Some Telcos and ISPs are Frustrating IPv6 Adoption

An anonymous reader writes: "There are indications that telecommunications operators and traditional ISPs in the country are frustrating adoption of Internet Protocol version six (IPv6) by other networks," reports Nigeria's Guardian newspaper, citing Nigeria CommunicationsWeek. The magazine found 32 networks with IPv6 addresses -- but only three which are using them. And the newspaper cites "a network engineer with a university who does not want to be named" frustrated that their ISP's network isn't IPv6-compatible, so the university can't use its own IPv6 address. "Mohammed Rudman, chairman, IPv6 Council Nigeria, said that most telecommunications operators and internet service providers in the country have not adopted IPv6 which raises the issue of compatibility with other networks."
Firefox has a fast-fallback-to-IPv4 option, which you can disable in about:config (as well as an option to disable IPv6 altogether). But "the Chrome browser supports IPv6 natively and doesn't allow users to decide which protocol to use," reports TechGlimpse.com.

How does your browser perform? Long-time Slashdot reader ourlovecanlastforeve shared a link to Test-IPv6.com, which detects whether "when given the choice, your browser decided it would prefer to use IPv4 instead of IPv6."

Isn't this good?

[Actually,+I+do+RTFA]

Doesn't IPv6 hide the anonymization about which device beyond the firewall is using a service. Do I really want people outside my home to know how many devices I have, or which is viewing what?

Re:Isn't this good?

[johnw]

See RFC4941. You can set up your devices (or device) so that they keep changing their IPv6 addresses, concealing both which is doing what and how many devices you have.

Re:Isn't this good?

[93+Escort+Wagon]

Your ISP probably assigned a /64 to your home - so you can always keep rotating IPv6 addresses on your computer(s) if you feel the need to confuse your enemies. But they’ll still be able to see what sort of requests flow to and from your cable modem (or whatever)... just like they could with IPv4.

Re:Isn't this good?

[Ramze]

Yes and No. With a proper firewall, no one can scan your network for devices as it should only allow incoming traffic through that is a reply to outgoing traffic. But, sites you visit from IPV6 devices would show their full IPV6 unique ID on your network -- so say... Facebook or Netflix might know exactly how many devices you have at your home that you use to connect to their services.... BUT, they really know this anyway because they scan for device IDs, browser fingerprinting, etc.

NAT is a hack and not a security feature. It has its own security issues as well.

https://www.internetsociety.or...

IPV6 is only bad if you have no proper hardware firewall between your ISP and your network... or if your ISP is spying on your traffic (in which case, you have bigger issues and need a VPN)

Re:Isn't this good?

[mark-t]

Not inherently. NAT is still entirely possible under IPv6 (and in some cases, where end-to-end communication is not needed, may even sometimes be preferable), but the nice thing about still using IPv6 is that you will have a greater freedom of choice on which machines are invisible to the outside and which are not.

Re:Isn't this good?

[Dagger2]

Note that most stuff ships with privacy addresses enabled, so your "IPV6 unique ID" used for outbound connections will change to a new, completely random ID every time you restart a device, reconnect one to the network, or in any case after 24 hours, which should limit its usefulness for tracking.

Of course, as you say, everybody is already tracking you via cookies and fingerprinting anyway.

Re:Isn't this good?

[Actually,+I+do+RTFA]

All that means is I can add an arbitrary number of phantom devices. I want to emulate only having one device.

Re:Isn't this good?

[Actually,+I+do+RTFA]

BUT, they really know this anyway because they scan for device IDs, browser fingerprinting, etc.

YOu mean all things my devices all self-report. Yeah, I get that. It's modestly annoying to solve, but not difficult. Hint, all my devices report what I tell them to.

By the by, I read your article. It argues, e.g. that geolocation will be aided by IPv6. Sign me up to stay on IP4! Yes, I get that it's not a security feature, but it's definitely an obfuscation feature.

Re:Isn't this good?

[LiENUS]

Properly implemented they have no way of telling if its a bunch of real devices, a bunch of phantom devices, or a single device. Everyones network looks the same, constantly changing suffices

Re:Isn't this good?

[johnw]

There's nothing to stop you doing that as well if you really want to - although you might want to stop and ask yourself why you want that. Is it for any other reason than, "I want things to be the same as they were before"?

Re:Isn't this good?

[unixisc]

Doesn't IPv6 hide the anonymization about which device beyond the firewall is using a service. Do I really want people outside my home to know how many devices I have, or which is viewing what?

Absolutely! Since the subnet size is fixed - 2^64, it's impossible for any service to know how many devices there are behind the firewall. Particularly if they are set up with security extensions, which is to have the interface IDs keep changing periodically so that not only can't a device's ID be nailed, but it would also be impossible to find out at the layer 3 level how many devices one has, or who's viewing what

Re: Isn't this good?

[unixisc]

For the same reason that one uses dynamic addresses currently in IPv4: to prevent any attack vectors from pinpointing a device's IP address and then using that to break into the system. In fact, 'security extensions' (which is IPv6's term for dynamic addresses) is the default Microsoft way of assigning addresses to any device: they don't use EUI-64

Hard to support

[Billly+Gates]

Not every level 1 helpdesk jockey in India making $5/hr can do IPv6 subnetting in their heads to fix connectivity problems

Re:Hard to support

[Dagger2]

You are right, but v6 subnetting is a lot easier than v4 subnetting because of the way that hex lines up with binary more easily than decimal does, so this seems more like an argument in favor of v6 rather than against it.

