The question above for the most part, been reading up on it. Also want to it for learning purposes.

  • Faceman🇦🇺
    link
    fedilink
    English
    112 years ago

    It’s good to learn, because it will become more common as time moves on, particularly if you get into the datacenter/cloud/ISP industry. It’s less important for the general home user, but it is important to understand how it works and how to use it safely.

    Just treating it like IPV4 with more address space is dangerous though. you need to think differently about security and firewalls as it is as if every device has its own dedicated WAN address and could be open to the internet without you knowing.

  • BaldProphet
    link
    fedilink
    42 years ago

    There aren’t many benefits from using IPv6 on LAN, as far as I can tell, unless you need more addresses than are available in the private address ranges.

  • @duncesplayed@lemmy.one
    link
    fedilink
    English
    6
    edit-2
    2 years ago

    I’ll buck the trend and say “yes, for a home LAN, it is the bees’ knees”. I don’t do it now because my country (and hence my ISP) does not do IPv6, but for most places it’s worth doing.

    It depends on how your ISP does it. When I did it before, my ISP gave me a /56, which is pretty sensible and I think fairly common. If you get smaller than a /64, (a) your ISP is run by doofuses, but (b) it’s going to be a pain and maybe not worth it.

    A /56 was much bigger than I needed. I actually only used 2 /64s, so a /63 would have been fine, but network configuration is fun (I think), so maybe you can get creative and think about different ways of allocating your network.

    I had 1 /64 for statically-assigned, publicly reachable servers. And then I had a separate /64 for SLAAC (dynamic) allocated personal devices (laptops, phones, etc.) which were not publicly-reachable (firewalled essentially to act like a NAT). (Sidenote, if you are going to use IPv6, I recommend turning on RFC7217 on your devices for privacy reasons. I think these days it’s probably turned on by default for Windows, Android, iOS, etc., but it’s worth double-checking)

    The big benefit to using IPv6 is that all of your home machines can be (if you want them to be) reachable inside your network or outside your network using exactly the same IP address, which means you can just give them a fixed AAAA and access them from anywhere in the world you like. If you’re into that sort of thing, of course. It’s a lot of fun.

  • @busturn@lemmy.world
    link
    fedilink
    English
    12 years ago

    You’re asking if you should use it, while my ISP was working on it in 2017 and then it all got canned when they got bought out :( .

  • manitcor
    link
    fedilink
    English
    22 years ago

    yes, ill admit i didnt do it myself until recently when I didnt want to do yet-another-nat-entry and decided to join modern networking.

    should have done it years ago.

    • operator
      link
      fedilink
      12 years ago

      What were the biggest pains? What was surprisingly easier than expected?

      • manitcor
        link
        fedilink
        4
        edit-2
        2 years ago

        worrying my head off about security because in the old days IPv6 had some issues esp with bascially putting every device on your network on the public internet with no firewall.

        learned that years ago hardware makers started defaulting to blocking all traffic from the outside when ipv6 is enabled. Once I felt comfortable just turning it on I found it pretty easy to grasp esp when the addresses stopped liking like random junk to my eyes.

        Once I knew how things worked actually exposing a specific system or port set to the internet was super easy, much easier than NAT + firewall.

        with my ISP. v6 unexpectedly brought a new level of privacy we had not had before. When you geolocate the IPs they show up in ISP datacenters all over the country. One day it looks like we are in VA, the next we are coming out of Seattle. We have yet to notice any speed or routing issues. IPv4 and IPv6 play well together though once you turn on v6 you might find yourself turning it on for more vlans than you planned because you want the features!

  • @dud3@feddit.de
    link
    fedilink
    English
    82 years ago

    Dual-Stack is usually no problem, but going IPv6-only is a pain, because a suprising amount of services are v4 only. Even NAT64/DNS64 doesn’t help everywhere.

