NAT still exists for IPv6 (infoblox.com)
63 points by watchdogtimer on Aug 15, 2022 | hide | past | favorite | 83 comments


I really want to love IPv6 but my ISP (Xfinity in California) will not provide a stable prefix.

This doesn't matter with IPv4, because all my internal IPv4 addresses are NATed. But with IPv6, although each device on the network can receive a globally routable IPv6 address, the prefix keeps changing, and so the address keeps changing. This makes internal networking a nightmare, since the address of my devices is not under my control.

I don't use NPT, but it would fix the problem, so people are going to continue using it until dynamic prefixes go away. Which will probably be never.


I use ULAs (https://en.wikipedia.org/wiki/Unique_local_address) for this. I have a private, non-routable subnet, and another non-stable prefix for globally routable addresses.

In effect, it's not much different than how IPv4 works with unstable WAN DHCP addresses from your provider, and I don't have the headaches that NAT brings with it.

It's a different way to think about the problem, but I've actually found it to be pretty nice.


Thank you for this! I've been trying to make Link Local Addresses work (https://en.wikipedia.org/wiki/Link-local_address). But, for tools like ping6 I have to specify the network interface like 'ping6 fe80::1%en1' otherwise routing doesn't work, and doing that complicates everything.


Try adding mDNS to the mix. Works pretty well for link local addresses.


That approach makes a lot of sense. Does your router assign each ULA or do you configure each host with a static one?


This is the setup I've ended up on. Seems to work.


See also "Reaction of IPv6 Stateless Address Autoconfiguration (SLAAC) to Flash-Renumbering Events":

   In scenarios where network configuration information related to IPv6
   prefixes becomes invalid without any explicit and reliable signaling
   of that condition (such as when a Customer Edge router crashes and
   reboots without knowledge of the previously employed prefixes), hosts
   on the local network may continue using stale prefixes for an
   unacceptably long time (on the order of several days), thus resulting
   in connectivity problems.  This document describes this issue and
   discusses operational workarounds that may help to improve network
   robustness.  Additionally, it highlights areas where further work may
   be needed.
* https://datatracker.ietf.org/doc/html/rfc8978


"will not provide a stable prefix"

This is pretty horrific. You could investigate ULA which is a bit like RFC1918 addresses for IPv6. You could attach ULA addresses to a few devices such as a local DNS server, printers and the like.

NPT would enable you to route your ULA addressed gear to the internets if they don't have a globally routable address.


> NPT would enable you to route your ULA addressed gear to the internets if they don't have a globally routable address.

One convenient thing about ULA+NPTv6 is that, unlike IPv4 NAT, an external IPv6 address is basically 1:1 'equivalent' to an internal IPv6 address. The NPTv6 is stateless so that, firewall rules allowing, a connection can come right in without all sorts of contortions for port mapping.

Most (residential) gateways by default block incoming requests unless they're a reply to a previous outgoing connection. I know I can ping6 the iMac I'm typing this on, but attempts to (e.g.) SSH in are blocked by default.


To spell that out a bit more - a ULA to NPT address is IP based and not port based and is way more useful.

When you do an IPv4 "pinhole" port map you get precisely one mapping and it will timeout eventually, which can lead to all sorts of exciting debugging opportunities.

IPv4 does have 1:1 NAT but there are so few IPs so whilst I have a /24, 2 x /28 and 2 x /29 to play with and others, I doubt most do.

NPTv6 maps an entire address space from A->B and is actually not designed to deal with NATv4 anyway. It is for outbound connections.
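As an added illustration (not code from the thread or from any router mentioned in it), here is the stateless A->B prefix mapping the two comments above describe, in Python, including the checksum-neutral subnet adjustment that RFC 6296 specifies for /48 prefixes; the ULA prefix, the host addresses and the class name Npt48 are constructed for the example, and the external /48 is the 2001:db8:1234::/48 another commenter uses further down.

```python
import ipaddress

# Constructed prefixes: a ULA inside the LAN and the /48 a commenter in this
# thread assumes is delegated by the ISP.
INTERNAL = "fd12:3456:789a::/48"
EXTERNAL = "2001:db8:1234::/48"


def ones_sum(words):
    """16-bit one's complement sum with end-around carry (result 0..0xFFFF)."""
    total = 0
    for w in words:
        total += w
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ones_neg(x):
    """One's complement negation of a 16-bit word."""
    return (~x) & 0xFFFF


def to_words(addr):
    """Split an IPv6 address into its eight 16-bit words."""
    packed = ipaddress.IPv6Address(addr).packed
    return [int.from_bytes(packed[i:i + 2], "big") for i in range(0, 16, 2)]


def from_words(words):
    """Rebuild an IPv6 address string from eight 16-bit words."""
    return str(ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in words)))


class Npt48:
    """Stateless 1:1 prefix translation between two /48s (hypothetical helper).

    Assumption: this follows the RFC 6296 scheme for /48 prefixes as I read it
    (the same thing the Linux ip6t_NPT target does): the prefix is swapped and
    the subnet word (bits 48..63) is adjusted so the one's complement sum of the
    address, and with it every transport checksum computed over the IPv6
    pseudo-header, is unchanged. No per-connection state is kept.
    """

    def __init__(self, internal_prefix, external_prefix):
        self.inside = ipaddress.IPv6Network(internal_prefix)
        self.outside = ipaddress.IPv6Network(external_prefix)
        if self.inside.prefixlen != 48 or self.outside.prefixlen != 48:
            raise ValueError("this example only handles /48 prefixes")
        self.in_words = to_words(str(self.inside.network_address))[:3]
        self.out_words = to_words(str(self.outside.network_address))[:3]

    def _translate(self, addr, src_net, src_words, dst_words):
        if ipaddress.IPv6Address(addr) not in src_net:
            raise ValueError(f"{addr} is not inside {src_net}")
        words = to_words(addr)
        # adjustment = sum(old prefix) - sum(new prefix), in one's complement
        adjustment = ones_sum([ones_sum(src_words), ones_neg(ones_sum(dst_words))])
        subnet = ones_sum([words[3], adjustment])
        if subnet == 0xFFFF:  # negative zero: written as 0x0000, same checksum
            subnet = 0x0000
        return from_words(dst_words + [subnet] + words[4:])

    def outbound(self, addr):
        """LAN (internal) address -> WAN (external) address."""
        return self._translate(addr, self.inside, self.in_words, self.out_words)

    def inbound(self, addr):
        """WAN (external) address -> LAN (internal) address."""
        return self._translate(addr, self.outside, self.out_words, self.in_words)


def checksum_neutral(addr_a, addr_b):
    """True when both addresses contribute the same one's complement sum."""
    return ones_sum(to_words(addr_a)) % 0xFFFF == ones_sum(to_words(addr_b)) % 0xFFFF


if __name__ == "__main__":
    npt = Npt48(INTERNAL, EXTERNAL)
    host = "fd12:3456:789a:1::1"  # constructed LAN host
    out = npt.outbound(host)
    print(f"{host} -> {out} (checksum neutral: {checksum_neutral(host, out)})")
    print(f"{out} -> {npt.inbound(out)}")
```

Note that the external address keeps the interface identifier but not the subnet number (fd12:3456:789a:1::1 becomes 2001:db8:1234:6a17::1), so the mapping is 1:1 and reversible without being a plain string substitution.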


> To spell that out a bit more - a ULA to NPT address is IP based and not port based and is way more useful.

This is implementation specific: on my Asus I can specify to allow in all ports via an NPTv6-ULA hole, a port range, or even a single port.

If I want to only allow tcp/25 in to a particular IP I can do that, if I want 5900-5910 I can do that too, as well as 1-65535.


Well it sounds like your ASUS needs a damn good kicking!

A router moves packets from A->B and a firewall defines what is allowed from A->B.

ULA to NPT is router stuff: NPT literally means "Network Prefix Translation" it turns all your IPv6 addresses into a normalised one and shifts them.

We are not talking about ports or protocols yet, just (IP) addresses.


> Well it sounds like your ASUS needs a damn good kicking!

Why? This is exactly how I want it to work: pass through only the ports (or all the ports) I want/need for the service in question.


It might be that your ASUS is combining two things into one UI for convenience. Mapping one IPv6 prefix on the WAN to another on the LAN is one thing. Allowing traffic to a particular IP:port to cross from WAN to LAN is another. They're independent, though of course both are needed for the overall high-level task of "allow my LAN server to be reachable to the internet", so it makes sense to have a UI that does both things under the hood.


You don't really need NPT. I'm on XFinity as well and I just have GUA from them and then my own set of ULA addresses.

If Xfinity changes the /60 they're giving me it doesn't change anything internally - because my internal names all use the ULA - and the GUA just gets used to get to the Internet.


As I understand it, the idea is to use many addresses per host. I.e. you don't need to use same addresses for internal networking as global networking.


I thought best practice for IPv6 is to essentially ‘ignore’ IP addresses as each NIC can have multiple addresses + the extended length making it unwieldy. Instead you either use a combination of zeroconf / Bonjour for DNS registration / service discovery + stateless IP address assignment (SLAAC). If you want full control you can use DHCPv6 which can register hosts on a proper DNS service.


Is SLAAC still used? I thought it used EUI-64 assignments which leaks MAC addresses which is supposed to be a problem for some reason.


SLAAC is a core component of IPv6 - it's how a machine determines an address on a subnet without DHCPv6. Basically:

"yoohoo - where am I?"

"You are on 2001:1001:1001:f0d::/64. My name is [ipv6] and I am a router and for some odd reason, I won't tell you where DNS comes from because ... stupid design"

"Cool, I'll fiddle in my drawers and play with my MAC address and create a really long number that starts 2001:etc. I'll also create a few other addresses randomly to hide my private parts (which is a waste of time but looks good - lol)"

No idea what you are on about wrt EUI-64 being tied to SLAAC. Why not have a go at it instead of pontificating?

Having used IPv6 in anger for several years now, it is a bit different but it is actually quite beautiful at times. It does enforce decent DNS and who here has not said "it's DNS"?


I've set up SLAAC before but it's not something I do often. Frankly I'm still on the fence of whether or not v6 was a good idea. Fiddling in the drawers with the MAC address is EUI-64 though, and I was under the impression that the SLAAC "client" doesn't broadcast any kind of discovery message - it just listens to the network to determine the prefix, and then generates the EUI-64 portion as its host address since it should be globally unique as it's based on its MAC address.

Like I said, I don't touch v6 much and I'm pretty surprised at how far we've made it past v4 allocations drying up and everything still seems to work.


You'll be fine for a long time. IPv6 is not quite right but not for the reasons that you'll usually see on HN/Reddit/whatevs.

It does work pretty well already but I put it rather below the significance of say global warming as a thing to really worry about.

Give it a go if you get a prefix from your ISP. It's worth a play.

This sort of thing takes 50+ years to work. You have to think like an Engineer with a lot of time to play with. The internet is everywhere, it doesn't change overnight.


> I thought it used EUI-64 assignments which leaks MAC addresses which is supposed to be a problem for some reason.

You're about a decade (2007) behind the times:

   Nodes use IPv6 stateless address autoconfiguration to generate
   addresses using a combination of locally available information and
   information advertised by routers.  Addresses are formed by combining
   network prefixes with an interface identifier.  On an interface that
   contains an embedded IEEE Identifier, the interface identifier is
   typically derived from it.  On other interface types, the interface
   identifier is generated through other means, for example, via random
   number generation.  This document describes an extension to IPv6
   stateless address autoconfiguration for interfaces whose interface
   identifier is derived from an IEEE identifier.  Use of the extension
   causes nodes to generate global scope addresses from interface
   identifiers that change over time, even in cases where the interface
   contains an embedded IEEE identifier.  Changing the interface
   identifier (and the global scope addresses generated from it) over
   time makes it more difficult for eavesdroppers and other information
   collectors to identify when different addresses used in different
   transactions actually correspond to the same node.
* https://datatracker.ietf.org/doc/html/rfc4941

   This document describes an extension to IPv6 Stateless Address
   Autoconfiguration that causes hosts to generate temporary addresses
   with randomized interface identifiers for each prefix advertised with
   autoconfiguration enabled.  Changing addresses over time limits the
   window of time during which eavesdroppers and other information
   collectors may trivially perform address-based network-activity
   correlation when the same address is employed for multiple
   transactions by the same host.  Additionally, it reduces the window
   of exposure of a host as being accessible via an address that becomes
   revealed as a result of active communication.  This document
   obsoletes RFC 4941.
* https://datatracker.ietf.org/doc/html/rfc8981

* https://en.wikipedia.org/wiki/IPv6_address#Stateless_address...


Same but worse with Verizon's FiOS: No ipv6 at all.


Iirc FIOS in at least my area is getting v6 this year


I use OPNsense router, ULAs for my devices that need a static local ip. I also host many services over ipv6 with dynamic prefixes by using a DDNS client that scans for ipv6 prefix changes and updates my dns. OPNsense can automatically adjust firewall rules as prefix changes, but your hosted services cannot use ipv6 "privacy addresses".

For local lan services I make a dns entry in my router pointing to the ULA. I have had no issues but it took awhile to figure everything out. I host matrix chat and many other services using ipv6 without issues. YMMV.


Your internal networking should not be affected when you use ULA - those won't change, and IPv6 devices tend to have multiple IPv6. Yes, it won't allow you to address your internal nodes from the external network, but that is something that you didn't have with IPv4+NAT either.


How does it work with peering/VPN?


> Which will probably be never.

Wouldn't this be like static bluetooth IDs, where you could be tracked wherever you go? I imagine that's a rare desire, amongst the internet population.

I could see requesting static IPs for particular devices, like you used to be able to do.


I'm not sure what the best current practices are for mobile, but for residential/business/etc., the most convenient behavior would be for the delegated prefix to be static unless it is requested to be changed. That tends to be the case already with ISPs who grant public IPv4 to customers - it's DHCP whose lease stays the same unless you forcibly change your MAC address or let the lease expire via turning off your modem, and so on.

Talking about IPv4 with NAT, a "consumer" with zero server-hosting needs could get away with a changing public IP. Someone with any kind of server needs, like hosting their own Internet-accessible IoT portal, personal VPN, website, game server, etc. would want a stable public IP address.

Yeah, that may lead to tracking, but it's the status quo, I suppose is the point.

In case it isn't known, IPv6 has so many addresses and is designed in such a way, that it is expected each "network" (think home network) would be given a network prefix of 56 or 60 bits. The "host" portion of an IPv6 address is the final 64 bits of the address. Therefore, each network an ISP issues to a client should have room for something between 16 and 256 subnetworks, each with effectively unlimited client address space.


Spectrum gives me /128. So I guess I can say they can give me a stable prefix.


The /128 is what your router gets. After that your router would request a delegated prefix to serve to the LAN, which would be a /64 or bigger. Casual internet search says Spectrum supports delegating /56's.


Even when I request a larger prefix, Spectrum gives me a /128


A delegated prefix cannot be smaller than a /64 so no, that's not possible.

If you only see one /128 as the IP of your router's WAN interface and nothing else, then that is the /128 assigned to your router by DHCP and nothing to do with prefix delegation.


Yes, a /64 comes in. But the first IPv6 address I use in a prefix, that is the only one that they ever seem to accept traffic for. So functionally, it's a /128.


For your privacy you should be thankful that they do not provide a stable prefix.


For anyone wanting to host a service at their home, you should be regretful not getting a stable prefix.

Ideally there would be a way to request a new one programmatically, akin to getting a new IPv4 address via DHCP if you change the MAC address.


Dynamic DNS is a thing.


Doesn’t beat a static IP.


Well yes and no.

It is rather sad that the internet that we have, what 50-70 odd years post invention is so stifled with nonsense about addressing schemes and that.

You seem to use the term "static IP" as a talisman. I have zillions (possibly gazillions) of them on IPv6 and roughly a few 100 or 1000 on IPv4 (I own an IT company).

Dynamic DNS is a thing, so is ULA for IPv6 which looks quite like IPv4 RFC1918.

We have the tools but you do have to use them.


Try connecting to your service on a dynamic IP after it has changed and for whatever reason your dynamic DNS update has failed. Or your DNS server of choice has failed (even Google and Cloudflare have had DNS outages). Or your domain has expired/been unceremoniously deregistered from you without warning. All these have happened. And they tend to happen when you need access the most.


"Try connecting to your service on a dynamic IP after it has changed and for whatever reason your dynamic DNS update has failed."

Compared to a PPP session with an ISP, dynamic DNS is a walk in the park and you can have multiple ones if it is that important. You could even have a mobile phone SMS an IP out.

DNS is seriously resilient to outages. Yes CF, Goog n co have all had outages but the beauty of DNS (and a pain at times if mismanaged) is TTL. Don't set all your records with a TTL of 300. I run quite a few DNS servers - Windows, BIND, PowerDNS and others, not to mention rather a lot of unbound and dnsmasq resolver/forwarder thingies.

Evaluate your requirements, evaluate the resiliency and functionality of the available technologies, evaluate your own skills and take appropriate action ... for you. That works at home just as well as at work.

You may find that you are running your own DNS server (or three) ...


Sounds like a lot of work and a lot more failure points than just having a static IP.


"Stateful packet filtering can provide the same level of security for IPv6"

The keyword here is "can". The difference here is this: if your NAT is not configured properly, your network is not accessible, nothing works, the problem is obvious, and is going to be fixed ASAP. If your stateful firewall is not configured properly, everything works fine, except that your network is visible from places it wasn't supposed to be. It requires some dedicated checks to verify.

So, the problem with NAT vs firewall security is not technical, it is psychological (but no less dangerous): when you have a working (but insecure) system by default, it is easy to miss the hardening step. The consequences can be catastrophic.


See also "IPv6 Multihoming without Network Address Translation":

   Network Address and Port Translation (NAPT) works well for conserving
   global addresses and addressing multihoming requirements because an
   IPv4 NAPT router implements three functions: source address
   selection, next-hop resolution, and (optionally) DNS resolution.  For
   IPv6 hosts, one approach could be the use of IPv6-to-IPv6 Network
   Prefix Translation (NPTv6).  However, NAT and NPTv6 should be
   avoided, if at all possible, to permit transparent end-to-end
   connectivity.  In this document, we analyze the use cases of
   multihoming.  We also describe functional requirements and possible
   solutions for multihoming without the use of NAT in IPv6 for hosts
   and small IPv6 networks that would otherwise be unable to meet
   minimum IPv6-allocation criteria.  We conclude that DHCPv6-based
   solutions are suitable to solve the multihoming issues described in
   this document, but NPTv6 may be required as an intermediate solution.
* https://datatracker.ietf.org/doc/html/rfc7157


hot take of the day: NAT is (mostly) a shitty idea. we can give everything a WAN ipv6 and a private LAN address. devices should maintain their own firewalls and if defense in depth is required, the router should maintain a firewall that blocks incoming by default but still give everything its own address.


I agree that NATv6 is a bad idea, but imo we need firewalls on the router. Because on paper an endpoint firewall is a good idea, because you take that with you even when you change the network, but...

then there is the Windows firewall:

- Applications that punch their own holes, like steam

- Windows which grants itself inbound exceptions and reenables them if you disable them

- A non-standard filtering order (deny is always before allow, not in order)

And then there are all those born in the 80s people that were told on LAN parties to "just disable the Windows firewall" and kept doing so.


> And then there are all those born in the 80s people that were told on LAN parties to "just disable the Windows firewall" and kept doing so.

You caught me. I think a firewall on the router is absolutely essential regardless of NAT scenarios.

With the understanding that you have an entire generation of computer users who equate that internet box with some degree of safety, you will find less friction with some tweak to that experience. You can still call it "port forwarding", block all inbound by default, and keep most of the same UX.

I personally like to operate my home network like a DMZ. Being able to reach any computer from any other without screwing around with networking is very convenient to me. I operate with an all-or-nothing trust model on my LAN. Having some centralized firewall helps a lot with this.


i would like to know why anyone would disagree with the parent comment.


Firewalls are only necessary for OSes that open ports without good reasons and without good controls. In other words, your reaction is justified if you think Windows is normal and an example of how things should be.

The rest of the world, though, knows that you don't just randomly open ports without good reason and without ways to turn off services.


> The rest of the world, though, knows that you don't just randomly open ports without good reason and without ways to turn off services.

Perhaps you should inform the IoT community.


> devices should maintain their own firewalls

This is insane. I don't want to have to learn, document, configure, and patch a different firewall on every internet connected device I own. That's a total nightmare. Computers can have their firewalls managed at the domain level. How is that supposed to work for bluray players, game consoles, light bulbs, phones, echo devices, door cams, thermostats, and kitchen appliances?

Nope. At a minimum everyone should have a stateful firewall at their edge making their devices impossible to reach/scan from the internet at large. Home routers that defaulted to using NAT made that dead simple.

On the rare occasion you really need something open to the entire internet it can sit in your DMZ. If I ever do make the move to using IPv6 on my network I'll likely continue to use NAT.


do you have to "learn, document, configure, and patch" a firewall on ur home router? most ppl just plug it in bc it's configured to work.


Yes? My configuration isn't complex enough at home to require my own documentation, but I absolutely had to read what the manufacturer provided, configure the firewall for my needs, and update the firmware. I don't think anyone should just throw a router in front of their network and think "This will just work!" - I mean, it might "work", but what is it leaving open? What is it logging? Who can access it?

Home routers have gotten pretty good about sane defaults these days, but at a minimum I'd be disabling UPnP and looking over what those defaults are before trusting it to protect my network.


which is literally the same situation as if you had a device local firewall? sensible defaults and you learn to configure for stuff you want to change.


Except that I have to check defaults and configure my home router once and I'm done (for a while at least). If every single device on my network had its own firewall, each with their own settings, capabilities, and defaults, I'd have to configure and check the defaults for every device on my network.

You could argue that having one edge device running a checked and configured firewall means that you don't have to worry about the firewalls installed on every other device on the network, but anyone who has networking experience will know better. Problems are bound to come up on the internal network if nothing else and troubleshooting issues becomes a lot more complicated!

Also, if we're counting on every IoT product to come with its own embedded firewall you can be sure many of those are going to be so poorly thrown together that they introduce more security problems than they solve. This is a class of products that has earned a horrible reputation in terms of security.


Like I have said in another thread, if you misconfigure a firewall, the network usually works, but not secure. If you misconfigure a NAT, nothing works, and your error is clearly visible.

I don't see a way to fix this (and configuration errors are common).


Fix it with user experience.

Routers should have dashboards that give easy status of firewall configuration ala Windows firewall: Green for no inbound rules (or whitelisted rules) and yellow/red for non-checked rules.

Routers could even have LEDs or status displays like some higher end Ubiquiti prosumer products have, showing firewall status.

Routers could have a user-accessible API and Windows client that shows status on a taskbar item.

The technical solutions are there, but I don't have faith ASUS and co will build a competent product.


The technical solutions will not work, as there are many, many possibilities to make a mistake. Misleading router UI, copying the configuration from somewhere else and forgetting to update it, moving a computer to another network, just forgetting to enable a firewall (in many cases it is impossible to set up a IPv4 network without a NAT precisely because IPv4 addresses are rare — but it is perfectly possible to do it with IPv6, and it will be insecure by default).

Secure systems are robust against user mistakes (and even middlemen mistakes). A NAT is one such system. Alternatives do not work like that.


> The technical solutions are there, but I don't have faith ASUS and co will build a competent product.

The last time I was looking for a home router I specifically went for Asus because their default firmware is pretty good, and third-party options are available:

* https://www.asuswrt-merlin.net/features

Currently running an RT-AC68U.


While I mostly agree, there's definitely the issue of readdressing if your ISP changes your IPv6 prefix. In NATted IPv4, you can maintain your own eternally consistent internal address scheme, regardless of what's going on "outside". But in IPv6, if your dynamic IP changes, all your devices get new addresses. I can definitely see the value in creating a stable internal address layout on IPv6, as this article says.

Of course, I have no idea how often an ISP actually changes your IPv6 prefix. In an ideal world, it'd never change...


The article's main topic is on NPTv6, which would supersede NAT as the tool for maintaining internal addressing.


Yeah, that's what I'm saying :) I thought the parent comment was saying that NAT was bad and NPTv6 was bad, but maybe I was mistaken.


ULAs at least solve this problem for all networking that doesn't have to be internet facing


People change ISPs....


For sure, but that's a predictable event that you can plan for and get ready to renumber your network / handle the renumbering.

A dynamic IP change can just happen without much warning, and enjoy possibly spending an hour befuddled before you realize what happened.


Something I'm a bit fuzzy on, but can WAN/LAN address separation be done without NAT? I think it can, but if it can't that seems like a good argument in favor of keeping some form of NAT even for IPv6. While it definitely shouldn't be the only defense, I think it is a reasonable layer of defense for home networking.


Depends on what you mean by "separation". My LAN devices have IPv6 addresses that would be reachable from the WAN if my router's firewall didn't block incoming packets to those addresses. For some of those devices that host public services, I enable traffic just for the relevant protocol and port to their IP, instead of bothering with port forwarding.


This answer is what every argument about IPv6 and NAT boils down to: they say "NAT" but really mean "firewall". In my opinion, using NAT for IPv6 networks is just a false sense of security to make you think LAN nodes are more protected because their address numbers look different, when all you're really trying to say is "don't route to this node from outside".


why would it be a 'false' sense of security if it's not exposed? I don't seem to get it as 'security through obscurity' at all. sincere question, I'm not a network guy.


I'm not a networking guy. Do you think that approach would work for a device behind CG-NAT? (i.e. route the IPv6 address over the WAN, rather than port forwarding; which I can't do because of the CG-NAT)


You mean you have CGNAT for IPv4 but a publicly routable IPv6 delegated subnet? If so, sure, what I wrote depends only on the IPv6 delegated subnet. How you get your IPv4 address is not relevant to it.

What I'm saying is that if you can get, say, 2001:db8:1234::/48 delegated to your router, then:

1. You would configure your LAN to have the subnet 2001:db8:1234:1::/64

2. You would configure the webserver on your LAN to have a static IP like 2001:db8:1234:1::1

3. You would add a firewall rule in your router on the WAN interface to allow incoming TCP traffic with destination [2001:db8:1234:1::1]:443. This rule would have higher precedence than the default rule that blocks all incoming traffic.

At this point, anyone in the world who attempts to reach 2001:db8:1234:1::1 will reach your ISP, which will route it to your router's WAN interface (because the ISP delegated the prefix to your router), which will allow the packet to cross from WAN to LAN because of the firewall rule, which will then route it to your webserver.
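The three-step setup above, modelled as an added example (not code from the thread or from any router it mentions): a first-match evaluator with the commenter's WAN-side rules, plus the kind of exposure check an earlier commenter says a stateful firewall needs because, unlike NAT, a misconfigured one still "works". The Packet and Rule classes, the second LAN host and the over-permissive ruleset are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Addresses from the thread's example: a /64 LAN and the web server in it.
LAN = "2001:db8:1234:1::/64"
WEB = "2001:db8:1234:1::1"
# Constructed second LAN host that offers no public service.
NAS = "2001:db8:1234:1::2"


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp" or "udp"
    dst: str                   # destination address (a LAN host)
    dport: int
    established: bool = False  # reply to a connection the LAN side opened


@dataclass(frozen=True)
class Rule:
    action: str                  # "accept" or "drop"
    proto: str = "any"
    dst: str = "::/0"            # destination prefix the rule applies to
    dport: Optional[int] = None  # None means any port
    established: bool = False    # match only traffic of existing connections

    def matches(self, pkt):
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ipaddress.IPv6Address(pkt.dst) not in ipaddress.IPv6Network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.established and not pkt.established:
            return False
        return True


def evaluate(rules, pkt):
    """First match wins, which is what 'higher precedence' means above."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "drop"  # implicit default when nothing matched


# The policy from the thread, applied to packets arriving on the WAN interface.
GOOD_RULES = [
    Rule("accept", established=True),                         # replies to LAN flows
    Rule("accept", proto="tcp", dst=WEB + "/128", dport=443),  # step 3
    Rule("drop"),                                             # block all incoming
]

# Constructed mistake: a blanket LAN allow left in above the default drop.
# Every LAN device keeps working exactly as before, so nothing flags it.
BAD_RULES = [
    Rule("accept", established=True),
    Rule("accept", dst=LAN),
    Rule("accept", proto="tcp", dst=WEB + "/128", dport=443),
    Rule("drop"),
]


def exposed(rules, hosts, ports):
    """Exposure audit: which (host, port) pairs accept unsolicited inbound TCP?"""
    return sorted((host, port) for host in hosts for port in ports
                  if evaluate(rules, Packet("tcp", host, port)) == "accept")


if __name__ == "__main__":
    hosts, ports = [WEB, NAS], [22, 443, 3389]
    print("intended policy exposes:", exposed(GOOD_RULES, hosts, ports))
    print("misconfigured policy exposes:", exposed(BAD_RULES, hosts, ports))
```

Both rulesets pass ordinary LAN-initiated traffic, so only the audit (or an external port scan of your own prefix) reveals the difference.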


Of course. You use a firewall. Thinking of NAT as a firewall is a common misunderstanding. With IPv6 you will still want a firewall, which is often built into your external gateway/router.


My work network has a /64 for WAN (yes quite a lot of addresses for a point to point link) and a /48 for "internal use". So WAN is merely a few billion IPs and VLANS - gazillions of IPs. OK we also have six other WANs and allocations but that is another story.

We have no need for NAT in the traditional IPv4 sense but NPT is handy for failover and that is why it was invented because IPv6's design lacked one crucial thing: telling the clients which internets are available so they can select which local address to start out from.

Perhaps everyone should run BFD(v6) by default.


> My work network has a /64 for WAN (yes quite a lot of addresses for a point to point link) […]

Technical footnote: /127 addresses are supported (and were a thing for a short while) on inter-router links:

* https://datatracker.ietf.org/doc/html/rfc6164

Technical technical footnote: you can just use link-local addresses for inter-router links because all the router cares about is the next-hop, and you don't need a globally routable address for that.

   In an IPv6 network, it is possible to use only link-local addresses
   on infrastructure links between routers.  This document discusses the
   advantages and disadvantages of this approach to facilitate the
   decision process for a given network.
* https://datatracker.ietf.org/doc/html/rfc7404


"Technical footnote: /127 addresses are supported"

Yes they are but I want a shit load of stuff on my WAN available to the world and I don't want to piss around with NAT n that.

The IPv6 address-space is big enough to deal with PtP links. It doesn't really matter. You could do a /127 for WAN and then I allocate a /64 from my /48 for WAN. Or you could use a recent RFC that enables a /64 or smaller to be used for WAN without a separate allocation.


"NAT as security" can be reframed.

Instead of a router coming default with NO access control/firewall, and inbound connections being denied by the technical impossibility of addressing an inbound Internet packet to a private address, the industry should shift to "default ACL of allow all outbound, allow none inbound" and then have users craft inbound firewall rules as needed.


> and then have users craft inbound firewall rules as needed

Try explaining that to non-techies. There's a reason UPnP exists.

We would ideally want something like NAT hole punching but more standardized.


> I think it is a reasonable layer of defense for home networking.

Let's say Amazon won't deliver to your apartment number, just a central point at your apartment.

- This is like thinking you can stop locking your door because your apartment number isn't public information.

- It would be better if your apartment had a direct public address so you could get packages to your doorstep instead of having them wait in some common area.

- Most people take regular, obsessive trips to application-level exchanges like "Facebook" to interact with others and are fine with it. Hopefully everything you ever want to do is OK with Facebook.


>Something I'm a bit fuzzy on, but can WAN/LAN address separation be done without NAT?

Yes, it can. I used to work in a place that had so many public IPv4 addresses that they were using them for laptops and workstations. With a good firewall configuration it is certainly possible.

However I agree with you that IPv6 NAT may be useful still.


The IPv6 answer is Network Prefix Translation, the article has more details on what it does.


I ran into the oddest thing after switching ISPs. IPv6 kept dropping out with my devices and I traced it back to the LAN side of my router accepting router advertisements from inside my network. Easy enough to fix, I flipped the flag to not accept router advertisements on the LAN interface.

The weird part is that I traced the router advertisements as coming from an old Google Chromecast. It was advertising the prefixes of my old ISP. Bug or intended? If the latter, why?


The lack of adoption of IPv6 over so many years, it makes me think that they should just have slapped a couple extra address bytes on IPv4 and call it a day.


But that's basically what IPv6 is. Regardless of whether two bytes, twelve bytes, or twenty bytes are added to an IPv4 address, the complexity of implementation mostly remains the same.