Re:Hard to support

[sjames]

To be fair, most of the tier 1 people can't do anything that's not in the flip book. That is, they can guide you to reboot the router. They can giude you to reboot Windows. If you tell them you have Linux they'll tell you that Windows Linux reboots the same way as other Microsoft operating systems.

So no real difference there.

Tell them they have a routing failure in your network and they'll transfer you to premium Windows support to explain to you how to set up your email.

Re:Hard to support

[Koutarou]

What subnetting? Nearly everything in v6 is a /64.

Re:Hard to support

[Billly+Gates]

The latest Microsoft MCSA/E exams have lots of /96 vlan questions

C'mon Editors

[great+throwdini]

I typically refrain from calling out the staff supporting /., but is it really too much to postfix the submission title with "in Nigeria"? Or is that somehow at cross-purposes with what you all are trying to achieve on this site?

Re:C'mon Editors

[kenh]

Agreed, too many/most Slashdot readers simply read the headline and then try and blame some combination of the following:

a) Ajit Pai
b) Donald Trump
c) Republicans
d) Comcast, Verizon, etc
e) Windows/Microsoft

IPv6 is my preferred protocol now

[AlanObject]

I know it is cool here to hate on Comcast but my cable modem service supports it so easily now that I don't see any barrier's to adoption.

I used to use one of my Apple Time Capsules (so shoot me) for my router but when I needed better VPN service I got a $35 Mikrotik and made that the gateway router and the Time Capsules are now bridge-mode Wifi access points behind that.

Fast forward a couple of years and I hear about Comcast has IPv6. I found out that my Mikrotik needed an upgrade for IPv6 support but that was surprisingly painless. Once you have that and turn it on the router gets your IPv6 address assignment from the upstream DHCPv6 server Comcast runs. That gives you a 64-bit "address pool" (which is what Mikrotik calls it) and without doing anything else all your household devices get an IPv6 address according their own capabilities.

Comcast did it right, but you still need the right router software on your end. The Time Capsules didn't cut it but the Mikrotik router did. I can't speak for other products because the router worked and there was no need to try anything else.

Windows no problem. MacOS no problem. Smart phones, TV, cams and all the other junk no problem.

The only reason you need IPv4 at all is because there are still a LOT of servers and services out there that can't be reached by IPv6. But I have had no issue with Safari, Chrome, or Firefox or any other networking application.

The payoff for me is that I run a fair number of VMs out in the cloud. My co-location host is reasonably OK with giving me IPv4 addresses when I need them but now I don't even bother assigning an IPv4 address to a system unless it is for public access. IPv6 straight from my system at home to the VM out there.

Fringe benefit: The public IPv6 addresses, at least those that don't have well-known AAAA DNS records, don't get constantly assailed by bots with dictionary attacks.

Gripe: XenCenter doesn't support IPv6 for management. And it is a mess to try and install a mitigating tool like fail2ban in the XenServer hypervisor. What a pain.

That's my take anyway.

Re:IPv6 is my preferred protocol now

[Rick+Zeman]

Yep, Comcast did it right:

Between me and Comcast, we're predominantly doing ipv6:

        Your IPv4 address on the public Internet appears to be 73.187.x.y

Your IPv6 address on the public Internet appears to be 2601:982:8202:e17x:y:z:z

Your Internet Service Provider (ISP) appears to be Comcast Cable Communications, LLC

Since you have IPv6, we are including a tab that shows how well you can reach other IPv6 sites. [more info]

HTTPS support is now available on this site. [more info]

Your DNS server (possibly run by your ISP) appears to have IPv6 Internet access.
Your readiness score
10/10 for your IPv6 stability and readiness, when publishers are forced to go IPv6 only

**********

Dec 24 16:16:14 miniserv postfix/smtp[70877]: Untrusted TLS connection established to smtp.comcast.net[2001:558:fe21:2a::5]:587: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Dec 24 16:16:14 miniserv postfix/smtp[70877]: 290D24BA85FD: to=, relay=smtp.comcast.net[2001:558:fe21:2a::5]:587, delay=3.7, delays=0/0.08/3.3/0.36, dsn=2.0.0, status=sent (250 2.0.0 TDcyeFggV3vQATDd0e9e13 mail accepted for delivery)

Re:IPv6 is my preferred protocol now

[TechyImmigrant]

Two days ago I got my wife's store provisioned with a Comcast business internet (there was no other provider) with 5 static addresses. They provided an envelope with the static address range hand written on it for *only for IPv4*. They also got the addresses wrong and the they had not set the routes up, so nothing can route to those addresses anyway.

The installer who came said a couple of things that were obviously untrue about the address range available on the router's switch and then admitted to not understanding anything about networking.

>Comcast did it right

Bullshit. They can't even set up a static address range.

Re:IPv6 is my preferred protocol now

[Rick+Zeman]

>Comcast did it right

Bullshit. They can't even set up a static address range.

Don't confuse architectural design and their overall design with everyday low-level ineptness. Haven't you seen the ads for Comcast techs: "...no experience necessary?" You said it yourself, "...the installer who came" not "the network engineer who came....."
Don't confuse the two.