  • Matt The Horwood
    link
    fedilink
    English
    22 years ago

    The server I have with ovh has ipv6 setup, but only 1 of my VMS on it has an address. It’s a lot harder to get your head around then it looks, no NAT. Firewall everything

  • @empireOfLove@lemmy.one
    link
    fedilink
    English
    14
    edit-2
    2 years ago

    For LAN, no. If you have a router NAT’ting traffic and providing DHCP service there’s really no need for ipv6. Almost every ipv6 enabled service provides both 6 and 4 usually and NAT figures it out, and many still provide only 4, meaning you can’t just get rid of ipv4 entirely.

    If your ISP has modernized and is actually providing an ipv6 address, I suppose there’s probably a tiny benefit of being able to go ipv6>ipv6 when routing, bust most all devices nowadays can handle NAT translation from ipv4 to ipv6 and vice versa with no routing penalty. I don’t know if there are any ISP’s out there who can provide static ipv6 addresses without a NAT router to your entire LAN though.

    If you’re buying a vps or something ipv6 is easier to get a static address for.

    That of course leaves the last good reason: why not? If you’re doing homelab hosting stuff why not experiment with ipv6 and fully modernize your network. They suck to type in but it’s fun to know your stuff is brand new and using the “best”.

    • poVoq
      link
      fedilink
      English
      22 years ago

      I have currently an issue with a WebRTC SFU not working behind a IPv6 to IPv4 translation, at least I suspect that is the cause.

  • @tburkhol@lemmy.world
    link
    fedilink
    English
    442 years ago

    Definitely dual stack if you do. The real benefit of IPv6 is that, supposedly, each of your internal devices can have its own address and be directly accessible, but I don’t think anyone actually wants all of their internal network exposed to the internet. My ISP provides IPv6, but only a single /128 address, so everything still goes through NAT.

    Setting it up was definitely a learning process - SLAAC vs DHCP; isc’s dhcpd uses all different keywords for 6 vs 4, you have to run 6 and 4 in separate processes. It’s definitely doable, but I think the main benefit is the knowledge you gain.

    • Katrina
      link
      fedilink
      English
      -32 years ago

      And the biggest disadvantage of IPv6 is that each of your internal devices has its own address and can be directly accessible from outside. So you need to completely rethink how you do security.

      • thanevim
        link
        fedilink
        62 years ago

        Isn’t that what tburkhol addressed in their first paragraph? Or are you suggesting further steps than just putting those devices behind NAT? I am not at all trying to be snarky, I actually want to know more about this.

      • @lemming007@lemm.ee
        link
        fedilink
        English
        52 years ago

        And can be identified/tracked individually by outside entities. In IPv4, a website sees both my device and my kid’s device as the same IP. In IPv6 they’re different so this just provides more ways for them to track you.

    • @designatedhacker@lemm.ee
      link
      fedilink
      English
      142 years ago

      Your ISP is doing it wrong, which I guess you already know. I get a /64 net via DHCPv6 for my LAN which is pretty standard.

      +1 to dual stack. Too much of the internet is v4 only, missing AAAA, or various other issues. I’ve also had weird issues where a Google/Nest speaker device would fail 50% of the time and other streaming devices act slow/funky. Now I know that means the V6 net is busted and usually I have to manually release/renew. Happens once every few months, but not in a predictable interval.

      Security is different, but not worse IMO. It’s just a firewall and router instead of a NAT being added in. A misconfigured firewall or enabling UPnP is still a bad idea with potentially worse consequences.

      Privacy OTOH is worse. It used to be that each device included a hardware MAC as part of a statelessly generated address. They fixed that on most devices. Still, each device in your house may end up with a long lived (at least as long as your WAN lease time) unique IP that is exposed to whatever sites you visit. So instead of a unique IP per household with IPv4 and NAT, it’s per network device. Tracking sites can differentiate multiple devices in the house across sites.

      This has me thinking I need to investigate more on how often my device IPv6 (or WAN lease subnet) addresses change.

