Support for IPv6
(backblaze.com)113 points by HieronymusBosch 18 hours ago
113 points by HieronymusBosch 18 hours ago
Indeed, but also not everyone gets the payoff that GP did. We did IPv6 only and abandoned it after a while because there were some show-stoppers in our cloud provider that didn't work (at the time, this was a few years ago). It ended up being a good investment in the two people spearheading the work, but otherwise was a waste of time/money.
Same applies for directory services, configuration management, etc. Eating vegetables
No translation, no subnet allocation issue (because no scarcity), global reachability from everybody to everybody (as internet was meant to be), no overlap (because no RFC1918)
The world is much easier when everybody has its own identity.
I'm not the OP, but I expect VPNs are easier to manage because you don't have to worry about slicing up the very, very limited IPv4 non-public space and puzzling out how to resolve addressing collisions between all of the various networks you have to manage. With IPv6 you can just calculate a /48 ULA prefix and allocate /64s for your VPNs (and every other internal network) out of that. If ever you run out of room, just calculate another /48 and carry on... easy!
Outstanding. As Google’s IPv6 traffic portion approaches 50% (https://www.google.com/intl/en/ipv6/statistics.html) it’s clear IPv6 is here, now, today. I wouldn’t dream of launching a new public-facing greenfield project without it.
Nothing's realistically dropping support for v4 any time soon, so v6 support is optional. On the other hand, we're far, far away from all users supporting v6, so v4 support is not optional.
Running a single IP stack is infinitely simpler and easier than running two concurrently, and until that "single IP stack" can be v6, I see very little reason to support it.
Fun fact: US government agencies are required to progressively migrate to IPv6-only environment, beginning with completing at least one pilot of IPv6-only system by FY 2021: https://www.whitehouse.gov/wp-content/uploads/2020/11/M-21-0.... Apparently, National Archives decided to pick archived Clinton White House website for this: https://clintonwhitehouse1.archives.gov/
I didn't recommend dropping IPv4. It's a terrible it to start a new project in 2024 without IPv6 support though. It's easy enough to build in from the beginning that there's not any real reason not to go for it.
And running a dual stack is trivially easy for almost everyone using it. That chart has almost half of Google's users coming in via IPv6. I promise you less than 1% of that 50% have ever even heard of IPv6, let alone done a single thing to configure it. With my ISP I'd have to go out of my way to turn it off, which I haven't done because this isn't 2008 where it broke things more often than never.
> It's a terrible it to start a new project in 2024 without IPv6 support though.
Why? Radical complexity reduction at essentially no cost to yourself or your customers seems like a tempting proposition.
Depends on your users; there are, for instance, plenty of phones that only natively have v6 and have to use NAT64 to reach v4 websites. So if you have such users, there might be a benefit to supporting v6 directly.
> Nothing's realistically dropping support for v4 any time soon […]
Or potentially ever, as predicted when IPng was being originally thought about:
We believe that it is not possible to have a "flag-day" form of
transition in which all hosts and routers must change over at
once. The size, complexity, and distributed administration of the
Internet make such a cutover impossible.
Rather, IPng will need to co-exist with IPv4 for some period of
time. There are a number of ways to achieve this co-existence
such as requiring hosts to support two stacks, converting between
protocols, or using backward compatible extensions to IPv4. Each
scheme has its strengths and weaknesses, which have to be weighed.
Furthermore, we note that, in all probability, there will be IPv4
hosts on the Internet effectively forever. IPng must provide
mechanisms to allow these hosts to communicate, even after IPng
has become the dominant network layer protocol in the Internet.
* https://datatracker.ietf.org/doc/html/rfc1726#section-5.5IMO the separate-stack nature of ipv6 was a mistake. I can see why they did it, but the changes could've been a lot more incremental otherwise, and we might've been done already. Everyone talks about the biggest change being the 128-bit address space, but the real leap is that pre-existing ipv4 blocks weren't preserved in ipv6.