Re:IPv6 is my preferred protocol now

[Bert64]

We have all manner of confusion which arises from the multiple layers of NAT, which makes it painful to remember which internal addresses are mapped to which external addresses and ports.
With ipv6, everything would be much simpler. The DNS record points to the ip, and that ip identifies a single host.

Re:IPv6 is my preferred protocol now

[DarkVader]

Well, I'm not convinced they're doing anything right.

They used to have v6 provisioned on my business router. It's gone now. No idea why, I didn't tell them to do that.

Even when it was, they didn't seem to have v6 addresses provisioned as static for my business account. I need to call and yell at them, but that's such a pain in the ass.

Note that it's a business account, not a residential account. I needed v4 statics, still do. IPv6 is less critical for me right now, but it would be nice if it worked.

Re:IPv6 is my preferred protocol now

[Streetlight]

Comcast subscriber here. I use the IPvFoo extension for both Firefox 57 and Chrome Browser and it shows the IP version and other information for connected websites. Comcast handles IPv6 very well.

Re:IPv6 is my preferred protocol now

[TechyImmigrant]

>Running servers from your residential internet connection

It's a business account. They don't sell static on residential accounts.

> - that certainly is not what its intended for.

Says who? It's my business what my packets do.

Re:IPv6 is my preferred protocol now

[unixisc]

I have Comcast at home: it's the only carrier available at my residence. No IPv6

Re:IPv6 is my preferred protocol now

[unixisc]

I thought that all the mobile providers are now forced to do IPv6 simply b'cos of address exhaustion

The least common denominator

[SlaveToTheGrind]

has applications beyond elementary school math.

Next story.

NAT (IPv4 Address sharing) is not security.

[CraigCruden]

Stateful Firewalls Provide Security (Not NAT)

NAT does not provide any real network security, it actually prevents many security measures.

Consumer grade firewalls (most of them) built into the modems they get from their ISP -- are often almost useless when it comes to providing real security. Many of them don't even bother to force the administrator to have anything more than the default password.

By your argument -- you would be even happier if your ISP shares your IP address across many households (double NAT'd) -- which mine does.

Re: NAT (IPv4 Address sharing) is not security.

[AK+Marc]

Anyone who doesn't have a firewall of any kind might be better off with NAT, but it's more in the https://xkcd.com/463/ category. Theoretically better than without, but if you are using it as a security measure, you are doing something horribly wrong.

And even the cheapest consumer routers (or modems) have stateful firewalls built into them these days, Linux core and free firewalls and all.

NAT without a firewall is a network without a firewall. Any security benefit is an accident, not by good design.

Re: NAT (IPv4 Address sharing) is not security.

[Dagger2]

You need state tracking for NAT, not a stateful firewall. Yes, it just so happens that state tracking is also necessary for stateful firewalls, so it's quite common to find firewalling and NAT functionality combined into the same piece of software, but they're separate things. You can do NAT without having a firewall just fine.

...and if you do, then you'll find that anybody that can send packets to your router with the dest address set to the IP of a machine on your LAN will be able to connect to that machine. The good news is that if you're also using RFC1918 addresses on the LAN (which isn't a requirement!) then the set of people that can actually do that will be limited to only your ISP, and anybody that can gain either physical or remote access to your ISP's network, and anybody (such as the police or government) that can convince or coerce the first two sets of people into helping.

Re:NAT (IPv4 Address sharing) is not security.

[Actually,+I+do+RTFA]

I said obfuscation, not security. It seems better, from my point of view, not to have any security tied to IP address at all.

And yes, it seems better if my ISP shares my IP address across many households. Why would it harm me in the slightest?

Re: NAT (IPv4 Address sharing) is not security.

[Koutarou]

Trying to scan a v6 /64 subnet (what a consumer gets 98% of the time) is like trying to find a single machine in the entire public v4 internet.

Re:NAT (IPv4 Address sharing) is not security.

[unixisc]

Stateful Firewalls Provide Security (Not NAT) NAT does not provide any real network security, it actually prevents many security measures. Consumer grade firewalls (most of them) built into the modems they get from their ISP -- are often almost useless when it comes to providing real security. Many of them don't even bother to force the administrator to have anything more than the default password. By your argument -- you would be even happier if your ISP shares your IP address across many households (double NAT'd) -- which mine does.

That's tangential to the argument the GP appeared to be making

The GP was expressing concern about a telco, or anyone else, being able to know how many devices you're hooking up to the internet using your service. In other words, if you are paying Comcast $50 a month for a service, it's none of their business how many devices are hooked on to it. Under IPv4, it's somewhat trivial for them to find out. Under IPv6, if security extensions are being used, it no longer is.

Same thing about who's watching what: if Tamara is on Twitter on the laptop, Rick is watching porn on the Android tablet and Kayla is playing Pokémon Go on the iPhone, nobody watching from outside would be able to tell who's doing what if security extensions are used

Re: NAT (IPv4 Address sharing) is not security.

[unixisc]

No, security involves blocking/dropping hostile packets from a target node. It's the firewall part of the NAT that does that. If the NAT in question does not drop packets, but simply reroutes addresses, then it's not a security feature.

And how does a load balancer - something that divvies up the services being used - even begin to serve as a security device, w/o a firewall being involved?

