The question above for the most part, been reading up on it. Also want to it for learning purposes.
Definitely dual stack if you do. The real benefit of IPv6 is that, supposedly, each of your internal devices can have its own address and be directly accessible, but I don’t think anyone actually wants all of their internal network exposed to the internet. My ISP provides IPv6, but only a single /128 address, so everything still goes through NAT.
Setting it up was definitely a learning process - SLAAC vs DHCP; isc’s dhcpd uses all different keywords for 6 vs 4, you have to run 6 and 4 in separate processes. It’s definitely doable, but I think the main benefit is the knowledge you gain.
Your ISP is doing it wrong, which I guess you already know. I get a /64 net via DHCPv6 for my LAN which is pretty standard.
+1 to dual stack. Too much of the internet is v4 only, missing AAAA, or various other issues. I’ve also had weird issues where a Google/Nest speaker device would fail 50% of the time and other streaming devices act slow/funky. Now I know that means the V6 net is busted and usually I have to manually release/renew. Happens once every few months, but not in a predictable interval.
Security is different, but not worse IMO. It’s just a firewall and router instead of a NAT being added in. A misconfigured firewall or enabling UPnP is still a bad idea with potentially worse consequences.
Privacy OTOH is worse. It used to be that each device included a hardware MAC as part of a statelessly generated address. They fixed that on most devices. Still, each device in your house may end up with a long lived (at least as long as your WAN lease time) unique IP that is exposed to whatever sites you visit. So instead of a unique IP per household with IPv4 and NAT, it’s per network device. Tracking sites can differentiate multiple devices in the house across sites.
This has me thinking I need to investigate more on how often my device IPv6 (or WAN lease subnet) addresses change.
I get a fat /48 network, just in case I need one septillion, two hundred and eight sextillion, nine hundred and twenty-five quintillion, eight hundred and nineteen quadrillion, six hundred and fourteen trillion, six hundred and twenty-nine billion, one hundred and seventy-four million, seven hundred and six thousand and one hundred and seventy-six individual IPs.
IPV6 is pretty wild, we could effectively give every service connecting to every client, in every direction, for every single individual bit its own dedicated address without getting anywhere near using that address space.
Just wait until IoT takes off and every key on your keyboard has a unique address
No, I like living in my nat cocoon so I don’t have to worry as much about all the devices on my network. Jk it’s turned on, but I don’t usually enable it on devices
Get a firewall. Malicious STUN, ALG DoS attacks, just these things make your NAT router less secure than you think it is.
Depends on how you define “worth it”. Most selfhosting is done not for worth, but for a hobby.
IPv6 is the future so I’d say yes. Dual stack is the way to go. If you can get public address block from your ISP thats great. If not I’d recommend HE tunnel or something similar. Just remember to firewall as ever device is reachable in most configurations.
deleted by creator
Okay, so manu of these answers are just plain wrong. In short, you shouldn’t care as the biggest impact will be to network admins. They are the ones who have to configure routing and handle everything else that comes with new addresses. The rest of the world simply doesn’t know or notice whether they are using IPv4 or v6. Business as usual.
If the question is whether you should play with it at home. Sure thing if you have the desire to. It’s the future and only a matter of time before it becomes a reality. Said network admins and ISPs have been delaying the transition since they are the ones who have to work it out and putting your entire user base behind single IPv4 NAT is simpler than moving everything to IPv6.
From network admin perspective, yes it’s worth moving to IPv6 since network topology becomes far simpler with it. Fewer sub-networks, and routing rules to handle those. Less hardware to handle NAT and other stuff. Problem is, they made the bed for themselves and switching to IPv6 becomes harder the more you delay it. Number of users in past 10 years or so has skyrocketed. Easily quadrupled. We use to have home computers with dial-up. Easy enough, assign IP when you connect, release it on disconnect. Then broadband came and everyone is sitting online 100% of the time. Then mobile phones which are also online 100% of the time. Then smart devices, now cars and other devices start having public internet access, etc. As number of users increases, network admins keep adding complexity to their networks to handle them. If you don’t have public IP, just do
tracerouteand see how many internal network hops you have.There’s a pretty interesting series on the topic at Tall Paul Tech’s YouTube channel (here’s the most recent: https://youtu.be/WFso88w2SiM). He goes into quite a bit of detail over the course of a few videos about how he handled everything and highlights some of the trials and tribulations with the isp. It’s not a guide per se, but definitely stuff worth thinking through.
Dual-Stack is usually no problem, but going IPv6-only is a pain, because a suprising amount of services are v4 only. Even NAT64/DNS64 doesn’t help everywhere.
