64 comments

[ 3.2 ms ] story [ 65.1 ms ] thread
It would be nice if the Aussie broadband market would start enabling IPv6 but the pessimist in me thinks they'll just turn on CG-NAT and call it a day.

Since most consumers don't care, and CG-NAT bandaids the problem I don't see how the market will be motivated to spend the time/money to bring us IPv6. We're probably going to be stuck with shitty bandaid solutions for a while

I’m visiting Australia at the moment and the state of internet connectivity in central Melbourne is pretty poor.

Very slow internet at my AirBnBs, generally very poor WiFi availability and speeds in public, the co-working space I’m in (that is otherwise excellent) is a similar speed to my home connection in London.

Above all, latency makes some websites considerably less pleasant to use, and SSH to most places is painful. I know that’s not something the local market can necessarily fix though.

I've thought about working in Aus for a few months over a (northern) winter - what visa did you get?
I got a regular tourist visa. My main reason for visiting is seeing people, and I'm just doing a bit of remote work for a UK based company during time that I'm not seeing people. I'm not being paid in Aus, still being paid at home in £. I don't believe that counts as "working in Australia". I'm here for 1 month, I think the tourist visa allows you to visit for up to 3 months.

This is not visa advice.

As someone who moved to Australia from London, I can confirm: the latency is the real killer.

I'm one of the few lucky ones with FTTP which gets me close to 100mbit speeds. But as soon as I have to connect to a server outside of Oz I am pretty much back to (high) ADSL speeds. Latency to the US and Singapore (the two closest international backbones) is around 150-200ms. It's around double that for Europe. At peak times those backbones get very congested.

Funnily the only country I've been to that has faster and more consistent 4g was Japan.

100MB is still not great for business premises. At home in London I'm on 80MB fibre, and get ~76MB during peak times. At work in London we have 1GB (and typically get 1.2GB) between ~80 people. This co-working space is ~85MB for a similar number of people.
They did have it available opt in for a short while, but it broke so they stopped doing it.
I have a service with Aussie broadband, and I'm participating in the IPv6 beta. It's being activity worked on. The staff are highly communicative with those in the beta. It's been great so far.
Aussie Broadband seem to be the only ISP that puts any effort in and cares about their customers, I hope they don't get bought and become another part of TPG
They've stuffed up my billing every month for 12 months now. I've told them numerous times and they still can't fix whatever problem they have.

I'm glad other people are having more luck with them.

CG-NAT doesn't help you internally, which is why big US ISPs went to IPv6.

For your own infrastructure, re-using the same addresses over and over, as in a CG-NAT scheme, makes it far easier for mistakes to happen and far harder to diagnose them. Your network becomes a fragile component that your own network engineers are frightened to touch, hurting your ability to compete as a network provider.

What's 10.20.30.40? Your own notes show you use 10.20.30.40 in Sector A of the country for a Cisco router but you also named a different device, a microwave transceiver in Sector B of the country 10.20.30.40 with the NAT supposedly separating the two. So packets supposedly "from" 10.20.30.40 could be the Cisco router playing up again, but they could be that microwave transceiver misbehaving, or they could be CPE leaking a customer's internal addresses into your CG-NAT network. If you try to "solve" this over the network you might end up talking to a "different" 10.20.30.40 than the one causing problems and make things worse.

Once you realise you want IPv6 internally, it's not a huge leap to realise that you might as well at least _offer_ this to customers too.

There are <20M address in the IPv4 private address space, vs. maybe ~100M smartphones in the USA. So, yes, you need to reuse addresses internally if you have more than 20% market share.

But until all web sites and services have migrated to IPv6, each smartphone still needs an IPv4 address, right? How does introducing IPv6 internally solve the problem you described, if a significant portion of traffic is still using IPv4?

I believe every effort should be done to further the transition and make it less cumbersome in the future. Just the mental effect of "we're already partially using it" is invaluable
The _internal_ problem is addressing all your _internal_ systems, so that's what IPv6 immediately solves. You don't need everybody's cat blog to migrate to IPv6 to be able to connect to your 15 000 Cisco routers in 48 data centres distributed around the country, only the 15 000 Cisco routers need IPv6 addresses for that part.

For those smartphones, the other half of the equation is 464XLAT adaptors at the edge of your network. So no, the smartphones don't get given IPv4 addresses at all.