Re: NAT (IPv4 Address sharing) is not security.

[unixisc]

It would be a billion times more, not as much. The entire IPv4 network is something like 3.2 billion addresses. An IPv6 subnet would be 2^64 addresses. It would take forever to scan one IPv6 subnet, compared to the entire IPv4 internet

Re:NAT (IPv4 Address sharing) is not security.

[unixisc]

I'd imagine that from an ISP's POV, it's more useful to assign one subnet to a single household, and keep it simple. If the guy who's bought the service is a techie, and is running, say, a server of some type at home, it lets him manage the whole thing. If you split it b/w households, that would no longer be feasible, w/o him having to contact every other family on the subnet

Part of this I blame on the design decision to make every subnet 2^64 instead of 2^32. I mean, which subnet needs to have even 4 billion, let alone 18,446,744,073,709,551,616 nodes? Now, that 2^64 is de-facto hardcoded into routers, and one can't have set-ups where much smaller subnets would do.

Re: NAT (IPv4 Address sharing) is not security.

[Brockmire]

If packets destined for a private IP arrives on the WAN and gets to your LAN PC, YOU FUCKED UP.

Re: NAT (IPv4 Address sharing) is not security.

[Dagger2]

My point was merely that it is still possible to commit this particular fuckup even if you're using NAT. (In fact the NAT probably makes it more likely you'll do it, because it may lull you into a false sense of security,)

Re:US Government should tax/fee per IPv4 address

Why? The problem is not in America but in Nigeria. America is the #2 country in IPv6 adoption, just behind Belgium, so we're not exactly lagging behind the world. Or, are you suggesting that Americans need to pay more to help out Nigerian 419 scammer princes?

It makes NAT overload option rather than mandatory

[raymorris]

> anonymization about which device beyond the firewall is using a service.

You're not really hiding anything. Between user agent strings, cookies, etc., the trackers know one device from another. In fact since most web access is from mobile devices these days, and mobiles get new IPs all the time, IPs aren't used much for tracking anymore anyway.

Because IPv4 lacks enough addresses, you're pretty much forced to use only one IP for all of your devices. That's a hack and while it works well enough most of the time, for most people, it does have some problems.

You *can* still do that with IPv6; you aren't forced to. As mentioned above, it doesn't do you much good anyway. You can also have your devices randomly switch between millions of IPs. That's as effective as IPv4 NAT. Of course neither do anything when there are cookies involved and sch.

Static or dynamic; that's the question.

[knorthern+knight]

> Your ISP probably assigned a /64 to your home - so you can always keep rotating
> IPv6 addresses on your computer(s) if you feel the need to confuse your enemies.

That does *NOT* necessarily help anonymization. A static /64 (or /56) is still a CIDR. You can dick around with the MAC ID ("privacy extensions") and jump around in your CIDR all you want. But once someone identifies a static /64 or /56 with you, you're marked permanently. The big privacy battle with IPV6 will be for dynamic /64 or /56 allocation versus static allocation.

Re:Static or dynamic; that's the question.

[93+Escort+Wagon]

My point is: this issue is nothing new... it's the same thing we already have with IPv4. You only get one address from your cable company, and (at least with Comcast) it doesn't seem to change much, if at all. In practice, the only time my cable modem's external IPv4 address ever changed was after extended power failures.

Re:Static or dynamic; that's the question.

[rtb61]

They are crippling IPv6 for one reason and one reason only. They have an existing investment in IPv4 addresses that they rent for profit or can sell, IPv6 simply reduces IPv4 addresses from being worth hundreds of millions of dollars to sweet fuck all. The longer they can keep out IPv6 the more money they can make out of IPv4. Straight up greed.

Re:Static or dynamic; that's the question.

No, they're just lazy and cheap. It costs a lot to ensure all of the devices and software involved work properly with IPv6. Telcos are full of legacy gear and apps.

Re:Static or dynamic; that's the question.

[unixisc]

> Your ISP probably assigned a /64 to your home - so you can always keep rotating > IPv6 addresses on your computer(s) if you feel the need to confuse your enemies.

That does *NOT* necessarily help anonymization. A static /64 (or /56) is still a CIDR. You can dick around with the MAC ID ("privacy extensions") and jump around in your CIDR all you want. But once someone identifies a static /64 or /56 with you, you're marked permanently. The big privacy battle with IPV6 will be for dynamic /64 or /56 allocation versus static allocation.

That may be true, but it's only useful if one wants to block your devices from accessing their sites. However, if one wants to attack any of your devices, the /64 ain't enough: one needs the entire /128 address. If they were to try a brute force method of attack, they'd either take forever to exhaust all 2^64 addresses, or they'd need some algorithm to randomly pick addresses and hope that they match

Re:Static or dynamic; that's the question.

[Agripa]

They are crippling IPv6 for one reason and one reason only. They have an existing investment in IPv4 addresses that they rent for profit or can sell,

No, they're just lazy and cheap. It costs a lot to ensure all of the devices and software involved work properly with IPv6. Telcos are full of legacy gear and apps.

AT&T went out of their way to block IPv6 tunnels before they started charging for IPv6 "upgrades". One of the justifications they gave was that otherwise their customers could get static IPs without paying.

Re:US Government should tax/fee per IPv4 address

[Average]

Government is way overkill for this.