Thank you! I just want to say, I’ve also been curious about ipv6 every now and again for a long time, and this thread has helped me to understand more.
You’re asking if you should use it, while my ISP was working on it in 2017 and then it all got canned when they got bought out :( .
Because devices in your LAN will all be accessible from the internet with IPv6, you need to firewall every device.
It becomes more of a problem for IoT devices which you can’t really control. If you can, disable ipv6 for those.
Haha, no not really. IPv6 has the ability to provide public IP address for each device, but that doesn’t mean it will have to. Other than number of possible addresses, nothing is different. Routing, firewalls, NATs, etc. All remains the same.
It’s not necessary to firewall every device. Just like how your router can handle NAT, it should be able to handle stateful firewall too.
Mine blocks all incoming connections by default. I can add (IP, port range) entries to the whitelist if I need to host a service, it’s not really different to NAT port forwarding rules.
So even though the device has a public address, the route is through the firewall, hence the ability to filter traffic?
Right. Packets still have to go through your router, assuming that your router has firewall turned on, it goes like this:
-
Your router receives a packet.
-
It checks whether the packet is “expected” (a “related” packet) - by using connection tracking.
For example, if ComputerA had sent something to ServerX before, and now the packet received by router says “from ServerX to ComputerA”, then the packet is let through - surely, this packet is just a reply to ComputerA’s previous requests.
-
If step 2 fails - we know this is a new incoming packet. Possibly it comes from an attacker, which we don’t want. And so the router checks whether there is a rule that allows such a packet to go through (the assumption is that since you are explicitly allowing it, you know how to secure yourself.)
If I have setup a firewall rule that says “allow packets if their destination is ComputerB, TCP port 25565”, and the received packet matches this description, the router lets it through.
-
Finally, the packets that the router accepts from the previous steps are forwarded to the relevant LAN hosts.
I understand this part :) I use a fairly complex firewall at work though I only know bits and pieces from reading different manuals. I think the part I didn’t understand was how exactly the routing worked differently in IPv4 vs v6. I get that because NAT happens in IPv4, packets can’t be routed at all without the firewall/router but I wasn’t sure what was the mechanism by which v6 made sure that packets went through the router, especially when you have stuff like v6 DHCP relays.
Ah, I misunderstood your original comment, oops! But yes, IPv6 packets are routed just like IPv4 ones, just without the NAT’ing process i.e. the packet remains untouched the entire trip.
-
The argument for IPv6 that there could be a unique address for 200 devices for every person living on the planet was much more compelling when network security was a more simple space.
Nothing has changed about why that is compelling: NAT sucks and creates nothing but problems.
Network security is almost the same with IPv6.
If you rely on NAT as a security measure you are just very bad at networking.
I mean that, when IPv6 started filtering out to non-specialists, network security wasn’t nearly as complex, and nor was the frequency of escalation what it is today. Back when IPv6 was new(ish), there weren’t widespread botnets exploiting newly discovered vulnerabilities every week. The idea of maintaining a personal network of internet-accessible devices was reasonable. Now maintaining the security of a dozen different devices with different OSes is a full time job.
Firewalling off subnets and limitting the access to apps through a secured gateway of reverse proxies is bot bad networking. That’s all a NAT is, and reducing your attack surface is good strategy.
Wait, ipv6 doesn’t require port forwarding to expose something to the internet?
Port forwarding is exclusively a NAT phenomenon.
In IPv6 every device should in theory have a public address - just like how every computer had a public IPv4 address back in the 1980s ~ 1990s.
However, most sensible routers will have a firewall setup by default that blocks all incoming connections for security reasons. You still need to add firewall rules.
This is correct. My router however doesn’t have that level of firewall. It’s either all allowed or nothing is.
There’s no “should in theory”. It’s only a possibility due to sheer number of possible combinations. No one was ever going to make every device public. It makes absolutely no sense. Why would your company’s printer be online or isolated networks or VPNs? There’s no point.
IP addressing is just a way to give a globally unique number to each device. It’s just a number.
And there wasn’t a real public/private distinction when the Internet was still in its infancy. Printers were indeed given “public” addresses because people needed a number for it.
If you don’t want your printer to be reachable by the public Internet, use a firewall to block outside connections. If you can use NAT, you certainly can use a firewall. Heck, they are almost the same thing if you have been using the Linux kernel (iptables/nftables handle firewalling and masquerading with the same tool!)
Routability is not the same as reachability. With NAT transversal you can reach my “private” hosts all the same, although you can’t route to me because I don’t have a public address.