What happens there is split into two scenarios

1. User goes to Facebook. Facebook has IPv6, everything just works, no extra expense

2. User goes to My Cat Blog. My Cat Blog is IPv4-only but two layers of NAT64 make it work anyway [ Edited: My previous explanation here was just wrong. Sorry. Go read up on 464XLAT if you care, the phone needs to know what's going on here, so this is easier to deliver for a phone network than to home computers... ]

Case 2 isn't much better than CG-NAT for IPv4 services - your smartphone still doesn't have a "real" IPv4 address. BUT the ISP only needs to spend on it in proportion to continued use of IPv4. As sites big or small offer IPv6, their users automatically stop relying on 464XLAT for those sites and cut the costs of the equipment, whereas people who choose CG-NAT are stuck paying for that forever.

Legit Internode had native ipv6 enabled by default since 2008.

Whirlpool still exists also.

https://whirlpool.net.au/wiki/hw_feature_242

I had read that they aren't doing IPv6 on NBN connections though?

It seems that there has been a bit more adoption of it since I last checked which must have been a while ago, I'm surprised to see Telstra on the list!

I'm 'stuck' on Internode as they're still the only carrier that I can get that'll offer IPv6 on NBN fibre for a decent price. Even the rest of TPG's sub-brands don't offer v6. It's painful.
I have Comcast cable Internet in California. I own my own cable modem, and my own router (an Asus RT-AC68U).

Over a year ago, I decided to check out if I could do IPv6. And indeed I could! I am now getting a dynamically-allocated /64 block, which is used to make allocations to my desktop and my phone. From my perspective, IPv6 just works!

I hope, in two or so years, they come back to the same conference with a report of how much traffic has moved to IPv6.

> we are now looking at carrier-grade NAT vendors as a longer term solution rather then buying more IPv4 space

That's even worse. I read a definition of Internet long back which I vaguely remember

A network of devices where each device is assigned with unique IP address so that they can communicate with each other. No central party is needed for two devices to connect with each other!

This always fascinated me. But NAT breaks that definition or was the definition wrong? It no longer holds true. IPV6 is the only hope. I've wrote more about it here

https://www.ankshilp.in/post/the_broken_promise_of_internet/

Also IPv6 makes scanning the address space infeasible. This is the only realistic hope to get a bit more security in IoT.
That seems like security through obscurity.

I have other hopes to get IoT more secure. Open source firmware, for starters. Support contracts where you don't buy the hardware but buy a working (and insecure isn't working) device.

The problem with IPv6 is that it is a chicken-egg problem. Those who get CGNAT plus native IPv6 are part of the unfortunate bunch who are not using native IPv4 (and therefore miss out on certain IPv4-only services). Meanwhile, the IPv4-only services are causing issues for CGNAT. The logical conclusion is that everyone who currently offers IPv4-only should (and should've been) focusing on adopting native IPv6 dual stack. The continuous procrastination, out of greed and egocentric thinking, is what caused the current situation in the first place.

My ISP tried to shove CGNAT with native IPv6 through my throat. My modem was unstable. BitTorrent didn't work well anymore. I could not use services over LTE anymore (my LTE provider, actually same provider as my cable, used IPv4-only back then; don't know now). I relied on that to work. So they gave me what I had before: IPv4 only. Why not dual stack first?

Having to guess a 128bit AES key is also security through obscurity then!

Though it doesn't give any protection against local scanning.

I was about to comment exactly that.

This is security by realistic approximation of compute capacities and basic probability math.

Aka. good security

> (and therefore miss out on certain IPv4-only services)

Such as github, for example. Something that really surpised me when I setup an IPv6-only virtual machine and then went to clone some projects to setup the host.

That seems like security through obscurity.

People on HN like to say that "security through obscurity" is not security at all. But there's a reason that the military puts its secret stuff out in the middle of nowhere.

Only if it is assigned randomly. I doubt that.
Exactly. In many implementations I’ve seen the user’s MAC address ends up getting exposed to the WAN. I suppose this is the wet dream of Google, and that’s why they want to push ipv6 adoption.
Most systems use the privacy extensions that randomize addresses to prevent that.
Yes, I’m sure those iot devices will use infallible privacy extensions... Nah, they’ll probably expose their mac, which will make it trivial to scan for them.

Truth is, right now iot devices are protected by nat (your router) and maybe cgnat too (if your isp is good enough and provides that service). With ipv6 those devices will lie exposed to the wan. I hardly see how that’s an improvement.

Also don’t trust regular devices. Windows disabled privacy extensions because of a bug (not sure if it’s fixed already). https://social.technet.microsoft.com/Forums/windows/en-US/57... — I trust my router’s nat much more: it can’t be disabled because of a bug ;-)

> Truth is, right now iot devices are protected by nat (your router) and maybe cgnat too (if your isp is good enough and provides that service). With ipv6 those devices will lie exposed to the wan. I hardly see how that’s an improvement.