      • Faceman🇦🇺
        link
        fedilink
        English
        92 years ago

        I get a fat /48 network, just in case I need one septillion, two hundred and eight sextillion, nine hundred and twenty-five quintillion, eight hundred and nineteen quadrillion, six hundred and fourteen trillion, six hundred and twenty-nine billion, one hundred and seventy-four million, seven hundred and six thousand and one hundred and seventy-six individual IPs.

        IPV6 is pretty wild, we could effectively give every service connecting to every client, in every direction, for every single individual bit its own dedicated address without getting anywhere near using that address space.

        • ferret
          link
          fedilink
          English
          211 months ago

          Just wait until IoT takes off and every key on your keyboard has a unique address

  • @fedev@lemmy.world
    link
    fedilink
    English
    -22 years ago

    Because devices in your LAN will all be accessible from the internet with IPv6, you need to firewall every device.

    It becomes more of a problem for IoT devices which you can’t really control. If you can, disable ipv6 for those.

      • @orangeboats@lemmy.world
        link
        fedilink
        English
        82 years ago

        Port forwarding is exclusively a NAT phenomenon.

        In IPv6 every device should in theory have a public address - just like how every computer had a public IPv4 address back in the 1980s ~ 1990s.

        However, most sensible routers will have a firewall setup by default that blocks all incoming connections for security reasons. You still need to add firewall rules.

        • @fedev@lemmy.world
          link
          fedilink
          English
          22 years ago

          This is correct. My router however doesn’t have that level of firewall. It’s either all allowed or nothing is.

          • @orangeboats@lemmy.world
            link
            fedilink
            English
            12 years ago

            IP addressing is just a way to give a globally unique number to each device. It’s just a number.

            And there wasn’t a real public/private distinction when the Internet was still in its infancy. Printers were indeed given “public” addresses because people needed a number for it.

            If you don’t want your printer to be reachable by the public Internet, use a firewall to block outside connections. If you can use NAT, you certainly can use a firewall. Heck, they are almost the same thing if you have been using the Linux kernel (iptables/nftables handle firewalling and masquerading with the same tool!)

            Routability is not the same as reachability. With NAT transversal you can reach my “private” hosts all the same, although you can’t route to me because I don’t have a public address.

    • @orangeboats@lemmy.world
      link
      fedilink
      English
      5
      edit-2
      2 years ago

      It’s not necessary to firewall every device. Just like how your router can handle NAT, it should be able to handle stateful firewall too.

      Mine blocks all incoming connections by default. I can add (IP, port range) entries to the whitelist if I need to host a service, it’s not really different to NAT port forwarding rules.

      • @Reliant1087@lemmy.world
        link
        fedilink
        English
        32 years ago

        So even though the device has a public address, the route is through the firewall, hence the ability to filter traffic?

        • Unaware7013
          link
          fedilink
          12 years ago

          Yes, the firewall is still your transition point from your internal network to your ISP network. Just like with ipv4, you should be configuring your ipv6 firewall to only allow designated traffic into your network from the internet.

        • @orangeboats@lemmy.world
          link
          fedilink
          English
          2
          edit-2
          2 years ago

          Right. Packets still have to go through your router, assuming that your router has firewall turned on, it goes like this:

          1. Your router receives a packet.

          2. It checks whether the packet is “expected” (a “related” packet) - by using connection tracking.

            For example, if ComputerA had sent something to ServerX before, and now the packet received by router says “from ServerX to ComputerA”, then the packet is let through - surely, this packet is just a reply to ComputerA’s previous requests.

          3. If step 2 fails - we know this is a new incoming packet. Possibly it comes from an attacker, which we don’t want. And so the router checks whether there is a rule that allows such a packet to go through (the assumption is that since you are explicitly allowing it, you know how to secure yourself.)

            If I have setup a firewall rule that says “allow packets if their destination is ComputerB, TCP port 25565”, and the received packet matches this description, the router lets it through.

