So what is IPv6 and why should you care? IPv6 is intended to be the successor of IPv4 and most people know it for the very large address space. However, it has many other benefits as well and is worth learning for self-hosting purposes.

IPv6 features

Huge address space

With IPv6, you no longer need to be concerned with the limited address space of IPv4. In IPv6 land a device routinely holds several IPv6 addresses at once: a link-local address, one or more global addresses, and, with the privacy extensions, temporary addresses that rotate. You can give each service its own address, and with the privacy extensions your computer uses a fresh temporary address for its outgoing connections, rotated on a timer (by default about daily) rather than per connection.

Simplified subnetting

In IPv6 land everything is done via prefixes. An IPv6 prefix is the leading bits of the address that identify a network; routers forward on the prefix and ignore the rest. On a LAN the prefix is normally a /64: the first 64 bits name the subnet and the remaining 64 bits (the interface identifier) name the host, which is also the subnet size SLAAC requires. A prefix is typically assigned per VLAN and advertised to every device in that VLAN, and because a device can hold several addresses it can have a public (global) address and a private (ULA, fd00::/8 in practice) address on the same interface. If you want more than one subnet you need something bigger than a /64, such as a /56 (256 /64s), a /48 (65,536 /64s) or, for an ISP, a /32 (CIDR notation). To get a prefix from an ISP you use DHCPv6-PD (prefix delegation). It works a lot like normal DHCP, except that instead of a single address your router requests one or more prefixes that it then splits across its own networks.

SLAAC (Stateless address autoconfig)

With SLAAC, a device first gives itself a link-local address (fe80::/64 plus an interface identifier) and runs duplicate address detection (DAD) to verify nobody else on the link is using it. It then sends a router solicitation, and the router answers with an RA (router advertisement) listing the prefix(es) in use on the link. The device keeps its link-local address and adds a global address by combining each advertised /64 prefix with an interface identifier, running DAD again on the result. That identifier is either derived from the MAC address (modified EUI-64), a stable per-network hash (RFC 7217), or random and rotating (privacy extensions, RFC 4941). The major benefit is that there is no lease table to keep: SLAAC allows networks to self assemble without much setup. The flip side is that the router has no record of which host took which address, so if you need an inventory you still want DHCPv6 or a neighbor-table export.
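The two sections above, carving a delegated prefix into /64s and forming host addresses the way SLAAC does, as an added worked example (this is not code from the original post; the /56, the VLAN numbers, the interface name and the MAC are made up, and SHA-256 standing in for the RFC 7217 PRF is this example's choice):

```python
"""Added example (not from the original post): carving a delegated prefix
into per-VLAN /64s and forming host addresses the three ways SLAAC does it.
All prefixes, VLAN numbers, interface names and the MAC are made up."""
import hashlib
import ipaddress
import os

IID_MASK = (1 << 64) - 1
UL_BIT = 1 << 57  # the universal/local bit is 0x02 of the first IID octet


def carve_subnets(delegated: str, vlan_ids) -> dict:
    """Split a delegated prefix (say a /56 from DHCPv6-PD) into one /64 per
    VLAN. Subnet number n lands in the bits between the delegated length and
    /64, so VLAN 10 on 2001:db8:abcd:100::/56 becomes 2001:db8:abcd:10a::/64."""
    net = ipaddress.IPv6Network(delegated)
    if net.prefixlen >= 64:
        raise ValueError("a /64 is the smallest SLAAC-capable subnet; nothing left to carve")
    count = 1 << (64 - net.prefixlen)
    subnets = {}
    for vid in vlan_ids:
        if not 0 <= vid < count:
            raise ValueError(f"VLAN {vid} does not fit: {delegated} holds only {count} /64s")
        base = ipaddress.IPv6Address(int(net.network_address) + (vid << 64))
        subnets[vid] = ipaddress.IPv6Network(f"{base}/64")
    return subnets


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 (RFC 4291 appendix A): flip the U/L bit of the first
    octet and insert ff:fe in the middle. The MAC is recoverable from the
    result, which is why this identifier lets a host be tracked across networks."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(iid, "big")


def stable_privacy_iid(subnet: ipaddress.IPv6Network, iface: str,
                       secret: bytes, dad_counter: int = 0) -> int:
    """RFC 7217 style identifier: a PRF over (prefix, interface, DAD counter,
    secret key) truncated to 64 bits. Stable while the host stays on one
    prefix, different on every other prefix, and never reveals the MAC.
    SHA-256 as the PRF is this example's choice; the RFC leaves it open."""
    material = (subnet.network_address.packed[:8] + iface.encode()
                + bytes([dad_counter]) + secret)
    iid = int.from_bytes(hashlib.sha256(material).digest()[:8], "big")
    if iid == 0:  # RFC 5453 reserves the all-zero IID (subnet-router anycast); retry
        return stable_privacy_iid(subnet, iface, secret, dad_counter + 1)
    return iid


def temporary_iid() -> int:
    """RFC 4941 temporary identifier: 64 random bits with the U/L bit cleared
    so it can never be mistaken for a real EUI-64. Hosts regenerate these on
    a timer (by default daily) and use them for outgoing connections."""
    return int.from_bytes(os.urandom(8), "big") & ~UL_BIT


def make_address(subnet: ipaddress.IPv6Network, iid: int) -> ipaddress.IPv6Address:
    """Join a /64 prefix with a 64-bit interface identifier (a fixed token
    such as 0x160 gives the memorable prefix::160 style of address)."""
    if subnet.prefixlen != 64:
        raise ValueError("SLAAC-style addresses need a /64")
    return ipaddress.IPv6Address(int(subnet.network_address) | (iid & IID_MASK))


def same_host(a: ipaddress.IPv6Address, b: ipaddress.IPv6Address) -> bool:
    """True when two addresses on different prefixes carry the same interface
    identifier, i.e. a tracker could link them to one device."""
    return (int(a) & IID_MASK) == (int(b) & IID_MASK)


if __name__ == "__main__":
    lans = carve_subnets("2001:db8:abcd:100::/56", [10, 20])
    mac = "00:11:22:33:44:55"
    for vid, lan in lans.items():
        print(f"VLAN {vid}: {lan}")
        print("  EUI-64        ", make_address(lan, eui64_iid(mac)))
        print("  RFC 7217      ", make_address(lan, stable_privacy_iid(lan, "eth0", b"host-secret")))
        print("  RFC 4941 temp ", make_address(lan, temporary_iid()))
        print("  fixed token   ", make_address(lan, 0x160))
```

Run it and compare the EUI-64 lines for the two VLANs: the last four hextets are identical, which is exactly the cross-network tracking problem, while the RFC 7217 and temporary lines differ per prefix. A /64 cannot be carved further, so `carve_subnets` refuses it rather than silently handing out a /65 that SLAAC would not work on.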

IPv6 security and privacy

IPv6 still needs a firewall to be secure. With IPv4 the NAT on your router blocked unsolicited inbound traffic as a side effect; with IPv6 every device has a globally routable address, so the router's firewall has to do that job explicitly (default deny inbound, then open only the ports you mean to expose) while still letting through the ICMPv6 messages that neighbor discovery and path MTU discovery depend on. You should not expose things to the internet without properly securing them, and anything that is publicly accessible can be compromised. IPv6 can also create privacy issues: if the interface identifier is derived from the MAC address it stays the same on every network you join, so the same host can be recognized across networks. SLAAC with the privacy extensions (RFC 4941) or stable-privacy identifiers (RFC 7217) helps a lot, as the host part is randomized, which makes tracking harder. However, all devices behind one router still share its public prefix, so a /64 or /56 still identifies the household much as a single IPv4 address did.
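A default-deny IPv6 ruleset for a Linux router, as an added example (not from the original post; the interface names "wan0" and "lan0", the LAN prefix 2001:db8:abcd:10a::/64 and the web server at ::80 inside it are assumptions). It shows what the firewall has to let in for IPv6 to keep working at all, and how small the deliberately opened hole should be:

```nftables
#!/usr/sbin/nft -f
# Added example, not from the original post: a default-deny IPv6 policy for a
# Linux router. Assumed names: "wan0" faces the ISP, "lan0" faces the LAN, the
# LAN subnet is 2001:db8:abcd:10a::/64 and the web server sits at ::80 in it.
table ip6 filter
flush table ip6 filter
table ip6 filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Router advertisements must come from a link-local source (RFC 4861)
        icmpv6 type nd-router-advert ip6 saddr fe80::/10 ip6 hoplimit 255 accept
        # Neighbor discovery from hosts on the link, including DAD probes sent from ::
        icmpv6 type { nd-router-solicit, nd-neighbor-solicit, nd-neighbor-advert } ip6 hoplimit 255 accept
        # Error messages TCP and path MTU discovery need. IPv6 routers never
        # fragment, so dropping packet-too-big silently breaks large transfers (RFC 4890)
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
        # Being pingable is harmless; delete this line if you would rather not be
        icmpv6 type echo-request limit rate 10/second accept

        # DHCPv6-PD: the ISP's server answers to UDP 546 from a link-local address
        iif "wan0" udp dport 546 ip6 saddr fe80::/10 accept

        # Management from the LAN only, never from the WAN
        iif "lan0" tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept

        # LAN hosts may open connections outward
        iif "lan0" oif "wan0" accept

        # The one deliberate inbound hole: one host, two ports. Nothing else on
        # the LAN is reachable from outside, however many addresses it holds.
        iif "wan0" oif "lan0" ip6 daddr 2001:db8:abcd:10a::80 tcp dport { 80, 443 } accept
    }
}
```

Load it with `nft -f` and check the result with `nft list ruleset`; the `policy drop` on the forward chain is what replaces the accidental protection NAT gave you under IPv4. The literal destination in the forward chain assumes a static prefix. If the ISP hands out a dynamic prefix the rule has to be regenerated whenever the prefix changes, which is the practical pain point with dynamic delegation.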

NAT64 to eliminate IPv4

One of the technologies to help eliminate the need for IPv4 is NAT64. A NAT64 gateway maps IPv4 addresses into IPv6 by embedding the 32-bit IPv4 address inside an IPv6 prefix (RFC 6052); with the well-known prefix 64:ff9b::/96, 192.0.2.33 becomes 64:ff9b::c000:221. An IPv6-only client sends to that address, and the gateway translates the packet to IPv4 on the way out and back to IPv6 on the way in. For name lookups, DNS64 synthesizes AAAA records in the NAT64 prefix for names that only have A records. To tell devices which prefix is in use you can advertise it in router advertisements with the PREF64 option (RFC 8781), or let clients discover it through DNS64 (RFC 7050). Clients that implement 464XLAT (RFC 6877) also run a CLAT: applications that insist on IPv4 see a working IPv4 address on the host, and the operating system translates their IPv4 packets to IPv6 before they go onto the network. Separately, DHCPv4 option 108 (IPv6-Only Preferred, RFC 8925) lets a client that supports this tell the DHCPv4 server it will do without an IPv4 lease, which is how a dual-stack network can be moved to IPv6-only one client at a time. You can absolutely keep using IPv4; NAT64 is only for those who want an IPv6-only network.

  • ryokimball@infosec.pub · 49 up · 1 down · 5 months ago

    Thanks for posting this. The idea of individual services having their own IP address had never occurred to me and would solve so many issues.

    • twinnie@feddit.uk · 19 up · 2 down · 5 months ago

      I always thought it’s kind of odd how frivolous we are with IPv6 addresses given the problems that gave us with IPv4. US DoD has like 200 million IPv4 addresses and they probably only use a tiny fraction of that. There’s also a bunch of old companies like HP, IBM, and Apple, that have entire /8s, so that’s 16 million IPs each. I know IPv6 is ridiculously bigger but we’re talking about giving IP addresses to our lightbulbs now at a time we’re also looking to inhabit other planets.

      • FaceDeer@fedia.io · 47 up · 5 months ago

        You may know IPv6 is ridiculously bigger, but you don’t know it.

        There are enough IPv6 addresses that you could give 10^17 addresses to every square millimeter of Earth’s surface. Or 5×10^28 addresses for every living human being. On a more cosmic scale, you could issue 4×10^15 addresses to every star in the observable universe.

        We’re not going to run out by giving them to lightbulbs.

        • Vikthor@lemmy.world · 25 up · 1 down · 5 months ago

          You may know IPv6 is ridiculously bigger, but you don’t know it.

          “Space is big. You just won’t believe how vastly, hugely, mind-bogglingly big it is. I mean, you may think it’s a long way down the road to the chemist’s, but that’s just peanuts to space.”

          No matter whether we are talking about real space or IPv6 address space, Douglas Adams’ quotes always come handy.

        • DaPorkchop_@lemmy.ml · 1 up · 5 months ago

          Okay, but to be fair you should divide that by at least 2^64 because ISPs are throwing out huge blocks left and right. My home plan with Swisscom gives me a single dynamic IPv4 address and an entire /64 IPv6 prefix, and I’m pretty sure it was /60 at one point.

      • Harlehatschi@lemmy.ml · 21 up · 5 months ago

        But it’s 2⁵² addresses for each star in the observable universe. Or in other words, if every star in the observable universe has a planet in the habitable zone, each of them got 2²⁰ more IPs than there are IPv4 addresses.

      • Melmi@lemmy.blahaj.zone · 16 up · 5 months ago

        Going to other planets would require a total re-architecting of our communications infrastructure anyway. There’s such distance too it’s not really viable to have a shared internet. Even Mars would have up to 22 minute latency at peak. So I don’t think it makes sense to plan our current internet around potential future space colonization.

        Even so, IPv6 is truly massive. We could give a /64 to every square centimeter of the Earth’s surface and still have IPs to spare. Frankly, I think the protocol itself will be obsolete before we run out.

        • iopq@lemmy.world · 3 up · 5 months ago

          You thought so, but in year 2525 they will still be complaining about TCP congestion mechanisms

      • bobalot@lemmy.world · 9 up · 5 months ago

        What is the impetus for change?

        The things you listed are nice but not game changing for most people.

        • Ephera@lemmy.ml · 1 up · 5 months ago

          I don’t have much experience with IPv6 yet either, but as I understand, the primary benefit is that you can get rid of a lot of the crappiness of IPv4, which you might just deem ‘normal’ at this point, like NAT and DHCP. It does happen quite a bit, for example, that we’d like a unique identifier for a host, but with IPv4, you need to store a separate UUID to accomplish that.

      • billwashere@lemmy.world · 6 up · 5 months ago

        Likely because they’re old and resist change like me?

        Seriously though it’s such a shift from what I understand I’m very reticent to even start the process. I have a lab at work though that I should really start playing with it at no real risk to anything production. You know what, I’m going to do that next week! Yeah, progress.

        First docker and now IPv6. I’m so cutting edge 🤣

      • Avid Amoeba@lemmy.ca · 6 up · 1 down · edited · 5 months ago

        Because I have to learn, understand what you wrote, probably more, and especially internalize its security implications. I currently understand all that for IPv4 and I’m confident I’m not leaving holes open when I self-host services. But of course it’s probably a good idea to learn and use IPv6. It’s just not free and when you have existing infrastructure and muscle memory on IPv4, there’s that much more work. If I was starting anew, I’d probably do it. It’s similar with SaltStack. If I was starting anew I’d use Ansible instead.

        • Appoxo@lemmy.dbzer0.com · 3 up · 5 months ago

          And good luck trying to remember the IP in IPv6.
          I would believe DNS is now mandatory when you want to implement IPv6?

  • drkt@scribe.disroot.org · 26 up · edited · 5 months ago

    I reject the notion that a shared prefix raises privacy concerns because the alternative is they all share a single IP address as they do in v4.

    Anyway, been v6 for years. Love it. It’s just easier to work with, to be honest. It took me a while to get it, but once I rotated my brain a little and stopped thinking in v4 logic then it all clicked. My ISP is insane and gave me a /48, so I have a lot of addresses.

    I know my prefix by head, something everyone is still telling me is too hard for them (skill issue). You also don’t have to remember 8 hextets, just your prefix. In my case that’s only 3, but for you it won’t be more than 4. It’s not that hard. I zero out all the hextets between my prefix and the last so my v4 and v6 addresses just look like this 192.168.78.160 and 2a05:f6c7:8321::160 respectively. Don’t have to remember two addresses when dualstacking.

      • drkt@scribe.disroot.org · 4 up · 5 months ago

        It is spec, but so is /56 and even /64. It’s kind of crazy to give me, a residential customer, a /48

        I appreciate it, though. I like my 3 hextet prefix!

        • Melmi@lemmy.blahaj.zone · 3 up · 5 months ago

          Only giving a /64 breaks stuff, but some ISPs do it anyway. With only a /64 you can’t subnet your network at all.

        • 𝘋𝘪𝘳𝘬@lemmy.ml · 2 up · 8 down · 5 months ago

          With these huge ranges we’ll have the same problem with IPv6 in a few years that we already have with IPv4.

          • Melmi@lemmy.blahaj.zone · 4 up · 5 months ago

            I really doubt it. We could give everyone on Earth their own /48 with less than 1% of the IPv6 address space.

            • 𝘋𝘪𝘳𝘬@lemmy.ml · 1 up · 5 months ago

              The ranges will become larger over time because “we have it”, and companies will get thousands of sections with figuratively unlimited IP addresses in them each.

          • Possibly linux@lemmy.zip (OP) · 3 up · 5 months ago

            They can just allocate more IPs. The IPv6 range is barely even used.

            Also I imagine that there will be a secondary market for IPv6 at some point.

            • 𝘋𝘪𝘳𝘬@lemmy.ml · 2 up · 1 down · 5 months ago

              The IPv6 range is barely even used.

              Yet.

              Also I imagine that there will be a secondary market for IPv6 at some point.

              Like there already is one for IPv4 addresses?

              I stand by my point:

              No-one will ever need a /48 range.

    • CarbonatedPastaSauce@lemmy.world · 7 up · 5 months ago

      I took the networking TCP/IP fundamentals class for my first MCSE in 99, and the instructor wouldn’t shut up about how IPv4 would be replaced within 5 years.

  • enemenemu@lemm.ee · 13 up · edited · 5 months ago

    Cool, thx!

    For me to switch, I’d need a simple tutorial on how to do it. Something that I could learn and solve first problems within a day or weekend. I hope it’s not grub level difficult

    • cron@feddit.org · 8 up · 1 down · 5 months ago

      It’s really not that hard. Sadly, my ISP doesn’t offer IPv6 yet, but for my vServer, enabling IPv6 was just a checkbox during creation. Then, you need to make sure that the service (e.g. webserver) also listens on the IPv6 address and maybe tweak the configuration of the webserver to actually serve websites via IPv6. Also, check your firewall settings. Lastly, you need to set the DNS AAAA records and you’re done.

      • cmnybo@discuss.tchncs.de · 4 up · 5 months ago

        If you need IPv6, you can get a free tunnel from Hurricane Electric. They will give you a /48 if you request it. I used it for years since my old ISP didn’t have IPv6. I am close to one of their servers, so the latency was very low.

        • cron@feddit.org · 3 up · 5 months ago

          You’re right, that’s an option. I could set this up at my router, this way it would be almost indistinguishable from IPv6 via my ISP.

        • r00ty@kbin.life · 2 up · 5 months ago

          I used HE for ages until my isp gave native ipv6. I also used sixxs back then too. Both provided good connectivity for the few sites that were around using it at the time.

      • enemenemu@lemm.ee · 1 up · edited · 5 months ago

        I have no idea. Speedport from vodafone, ipv6 is enabled but I don’t use it 😅 I’m not behind some NAT

  • Crogdor@lemmy.world · 5 up · 5 months ago

    I’ve considered using v6 as I host a lot of services from my homelab and it would be great if each had its own address. The question I have is, is v6 prevalent enough that all the clients out there are ready to go and I can just switch my lab servers to v6 and swap my A records with AAAA records, or will I still need to serve up v4 (and therefore, may as well just stick with the topology, reverse proxies, etc. I’ve already got.)

    • r00ty@kbin.life · 5 up · 5 months ago

      You start by adding ipv6 and serving both. One side needs to move first. Content providers or isps.

      The big tech companies are using ipv6. In the UK the isps are mostly offering it too.

      Host both and help us move towards dropping IPv4 some day. It’s not going to happen in a day.

  • CompactFlax@discuss.tchncs.de · 5 up · 5 months ago

    I still haven’t figured out how to make a firewall rule with SLAAC on pfSense, with an ISP that hands out addresses at random. It’s my understanding SLAAC is the “right” way to do things, not DHCP and reservations.

    Granted, it’s been a minute since I tried so I don’t remember the issues, but as I recall, when the IPv6 prefix changes, the device gets a new IP (and it seems not just the prefix part). I can get the firewall to register IPs into DNS and use a DNS based firewall rule, but unbound restarts and blows out its cache when a device joins the network. And there’s another part to it but it’s all gone fuzzy.

    • r00ty@kbin.life · 2 up · 5 months ago

      Actually how is your ISP giving out IPs to you? Mine uses IPv6 PD to give me a /48. And I then use SLAAC locally on the first /64 prefix on my LAN. Plus another /64 for VPN connections.

      If you mean receiving RA/ND packets from your ISP (which are used to announce IPv6 prefixes) then you need to allow icmpv6 packets (if you don’t want to be able to be pinged, just block echo requests, ICMP in v4 and v6 carry important messages otherwise).

      If your ISP uses DHCPv6 Prefix delegation you will need to allow packets to UDP port 546 and run a DHCPv6 client capable of handling PD messages.

      If you have a fixed prefix, then you probably don’t need to use your ISPs SLAAC at all. You could just put your router on a fixed IP as <yourprefix>::1 and then have your router create RA/ND packets (radvd package in linux, not sure what it would be on pfsense) and assign IPs within your network that way.

      If you have a dynamic prefix… It’s a problem I guess. But probably someone has done it and a google search will turn up how they handled it.

      EDIT: Just clarified that the RA/ND packets advertise prefixes, not assign addresses.

    • r00ty@kbin.life · 2 up · 5 months ago

      This is my biggest bugbear about a lot of UK isps. They are dynamically allocating ipv6 prefixes for absolutely no good reason.

      I’ve only ever done ipv6 using Linux directly as a firewall or a mikrotik router. So cannot help with pfsense I’m afraid.

      • Markaos@discuss.tchncs.de · 2 up · 5 months ago

        The “correct” way to handle “static” addresses with dynamic prefix is using tokenized network interfaces (which is pretty much just the lower 64 bits of the IPv6 address). That will then be used for SLAAC in addition to the randomly generated address. The support for dynamic prefixes in firewalls on Linux and Mikrotik is however still pretty dire (obviously, as it’s not an enterprise feature). No clue about BSDs/pfSense

  • r00ty@kbin.life · 5 up · 5 months ago

    I believe the privacy concerns are made moot if all consumer level routers by default blocked incoming untracked connections and you need to poke holes in the firewall for the ports you need.

    Having said that, even knowing the prefix it’s a huge address space to port scan through. So it’s pretty secure too with privacy extensions enabled.

    But for sure the onus is on the router makers for now.

  • bhsuarez@infosec.pub · 2 up · 5 months ago

    All of this is great but the human brain can only accurately remember a sequence of 8 digit numbers so I think that’s why IPv4 is gonna stick around for a bit. I’ve memorized too many CIDR ranges 🫠