77 comments

[ 4.4 ms ] story [ 143 ms ] thread
slightly OT: why is HN not ipv6 yet? why isn't reddit? why pretty much anyone except google and facebook isn't?
Because there is no benefit to running IPV6 if you have access to an IPV4 address.
There actually is. An increasing number of ISPs is going IPv6-only with central carrier-grade NAT for IPv4. Those gateways are often overloaded, resulting in vastly better performance over IPv6.
Except this study shows no difference in performance, but a 9x higher failure rate to establish an ipv6 connection.
The study did a good job breaking down the different IPv6 connectivity types, but didn't discuss different IPv4 connections. GP is comparing native IPv6 to IPv4 CGNAT, but the study seems to be comparing differing forms of IPv6 to native IPv4.
IPv6 traffic is much slower. In my case (I use Miredo client), link to Portsmouth, ServerHouse, GB is up to 30Mbit by IPv4 but no more than 1Mbit by IPv6.
You have native IPv4 and IPv6 over a tunnel, so of course IPv6 is going to be slower.

The point is that for an increasing number of users, it's the exact opposite.

NAT v4 addresses are no fun. IPv6 addressing is a big win there. Especially in the mobile space.
> NAT v4 addresses are no fun.

Everybody runs behind a NAT anyways, most systems work just find with multiple layers of NATs. I have been running an internal double NAT for months and the only reason I removed one layer from my onion was that back to mac fails badly with multiple layers of NATs.

No, not everyone runs behind a NAT system. Ever been to a university where everyone gets an non-RFC1918 IPv4 address? That's how IPv6 is. When I worked at Microsoft, everyone had a routed address on their workstations, too.

As you just admitted, NAT breaks things. Double NAT and CGN breaks a lot more. What about people who have no choice or no say in whether or not their Internet is NAT'd? There are ISP's where customers don't get routed IPv4 addresses. They get RFC1918 addresses and lots of double NAT'ing occurs. It's a bad scene.

> No, not everyone runs behind a NAT system. Ever been to a university where everyone gets an non-RFC1918 IPv4 address? That's how IPv6 is. When I worked at Microsoft, everyone had a routed address on their workstations, too.

Every normal customer is, every normal business is. Old institutions do not count because they are in a privileged position nobody else on the web is.

> As you just admitted, NAT breaks things.

And we learned to deal with it for many, many years. For many of us, a NAT is considered a feature not a bug in fact.

When I run a server I already have to assume that clients are NATed and as such I design my system to work that way. IPV6 only is a non existing part of the internet and as such not really something to optimize for. I get absolutely nothing currently by enabling IPV6 on my server because I cannot depend on it.

So your position is that we should just keep piling hacks upon hacks even though there is viable alternative that will drastically simplify a great many things for the foreseeable future?
> So your position is that we should just keep piling hacks upon hacks even though there is viable alternative that will drastically simplify a great many things for the foreseeable future?

My position is irrelevant in this discussion. I answered the following question based on my own experience in the field:

> why pretty much anyone except google and facebook isn't?

>For many of us, a NAT is considered a feature not a bug in fact.

What? Nat is always a bug with a hack piled upon hack upon hack. The amount of crap that needs done to get ip2ip communications working and other multiport protocols is stupid and introduces piles of security risks. Protocols like uPNP have produced a plethora of critical exploits allowing an attacker full access to the NAT'ed network. Firewall controlled IPv4 with a 1:1 ratio of ip to host is always much easier to control the security risks with.

Everyone else simply uses NAT because they have no other choice, there simply isn't IPs in the 4 address space to do whats needed.

So yet again we have a implementation tragedy where everyone would be better off with it working, but no one will do it, leaving us with a hulking crapsack we are used to in every aspect of our life.

Further reading: http://slatestarcodex.com/2014/07/30/meditations-on-moloch/

> The amount of crap that needs done to get ip2ip communications working and other multiport protocols is stupid and introduces piles of security risks.

I'm sorry, but you are naive if you think that NATs will go away with IPv6 or that the absence of NATs would make it safer. In fact, NATs have found a way back to IPv6 and any deployment I have seen with IPv6 that was not done by a university actually goes through a NAT.

This doesn't sound right to me. There is no need to do address translation in IPv6 networks. It may be that there is still a firewall in place with rules about incoming and outgoing connections, though.

In the IPv4 realm the term NAT is often interpreted to mean connection rules in addition to network address translation. It is the address translation that is the source and focus of much criticism of IPv4 "NAT" and it is exactly that feature that is unneeded in the IPv6 realm.

