally not
| allowed by default, and therefore drops it.
|
| The main difference is that with IPv4 and NAT the original (RFC
| 1918?) source address and port are changed to something
| corresponding to the 'outside' interface of the firewall. With
| IPv6 the address/port rewriting is not done.+ Only state tables
| are updated and checked.
|
| New connections are not allowed past the firewall towards the
| inside with either protocol, and only replies to connections
| opened from the inside are passed through.++
|
| There's no magical security behind NAT: tuples and packet flags
| are read, looked up in a state table, allowed or not depending
| on either firewall rule or state presence. The security comes
| from the state checking.
|
| + It is possible to have private IPv6 addresses using ULA, and
| then the router/firewall uses NPTv6 to rewrite the prefix
| (leaving the /64 interface component alone).
|
| ++ Just like with IPv4 (NAT), to allow unsolicited 'new'
| connections in you have to do firewall hole punching with
| (e.g.) UPNP. But by default things are blocked.
|
| ---
|
| No-NAT != access from the Internet.
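The state-table check described in the comment above, as an added example that is not part of the thread: a toy gateway that records the outside-visible tuple of every flow opened from the inside and only lets replies to those tuples back in. The same `Gateway` is run three times, with an IPv4 NAPT, with no translation (plain IPv6), and with a ULA inside plus NPTv6 prefix rewriting, to show that the accept/drop decision is identical in all three and the address rewriting is a separate step. Addresses, ports and class names are constructed; TCP flag tracking, timeouts and the checksum-neutral adjustment of real NPTv6 (RFC 6296) are left out.

```python
"""Stateful filtering and address translation, side by side.

Added example, not from the thread: a toy model of the state-table check
the comment above describes, run through three gateways: IPv4 with NAPT,
IPv6 with no translation, and IPv6 with a ULA inside and NPTv6 prefix
rewriting. In all three the accept/drop decision reads only the state
table; translation, where present, runs after it. Addresses, ports and
class names are constructed; TCP flag tracking, timeouts and the
checksum-neutral prefix adjustment of real NPTv6 (RFC 6296) are omitted.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


class NAPT44:
    """Many inside addresses behind one public address: stateful port map."""
    def __init__(self, public_addr, first_port=40000):
        self.public, self.next_port = public_addr, first_port
        self.fwd, self.rev = {}, {}   # (in_addr, in_port) <-> public port

    def out(self, addr, port):
        if (addr, port) not in self.fwd:
            self.fwd[(addr, port)] = self.next_port
            self.rev[self.next_port] = (addr, port)
            self.next_port += 1
        return self.public, self.fwd[(addr, port)]

    def back(self, addr, port):
        return self.rev[port]


class NPTv6:
    """Stateless 1:1 prefix swap; interface ID and port are left alone."""
    def __init__(self, inside_prefix, outside_prefix):
        self.inside = ipaddress.IPv6Network(inside_prefix)
        self.outside = ipaddress.IPv6Network(outside_prefix)

    @staticmethod
    def _swap(addr, src_net, dst_net):
        host = int(ipaddress.IPv6Address(addr)) & int(src_net.hostmask)
        return str(ipaddress.IPv6Address(int(dst_net.network_address) | host))

    def out(self, addr, port):
        return self._swap(addr, self.inside, self.outside), port

    def back(self, addr, port):
        return self._swap(addr, self.outside, self.inside), port


class Gateway:
    def __init__(self, translator=None):
        self.t = translator          # None means no address rewriting at all
        self.state = set()           # (src, sport, dst, dport) as seen on the outside

    def inside_to_outside(self, pkt):
        src, sport = self.t.out(pkt.src, pkt.sport) if self.t else (pkt.src, pkt.sport)
        wire = Pkt(src, sport, pkt.dst, pkt.dport)
        self.state.add((wire.src, wire.sport, wire.dst, wire.dport))
        return wire

    def outside_to_inside(self, pkt):
        """Delivered packet, or None when dropped. Only the state lookup decides:
        a reply to a flow opened from inside matches, anything else is a new
        connection and is default-denied, translation or not."""
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) not in self.state:
            return None
        dst, dport = self.t.back(pkt.dst, pkt.dport) if self.t else (pkt.dst, pkt.dport)
        return Pkt(pkt.src, pkt.sport, dst, dport)


def scenario(gw, inside_host, server, server_port=443):
    """Open a flow from inside, let the server reply, then have a third party
    probe the inside host's outside-visible address on port 22."""
    wire = gw.inside_to_outside(Pkt(inside_host, 51000, server, server_port))
    delivered = gw.outside_to_inside(Pkt(server, server_port, wire.src, wire.sport))
    scanner = "203.0.113.99" if "." in server else "2001:db8:ffff::99"
    probe = gw.outside_to_inside(Pkt(scanner, 55555, wire.src, 22))
    return {
        "outside_src": wire.src,
        "reply_reaches_client": delivered == Pkt(server, server_port, inside_host, 51000),
        "unsolicited_dropped": probe is None,
    }


def run_all():
    return {
        "ipv4_napt": scenario(Gateway(NAPT44("198.51.100.1")), "192.168.1.10", "192.0.2.80"),
        "ipv6_plain": scenario(Gateway(), "2001:db8:1::10", "2001:db8:2::80"),
        "ipv6_nptv6": scenario(Gateway(NPTv6("fd00:1::/64", "2001:db8:1::/64")),
                               "fd00:1::10", "2001:db8:2::80"),
    }
```

`run_all()` returns, for each gateway, the address the outside world sees, whether the server's reply reached the client, and whether the scanner's probe was dropped; the last two are the same in every case, and only the first differs. Opening a port for an inside service means adding an entry to that table (the UPnP/PCP hole punching the comment mentions), not adding or removing translation.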
| [deleted]
| kingcharles wrote:
| There was no NAT when I was a wee nipper. That's what your
| firewall is for?
| makeworld wrote:
| You can still have an NAT with IPv6. But ideally you don't, and
| you just put all traffic through a firewall. You can still
| block incoming connections or whatever you relied on that NAT
| for before.
| labcomputer wrote:
| They thought of that already.
|
| One of the differences between IPv6 and IPv4 is that the v6
| address space is enormous and the stack assumes your interface will
| have multiple addresses.
|
| In particular, on each interface you normally have:
|
| * A link-local IPv6 address (non route-able). This is used for
| neighbor discovery and router solicitation, among other things.
|
| * A static-ish cryptographically generated address (often
| called a secured address). This is used for incoming
| connections.
|
| * One or more temporary addresses with relatively short
| lifetimes. These are preferred for outgoing connections. The
| lifetimes of these addresses often overlap because the OS has
| to maintain the address for any open connections.
|
| Note that these addresses can be generated automatically using
| SLAAC, and you would normally have a set of secured and
| temporary addresses for _each_ upstream router that is sending
| router advertisements. You may also have another set of secured
| and temporary addresses in the IPv6 private range (equivalent
| to 10.0.0.0), if your router is advertising that (useful for
| internal services like DNS, where you want to configure the
| server address in the DHCPv6 config). So it's not unusual for a
| given host on a simple home network to have a dozen addresses
| in 2 or 3 subnets (on one Ethernet interface).
|
| The bottom line is that your server should be listening on the
| secured address and your web browser should be using temporary
| addresses for outbound connections.
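How a host ends up with the address set the comment above lists, as an added example (not code from the thread): a link-local address, a stable per-prefix interface identifier in the style of RFC 7217, and random temporary identifiers in the style of RFC 4941, assembled under a global /64 and a ULA /64. RFC 7217 leaves the pseudo-random function to the implementation; HMAC-SHA256 keyed with the host secret is this example's choice, and the "secured address" term the comment uses is assumed to mean such an RFC 7217 address. The prefixes, interface name, secret key and function names are constructed.

```python
"""Where a host's many IPv6 addresses come from.

Added example, not from the thread. It derives the kinds of interface
identifier the comment above lists: a link-local address, a stable
per-prefix IID in the style of RFC 7217 (PRF chosen here as HMAC-SHA256
keyed with the host secret; the RFC leaves F() to the implementation),
and random temporary IIDs in the style of RFC 4941. Prefixes, interface
name and secret are constructed for the example.
"""
import hashlib
import hmac
import ipaddress
import os

IID_MASK = (1 << 64) - 1
ULA = ipaddress.IPv6Network("fc00::/7")

# Reserved interface identifiers (RFC 5453) that a generated IID must avoid.
RESERVED_IIDS = [
    (0x0000000000000000, 0x0000000000000000),  # subnet-router anycast
    (0x02005EFFFE000000, 0x02005EFFFEFFFFFF),  # IANA Ethernet block, proxy MIPv6, reserved
    (0xFDFFFFFFFFFFFF80, 0xFDFFFFFFFFFFFFFF),  # reserved subnet anycast
]


def is_reserved_iid(iid):
    return any(lo <= iid <= hi for lo, hi in RESERVED_IIDS)


def stable_iid(prefix, iface, secret, network_id=b"", dad_counter=0):
    """RFC 7217-style: F(Prefix | Net_Iface | Network_ID | DAD_Counter | secret).
    Same inputs give the same IID (stable across reboots); a different prefix
    gives an unrelated IID, so the host cannot be followed from one network
    to the next the way a MAC-derived EUI-64 IID allows."""
    net = ipaddress.IPv6Network(prefix)
    while True:
        msg = (net.network_address.packed[:8] + iface.encode()
               + network_id + dad_counter.to_bytes(2, "big"))
        rid = hmac.new(secret, msg, hashlib.sha256).digest()
        iid = int.from_bytes(rid[-8:], "big")   # least-significant 64 bits of RID
        if not is_reserved_iid(iid):
            return iid
        dad_counter += 1                         # same escape hatch as a DAD failure


def temporary_iid():
    """RFC 4941-style: fresh random IID, regenerated on a short timer."""
    while True:
        iid = int.from_bytes(os.urandom(8), "big")
        if not is_reserved_iid(iid):
            return iid


def with_iid(prefix, iid):
    net = ipaddress.IPv6Network(prefix)
    return ipaddress.IPv6Address(int(net.network_address) | (iid & IID_MASK))


def interface_addresses(iface, advertised_prefixes, secret, n_temporary=2):
    """Addresses a SLAAC host would hold on one interface: one link-local,
    and per advertised /64 (global or ULA) one stable plus n temporary."""
    addrs = {"link_local": [with_iid("fe80::/64", stable_iid("fe80::/64", iface, secret))],
             "stable": [], "temporary": []}
    for p in advertised_prefixes:
        addrs["stable"].append(with_iid(p, stable_iid(p, iface, secret)))
        addrs["temporary"] += [with_iid(p, temporary_iid()) for _ in range(n_temporary)]
    return addrs


def role(addr):
    """Scope of an address: link-local, ULA, or (assumed routable) global."""
    a = ipaddress.IPv6Address(addr)
    if a.is_link_local:
        return "link-local (not routable)"
    if a in ULA:
        return "ULA (site-internal)"
    return "global"


if __name__ == "__main__":
    host_secret = os.urandom(32)   # constructed; a real stack persists this
    table = interface_addresses("eth0", ["2001:db8:1::/64", "fd12:3456:789a:1::/64"], host_secret)
    for kind, addrs in table.items():
        for a in addrs:
            print(f"{kind:10} {a}  [{role(a)}]")
```

With two advertised prefixes and two temporary addresses each, `interface_addresses` yields seven addresses on one interface, which is the "dozen addresses in 2 or 3 subnets" the comment describes once a few more prefixes or overlapping temporary lifetimes are in play. A service binds the stable address; a browser's source-address selection prefers the temporary ones.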
| exabrial wrote:
| > Relatively short lifetimes
|
| If it's not a unique address for every request, it's
| unfortunately too long.
| labcomputer wrote:
| It's no worse than IPv4, which tends to maintain the same
| address until you reboot your CPE.
|
| You can always change the configuration to reduce the
| address refresh interval for your OS.
| mmh0000 wrote:
| Please DO NOT rely on a NAT for any sort of security. "Getting
| around" a NAT is so common today that Wikipedia even has a
| fairly comprehensive article dedicated to it [0].
|
| Whether IPv4 or IPv6 does not negate the need for a firewall at
| the ingress/egress.
|
| [0] https://en.wikipedia.org/wiki/NAT_traversal
| azdle wrote:
| Wouldn't those all apply to a simple stateful firewall too?
|
| I mean, clearly OP doesn't need to worry about the lack of
| NAT, but not having gone through all of the things listed on
| that list, I would assume that they all require an active
| participant behind the NAT/firewall, and would still be
| required for just a plain old stateful firewall (assuming you
| don't have the ports open) when you want to communicate with
| some other endpoint behind another firewall.
| Gigachad wrote:
| Basically all consumer routers block incoming connections by
| default. It works almost the same as NAT except you can allow
| the same port on multiple machines in the network now.
| [deleted]
| jaywalk wrote:
| In addition to all of the comments mentioning that a firewall
| accomplishes what you're looking for (and it is almost
| certainly built into your router) I'm curious as to what
| exactly you mean by "switching" your office network to IPv6.
| Are you just saying that you enabled it? Because you'd hit more
| than a couple speedbumps browsing the web if you completely got
| rid of IPv4.
| josho wrote:
| Of potential interest is that IPv6 also has the concept of link
| local addresses. These are automatically assigned and not
| routable.
|
| But, yeh, I went through the same moment of fear that you did
| when I first turned on ipv6.
| [deleted]
| ghshephard wrote:
| At some point, some low-hanging companies are just going to start
| running IPv6 only applications and deal with the fall-out of some
| nn% of their customers not being compatible. Those customers will
| complain to their ISPs, which will provide incentive to get IPv6
| deployed (should have been done 10 years ago honestly at any
| credible ISP). Getting the number closer to 100% will make it
| easier for new companies to deploy IPv6 only, until we get to the
| point that IPv4 is seen as some legacy thing that isn't relevant
| but used to be important in the dark ages of Web Deployments.
|
| I'm very surprised at work and at home how often most of my
| Internet communications is running over IPv6. There are some
| surprising exceptions though [1].
|
| I'd be willing to place a wager that there will be a $100mm
| company that is only IPv6 by 2030. And that the "Default IPv6
| only on the Internet unless there is some weird edge case" will
| occur by 2040.
|
| IPv4 as a protocol, though, will never, ever, go away - we'll see
| it widely deployed for the next 100 years.
|
| [1] $ dig news.ycombinator.com AAAA
|
| ; <<>> DiG 9.16.1-Ubuntu <<>> news.ycombinator.com AAAA
| ;; global options: +cmd
| ;; Got answer:
| ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46616
| ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
|
| ;; OPT PSEUDOSECTION:
| ; EDNS: version: 0, flags:; udp: 65494
| ;; QUESTION SECTION:
| ;news.ycombinator.com.            IN      AAAA
|
| ;; Query time: 176 msec
| ;; SERVER: 127.0.0.53#53(127.0.0.53)
| ;; WHEN: Thu Dec 09 15:21:09 EST 2021
| ;; MSG SIZE  rcvd: 49
| mdaniel wrote:
| > Those customers will complain to their ISPs, which will
| provide incentive to get IPv6 deployed
|
| Your experience with huge ISPs has obviously been different
| from mine. I am deeply grateful that I've benefited from two
| "first world" advantages: Comcast has (surprisingly) been very
| proactive about IPv6 support, and here in the Bay Area I have
| actual competition available for me to switch to. But in other
| parts of the country, that's for sure not true
|
| ---
|
| to address the dig portion of your comment, the AAAA record
| (err, or lack of it) for github.com likely is a _lot_ more
| impactful than HN
|
| It's not that I think major users are going to switch, but I'll
| point out that GitLab actually does have AAAA records
| walrus01 wrote:
| fun fact: comcast have been proactive about ipv6 because
| their management network grew so large and unwieldy, through
| various acquisitions and long term inefficient use of space,
| that ipv4 RFC1918 10/8 (and 192.168 etc) was no longer
| sufficient to address all of their individual netblocks.
|
| turns out that if you allocate a private /24 to every POP you
| can absolutely exhaust 10/8 in a big last mile ISP.
|
| they started with ipv6 for their own management network
| before any public netblocks started getting rolled out to
| customers.
| ArchOversight wrote:
| The issue is that each set top box, cable modem and
| everything else gets a management IP address on the network
| as well for allowing configuration changes/validating
| status/all that fun stuff.
|
| The large push for IPv6 was started so that management of
| set top boxes/cable modems no longer required large islands
| of RFC1918 space where they had to deploy multiple NATs to
| get traffic in/out of those environments.
| walrus01 wrote:
| yes, from what I've heard, they specified full ipv6 as a
| non-negotiable "must have" with their CPE vendors (and
| CMTS) almost 16, 18 years ago. Comcast gets a lot of shit
| for its poor customer service practices, as does any huge
| cable company, but the people who run the core IP network
| knew, and still do know what they're doing.
| hackbinary wrote:
| Does that mean they will need to deploy IPv8 with 256 bits
| of address space?
|
| Or will IPv8 go straight to 1024 bits?
|
| ;)
| marbu wrote:
| I wonder when (or if) we will see new IPv6 only ISPs. That
| would be an indication that the transition is actually
| happening. Even though you note that most of your internet
| communications are done over IPv6, I doubt that you would be
| willing to go for IPv6 only ISP.
|
| Lack of IPv4 addresses is a problem for new ISPs trying to
| enter the market, as even with levels of NAT, you need some
| minimal address space to serve your customers, which is harder
| and more expensive to get. So on one hand starting with IPv6
| only stack would avoid these problems, but on the other hand it
| also means that every potential customer will be unhappy and in
| the end, you won't get many customers willing to pay you for
| IPv6 only connection.
| throw0101a wrote:
| > _I wonder when (or if) we will see new IPv6 only ISPs._
|
| If you have a mobile device on US T-Mobile you only get an
| IPv6 address on it:
|
| * https://www.youtube.com/watch?v=nNMNglk_CvE
|
| * https://pc.nanog.org/static/published/meetings/NANOG73/1645
| /...
|
| * https://www.internetsociety.org/resources/deploy360/2014/ca
| s...
|
| Any access to IPv4 is through a proxy.
| jandrese wrote:
| As long as your ISP supports 6 to 4 tunneling it is really
| no problem.
| cogman10 wrote:
| The big hold up, IMO, is ISPs. They seem completely unmotivated
| to upgrade their infrastructure to support IPv6. Until a
| majority of them do that, I don't think any 100mm company will
| do an "IPv6 only" thing.
|
| The cost of IPv4 addresses is slowly creeping upward, but
| hasn't hit a point of being prohibitive for a company. Once
| they hit near the $1k level, that's when I think things will
| start to change.
| jandrese wrote:
| Maybe someday Verizon FiOS will support native v6. When I set
| up a Hurricane Electric tunnel _over a decade ago_ I never
| thought I would still be using it in the 2020s.
| miki123211 wrote:
| I wonder if it would be commercially viable for Amazon to offer
| discounts to customers who connect over IPV6.
|
| Amazon spends a _lot_ of money on IPV4 blocks for AWS. They
| would directly benefit from wider IPv6 adoption.
|
| This would be a great way to get regular people to care about
| this technology. That, in turn, would make ISPs care much more
| than they currently do.
| mr_mitm wrote:
| How will large corporate networks transition? I've recently
| seen a large organization using the 5.0.0.0/8 address space.
| The decision to use these addresses was made a long time ago
| and they still didn't switch to an actual private address space
| and chose to deal with all the issues instead.
| merb wrote:
| just use 64:ff9b::/96 first if you own a subnet? if not just
| buy a good firewall that supports v6 (sadly cisco meraki does
| not work well, though)
| ghshephard wrote:
| Dual Stack. Start off by deploying IPv6 across the
| network without touching the IPv4 environment. Most modern
| operating systems will just automatically detect they have an
| IPv6 router and auto-configure. Big advantage of IPv6 is that
| address autoconfiguration is built _into the protocol_ itself
| - no need for DHCP, Static Configuration, etc...
| wmf wrote:
| They mostly won't.
| aidenn0 wrote:
| I think a lot of SMBs are the holdouts for IPv6; their entire
| IT infrastructure is IPv4, and switching will be expensive
| because every router, subnet, VLAN, &c. must be upgraded. Small
| home networks are comparatively easy once all clients support
| IPv6: switch from a single subnet in the private range to a
| single /64 and add a stateful firewall. Since SMBs can run a
| lot of clients with very few (or even one!) public IP, IPv4
| addresses will need to become _much_ more expensive (or
| critical remote services will need to switch to IPv6 only)
| before it's cheaper to upgrade internal infrastructure to
| IPv6.
|
| Note that NAT64/464XLAT solve the reverse problem. NAT-PT was
| the theoretical solution, but see RFC 4966 for all the reasons
| why that was a failure.
| wmf wrote:
| Many SMBs should probably go full cloud and once that's done
| they can "downgrade" the office network to zero-trust and
| maybe deploy IPv6 at the same time.
| alerighi wrote:
| IPv6 is a disaster. It's too difficult to understand or
| configure properly, and it's too different from IPv4. There is
| a ton of software that breaks with IPv6, and a ton of system
| administrators that don't understand it (and for a reason,
| it's too complicated for nothing).
|
| I would have preferred an IPv4 version 2, an extension to the
| address space of IPv4, possibly in a backward compatible way,
| so that applications, routers and equipment not built for the
| new protocol can continue to work, of course considering only a
| part of the address (e.g. if the network passes through some old
| routers, it's not a problem since they only have to look at the
| most significant part of the address that is in the same place
| of the IPv4 address) and can ignore the extension.
|
| Having a dual stack network is also a mess, and I don't get how
| it was considered a good idea. IPv4 this way will never go
| away, and we will always have two network stacks on every
| computer. And if you have to choose between two, you will
| choose the easier one, or the one you know, that is IPv4. A
| simple extension would have been far easier to roll out.
| zamadatix wrote:
| IPv6 isn't all that difficult, insomuch as IPv4 is not basic
| itself. In fact it's probably easier to teach someone with no
| prior knowledge IPv6 instead of IPv4. "What's the netmask"
| isn't a question for user endpoints, it's /64. You can still
| DHCP, you can still hardcode, but the replacement for ARP can
| also assign you an IP without having to configure external
| services to make that happen.
|
| The IPv4 header and the way routers work wouldn't allow for a
| variable address. The source/destination sit in front of
| variable length extensions and the actual payload. Not to
| mention it'd be god awful to implement that kind of thing in
| non programmable level hardware. You could always implement
| it as an option header but then you've basically invented "v6
| over v4" which is already a thing. Of course there is always
| NAT which v4 endpoints are already used to so this is a non-
| problem anyways, I've run v6 only at home for years at this
| point.
|
| A lot of applications break on it sure but that's because a
| lot of applications are hardcoded with the assumptions about
| how big the address is not because the address gets put into
| a container named "v6" instead of "v4 version 2" by the OS.
| throw0101a wrote:
| > _possibly in a backward compatible way_
|
| Pre-IPv6 all IP code had 32 bits reserved for addresses. For
| more addresses, you would need >32 bits.
|
| How do you squeeze >32 bits of data into 32 bit data
| structures?
|
| You would need to touch every bit of IP code out there to
| expand the corresponding address field (e.g., in a _struct
| in_addr_ )--which is what had to be done for IPv6.
| patentatt wrote:
| I'd argue that that's in essence what NAT (especially
| CGNAT) does by abusing the 16 bit port number: extend the
| 32-bit addressing space to ~48 bits. And it pretty much
| works just fine for many many use cases.
| Arnavion wrote:
| I'm just a programmer with a tiny homelab, and it took me
| less than a week to understand enough to be able to set up an
| IPv6 LAN. This included learning enough to be diagnosing and
| fixing routing issues within my router OS and all the LAN
| machines, implementing prefix-delegation to one of the LAN
| machines to make it a subrouter for Docker containers, and
| setting up NAT64 and DNS64 on the router so that the LAN
| machines could even disable IPv4 entirely. And those latter
| two were just me flexing because it was a homelab; a regular
| LAN wouldn't go that far.
|
| I'm not sure what this "ton of system administrators that
| don't understand it" is having difficulty with.
| jandrese wrote:
| IPv6 is no more difficult to understand than IPv4. In many
| ways it is easier since there are fewer legacy RFCs
| pertaining to it. System administrators don't understand it
| because they have not been forced to learn about it yet the
| same way they were forced to learn about IPv4.
|
| Backwards compatibility would have made it far more complex.
|
| If you sit down to look at IPv6 it's really quite
| straightforward. I think a lot of network admins are secretly
| hoping to retire before they have to learn a new technology
| though.
| iknowstuff wrote:
| For home users and non-professionals, IPv6 is simpler than
| IPv4. Every device autoconfigs selecting its own address via
| SLAAC. No DHCP needed. No need to understand NAT and no
| dealing with subnets.
|
| Especially when mDNS is in the mix and every device gets its
| own .local domain, which already happens with iOS, macOS and
| Windows devices (plus Linux with avahi), it is dead simple to
| have a very reliable local network.
| ghshephard wrote:
| Ditching Ethernet broadcast that hit _every single
| interface on a network_ when you only wanted to communicate
| with a _single device on a specific protocol_ is a big win.
| Getting rid of Subnets by making the smallest possible
| subnet infinitely large eliminated 90% of network confusion
| around subnets. Privacy based IP addresses also a nice
| addition. After working with IPv6 for 10 or so years, you
| really grew to appreciate what an architectural advantage
| it has over IPv4. As for deploying it? I dunno - I just
| plug my Ubuntu laptop into a WiFi Network and it just seems
| to work. I'm pretty sure the comcast routers I've
| connected to have had zero configuration beyond what they
| can pick up connecting to comcast. In the future - people
| (other than say Network Engineers working for IT) probably
| won't even discuss things like "IP" addresses.
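ghshephard's and iknowstuff's comments above describe SLAAC autoconfiguration and the "privacy" addresses that go with it. As an added example (not code from either poster), the block below derives the stable modified-EUI-64 address a host forms from a router-advertised /64 plus its MAC, a random RFC 8981-style temporary address, and the audit check that recovers a MAC from an EUI-64 address, which is exactly what the privacy extension is meant to prevent. The prefix and MAC are constructed sample values.

```python
import secrets
from ipaddress import IPv6Address, IPv6Network

def eui64_interface_id(mac):
    """Modified EUI-64 (RFC 4291 App. A): flip the U/L bit, insert ff:fe in the middle."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]

def _prefix_bytes(prefix):
    net = IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix (RFC 4862)")
    return net.network_address.packed[:8]

def slaac_address(prefix, mac):
    """The stable address a host forms from a Router Advertisement prefix plus its MAC."""
    return IPv6Address(_prefix_bytes(prefix) + eui64_interface_id(mac))

def temporary_address(prefix, rng=secrets.token_bytes):
    """Privacy-style address (RFC 8981): random interface ID, no hardware identity inside."""
    iid = bytearray(rng(8))
    iid[0] &= 0xFD                  # clear the U/L bit so it cannot look like an EUI-64 ID
    return IPv6Address(_prefix_bytes(prefix) + bytes(iid))

def mac_from_eui64(addr):
    """Return the MAC embedded in an EUI-64 address, or None if the ff:fe marker is absent.
    Handy when auditing a LAN for hosts that still expose their hardware address."""
    b = IPv6Address(addr).packed
    if b[11:13] != b"\xff\xfe":
        return None
    octets = bytes([b[8] ^ 0x02]) + b[9:11] + b[13:16]
    return ":".join(f"{o:02x}" for o in octets)

if __name__ == "__main__":
    # Constructed sample: documentation prefix and a made-up MAC address.
    prefix, mac = "2001:db8:1::/64", "00:1a:2b:3c:4d:5e"
    stable, temp = slaac_address(prefix, mac), temporary_address(prefix)
    print("EUI-64 address:   ", stable, "-> reveals MAC", mac_from_eui64(stable))
    print("temporary address:", temp, "-> reveals MAC", mac_from_eui64(temp))
```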
| nikanj wrote:
| That's an easy bet to make, as today $100m is late-seed, pre-
| launch valuation for any company that promises both AI and
| blockchains.
|
| Assuming company valuations continue to inflate, by 2030 $100m
| goes to any team who manage to agree on a business card design
| nly wrote:
| Virgin here in the UK, with 20% of broadband residential market
| share, one of the top 3, don't seem to give a fuck. Still ipv4
| only.
| dane-pgp wrote:
| The obligatory link for that is:
|
| https://havevirginmediaenabledipv6yet.co.uk/
|
| > Answer: No [crying face emoji]
|
| > We've been asking since March 2010.
| moelf wrote:
| >deployed for the next 100 years
|
| bold for you to assume we will have active internet for 100
| more years /s...
| bee_rider wrote:
| IPv4 is perfectly sufficient for your bunker community's LAN.
| Hamuko wrote:
| > _deal with the fall-out of some nn% of their customer not
| being compatible_
|
| Most of their customers in pretty much everywhere. Global IPv6
| adaptation is at like 33% and only a couple of countries pass
| the 50% mark.
| CrLf wrote:
| Well, even when ISPs are diligent in deploying IPv6, they
| still have to deal with troublesome end-user hardware that
| can't just be replaced overnight.
|
| For example, here in Portugal the largest ISP (MEO) has had a
| wide deployment of IPv6 for many years. However, its (up to
| very recently) main end-user router supplier
| (Thomson/Technicolor) has also had chronic IPv6 bugs in its
| firmware(1). MEO enables IPv6 by default nevertheless, but if
| you're an advanced user you'll have a hard time overlooking the
| random connection failures to IPv6 destinations.
|
| (1) Specifically, it resets the flow label field randomly when
| it is non-zero (the case with most recent versions of Linux,
| macOS and, I guess, Windows). Turns out the flow label is taken
| into consideration by many load balancers so, if it changes
| mid-connection, your packets may end up in a server that has no
| knowledge of you and you get a connection reset.
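The failure mode described in footnote (1), a CPE rewriting the flow label mid-connection so that a label-hashing load balancer steers later packets to a different backend, is easy to spot in a capture once you look for it. The following is an added example, not the poster's code: it builds and parses the fixed IPv6 header, models a hypothetical balancer that hashes (src, dst, flow label) as RFC 6437 permits, and reports flows whose label changed in flight. The addresses and the capture are constructed.

```python
import struct
import zlib
from ipaddress import IPv6Address

FLOW_LABEL_MASK = 0xFFFFF
HEADER_FMT = "!IHBB16s16s"   # version/class/label, payload len, next header, hop limit, src, dst

def build_ipv6_header(src, dst, flow_label, next_header=6, payload_len=20, hop_limit=64):
    """Build the fixed 40-byte IPv6 header (RFC 8200); traffic class left at zero."""
    first_word = (6 << 28) | (flow_label & FLOW_LABEL_MASK)
    return struct.pack(HEADER_FMT, first_word, payload_len, next_header, hop_limit,
                       IPv6Address(src).packed, IPv6Address(dst).packed)

def parse_ipv6_header(pkt):
    first_word, _, next_header, _, src, dst = struct.unpack(HEADER_FMT, pkt[:40])
    if first_word >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    return {"flow_label": first_word & FLOW_LABEL_MASK, "next_header": next_header,
            "src": str(IPv6Address(src)), "dst": str(IPv6Address(dst))}

def pick_backend(hdr, n_backends):
    """Hypothetical balancer: hashes (src, dst, flow label), so a label change moves the flow."""
    key = f"{hdr['src']}|{hdr['dst']}|{hdr['flow_label']}".encode()
    return zlib.crc32(key) % n_backends

def relabelled_flows(packets):
    """(src, dst) pairs whose flow label changed mid-flow: the signature of the CPE bug."""
    first_label, changed = {}, set()
    for pkt in packets:
        hdr = parse_ipv6_header(pkt)
        key = (hdr["src"], hdr["dst"])
        if first_label.setdefault(key, hdr["flow_label"]) != hdr["flow_label"]:
            changed.add(key)
    return sorted(changed)

# Constructed capture: one flow whose label a buggy router zeroes mid-stream,
# plus a healthy flow whose label never changes.
CLIENT, OTHER, SERVER = "2001:db8:1::10", "2001:db8:1::11", "2001:db8:2::80"
CAPTURE = [
    build_ipv6_header(CLIENT, SERVER, 0x8C3A1),
    build_ipv6_header(CLIENT, SERVER, 0x8C3A1),
    build_ipv6_header(CLIENT, SERVER, 0),            # label reset to zero in transit
    build_ipv6_header(OTHER, SERVER, 0x01234),
    build_ipv6_header(OTHER, SERVER, 0x01234),
]

if __name__ == "__main__":
    for pkt in CAPTURE:
        h = parse_ipv6_header(pkt)
        print(f"{h['src']} -> {h['dst']} label=0x{h['flow_label']:05x} backend={pick_backend(h, 4)}")
    print("flows with mid-stream relabelling:", relabelled_flows(CAPTURE))
```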
| wmf wrote:
| You can run a whole company on one IPv4 address (or zero if you
| use a CDN) so there's no reason to go IPv6-only.
| rilindo wrote:
| > I'd be willing to place a wager that there will be a $100mm
| company that is only IPv6 by 2030.
|
| And at 60 percent usage, it will probably be India[1]
|
| [1]
| https://www.google.com/intl/en/ipv6/statistics.html#tab=per-...
| jesterpm wrote:
| The trend on the "IPv6 Adoption" tab is fascinating. It looks
| like the inverse of the usual "high traffic during the week,
| low traffic during the weekend" pattern that I'm used to
| seeing in traffic graphs.
|
| I wonder why? Is IPv6 adoption significantly higher for
| residential internet connections vs. corporate networks?
| excalibur wrote:
| I mean yes, people who don't know what an IP is use
| whatever their ISP gives them, and ISPs have mostly rolled
| out v6 by now (albeit imperfectly). Businesses actually
| manage their networks actively, and they use what they
| know, which is almost always v4.
| dijit wrote:
| Mobile Network operators have been quite forerunning with
| regards to ipv6. That is primarily the driver for ipv6- iOS
| forcing apps to have an ipv6 backend was a huge driver too
| for services.
| tialaramex wrote:
| Yes, residential users have a lot more IPv6, a lot more of
| almost anything modern (but somewhat regardless of whether
| it's necessarily better).
| jandrese wrote:
| Corporate customers are very slow to transition to IPv6.
| Most of them aren't feeling pressure on the IPv4 space the
| way ISPs are and corporate security appliances are
| notoriously slow to adopt IPv6.
| jl6 wrote:
| Strictly limited supply... check.
|
| Tradable... check.
|
| Has some inherent usefulness... check.
|
| Price is rising rapidly... check.
|
| IPv4 is going to live forever as a non-crypto coin!
| Thorentis wrote:
| IPv4 NFTs will surely become a thing soon.
| jayflux wrote:
| > Tradable... check.
|
| I know you're joking but it's not tradable (by home users). I
| can't just sell my IP address to someone else. ISPs.. maybe,
| but I can imagine they make more money continuously leasing
| them out than selling them for a one off payment.
| nerdponx wrote:
| It looks like there was a big increase in the size of the waiting
| list in November. Is this bigger than any past increase?
| jakub_g wrote:
| Previous big spike at beginning of chart was also in November,
| in 2019. Can someone knowledgeable explain why this is the case?
| w3ll_w3ll_w3ll wrote:
| "Since the RIPE NCC began operations in 1992, we have been
| responsible for distributing IP addresses and AS Numbers in
| our service region. In November 2019, we exhausted our
| remaining IPv4 pool. This means that networks in Europe, the
| Middle East and parts of Central Asia are no longer able to
| receive "new" IPv4 addresses from us that haven't previously
| been used by another network."
| teaearlgraycold wrote:
| Black Friday subnet prices are hard to ignore.
| Maxburn wrote:
| It would certainly be nice if the chart scrolled and went back
| further.
| zauguin wrote:
| The graph starts in November 2019 because that is when the
| waitlist system was introduced. There's no point in going
| back further because further back the waitlist didn't exist.
| nerdponx wrote:
| So this really big increase in November 2022 is a brand new
| phenomenon, and the waiting list has been sitting at 0 for
| the entire time since the 2019 increase.
|
| What's causing the big increase now?
| ajb wrote:
| RIPE ran out of spare addresses at the end of 2019. After
| the queueing system was instituted some organisations
| must have returned some address blocks, which were used
| during 2020 and 2021, and my guess is that these have now
| run out. (it could just be that the return rate is below
| the request rate, but IMO the graph looks too straight
| for that).
___________________________________________________________________
(page generated 2021-12-09 23:01 UTC)