Want to improve AAAA adoption? Easy. Google gives you a ~5% PageRank boost for working dual-stack on your server. Like they already do for SSL, ARIA accessibility, and mobile-friendliness.

Nothing would move the IPv6 needle faster.

Re:It makes NAT overload option rather than mandat

[mark-t]

You *can* still do that with IPv6; you aren't forced to.

This. Exactly.

Also, with IPv6's extension header system, you can theoretically even route right through a NAT, completely neutralizing its most significant disadvantage, as long as the NAT in the middle recognizes and handles the extension, and the session layer on the remote machine that may need to be able to route a raw IP packet to an otherwise undetectable IP address knows to add the extension to the appropriate outgoing packets.

just need a truck and tools to be an 1099'er for c

[Joe_Dragon]

just need a truck and tools to be an 1099'er for comcast in the past they did even do background or DMV checks.

Why are there so few ipv4 addresses?

[Frampis]

Were there actual technical limitations to enabling a larger address space or was it just a lack of foresight?

Re:Why are there so few ipv4 addresses?

[Cardcaptor_RLH85]

A bit of both. First, back when the Internet Protocol was created, there weren't 4 billion people on Earth let alone 4 billion devices that needed to be connected to a network. Secondly, handling and transmitting 128-bit identifiers would have been a bit much for the computers and networks of that era.

So, as I said, very few (if any) people thought the internet would get as big as it is and systems 30 to 40 years ago wouldn't have been able to handle IPv6 the way systems now can.

Re:Why are there so few ipv4 addresses?

[ELCouz]

40-bit is enough (XXX.XXX.XXX.XXX.XXX)...who need 128-bit addressing space?

Re:Why are there so few ipv4 addresses?

[AHuxley]

Re 'who need 128-bit addressing space?"
Products within a company. Everything gets a ip so it can be scanned and more product arrives just in time.

Re:Why are there so few ipv4 addresses?

[Dagger2]

The internet does.

Actually, 64 bits might be enough for the internet, especially if you were willing to put up with some degree of increased costs and admin headache (and oh boy are we willing to do that), but "might" isn't good enough. If you're going to do an incredibly difficult protocol switchover to increase the address size, you really want to get it big enough the first time.

"Whoops. Tehee. It's still not big enough. We need to make it bigger again." is just not going to cut it.

Re:Why are there so few ipv4 addresses?

[Tim+the+Gecko]

First, back when the Internet Protocol was created, there weren't 4 billion people on Earth let alone 4 billion devices that needed to be connected to a network.

It was pretty close. World population was estimated to cross 4 billion in April 1974, while the paper describing IP was published in May 1974. Vint Cerf has apologized for choosing 32 bits, saying "The problem is the experiment never ended".

Re:Why are there so few ipv4 addresses?

[unixisc]

A bit of both. First, back when the Internet Protocol was created, there weren't 4 billion people on Earth let alone 4 billion devices that needed to be connected to a network. Secondly, handling and transmitting 128-bit identifiers would have been a bit much for the computers and networks of that era.

So, as I said, very few (if any) people thought the internet would get as big as it is and systems 30 to 40 years ago wouldn't have been able to handle IPv6 the way systems now can.

Actually, when the Internet Protocol was first created, it was only created for the US Department of Defense and their clients: there was never any intention for this to be used by the entire civilian population of the US, let alone the world. Once it became clear that it was catching on, the IPv6 (then IPng) started.

Also, at the time IPv4 came about, most computers were 8 or 16 bit, much less 32, so having a 128 bit address would have really slowed things down

Re:128 bit addressing completely unworkable

[WaffleMonster]

Nobody can remember all those hex digits.

You control at least the last 64-bits. This doesn't have to be unworkable if you don't want it to be. Add in zero compression, representations as hex and factor in ability to get creative with your 64-bits.

I found it somewhat more difficult to remember prefix but not significantly more.

Easier to derive hostnames from rest of the bits available to you if you use a consistent/creative numbering scheme.

For those who work at large shops/ISPs it's likely even easier because you likely control the last 96-bits.

Extreme example of IPv6 not being difficult to remember is Sprints website... 2600 Hz... http://2600/

Re:128 bit addressing completely unworkable

[WaffleMonster]

Extreme example of IPv6 not being difficult to remember is Sprints website... 2600 Hz... http://2600/

Why does ./ have to butcher everything? http : // [2600::]

What's the benefits of v6?

[seoras]

I just checked that test URL. 10/10. Nice xmas surprise. I run a couple of popular websites (Amazon EC2's running Ubuntu) so I could add IPv6 easily. But why?
What's the upside to IPv6 for a website? Better Google page ranking? Security? Faster page load? Others?
It's been years since I've worked on IPv6, I was one of the small team who wrote the IPv6 stack for Cisco's high end routers.
So I know the protocol - sort of. It was still in flux back then (15 years ago) with the IETF.
Can someone bring me up to date? As a website master, why do I need it?

Re:What's the benefits of v6?

[Dagger2]

Facebook have done measurements that show v6 as giving ~10-15% faster page loads compared to v4. On some specific ISPs the difference will be even higher (for instance T-Mobile in the US backhaul all of their v4 traffic across the country to the datacenters that host their NAT64 infrastructure, while routing v6 more directly).

Re:What's the benefits of v6?