So while network address translation is superfluous in IPv6, there is still an argument to be made for network access rules.

I would be interested to here what technical arguments were being made for true network address translation in an IPv6 network.

> There is no need to do address translation in IPv6 networks.

There is no need, but typically desire. Which company is comfortable leaking out individual employees IP addresses if they can avoid it? There are more downsides from a security point of view than upsides.

That can be done with randomized assignment of addresses to hosts rather than dynamic address translation. Everyday you come to work you get a different address. No need to do that dynamically at the network border or on a per connection basis.

But thank you for pointing out explicitly one of the 'reasons' that is given for IPv6 NAT.

  > This doesn't sound right to me. There is no need 
  > to do address translation in IPv6 networks. It may 
  > be that there is still a firewall in place with rules
  > about incoming and outgoing connections, though.
Multi-wan egress balancing (without bgp) is one usecase for NAT66 (NPTv6).
I have native IPv6 at home, it doesn't use NAT.
And we learned to deal with it for many, many years. For many of us, a NAT is considered a feature not a bug in fact.

Sounds like Stockholm syndrome. Are there any desirable properties of NAT that can't be duplicated with a firewall?

> Sounds like Stockholm syndrome. Are there any desirable properties of NAT that can't be duplicated with a firewall?

That they are widely deployed, reasonably predictable and quite transparent to the user. Which means that in the default configuration a user has a secure setup that apps however can partially circumvent to enable incoming traffic on UDP ports. Many computer games or P2P systems exploit this setup quite successfully to set up P2P networks without any user interaction.

Many computer games or P2P systems work around the pain that is NAT. But with IPv6 you just... remove the workaround. That's always going to be better.

If you like the "game requests a firewall exception by making a uPnP call to the router" model, there's no reason at all you can't do exactly the same thing under IPv6. The only difference is that games that don't have all the hacky workarounds will also work.

> Every normal customer is, every normal business is. Old institutions do not count because they are in a privileged position nobody else on the web is.

WHAT?

I am at a tiny German ISP, got a new contract one year ago, and have a publicly routable IP.

I’ve never seen an ISP that doesn’t provide at least one publicly routable IP per customer, some, like mine, even provide additional ones for a few euros each.

> I’ve never seen an ISP that doesn’t provide at least one publicly routable IP per customer, some, like mine, even provide additional ones for a few euros each.

There are a few ISP's in APNIC and LACNIC regions that hand out RFC1918 addresses to end users. I've seen a few NANOG posts of people trying to greenfield such setups in the US, too. Mostly in the RF/radio space.

>I am at a tiny German ISP, got a new contract one year ago, and have a publicly routable IP.

You have one IP, not one per computer. Thus your router becomes a NAT for the devices you have internally.

I can, if I want to, as I said, order multiple IPs, for multiple devices.

Currently I only have one, as I don’t need more, but I can easily get one per computer.

Just like I can get one phone number per room.

> I can, if I want to, as I said, order multiple IPs, for multiple devices.

Very few ISPs let you do that and if they do, continuous blocks are really expensive these days, even for servers. For end user networks it's even less likely that you get them. Maybe in the states, but not in Europe. In Germany especially there are many ISPs that do not give you any IP address any more but have a carrier side NAT unless you call phone support or switch it in a panel somewhere and then you get exactly one dynamic IP that rotates every 24 hours.

If you have an ISP that gives you anything larger than /24 I would really like to hear which one that is.

Try looking for ISPs whose main business is hosting and business lines, for which home users are just a side business ;)

Those, like TNG, often offer far better contracts.

> Try looking for ISPs whose main business is hosting and business lines, for which home users are just a side business ;)

First of all we're reaching the point where we basically discuss a tiny part of the overall space and as such this is not even relevant to the original point any more.

Secondly, the ISP you named (TNG) does not appear to even give out blocks for customers.

The claim I made, that most ISPs at least provide one IP per customer, so you personally can use one device with a public IP, is still true.

The "small ISPs give out multiple IPs on request" is a different, but related part.

Then we are discussing about completely different aspects because I was talking about an owned block which would be the only way to avoid a NAT on your side.
An ISP can give you a bunch of separate, but still static IPs. That’s too rare.

It’s effectively like the standard 24h dynamic IPs, just that they never change them. You don’t own the IP, but are still guaranteed to be reachable under it.

Unitymedia in Germany no longer gives out IPv4 addresses to new customers, even if you call support.
> I get absolutely nothing currently by enabling IPV6 on my server because I cannot depend on it.

