Comment by kuon 10 months ago

About two years ago, when we deployed our datacenter, I insisted on IPv6 first.

Our whole management network is IPv6 only: all KVMs, switches, routers...

It was a pain and gave nearly no practical advantage (at the time), but the motivation was to make everyone "intimate" with IPv6. We learned a lot and we even discovered some implementation bugs (for example, Cisco's default link-local address is not a /64, which is not compliant with the more recent RFC and makes them unable to communicate with BSD systems).

Now we have IPv6 everywhere, everybody from dev to sysadmin is aware of IPv6, and we are starting to see some real advantages. VPNs are easier to manage, routing is easier, the firewall is easier, clustering, failover... everything is "cleaner".

We still have IPv4 (dual stack) on some servers, but about 80% of them are IPv6 only with DNS64/NAT64.

api 10 months ago

It's obvious that a major reason more people don't do this is a lack of instant payoff.

  • freedomben 10 months ago

    Indeed, but also not everyone gets the payoff that GP did. We did IPv6 only and abandoned it after a while because there were some show-stoppers in our cloud provider that didn't work (at the time; this was a few years ago). It ended up being a good investment in the two people spearheading the work, but otherwise it was a waste of time/money.

  • bravetraveler 10 months ago

    Same applies for directory services, configuration management, etc. Eating vegetables

    • Gud 10 months ago

      All those give me a clear advantage in the long run. What's the advantage for me with IPv6?

      • simoncion 10 months ago

        > What's the advantage for me with IPv6?

        I don't know what your situation is, but I'm a regular programmer-type employee who has been through more mergers than I ever expected to. Every company I've been at used IPv4 addresses for the systems on their internal networks.

        I've observed that one of the things that takes the longest to sort out after the merger "closed" (or whatever they call the "It's official. We now own you." phase) is merging the two companies' internal networks. While some of the delay comes from removing redundant systems and "harmonizing" security policies and the like, the IT folks I talked to about the process always told me that the thing that takes by far the longest is IP address management... specifically, having to renumber networks and the systems on them, and reconfigure or reinstall the software on them to account for the renumbering.

        If you're using IPv6's ULA addressing for your internal networks, the odds of an address collision are very nearly zero. With IPv4 addressing... unless your network is tiny, the odds appear to be very nearly one.

      • bravetraveler 10 months ago

        I don't know you as well as I should :) I should say I'm not that interested in selling something that is both free and 'politically' loaded.

        People have made up their minds, they'll pick it up or they won't. No "skin off my teeth" at all. Implementation details matter to those who care. They have their reasons, I'm not one to question them.

        One of the things I like about v6 is it allows us to give up the charade or vanity of addressing. At least minify it. One can define classes of networks and simply identify hosts by MAC (or FQDN assuming an AAAA record).

        I already have to tote that information around to configure them. Having a v4 address can be seen as duplicating the role of identity, while risking conflict. Outright removal of v4 may offer benefits in some scenarios.

        Now... 'conflict' is how BGP anycast literally works. Two or more hosts announce the same location. There are perfectly valid reasons to still use v4, neither precludes the other.

      • Arnt 10 months ago

        One past employer of a friend has an internal network using IPv4 only. Every night a database query runs on one database and updates a second database based on the results (a DSS updated from a data warehouse, I think). One of the TCP connections involved goes through five levels of NAT, internally to the company.

        No one on the team liked adding the fifth NAT, but no one felt confident enough to undo any of the old NATs either.

        If you use IPv6 internally you don't dig yourself into holes like that one. You have enough addresses that you can choose clarity and maintainability in little day-to-day choices and a few years later that clarity has added up.

BonoboIO 10 months ago

Why is it now easier to manage?

  • JackSlateur 10 months ago

    No translation, no subnet allocation issues (because no scarcity), global reachability from everybody to everybody (as the internet was meant to be), no overlap (because no RFC 1918).

    The world is much easier when everybody has their own identity.

  • simoncion 10 months ago

    I'm not the OP, but I expect VPNs are easier to manage because you don't have to worry about slicing up the very, very limited IPv4 non-public space and puzzling out how to resolve addressing collisions between all of the various networks you have to manage. With IPv6 you can just calculate a /48 ULA prefix and allocate /64s for your VPNs (and every other internal network) out of that. If ever you run out of room, just calculate another /48 and carry on... easy!
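As an added illustration of the "/48 ULA then /64s out of it" scheme simoncion describes here (and of the near-zero collision odds mentioned further up the thread): this is example code written for this page, not code from any of the commenters. It follows the RFC 4193 Global ID algorithm (SHA-1 over a 64-bit NTP timestamp concatenated with an EUI-64; the low 40 bits become the Global ID behind the fd00::/8 prefix), builds the EUI-64 from a MAC address per RFC 4291 appendix A, and uses the standard birthday-bound approximation for the probability that randomly chosen prefixes collide. The MAC address and the fixed NTP timestamp in the demo are constructed sample values.

```python
import hashlib
import math
import struct
import time
from ipaddress import IPv6Network
from typing import Optional

# fc00::/7 with the L bit set: the locally assigned ULA range (RFC 4193 section 3.1)
ULA_LOCAL = IPv6Network("fd00::/8")


def eui64_from_mac(mac: str) -> bytes:
    """Modified EUI-64 (RFC 4291 appendix A): split the 48-bit MAC,
    insert ff:fe in the middle and invert the universal/local bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return bytes(eui)


def ntp_timestamp_now() -> int:
    """64-bit NTP timestamp: seconds since 1900-01-01 in the high 32 bits,
    binary fraction of a second in the low 32 bits."""
    now = time.time()
    seconds = (int(now) + 2208988800) & 0xFFFFFFFF
    fraction = int((now - int(now)) * 2**32) & 0xFFFFFFFF
    return (seconds << 32) | fraction


def ula_prefix(mac: str, ntp_time: Optional[int] = None) -> IPv6Network:
    """RFC 4193 section 3.2.2: Global ID = low 40 bits of SHA-1(NTP time || EUI-64),
    which yields the site prefix fd<Global ID>::/48."""
    if ntp_time is None:
        ntp_time = ntp_timestamp_now()
    key = struct.pack(">Q", ntp_time) + eui64_from_mac(mac)
    digest = hashlib.sha1(key).digest()
    global_id = int.from_bytes(digest[-5:], "big")  # least significant 40 bits
    prefix_int = (0xFD << 120) | (global_id << 80)
    return IPv6Network((prefix_int, 48))


def allocate_subnet(ula: IPv6Network, subnet_id: int) -> IPv6Network:
    """Carve one /64 out of the /48 by filling the 16-bit Subnet ID field."""
    if ula.prefixlen != 48:
        raise ValueError("expected a /48 ULA prefix")
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet id must fit in 16 bits")
    return IPv6Network((int(ula.network_address) | (subnet_id << 64), 64))


def collision_probability(draws: int, space: int) -> float:
    """Birthday bound: probability that at least two of `draws` uniformly random
    picks from `space` possibilities coincide, 1 - exp(-n(n-1) / 2N)."""
    return -math.expm1(-draws * (draws - 1) / (2 * space))


if __name__ == "__main__":
    # constructed sample inputs; a real run would pass no ntp_time and use the clock
    site = ula_prefix("00:1b:21:aa:bb:cc", ntp_time=0xE8A0B5E012345678)
    print("site prefix:", site)
    for vpn_id in (0x0001, 0x0002, 0x0100):
        print("  vpn subnet:", allocate_subnet(site, vpn_id))
    # two merging companies that each generated their own Global ID
    print("two random ULA /48s colliding:", collision_probability(2, 2**40))
    # for comparison: 128 /24s picked at random out of the 65536 inside 10.0.0.0/8
    print("128 random /24s inside 10/8 colliding:", collision_probability(128, 65536))
```

Running out of room simply means calling `ula_prefix` again with a fresh timestamp, exactly as the comment says; the 40-bit Global ID is what keeps two independently generated sites from overlapping, so the one thing not to do is hand-pick a "pretty" Global ID such as fd00:1::/48, which throws that property away.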

    • kuon 10 months ago

      This, and you can allocate a prefix per service. Also you can do layer 3 access control because there is no NAT. Also NAT can get messy when chained. One very practical example: if I am connected with SSH to a server and the connection is interrupted by a network gear config change, for example, when it is back up SSH will still be connected and might not even notice. With NAT, states can be dropped.

NewJazz 10 months ago

What do you use for a NAT64 gateway?

  • zamadatix 10 months ago

    Not GP, but in similar setups I've had good success using the FWs (typically Fortinet or Palo Alto) as the NAT64 gateway. Hosted services that require 1:1 NATs end up there anyway, so it's a good fit for the DC.
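To make concrete what the NAT64 gateway and its DNS64 resolver actually compute for the IPv6-only hosts described at the top of the thread: the following is an added example written for this page, not code from any commenter or from the firewall vendors named above. It implements the RFC 6052 IPv4-embedded IPv6 address format for the well-known prefix 64:ff9b::/96 and for network-specific prefixes of the other permitted lengths (32, 40, 48, 56, 64), including the rule that octet 8 (the "u" octet) stays zero, plus the AAAA synthesis a DNS64 resolver (RFC 6147) performs for a name that only has A records. The prefixes 2001:db8:64:64::/64 and 2001:db8:1200::/40 and the A answers are constructed sample values.

```python
from ipaddress import IPv4Address, IPv6Address, IPv6Network
from typing import Iterable, List, Union

# RFC 6052 section 2.2: permitted NAT64 prefix lengths; octet 8 ("u") must stay zero
NAT64_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)
WELL_KNOWN_PREFIX = "64:ff9b::/96"  # RFC 6052 section 2.1


def _v4_byte_positions(prefixlen: int) -> List[int]:
    """Byte offsets (0-15) that carry the four IPv4 octets for a given prefix
    length, skipping octet 8, which RFC 6052 reserves as the all-zero u octet."""
    if prefixlen not in NAT64_PREFIX_LENGTHS:
        raise ValueError(f"NAT64 prefix length must be one of {NAT64_PREFIX_LENGTHS}")
    positions: List[int] = []
    pos = prefixlen // 8
    while len(positions) < 4:
        if pos != 8:
            positions.append(pos)
        pos += 1
    return positions


def embed_ipv4(prefix: Union[str, IPv6Network], v4: Union[str, IPv4Address]) -> IPv6Address:
    """Synthesise the IPv4-embedded IPv6 address a DNS64 resolver hands to a client."""
    net = IPv6Network(str(prefix))
    out = bytearray(net.network_address.packed)
    for pos, octet in zip(_v4_byte_positions(net.prefixlen), IPv4Address(str(v4)).packed):
        out[pos] = octet
    return IPv6Address(bytes(out))


def extract_ipv4(prefix: Union[str, IPv6Network], v6: Union[str, IPv6Address]) -> IPv4Address:
    """What the NAT64 gateway recovers from the destination chosen by an IPv6-only client."""
    net = IPv6Network(str(prefix))
    addr = IPv6Address(str(v6))
    if addr not in net:
        raise ValueError(f"{addr} is not inside the NAT64 prefix {net}")
    raw = addr.packed
    if net.prefixlen < 96 and raw[8] != 0:
        raise ValueError("octet 8 must be zero in an IPv4-embedded address")
    return IPv4Address(bytes(raw[pos] for pos in _v4_byte_positions(net.prefixlen)))


def dns64_synthesise(prefix: Union[str, IPv6Network], a_records: Iterable[str]) -> List[str]:
    """DNS64 behaviour for a name with A records but no AAAA: one synthetic AAAA per A answer."""
    return [str(embed_ipv4(prefix, a)) for a in a_records]


if __name__ == "__main__":
    # constructed A answers for an IPv4-only service
    answers = ["192.0.2.33", "198.51.100.7"]
    for pfx in (WELL_KNOWN_PREFIX, "2001:db8:64:64::/64", "2001:db8:1200::/40"):
        aaaa = dns64_synthesise(pfx, answers)
        print(pfx, "->", aaaa)
        for a in aaaa:
            # the gateway must recover exactly the IPv4 destination the resolver embedded
            assert str(extract_ipv4(pfx, a)) in answers
```

The two checks in `extract_ipv4` are the ones worth keeping in a real gateway: a destination outside the configured prefix is not NAT64 traffic at all, and a non-zero octet 8 means the client (or something in between) did not produce a compliant embedded address, so the packet should be dropped rather than mapped to a guessed IPv4 target.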