[WaffleMonster]

I just checked that test URL. 10/10. Nice xmas surprise. I run a couple of popular websites (Amazon EC2's running Ubuntu) so I could add IPv6 easily. But why?
What's the upside to IPv6 for a website? Better Google page ranking? Security? Faster page load? Others?

The tangible benefit I know of for websites ATM is faster page loads for those stuck behind IPv4 CGNs.

Re:What's the benefits of v6?

[unixisc]

Websites need routable addresses, so address exhaustion is a real problem that NAT cannot resolve. Neither can virtual hosting. In which case, they'd be forced into IPv6, and then they may or may not take advantage of other IPv6 features. Also, virtual hosting would be a thing of the past, as foo.bar.com would map into 2001:db8:dead:beef::1 while foobar.bar.com would map into 2001:db8:dead:beef::2. No more need for the IP address to be shared

apps should PREFER IPv6

[WindBourne]

Seriously, at this time, it would be better if apps would prefer IPv6 and start running massive traffic through it.
If IPv6 is not available, so be it. BUT, by moving Chrome, Firefox, etc to 6, it will only hasten the move.

Re:apps should PREFER IPv6

[Dagger2]

They do. If you take a dual-stack network and measure the traffic on it, you'll find that about half of it by volume already goes via v6.

Technically the priority is usually set by the OS/system resolver library, which sorts DNS results by an algorithm that is roughly "v6 first if you have a public v6 address, otherwise v4 first". Some software does override the ordering, and other software (like Firefox) has ADHD and will try to connect over v4 if the first connection attempt hasn't finished within 300ms, but as a rule v6 will be preferred if you have it.

Lord a-mercy!

[kenh]

How will the Nigerian economy keep up with the western world without a timely shift to IPv6! /sarcasm

Seriously, it's Nigeria...

Re:A tale of two Verizonâ(TM)s

[kenh]

Please, turn off smart punctuation - http://lmgtfy.com/?q=disable+s...

Re:News flash: itâ(TM)s like this in Australi

[kenh]

Please take a moment and disable smart punctuation - http://lmgtfy.com/?q=disable+s...

Re:A problem everywhere

[kenh]

Please turn off "Smart Punctuation" on your iPhone. Google it. It's Slashdot, I shouldn't have to spoon-feed you a URL, should I?

Oh wait, I forgot, I DO need to spoon-feed you a URL - well, here you go: http://lmgtfy.com/?q=disable+smart+punctuation+ios

Re:US Government should tax/fee per IPv4 address

[kenh]

The US government should facilitate the move from IPv4 to IPv6 by starting to tax or apply a fee for each IPv4 (with no IPv6 address) address in usage -- and increase that fee each year until it encourages the movement off of IPv4.

That is among the dumber things I've read today, but granted I haven't spent that much time on-line today.

The tax code shouldn't be used as a cudgel to control behavior, it is a tool designed to fund the operation of the [Federal|State|Local] government. To what purpose would the proceeds of this tax be applied? Buying IPv6-complaint routers for public K-12 schools? Subsidize Internet connections for low-income/inner-city residents? What?

Re:2018

[kenh]

NIGERIA, not America, but hey, cool you were able to work Trump AND Linux into your contribution, we all got just a little bit dumber after reading your comment.

Nigeria

[kenh]

"There are indications that telecommunications operators and traditional ISPs in the country are frustrating adoption of Internet Protocol version six (IPv6) by other networks," reports Nigeria's Guardian newspaper, citing Nigeria CommunicationsWeek. The magazine found 32 networks with IPv6 addresses -- but only three which are using them. And the newspaper cites "a network engineer with a university who does not want to be named" frustrated that their ISP's network isn't IPv6-compatible, so the university can't use its own IPv6 address. "Mohammed Rudman, chairman, IPv6 Council Nigeria, said that most telecommunications

I've considered it

[kilodelta]

Here in the U.S., New England region with Cox and Verizon. I know Cox offers IPv6 and my router can handle it. But I've been loathe to do so as the 255^3 addresses using only three octets that I have available are plenty. And the NAT works perfectly.

Re:IPv6 sucks ass

[Dagger2]

That wasn't a mistake, it was a necessity. v4 only has space for 32 bits in its src/dest address header fields, and v6 addresses are longer than that, so you can't fit them in. It's v4 that's incompatible with v6, not the other way around.

That said, you can accept both v4 and v6 connections on a single v6 socket, so I'm not entirely sure what you're on about for that. On Linux the behavior is controlled by net.ipv6.bindv6only or a socket option, with the default being to permit v4 connections to v6 sockets.

Re:US Government should tax/fee per IPv4 address

[Bert64]

That may work on the server side of things, but most end users don't have ipv6 connectivity...

What's needed is for the likes of google and facebook etc to start offering desirable features to ipv6 users first, perhaps as a form of beta... If hundreds of customers start calling isps demanding ipv6, or switching to other providers that already offer it then adoption will increase pretty quickly.

For now it's only a few of us asking for ipv6, so we get ignored by the major isps.

Re:IPv6 sucks ass

[WaffleMonster]

The biggest mistake the IPv6 inventors made was making it incompatible with IPv4 by creating a completely different address space.

This ship sailed when IPv4 was placed into production. By time IPv6 came around it was already too late. You can't unfix a fixed address space without forklift change no matter what.