You know you can dual stack right? It's not a binary option. You can run IPv4 and IPv6 addresses side by side, offering the best connectivity to all clients. You gain a lot by enabling IPv6, and not much to lose. Out of curiosity, why are you against IPv6 so much? It's coming, it's not going away. Over 25% of US residences have routed IPv6 addresses. Adoption is higher in other parts of the world.

> You know you can dual stack right?

I know, but why should I? When the time comes I will enable IPv6 but right now it's more hassle than it's worth.

> You gain a lot by enabling IPv6, and not much to lose. Out of curiosity, why are you against IPv6 so much?

I'm not against IPv6, I just don't gain anything from it. Which means that effectively it just complicates the general setup for me, more things that can break etc.

> Adoption is higher in other parts of the world.

It would appear those parts of the world are not customers to me, users of my software or they are fine with IPv4. And again, that's what is the thinking process for many, many people that have small web services or websites.

> It would appear those parts of the world are not customers to me, users of my software or they are fine with IPv4

How do you know if you don't have IPv6 endpoints?

> that's what is the thinking process for many, many people that have small web services or websites.

And those sites will continue to be small with that kind of thinking.

> When the time comes I will enable IPv6

The user stats show that the time is now. What kind of signal are you waiting for?

> How do you know if you don't have IPv6 endpoints?

For my open source projects I do not care. For the business side of things at any company I worked for the bulk of the revenue came from a handful of countries where invoicing was set up, the interface was translated to, everybody spoke English in support etc. If I would ever have to grow a business into an area where there is no IPv4 connectivity or problematic one, there would be plenty of other issues before.

> And those sites will continue to be small with that kind of thinking.

One has nothing to do with the other. Sites grow because they grow their consumer base and that has pretty much nothing to do with IPv6 connectivity (at the moment). The future is irrelevant in this discussion as the thread was about why few people care currently.

> The user stats show that the time is now. What kind of signal are you waiting for?

Not the stats I am looking at, but I'm willing to be shown different statistics. For all companies I worked for IPv6 has been not even a topic worth discussing so irrelevant was it for the the operations.

Oh my god, it's so nice to live on a network of routable addresses. It felt weird for the first year at college but once you have it for a while the reduced overhead is so nice.

When I started managing a /24, the network administration was so amazing. Like relaxing on a big squishy couch. The internal nameserver and the external nameserver... were the same nameserver with one set of records. The firewall was actually a firewall, not set of limitations that could be imposed by a firewall but were in fact a technical limitation of the network gateway.

I miss it so much. Now I'm sitting on a network that uses a private block, VPN-ed into a network that uses ALL 3 1918 blocks (don't ask). From the computer I'm sitting at various subnets will be routed to the local network, and others to the remote network. There are systems that I can not communicate with on both networks. I will stand up SSH tunnels to whenever I need to talk to them.

>Ever been to a university where everyone gets an non-RFC1918 IPv4 address?

Heh, yep, with a firewall that dropped all incoming connections. Worse than configurable NAT.

Huh, I wonder why that got a downvote.

Anyway I found something funny, they finally 'fixed' the FAQ.

In 2010 and earlier:

> ResNet does not have a firewall , we simply block all incoming TCP connections outside of ResNet.

From 2011 on:

> ResNet have a firewall and we block all incoming TCP connections outside of ResNet.

isnt reddit pretty heavily invested in aws? aws doesn't support ipv6. nor does google compute.
ELBs are dual-stack v4/v6 by default.

That's about it though for IPv6 support on AWS. Annoyingly, Route53 supports AAAA records but their nameservers are only reachable via IPv4.

Complete guess here, but their analytics, fraud, spam, etc systems are IP based and don't work well with the v6 address space yet?

Cloudflare handles their front end, so it should be as easy as toggling an option in the CF admin page.

Here's the other side of the story: Not a sysadmin, but I'm an independent programmer with an online app. I've set up a Debian vps at OVH with IPv6 and it was unbearably slow. I used to believe it was OVH, but the reason seems to be that most things e.g. package managers wait for the request in IPv6 (or the one to the DNS) timeout before trying IPv4. An apt-get upgrade takes hours. I guess there's some kind of configuration to improve that, but when step 0 of setting up IPv6 starts with problems, I just stick to stacks that I can manage.
The problem there is probably the DNS resolution. I like the way apple does it: they resolve AAAA and A in parallel. Whatever comes back first is being used for the connection attempt. Much better than waiting for a ~5 second timeout on AAAA before calling back to A.
This is no longer the case. Their implementation of Happy Eyeballs now prefers IPv6 over IPv4. This is as of iOS 9 and El Capitan.
> This is no longer the case. Their implementation of Happy Eyeballs now prefers IPv6 over IPv4. This is as of iOS 9 and El Capitan.