The changes couldn’t have been more incremental. Routing hardware only understood the IPv4 header (and at that time I believe a lot of this was baked in silicon). There was no way to create an IPv4+ without needing to replace all the internet’s routers before it could reliably work.
How would have it made it easier to migrate when all of the new blocks wouldn’t be accessible (in either direction) if the traffic passed through any router that hadn’t yet been upgraded? Nobody could really use any of the extended space at all until every single router had been upgraded to this IPv4+.
It is a common misunderstanding (I hear “we could have just made IPv4 bigger” a lot) but apart from the routing issues above (needing to replace every router before it could work at all), the endpoints are also a problem. Nothing in the expanded space could actually call out to a legacy IPv4 endpoint - it could sent packets to it, but that legacy host wouldn’t be able to return packets back since it wouldn’t understand the larger address. And of course the legacy endpoint couldn’t initiate a connection to anything in the extended space either from its side.
So you not only have all the same problems of IPv6 (like needing to upgrade everything), you actually add a bunch of problems of breaking the ability of big parts of the internet from being able to communicate with the rest.
Dual-stack was necessary because everything couldn’t be switched over on the same day. If everything was upgraded at once, your extended-IPv4 idea would work, but otherwise it would break the internet!
IPv4 at the edge and call it a day.
Why build today with deprecated technology ? Build your infra v6-only, add a layer at the edge to support old clients via IPv4. Job's done.
You should design your infrastructure to avoid paying too much for other people's legacy.
I personally push for IPv6-only internal networks whenever possible, and have deployed several such designs in datacenters.
Unfortunately, a lot of applications are building on platforms where IPv6 is an afterthought if even present at all. Take for example Azure, where IPv6 support is a fucking joke. From core services like Route Server not supporting it, to it being impossible to build v6-only networks due to forced v4 subnet and vNIC requirements, to many services that Microsoft provides only running on v4.
As much as I want to push IPv6 everywhere, that physically cannot happen until companies support it for all use cases. In the mean time dual stacking can be better than nothing but the complexity is non-trivial when the alternative is just running straight v4...
I'm on a laptop on an ipv6 only subnet at the moment which mostly does the job with dn64/nat64.
The only benefit of this is to increase familiarity with ipv6. I'm trying to push some colleagues to do an ipv6 only section of our network which has limited interconnect, but there's a lot of concern about devices that still don't support ipv6, and ultimately what's the business reason to do it compared with subnetting 10.0/8 and natting at your firewalls
IPv4 stuff is accessible over IPv6. It's just the other way around that is not the case.
Not by default it’s not. An ipv6-only deployment cannot natively access an ipv4 network, there is no backwards comparability in the protocol.
I'm pretty sure we're discussing about connecting to the Internet.
What I understood is being implied is that ipv6 has little utility if it cannot access ipv4, but is not the case the other way around.
The fact that a company like monopolistic, abusive, privacy invading company like Google that desperately desperately wants me to run ipv6, ensures that I will disable it on every device I own and corporate network I run.
This is like boycotting 5G cell phones because you don't like Verizon.
>They want you to run IPv4 too.
Exactly.
I'd expect that they don't much care which version of IP you use, as long as they can show you ads -- which is their business model after all.
I… think that at the end of the day, Google wants you to run v6.
Google competes with Facebook. Facebook wants sites to host Facebook Pages and such, which needs no IP addresses. Google wants lots of websites and other services on an open web, to which it can sell lots of ads, and for which it can run a good search engine that again brings in lots of opportunities. A lack of IP addresses isn't a problem for Facebook, but it is one for people who want to host new web sites and other services. And therefore Google wants to alleviate that problem, with which IPv6 can help.
You've perhaps seen the Onion article whose headline goes something like "Heartbreaking: The Worst Man You Know Just Made An Excellent Point"?
You're simply kneecapping yourself if you refuse to learn how to acknowledge and incorporate good ideas that happened to be uttered by execrable entities.
Excellent logic! Hitler drank water and, if you had the chance to ask him, he would have likely suggested you also drink water. Does that mean you won't drink water now?