You would think the people behind standards like this are brains trust IQ 200. In truth they are often arrogant and short sighted and refuse to accept criticism.

Only arrogance here is in failure to understand the problem space and basic precepts of reality (e.g. pigeonhole principal)

This required stupidity like having applications which want to support IPv4 and IPv6 open two different ports for incoming connections. Dumb. Dumb. Dumb.

Most operating systems offer dualstack socket options to avoid this.

There is simply no grand conspiracy or obvious path unexplored because everyone but you must be stupid to see it.

Look at what all of these well intentioned transition schemes turned out to be worth. They actively hindered adoption of IPv6 because the operators demand a production quality network at least as reliable and performant as IPv4. This means NATIVE IPv6 not amateur hour crack-pottery involving the use of IPv4 as an overlay for IPv6.

Restoring the Internet to a network of PEERS is way more important than any annoyance or inconvenience felt in deploying IPv6.

Re: Disabled ipv6...

[jandrese]

No my experience at all. The v6 version of a site iften loads faster according to my browser extension. The only problem thus far is Netflix, which blocks video streams to Hurricane Electric addresses. That and Windows store which stops working if you disable IPv6 support on a network that otherwise does support v6.

Re:It makes NAT overload option rather than mandat

[Actually,+I+do+RTFA]

If I'm the kind of person who is worried about the lack of NAS leading to people tracking me more effectively, why don't you think I'm the kind of person who can handle user-agent-strings (and other browser fingerprinting) and cookies?

IPv6 seems dedicated to preventing me from hiding. Even if my device is randomly hopping among IPv6 addresses, they're all on the same subnet (does that term still apply) meaning they can all be used to id me.

9,007,199,254,740,991 is greater than 1

[raymorris]

> Even if my device is randomly hopping among IPv6 addresses, they're all on the same subnet (does that term still apply) meaning they can all be used to id me.

Yes they will be chosen from a range of 9,007,199,254,740,991 addresses or so. Some ISPs will assign you 32 times that many addresses, some a bit fewer, but roughly 9 quadrillion addresses. Compared to your ONE IPv4 address. As someone who has developed security systems which use IP addresses as one indicator of whether it's the same person, I'll tell you it's much easier to track your single IPv4 address than to figure out which 9, or 288 quadrillion, or 18 quadrillion, or whatever might be assigned to the same customer.

> you think I'm the kind of person who can handle user-agent-strings (and other browser fingerprinting) and cookies?

To be 100% completely honest with you, based on your posts I'd guess you're the type of person who thinks they kinda get it, so they make some attempts to hide stuff, and therefore stick out like a sore thumb in the sea of people who present standard, default profiles. When you're the guy who mucks with his iPad's user agent, but of course it still shows iPad resolution, you're the only hot on the whole site reporting 2048Ã--1536 on "Windows" and it makes you very easy to spot.

Re:It makes NAT overload option rather than mandat

[johnw]

Even if my device is randomly hopping among IPv6 addresses, they're all on the same subnet (does that term still apply) meaning they can all be used to id me.

Just like when you were on IPv4, all your devices were behind one IPv4 address, providing precisely the same facility.

IPv6 seems dedicated to preventing me from hiding.

You've yet to provide a single example supporting this contention.

Re:It makes NAT overload option rather than mandat

[WaffleMonster]

If I'm the kind of person who is worried about the lack of NAS leading to people tracking me more effectively, why don't you think I'm the kind of person who can handle user-agent-strings (and other browser fingerprinting) and cookies?

And TLS session caching, DNS fingerprinting and port range mapping (CGN).

IPv6 seems dedicated to preventing me from hiding.

IPv6 really does make it easier to track individual systems on a network of more than one user. Even with privacy addresses short term correlation is probably still useful.

Even if my device is randomly hopping among IPv6 addresses, they're all on the same subnet (does that term still apply) meaning they can all be used to id me.

IPv6 customers are generally assigned subnets rather than single IP addresses. Whether you get a single IPv4 address or a single IPv6 prefix your "network" can just as easily be tracked in either case.

Options here are same for both IPv4/IPv6 use a VPN/tunnel/proxy/Tor-like overlay or regularly convince your ISP to grant you a new address (dump lease / change MAC / reconnect) unless of course they are in cahoots with trackers.

Re:IPv6 sucks ass

[johnw]

The biggest mistake the IPv6 inventors made was making it incompatible with IPv4 by creating a completely different address space.

They didn't - the IPv4 address space is embedded within the (vastly larger) IPv6 address space. The IPv4 address 1.2.3.4 is ::ffff:1.2.3.4. Any IPv6-only application can thus reference any IPv4 address (although some residual NAT is obviously needed to allow the IPv4 server to reply).

Re:A problem everywhere

[Tim+the+Gecko]

Itâ(TM)s a problem everywhere.

You're posting this on a site that can't deal with either smart quotes or IPv6. Any plans, Slashdot?

Based on Googleâ(TM)s stats, less than a quarter of google users are IPv6. https://www.google.com/intl/en...

That's a pretty good upward trend.

Re:Still waiting for IPv6

[fyonn]

tell me about it. I've been bitching on the forums about this for years now. they even promised it would be with us this year but so far, no dice. Ideally I'd like more than a /64 too...

and I use modem mode and my own pfsense router, so I'm not beholden to their kit either...