It prefers, but only if it gets a response within 25milliseconds. It still queries AAAA and A in parallel.

> It prefers, but only if it gets a response within 25milliseconds. It still queries AAAA and A in parallel

Correct. The large technology companies that shape the world are indicating their preference and shift towards an IPv6 world, yet you still claim that you see no benefit? You don't want to be on board with them?

> yet you still claim that you see no benefit?

Did you reply to the wrong thread? I did not indicate my preference here, I replied to OPs question about why his server might be slow and what other systems are doing.

I've also noticed this. My home ISP (Internode, RIP) provides an IPv6 range. I dutifully set up AAAA records for a couple of my servers and then ended up disabling them either on the client or server side as things as simple as SSH were timing out. I don't think it was DNS, I'm fairly sure there was an MTU issue but I didn't dig into it that much.
because some customers of "internet" like me in northern america have an IPv4 only access to the internet.

Thanks to teksavvy that blames videotron. Customer services says: not a problem.

There is a growing balkanisation between highly dense zone with the critical mass for getting a ROI in IPv6 transition and less dense zone that where equiped with a correct IPv4 backbone.

Non mobile land connection is getting less and less connected to the internet, because "mobile" is the future. But mobile data plan and hardware are freakingly expensive as if there was a money divide on the internet between riches and poors. I don't want no smartphone, no mobile connection, no netflix: I just want a 1Megabyte/s clean internet with 100% internet connection.

It is really the IPv6pocalypse here. Half baked technologies put on the front, while the basics (100% access, UDP not dropping too much, not too much lags) are decaying (as if equipments where not upgraded).

I used to be a QIII player. Nowadays it is excessive lags, spikes everywhere on every continent. My internet sux balls big, QIII was a good reason to have internet. Now, everyone is happy with buggy crashy games that are sloooooowwww in gameplay but with a 4KHD 120fps.

Why must I have internet? Because administrative tasks requires me to have it to gather and send forms. Else, I would drop it.

2.8% of mondial energy burnt...for this

This compares ipv6 vs ipv4 dual stacks between the same endpoints. The conclusion is that performance is equivalent but the establishment of the connection has a 9x higher failure rate for ipv6.

(Edits:grammar)

Not a performance issue per-se, but more an ugly unintended consequence of IPv6 issues: peer-flooding in torrent transfers. I use libtorrent to distribute my data sets and i'm seeing all the usual trackers are being flooded (DoS-like) via the vast available, in this case phony, IPv6 address space[1]. The unstated contention by agents of content owners being that bit-torrent can never do anything but wrong. Selfishly focused on their own content they're statistically not utterly wrong, but they are using the design of IPv6 to poison the well for benevolent use.

[1] https://torrentfreak.com/popular-torrents-being-sabotaged-by...

>Update: The IPv6 addresses which are used appear to be fictional. They haven’t been allocated yet and are non-routable.

What kind of network are they using that lets them send forged source addresses? Also, a temporary solution in that case would be to use a blocklist of non-allocated ranges.

BT is UDP and you can write whatever you want into a packet.
Right. Looks like I'll have to add some networking to my to-learn list. Thanks.
I didn't RTFA but would point out that the performance problems I've run into with IPv6 aren't related to the specification itself but buggy implementation code from vendors, which I expect to improve with time.
Most definitely the case with at least Windows 8. Since I upgraded to Windows 10 I haven't experienced the problem. With Windows 8, after an uncertain period of time every app (browsers, torrents, games) would stall. It would drive me nuts until I found a post that recommended disabling the IPv6 networking protocol. It seemed to work fine until Windows 10 came along and all is good. Other devices on the network using Windows 7, android OS, didn't have any connectivity issues when the Windows 8 device did, so I'm sure it had to be Windows 8.
There are also issues with end user rollouts. For example, comcast uses prefix delegation to give you are /60 which your router (pfsense in my case) then uses for the internet network (it carves out a /64). However, this prefix changes! As it is not a statically assigned prefix, my internal devices renumber whenever it changes, it would make it a huge pain to get a consistent mapping for my internal devices (media server, printer, etc) were I to go ipv6 only.