You're planning to just get rid of your firewall when you don't need it for NAT anymore?

The problem is many of these IoT pierce holes in the firewall (upnp) to expose themselves to the WAN.
Some will, some won’t. Most will.

Some machines’ TCP stacks can be crashed with a single packet. Some IoT devices can be added to botnets. Some get patched.

I think you are blaming too much on ipv6, much of which exists today in the ipv4 world.

You can always set up your router to be a stateful v6 firewall and block wan-to-lan accesses you don’t like or want, much the same way NAT works today, on an outbound-before-inbound model.

Within a /64 globally unique prefix assigned by their router devices can choose to either:

Assign themselves addresses randomly ("privacy addresssing") OR Assign themselves addresses based on their EUI64 (a hardware unique ID burned into them at the factory, as in MAC address)

It's feasible to try scanning a known /64 for addresses based on a specific manufacturer's EUI64 block. Maybe Sony brand smart TVs for example. It'd take a bunch of traffic, and thus time, but it could be done.

But it isn't feasible to try scanning the whole /64 for random assigned addresses. You're going to need to send _many terrabytes_ of probe messages to that network. Even over a gigabit network link inside a data centre that might take hours and cost a not insignificant amount of money, to a home or office network it's going to flood the system (causing somebody to make a support call) and take weeks to execute.

Ignore the network practicalities and think just about the economics. Suppose it costs me one millionth of a penny to scan an IP address. I can scan the entire IPv4 Internet for less than $40.

But on the IPv6 Internet, at that price $1 billion only scans me one /64 network. My home has several of those. If you could somehow steal my entire net worth by breaking into a device on my network but first you had to scan all the addresses you're _losing_ money on the deal.

The complexity in that few sentences you wrote alone wants me to keep doing nice and simple and reliable ipv4. I don't think I'll ever transition, because the amount of knowledge I have to acquire to trust myself with all the complexities of ipv6 is gigantic. Ipv4 however, is simple. I can have a simple firewall at home that does NAT, a DHCP server and I'm done and secure. Well ok, secure enough. But I don't even know how to find out what documentation to study to make that same setup on ipv6.
IPv6 works the same way.

Masquerading NAT is not a security feature. You need state tracking to build a masquerading NAT (so that your residential gateway knows which internal machine to route reply traffic to), and once you have state tracking, you can build a stateful firewall. It doesn't matter which version of IP is carrying the traffic, it still has to go through your gateway before it can get to you, and the gateway can do all the policing you want it to.

If you want certain services on your internal machines to be reachable from the outside over IPv6, you open up that service's port in your gateway's firewall configuration, which is ... exactly what you do for IPv4 too.

OpenWRT (a popular third-party residential gateway firmware) has a stateful IPv4 and IPv6 firewall and DHCPv6/PD support out of the box. You flash it, and if your ISP provides IPv6, you're done. If they don't, you can set up e.g. a 6in4 tunnel with Hurricane Electric, and you're done.

It's not complicated. Yes, you have to learn some things, but they're the same things you had to learn when you were starting out with IPv4.

I believe the default on retail set ups (defaut for MacOS, iOS and Windows) plus router is random addressing. So surely it may be different on certain corporate or university networks. But at least there is a guy supposed to be paid to handle security.
[Edit: I was wrong about that: //No, it is not. By default the suffix is generated based on your MAC address.//]

Moreover the wasteful norm to rely on /64 subnets and other, similar more practical than privacy-conscious design decisions diminish the potential to stay pseudo-anonymous.

I don't think MAC is the default [1]:

the following operating systems use IPv6 privacy extensions BY DEFAULT:

    All versions of Windows after Windows XP
    All versions of Mac OS X from 10.7 onward
    All versions of iOS since iOS 4.3
    All versions of Android since 4.0 (ICS)
    Some versions of Linux (and for others it can be easily configured)
For routers, then I have no way to tell. But I would be surprised if stateless addressing wasn't the default on the vast majority of retail routers.

[1] https://www.internetsociety.org/blog/2014/12/ipv6-privacy-ad...

This also means that banning separate IP's is now infeasible. Not that it's the right way to go about things anyway, but a ton of sites rely on it
You can still ban the /64
They also say "despite the decision to invest in NAT technology, Aussie Broadband has also decided it needs to speed up its IPv6 rollout".