If Hitler was pushing a new kind of water which he argued was superior to the old water you've been drinking all your life, maybe some skepticism would be warranted?
I'm not saying that "I will disable v6 because Google wants me to enable v6" is a good argument, but your rebuttal is pretty bad as well.
Calm down. Please try to make your point less flamboyantly.
I am running as many IPv6 only services as I can. All MY core services that I use daily are v6 only. At the end of 2024 i am still shocked to see how much new software does not work without ipv4. My most recent struggle was with Seq - the opentelemetry server for example. It is full of new software created in the recent few years that just refuses to work without ipv4. And not because it need to reach some server on the internet. It just does not work if you do not have ipv4 (even private).
>Why make so much trouble for yourself?
I'm not sure what you mean by that. I'm not GP, but I actually have to do more work to disable IPv6 on my systems than to use a dual stack.
As such, please explain what you mean by making "so much trouble for yourself."
This seems as good a place to ask as any: how does one obtain a (larger) block of IPv6 not via their ISP/datacenter and then route it (to a network they control) through their ISP/datacenter-provided IPv6 uplink? Is that even possible?
You get yourself an AS and a registration and then talk to your ISPs about how to BGP peer with them.
Read this to start wtih
https://www.arin.net/resources/guide/ipv6/first_request/#end...
Thanks. Same process as IPv4, but my question was more focused on the ??? magical last step of getting the ISP to advertise that route.
Literally you just talk to your ISP. A support ticket or a technical phone contact. They'll either just do it for you or get you set up to announce your routes to them.
You'll need an ISP that does actual business networking things, probably. I doubt Xfinity home service would do it for you.
If you are in RIPE land you can get a PI (provider independent) /48 from a LIR (a RIPE member) and ask your datacenter to announce it.
https://www.ripe.net/manage-ips-and-asns/ipv6/request-ipv6/h...
https://tunnelbroker.net/ will give you a free IPv6 subnet and you can route it over your existing IPv4 link. I think you can get either a /64 or /48.
I had a tunnel with them I was using for a while, but ended up turning it off a couple of months ago.
Any request to a CDN will be slower since you’re not hitting the cache closest to your actual ISP, and since it’s “a VPN” a lot of things start to break, need more captchas, or get blocked for you since there’s a higher level of abuse from HE’s tunnel broker IP blocks.
Oh wow, I didn’t know they were still around! I used that to get an IPv6 address more than a decade ago; I think they used the bastardized IPv4-mapped-to-v6 address format at the time. But iirc it involved extra network hops because it was tunneled rather than routed, but maybe I’m misremembering.
I’m guessing they have larger blocks for sale?
I was very happy to get symmetric Gig internet at my new place but very bummed that my ISP doesn’t offer IPv6.
I had enjoyed learning about and deploying it on my LAN whenever Comcast added support (SLAAC is magical) but I guess I’ll be waiting for quite a while to play with it again :(
There's also a cool trick you can do with IPv6 addresses for servers where you use RA to broadcast your IPv6 prefix on the LAN and the OS assigns itself a valid public IPv6 using the MAC address for uniqueness. Very clean and easy.
> route when you can, switch only when you need to mantra
Naive question: isn't switching faster than routing?
Only at small scale: the flat MAC lookup quickly becomes more expensive than matching against a handful of (post-consolidation) routing prefixes.
E.g. in their setup only the switch the hosts are directly plugged in needs to be aware of the individual hosts; all other switches/routers only look at it with a granularity no finer than this access switch. And at some point even coarser.
All 'boring' packets are hardware switched/routed with no CPU involvement in everything bigger than your home cable router.
For both switched and routed networks it's possible to build hardware that can route at the same speed as the ports, so in 2024 performance isn't really a reason to choose switched or routed.
Cost might be though - I believe that for the same number of gigabits, hardware sold as a switch is substantially cheaper.
IPv6 is great, but it does open up new challenges with traffic management, reputation, and bot analysis. We need advances there.
We need something better than IPv6 that better addresses the needs of users. IPv6 does too much and is too complicated.