Re:It makes NAT overload option rather than mandat

[unixisc]

But cookies would have to use something like your MAC addresses, or some other physical (read layer 2) info in order to have a count of your devices. In layer 3 - the IP layer - IPv4 can be used to track how many devices you are using, but IPv6 can't, due to the security extensions. So IPv4 vs IPv6 is no longer an argument if a foreign host, like Facebook or Twitter, is using something outside layer 3 to track everything about you

Re:It makes NAT overload option rather than mandat

[unixisc]

If I'm the kind of person who is worried about the lack of NAS leading to people tracking me more effectively, why don't you think I'm the kind of person who can handle user-agent-strings (and other browser fingerprinting) and cookies?

IPv6 seems dedicated to preventing me from hiding. Even if my device is randomly hopping among IPv6 addresses, they're all on the same subnet (does that term still apply) meaning they can all be used to id me.

If somebody outside knows your /64 and they run a website, they can use their knowledge of your /64 to block you from getting into their site. But if they want to attack any of your devices, they need to know your entire /128 address, not just your subnet address, and that's where your device hopping b/w the addresses in your range helps.

Or a random number

[raymorris]

Mac addresses aren't needed, a random number does just fine. The whole idea of cookies, the definition of a cookie, is that the device returns back the same value that was previously set. So the server sets a cookie called device=7573+4758585 and next time the browser sends back that number.

Obviously the cookie is only one of many parameters used. Cookies might be "blocked" (which often just means they are cleared when you shut down your browser, session cookies typically aren't blocked). To "track" a user, to recognize the same user when they come back, you look at maybe eight or ten different parameters. Any three of the eight are sufficient.

Test for IPv6 Is Wrong, Problems with IPv6

[DERoss]

I tried the test at http://test-ipv6.com/ cited in the article. It said "Connections to IPv6-only sites are timing out. Any web site that is IPv6 only, will appear to be down to you."

According to the test site Down For Everyone Or Just Me at http://downforeveryoneorjustme..., the IPv6 test URI http://ipv6.vm1.test-ipv6.com/... -- timed out for me -- is down for everyone. The IPv6 test URI http://2001470118119/ip/?callb... gives the result "Huh? [2001:470:1:18::119] doesn't look like a site on the interwho." (While the IPv6 address in that URI copied and pasted correctly in http://downforeveryoneorjustme..., Slashdot's editor for this comment deleted the colons in the preview.)

I have a browser extension that displays the IP address of whatever Web page I am viewing. I often see IPv6 addresses in that display. While some IPv6 addresses might not be available to me, that could be a case of a server down or the address defunct. In any case, Web sites with IPv6 addresses do not appear down for me.

While my browser does indeed render IPv6 Web pages okay, I have disabled IPv6 for my newsgroup (NNTP) reader. One NNTP server to which I subscribe too often times out unless I disable IPv6. I do not know if that is a problem with the server or with my NNTP reader application. I really do not care.

Re:Test for IPv6 Is Wrong, Problems with IPv6

[Dagger2]

I wouldn't put too much trust in DFEOJM.com; it even claims that Google is down. Meanwhile, I have no trouble connecting to ipv6.vm1.test-ipv6.com:

Connecting to ipv6.vm1.test-ipv6.com (ipv6.vm1.test-ipv6.com)|2001:470:1:18::119|:80... connected.

You might be single-homed behind Cogent, who have an issue with reaching HE (specifically, the issue is that they just can't stop being assholes). If so then you should probably talk to your ISP and get them to get an extra upstream.

Re:IPv6 sucks ass

[unixisc]

IPv4 compatibility w/ IPv6 ain't the same as, say, Windows 10 compatibility w/ Windows 7, or i7 compatibility w/ i3. Think of v4 as being a surface street or a 2 lane highway, and v6 being an 8 lane freeway.

It's twice as much work; so,...

[herbierobinson]

It takes twice as much work to configure IPv6 (assuming you need to keep supporting IPv4). It's no big deal if you are just configuring a few switches, but if you talk about the number of routers a large ISP has, it becomes a lot of work. So, until they get close to running out of IPv4 addresses to assign to customers, don't hold your breath.

Re:It's twice as much work; so,...

[sl3xd]

if you talk about the number of routers a large ISP has, it becomes a lot of work.

Configuring large numbers of routers isn't an unsolved problem, even if you roll your own automation.

A large ISP is insane if they dodn't use automation to configure their hardware -- it guarantees consistency across the network, which reduces their overhead.

At that point, adding a "new" router is no different from updating the configuration on an existing router.

Re:It's twice as much work; so,...

[herbierobinson]

That will work if every switch and router is the same and is running the same OS version (as was pointed out in the article you referenced). That's not likely to be true in a really large network.

Also, it's been my experience that script based solutions (especially ones that exercise a user interface) are fragile and require a lot of tinkering. And it's still going to be twice as much work (assuming that adding more configuration steps to the script only increases the probability of failure linearly, which might not be the case). Sure, it's better than doing each one manually, but it's still non-trivial.

subnet sizes

[unixisc]

Are there any other subnet sizes in VLAN that are used? Incidentally, /96 makes more sense than /64, and had that been the rule, having automatic routing embedded in the global prefix would have been more achievable