Despite IPv6, you still need CGNAT, because not every site/service is available over IPv6. It's fine as long as it's a stopgap, not the main solution.

At what point will NAT no longer be required? Is IPv6 really seen as a successor or just a supplement to IPv4?
At least in gaming, ipv6 causes issues especially together with NAT or dual stack lite...
- v4<->v4 increasingly requires NAT due to scarcity

- v6<->v6 does not require NAT

- v6<->v4 requires NAT but does not require your v6 device also have a v4 address

Until the v6<->v4 is no longer needed you will always have some form of NAT as there aren't enough addresses to give everyone a v4.

> Despite IPv6, you still need CGNAT, because not every site/service is available over IPv6. It's fine as long as it's a stopgap, not the main solution.

NAT64 is better than CG-NAT (single NAT vs double NAT) and they both solve the same problem.

In the UK, BT officially enabled IPv6 but it is a "maybe" IPv6. Sometimes it is enabled, sometimes not. It is 2019....
From my experience it’s consistently IPv6. Is it that some small areas of their network are v4 only still, but the majority is v6?

At my employer we typically find IPv6 is 25-30% of our traffic. It’s better than I thought it would be but still not great. Much of that percentage is BT and Sky.

My advice would be get a better ISP. I have rock solid IPv6 here in the UK with a /48 and a RIPE record.
Sometimes a better ISP isn't always an option. I live on the south coast in a Virginmedia area, and have requirements that make it the only sensible option since it's so far ahead of other ISPs on downstream bandwidth.

I do run an IPv6 tunnel out of my network to get access to the IPv6 internet and add my tiny bit of traffic to things and try and increase adoption, but I'd much prefer it if VMB just gave me IPv6 native. Not even sure they're working on it.

Unfortunately where I live there is only one fibre to the premise provider and that's not going to change. I don't care about IPv6 enough to swap fibre to the premise for DSL.
Doesn't your FTTP provider give IPv6 then?

I have a BT Openreach fibre, and A&A give IPV6, and several v4s

I use BT openreach too. They do but as I said patchy connectivity. I see that when I run nslookup in windows which isn't smart enough to fall back to IPv4 DNS when v6 is not reachable. It seems to be on and off.
You're on A&A and getting patchy connectivity?
I am on BT openreach. What is A&A?

I get patchy v6 connectivity. v4 is stable.

https://www.aa.net.uk/ I'm using it and get rock solid IPv6. Also they have actual people who know what they are doing manning the phones.
This has nothing to do with native IPv6. They are putting 1000s of customers behind one single IPv4 address which is a nightmare for everyone involved (think about port forwarding not working anymore, etc.)
What makes you think they'll use just one address and not a pool?
I didn't say they were using just one address. I was saying they are putting 100s or 1000s of customers behind one single address (which is happening in Europe for years already, with UPC for example). Of course they have several IPv4 addresses.
It really doesn't matter. The result is the same.
I don't have much sympathy. What I read is an ISP saying "gee, all those IPv4 addresses we use internally are costing us a mint, whatever shall I do?".

I see lots of comments here about the merits of IPv4 v IPv6 v CG-NAT. That's all irrelevant. Aussie Broadband, like all Australian ISP's, provide their customers with a router configured to do NAT. If like me you don't want that your on your own you are better off purchasing your own gear. They won't support you, but at least you will be familiar with it. For some ISP's like Optus you have no choice - they've crippled the firmware in their routers so you can't change it.

Given the router is doing NAT they can use any carrier. And indeed, some Australian NBN ISP's use IPv4/DHCP, some use PPPoE and others were at one point doing QinQ and of course for pre-NBN ADSL connections it was ATM. Whatever, if your router is doing NAT it doesn't doesn't effect the customer one way or the other. IPv6 is a perfectly reasonable choice for a carrier in those circumstances, and for bonus points it means you can give your customer routeable IP addresses. (It would simplify my home setup considerably.) And it doesn't use a single paid for IPv4 for internal routing!

As for the hand wringing about the price - we've known this was coming for decades. We've figured out the solution and it's been available for purchase for years. They've almost certainly replaced their gear at least once in those years. They definitely replaced the routers they've handed out to customers because of the NBN rollout. If they didn't replace it with something IPv6 capable that's piss poor planning - particularly so because unlike most countries the NBN roll out gave Australian ISP's the perfect opportunity to do it.

Sometimes I worry if ISPs aren't incentivized to chose IPv6 over just having CG-NAT. Of the ISPs that are available in my area, some are doing just CG-NAT and no IPv6.