I thought about using an additional ULA subnet (ipv6 supports multiple subnets), but apparently many vendors do not yet support RFC 6724, or support it poorly with regard to ULA addresses. As such, I get mixed results with devices trying to use the ULA address for internet egress.

NAT66 (npt) is another possibility, and some people end up having to use this when they have more than one ISP (multi-wan balancing) anyway, but I haven't found a good way to update the nat target when the prefix changes yet (might try moving to openbsd and try ifstated calling a script to a pf table or something).

> For example, comcast uses prefix delegation to give you are /60 which your router (pfsense in my case) then uses for the internet network (it carves out a /64). However, this prefix changes! As it is not a statically assigned prefix, my internal devices renumber whenever it changes, it would make it a huge pain to get a consistent mapping for my internal devices (media server, printer, etc) were I to go ipv6 only.

Part of the point of IPv6 is that your addresses reflect the real network topology - when your upstream changes, your addresses change. The right thing is to ensure that your router is also updating DNS for your internal devices, and use names to refer to them. You shouldn't expect anything to have a truly static IPv6 address.

  > The right thing is to ensure that your router is also
  > updating DNS for your internal devices, and use names
  > to refer to them.
How does a router go about doing that with SLAAC? Running dhcp6 is something I would like to avoid. Maybe Bonjour/mDNS are just going to be far more prevalent in the ipv6 world.

For most devices, a constantly changing IP is well and good (eg ipv6 privacy extensions). However, for servers it is less than desirable.

This is the missing part for me as well. I run DNS internally and it works just fine for IPv4, but everything is using SLAAC so I can't have AAAA records.

The only solution I've heard so far is to have a client on each machine that would update the DNS server with the new address, which sounds terrible.

I'm just about at the point that I'm just going to install DHCPv6, but last I heard not every OS supported it?

Hah. The more I look into this the more awkward it seems; I was lucky enough to have dhcp6 Just Work on my home network but it sounds like not everything supports it.
GeoIP routing is sometimes worse with native IPv6 than IPv4. Take gstatic.com for example which goes to a neighbouring country with IPv6 (inside same ISP, but still):

  $ ping -c 3 gstatic.com
  PING gstatic.com (82.77.159.222) 56(84) bytes of data.
  64 bytes from cache.google.com (82.77.159.222): icmp_seq=1 ttl=61 time=2.11 ms
  64 bytes from cache.google.com (82.77.159.222): icmp_seq=2 ttl=61 time=1.98 ms
  64 bytes from cache.google.com (82.77.159.222): icmp_seq=3 ttl=61 time=1.78 ms

  --- gstatic.com ping statistics ---
  3 packets transmitted, 3 received, 0% packet loss, time 2002ms
  rtt min/avg/max/mdev = 1.780/1.960/2.118/0.143 m

  $ ping6 -c 3 gstatic.com
  PING gstatic.com(bud02s22-in-x03.1e100.net) 56 data bytes
  64 bytes from bud02s22-in-x03.1e100.net: icmp_seq=1 ttl=55 time=9.85 ms
  64 bytes from bud02s22-in-x03.1e100.net: icmp_seq=2 ttl=55 time=9.67 ms
  64 bytes from bud02s22-in-x03.1e100.net: icmp_seq=3 ttl=55 time=10.5 ms

  --- gstatic.com ping statistics ---
  3 packets transmitted, 3 received, 0% packet loss, time 2003ms
  rtt min/avg/max/mdev = 9.675/10.031/10.568/0.403 ms
So I have this in /etc/gai.conf now:

  precedence ::ffff:0:0/96  100
The worst problem with Google's GeoIP implementation is that you really can't report problems to them in a good manner. They have this: https://support.google.com/websearch/contact/ip but it only works for Google.com and not YouTube. I really, really wish Google would put more resources on this.
I've gotta say, I was impressed with how easy the IPv6 setup was with the latest version of OpenWRT. I just recently upgraded and, with Comcast's native IPv6 support, everything just worked and all of the machines on my LAN grabbed externally-routable addresses. After poking some holes in the default firewall rules, I can connect directly from my machine at work (also IPv6 addressed) to a machine at home without any port mapping or translation. Feels nice.
Particularly on mobile, Facebook is seeing fairly big wins with IPv6. It's not entirely clear why, but it's happening. Here's Paul Saab's deck from earlier this year: https://www.dropbox.com/s/15xi92296lw32hu/Facebook-World-IPv...
I bet on NAT latency. No NAT must be great for push messaging, since the network is stateless and less keepalives are necessary to keep the connection open.