The real official answer is to register/allocate a new subnet, with no intention of putting it into the global routing tables. IPv6 only comes into play because doing that with IPv4 is mostly impractical these days.
The author lost me when they got into raw iproute commands. Not because I'm not acquainted (I run my own custom complex router using a standard Linux distro). But rather if someone knows enough to configure things at this level, then they would just come to this solution on their own. Most people trying to solve this problem will not - eg think that mobile video rack belonging to a touring musician.
Readily-accessible solutions I can come up with off the top of my head:
1. Two off the shelf routers and double NAT. The middle network can be changed if it conflicts with the outer network
2. One router/NAT, but two IP networks on the inner network - one statically assigned for devices to communicate with each other, and one assigned via DHCP for accessing the horizon through NAT. That second network can then easily be changed.
3. Play battleship more strategically using class E address space, DOD/BigCo address space, and/or smaller subnets in the middle of the customary size for a range (eg 192.168.1.160/27).
If I can avoid Double NATing, I do because it tends to degrade network performance and can have interesting characteristics on some inbound traffic (although that depends on the use case).
But the third option honestly isn’t recommended enough. DoD space is rarely routable, and if you are on a private network already, even moreso. It’s also less common than RFC1918.
However, there is one caveat. Some large corporates do use it for just the same reason. Even though it is rarer than 10 or 172 space, you’d be surprised how many large orgs do run DoD internally.
(Disclaimer: I use DoD space for my travel router at hotels)
It's still difficult to find equipment and ISPs that reliably work with IPv6. I'm sure it will be ready for prime time in the next decade or two, right when we get fusion power plants, self driving cars that don't require supervision, and the AI singularity.
We will never get rid of ipv4. Apparently my country ISPs have more ipv4 than they need (they actually rent them to others), so they just don't bother with ipv6.
I guess when the world moves away from IPv4, your country will have the entire IPv4 space for itself, and massive headaches with NAT to route out, and the relative impossibility to route in.
I think that government intervention here is needed in order to coordinate people. We'll all be better off once ivp4 is dead and buried, but the incentive for each entity to do so is minimal. It could be some other powerful entity instead of government, for example tier 1 ISPs degrading ipv4 performance substantially or Google delisting websites that don't support ipv6 (and eventually delisting websites that do support ipv4).
> We'll all be better off once ivp4 is dead and buried
Doesn't IPv6 hurt anonymity? NAT is annoying, but hides the number of devices you have. ISPs assigning you different IPs at different times at least provides some measure of identity resetting.
To say nothing of how easy it is to keep IPv4 devices confined the local network
I understand your pessimism but believe IPv6 is coming.
I worked on network management software, the kind of software that runs on out of band networks that are unlikely to ever need IPv6. In the beginning IPv6 was a required feature for sales but it was accepted that no one was going to use it so little effort was put into testing it. More recently, it HAS to work. It is being used in anger internally in large telecoms companies.
I expect adoption to proceed at a glacial pace until some tipping point. Consumer ISPs will be the last to adopt it.
I’ve encountered this issue with Docker. They randomly assign an RFC1918 subnet for internal services, and occasionally, this subnet clashes with a genuine corporate network or IP address. This can be quite frustrating to troubleshoot, especially if you’re not involved in Docker networking on a daily basis.
I've always been able to solve this problem more simply using IPv4 link-local addressing (https://www.rfc-editor.org/rfc/rfc3927), it doesn't matter if somebody abuses the same range because the outbound interface is explicitly specified in sin6_scope_id passed to connect() and bind().
But if you're writing code at a higher level than the bsd sockets api, it's a whole can of worms.
I think most regular off the shelf consumer WiFi routers can already do this.
The "192.168.0.1" ip address being the internal network and the external network because you're chaining routers together is awfully common and consumers expect it to just work without needing to understand IP addresses like a nerd.
17 comments
[ 3.8 ms ] story [ 56.2 ms ] threadThe author lost me when they got into raw iproute commands. Not because I'm not acquainted (I run my own custom complex router using a standard Linux distro). But rather if someone knows enough to configure things at this level, then they would just come to this solution on their own. Most people trying to solve this problem will not - eg think that mobile video rack belonging to a touring musician.
Readily-accessible solutions I can come up with off the top of my head:
1. Two off the shelf routers and double NAT. The middle network can be changed if it conflicts with the outer network
2. One router/NAT, but two IP networks on the inner network - one statically assigned for devices to communicate with each other, and one assigned via DHCP for accessing the horizon through NAT. That second network can then easily be changed.
3. Play battleship more strategically using class E address space, DOD/BigCo address space, and/or smaller subnets in the middle of the customary size for a range (eg 192.168.1.160/27).
But the third option honestly isn’t recommended enough. DoD space is rarely routable, and if you are on a private network already, even moreso. It’s also less common than RFC1918.
However, there is one caveat. Some large corporates do use it for just the same reason. Even though it is rarer than 10 or 172 space, you’d be surprised how many large orgs do run DoD internally.
(Disclaimer: I use DoD space for my travel router at hotels)
Doesn't IPv6 hurt anonymity? NAT is annoying, but hides the number of devices you have. ISPs assigning you different IPs at different times at least provides some measure of identity resetting.
To say nothing of how easy it is to keep IPv4 devices confined the local network
Or am I missing something?
I worked on network management software, the kind of software that runs on out of band networks that are unlikely to ever need IPv6. In the beginning IPv6 was a required feature for sales but it was accepted that no one was going to use it so little effort was put into testing it. More recently, it HAS to work. It is being used in anger internally in large telecoms companies.
I expect adoption to proceed at a glacial pace until some tipping point. Consumer ISPs will be the last to adopt it.
But if you're writing code at a higher level than the bsd sockets api, it's a whole can of worms.
- CGNAT 100.64.0.0/10
- "Benchmark" 198.18.0.0/15
The "192.168.0.1" ip address being the internal network and the external network because you're chaining routers together is awfully common and consumers expect it to just work without needing to understand IP addresses like a nerd.