          4. Finally, the packets that the router accepts from the previous steps are forwarded to the relevant LAN hosts.

          • @Reliant1087@lemmy.world
            link
            fedilink
            English
            22 years ago

            I understand this part :) I use a fairly complex firewall at work though I only know bits and pieces from reading different manuals. I think the part I didn’t understand was how exactly the routing worked differently in IPv4 vs v6. I get that because NAT happens in IPv4, packets can’t be routed at all without the firewall/router but I wasn’t sure what was the mechanism by which v6 made sure that packets went through the router, especially when you have stuff like v6 DHCP relays.

            • @orangeboats@lemmy.world
              link
              fedilink
              English
              22 years ago

              Ah, I misunderstood your original comment, oops! But yes, IPv6 packets are routed just like IPv4 ones, just without the NAT’ing process i.e. the packet remains untouched the entire trip.

      • 𝕽𝖚𝖆𝖎𝖉𝖍𝖗𝖎𝖌𝖍
        link
        fedilink
        English
        -12 years ago

        The argument for IPv6 that there could be a unique address for 200 devices for every person living on the planet was much more compelling when network security was a more simple space.

        • @amki@feddit.de
          link
          fedilink
          English
          12 years ago

          Nothing has changed about why that is compelling: NAT sucks and creates nothing but problems.

          Network security is almost the same with IPv6.

          If you rely on NAT as a security measure you are just very bad at networking.

          • 𝕽𝖚𝖆𝖎𝖉𝖍𝖗𝖎𝖌𝖍
            link
            fedilink
            English
            -12 years ago

            I mean that, when IPv6 started filtering out to non-specialists, network security wasn’t nearly as complex, and nor was the frequency of escalation what it is today. Back when IPv6 was new(ish), there weren’t widespread botnets exploiting newly discovered vulnerabilities every week. The idea of maintaining a personal network of internet-accessible devices was reasonable. Now maintaining the security of a dozen different devices with different OSes is a full time job.

            Firewalling off subnets and limitting the access to apps through a secured gateway of reverse proxies is bot bad networking. That’s all a NAT is, and reducing your attack surface is good strategy.

      • 30021190
        link
        fedilink
        English
        12 years ago

        IPv6 doesn’t support NAT… Or am I woefully out of date.

        But your home router will just firewall like it does already but you don’t have NAT as a simple fall back for “security”. It does make running internal services much easier as you no long need to port forward. So you can run two webservers on port 80 and they be bother allowed inbound without doing horrible load balance or NAT translation.

        • @fedev@lemmy.world
          link
          fedilink
          English
          12 years ago

          The router does have a firewall but it blocks everything inbound by default. Some routers (at least mine) do not offer the granularity to filter traffic for certain devices (no NAT either). It’s either allow all in or nothing.

          When you enable IPv6 and switch off the firewall (since you can’t host anything otherwise), every device becomes exposed to the internet.

          Then unless the devices have a firewall themselves, all is exposed. Not just the web services, ssh and the rest as well.

          • @fedev@lemmy.world
            link
            fedilink
            English
            12 years ago

            There was a way around it however but not something everyone will be able to do with their home router. I had to ssh to the router using ISP admin credentials leaked on the internet, then create a file in init.d that loads a custom iptables file with the firewall rules I needed for IPv6. NAT for IPv6 however was not supported by the kennel used for my router.

        • @NocturnalEngineer@lemmy.world
          link
          fedilink
          English
          62 years ago

          IPv6 has NPTv6, which allows you to translate from one prefix into another.

          Useful if you’ve got dual WAN, and can’t advertise your own addressing via the ISP. You can use NPTv6 to translate between your local prefix and the public prefixes. But NPTv6 is completely stateless. It’s literally a 1:1 mapping between the prefixes.