Not so. IPv4->6 removes all existing v4 address blocks and redoes the addressing scheme. Those changes weren't necessary for expanding the address space. This implies that day 1 of using ipv6, all your addresses are different (and way longer), all your routes change, DNS DHCP etc all need to be swapped out, and bans/reputation are all reset with no clear replacement. And there were a bunch of smaller changes / new features.
Whatever you do to get more addresses, it will look similar in the end, but the steps could've been very different.
How would a computer with an expanded address scheme communicate with another device with an unexpanded IPV4 address? How would that client get its response back?
How would a router know what to do with it without updating its software?
At the end of the day, you are talking about using a different than IPV4 address scheme and using a different protocol than IPV4. Everything in the stack will need to be updated. Every hop on the route, every single piece of software that will interact with the network address. Backwards compatibility still requires everything but the older device to be updated.
If you think IPv6 is too complicated, you are either overestimating IPv6’s complexity or underestimating IPv4’s complexity. IPv6 is undeniably simpler. It has a cleaner header format that is simpler to parse, it has no need for on-path routers to perform fragmentation, it combines host/router discovery and various diagnostic control packets down into a single protocol called ICMPv6, it has stateless address autoconfiguration and correct link-local address behaviours amongst others. It fixes decades of mistakes that have accumulated in IPv4.
> IPv6 is undeniably simpler.
Perhaps to someone who's never been exposed to IPv4.
But for those who know IPv4 from before, it means almost a complete rewrite of all the knowledge. Just about every detail of setting up an IPv6 network is different from an IPv4 network, with just the superficial bits staying similar.
It also has bits that are undeniably more complex than IPv4, like dynamic address allocation. You got SLAAC, RA, stateful and stateless DHCPv6, with the latter being required in certain cases. And with that you now got two different ways to provide DNS servers to clients, and which one takes precedence is undeniably non-trivial[1] and even implementation dependent!
[1]: https://datatracker.ietf.org/doc/html/rfc8106#section-5.3.1
What do you suggest as "something better than IPv6"?
How is that better than IPv6? Remember that there is no way to squeeze more address bits into IPv4 header, that need to come up with a new protocol. In fact, need to come up with a whole suite of new protocols. You could just make the addresses bigger but still need to deploy.
IPv6 changed some things, most of them for the better, and it already works. The only problem is migrating and the problem is people who don't want to switch.
One example of how IPv6 is better than IPv4 with more address bits, is that 128-bit address is big enough to put the whole IPv4 address in. NAT64 put the IPv4 address in the 64-bit host section. MAP-T puts the whole NAT state in address, getting rid of expensive CGNAT.
That's my proposal, ipv6 with extra steps. As in, incremental steps instead of one impossibly big change. tl;dr keep the pre-existing v4 /32 blocks day 1, and the rest follows.
Edit: I said "my" proposal, but pretty sure the same idea has been brought up many times.
Getting rid of IPv4 address allocation is one of the huge advantages of IPv6. IPv4 is chopped up into little pieces and the routing table is mess from it. Starting from scratch, IPv6 can make that better.
IPv6 also realized that most people don't need their own address space. It is valuable in IPv4 to own an allocation, but IPv6 is so huge it doesn't matter.
For setup, IPv6 does it automatically for customers. Peering requires entering IPv6 addresses, but that is a one time thing.
About two years ago, when we deployed our datacenter, I insisted for IPv6 first.
All out management network is IPv6 only, all kvm, switches, routers...
It was a pain and gives nearly no practical advantage (at the time), but the motivation was to make everyone "intimate" with IPv6. We learned a lot and we even discovered some implementation bugs (for example, Cisco default link local address is not /64 and this is not compliant with more recent RFC and will make them unable to communicate with BSD systems).
Now we have IPv6 everywhere and everybody from dev to sysadmin is aware of IPv6 and we start to see some real advantages. VPN are easier to manage, routing is easier, firewall is easier, clustering, failover... everything is "cleaner".
We still have IPv4 (dual stack) on some servers, but about 80% of them are IPv6 only with DNS64/NAT64.