          • @orangeboats@lemmy.world
            link
            fedilink
            English
            3
            edit-2
            2 years ago

            IPv6 has both NAT66 and NPTv6. (Note that NPTv6 was once called NAT66 too, but I am referring to the “stateful, one-to-many” NAT66 here. Yeah, it’s confusing.) NAT66 is more like the traditional stateful NAT that all of us know and understand.

  • @redcalcium@c.calciumlabs.com
    link
    fedilink
    English
    2
    edit-2
    2 years ago

    The possibility to have your packets passed through a shorter route compared to IPv4 packets is worth it imo. I have 280 ms ping to the US and I can cut it down to ~250ms by routing my traffic via certain countries with vpn. I really hope widespread IPv6 deployment would optimize global internet routing so my latency would improve even if just a few ms so I don’t need to use VPN to override my route manually.

    • Oliver Lowe
      link
      fedilink
      English
      22 years ago

      Maybe a silly question: any ideas why there are shorter routes using IPv6?

      • @redcalcium@c.calciumlabs.com
        link
        fedilink
        English
        22 years ago
        • Fewer hops usually required when using IPv6, which means shorter latency.
        • Simplified header means less processing time needed to process IPv6 packets, which might improve latency on each hop.
        • It also supports multicast, but I’m not sure if it can be used to improve routing and latency.
        • Oliver Lowe
          link
          fedilink
          English
          12 years ago

          Thanks! Is there something about the larger area space which means there are fewer hops?

          • @redcalcium@c.calciumlabs.com
            link
            fedilink
            English
            42 years ago

            I suspect it’s more like the workaround used by network operators to scale up IPv4 to serve billions of users necessitate more and more layer of nodes to route your packets through.

  • Semi-Hemi-Demigod
    link
    fedilink
    22 years ago

    I’m lazy and don’t want to remember more than three digits in an IP address or secure all my devices like they’re publicly routable so I’m sticking with IPv4

  • @tvcvt@lemmy.ml
    link
    fedilink
    English
    22 years ago

    There’s a pretty interesting series on the topic at Tall Paul Tech’s YouTube channel (here’s the most recent: https://youtu.be/WFso88w2SiM). He goes into quite a bit of detail over the course of a few videos about how he handled everything and highlights some of the trials and tribulations with the isp. It’s not a guide per se, but definitely stuff worth thinking through.

  • @dan@upvote.au
    link
    fedilink
    English
    17
    edit-2
    2 years ago

    There’s a bunch of advantages. IPv6 can be useful since your devices can have the same IP both internally and externally. No dealing with port forwarding. No split horizon DNS (where you have different DNS entries for internal vs external). No NAT. No DHCP required for client systems (can just use SLAAC to auto-generate addresses). Much simpler routing. It’s a bit faster. Proper QoS.

    I used to use Comcast, who actually have very good IPv6 support. They were the first major US ISP to roll out IPv6 to everyone, around 10 years ago. Unfortunately my current ISP doesn’t have IPv6, but they’re aiming to roll it out this year.

    • Outcide
      link
      fedilink
      English
      62 years ago

      How does that work, having the same IP internally and externally?

      • @dan@upvote.au
        link
        fedilink
        English
        8
        edit-2
        2 years ago

        A good ISP that supports IPv6 will give you a /64 range. That’s a huge number of IPs, 2^64. Easily enough for every device on your network to have a lot of public IPs. If you use Docker or VMs, you could give each one a public IPv6 address.

        When every device on your network can have a public IP, there’s no longer a reason to have private IPs. Instead, you’d use firewall rules for internal-only stuff (ie allow access only if the source IP is in your IPv6 range).

        This is how the internet used to work in the old days - universities would have a large IP range, and every computer on campus would have a public IP.

        Of course, you’d still have a firewall on your router (and probably on your computers too) that blocks incoming connections for things you don’t want to expose publicly.

  • Fireduck
    link
    fedilink
    English
    22 years ago

    Absolutely. I use ipv6 so I can directly reach all my servers. For public facing things I put it on an ipv4 address but for my own internal stuff, ipv6.