Sitting pretty in IPv4 land? Look, you're gonna have to talk to IPv6 at some stage

We can be forgiven for not having weaned ourselves onto IPv6 earlier. It has been a Draft Standard since December 1998 (RFC 2460), but was only elevated to a full Internet Standard in July 2017 (that'll be RFC 8200). That this has finally happened, though, means we're being told more loudly than ever that we no longer have an excuse. So do we have one? …


  1. Lee D Silver badge

    *COUGH*

    dig AAAA theregister.co.uk

    ....

    Still nothing. Coming on to 8 years of me saying this now. It only took 6 years to get SSL'd, though.

    And the bit about running dual-stack on everything is a nonsense. What you run internally makes absolutely no difference at all. Sort out your edge first, so you can talk modern protocols OUT. The inside bit literally doesn't matter as you'll never run out of addresses or see any IPv6 advantage on an internal network, unless you literally have 16,777,216 devices inside your network (the limit of the 10.0 ranges).

    To my knowledge, there's not a single piece of software that *demands* IPv6 internally all the way to the net. However, it won't be long before websites *demand* that you access them over IPv6. So all you need is your edge/gateway/router/proxy to support IPv6 and translate / proxy accordingly (gosh, if only there was a technology that could perform Network Address Translation.... oh, no, sorry, some fools condemned all that because "IPv6 would fix it all"... all that stuff that's not actually broke...)

    1. Marco Fontani

      Meanwhile, dig AAAA regmedia.co.uk will give you a result. We've had IPv6 on the domain used to serve most images from since donkeys ago, as it was easy enough. For the main domain, there's still a bit of work to do.

      As I stated the last time, IPv6 is an ongoing "icing on the cake" thing, with no "business priority" whatsoever. It'll get finished when feasible.

      As you also state, there's no requirement to demand IPv6 at this point in time.

      Even if you had an IPv6-only connection, you'd still be able to access an IPv4-only site via a tunnel, in the exact same way I'm currently accessing the IPv6 web, since my "business" ISP is utterly unable to give me a native IPv6 connection.

      It'll come, Soon® (but unlikely to come this month)

      1. Steve the Cynic

        since my "business" ISP is utterly unable to give me a native IPv6 connection.

        And yet my consumer ISP switched me to fibre from ADSL a couple of years ago, and fully native IPv6 came with it (and just worked).

        1. Marco Fontani

          Different countries' ISPs have different priorities regarding IPv6 roadmaps :/

          1. Steve the Cynic

            Different countries' ISPs have different priorities regarding IPv6 roadmaps :/

            You're not wrong. My ISP is the "incumbent" in France (although I'm guessing you knew the "in France" part), France Telecom (that bought Orange and then took Orange's name for itself). They had a reputation (among French ISPs) for dragging their heels on IPv6 (and I believe that on ADSL lines they still are, somewhat), but on their new fibre network (full FTTP, thanks), they hand out /56 prefixes.

      2. Lee D Silver badge

        As always, it's not the technicality it's the hypocrisy.

        You can't write articles that have the following quotes and keep a straight face while you're claiming that you don't need IPv6 as a priority:

        ---

        "That this has finally happened, though, means we're being told more loudly than ever that we no longer have an excuse."

        "As the world moves to IPv6, you need to support it for your internet-facing devices. Expect people using your extranet portal to insist on IPv6. Expect people with whom you establish IP tunnels over the internet to demand it too. So, you could take the unilateral decision to stick with just IPv4 on your internet-facing setup, but as the world changes it'll leave you behind."

        "You therefore need to start supporting IPv6, even if your heart still belongs to IPv4."

        "You still need to support IPv6 to some extent, even if you're not deliberately using it."

        "but externally you have to support both IPv4 and IPv6 if you're to ensure that everyone can get at, say, your website."

        "Let's imagine you have a web server, because you probably do. In our brave new world, you need to make it available to people via both IPv4 and IPv6 – because like it or not, there will soon be people out there who only do IPv6 and you increasingly need to support them."

        ---

        Why should I tolerate an article from a group of people who write telling me what I *should* / *must* / *ought to* do, every month, for years, without fail, when a) I've already done that, b) they haven't even done it themselves!

      3. ZeroSum

        > It'll come, Soon® (but unlikely to come this month)

        Actions speak louder than words.

    2. Steve the Cynic
      Pint

      *COUGH*

      dig AAAA theregister.co.uk

      ....

      Still nothing. Coming on to 8 years of me saying this now. It only took 6 years to get SSL'd, though.

      I came to the comments page expecting some snark about El Reg's lack of AAAA, and the very first post totally failed to disappoint. See icon as congratulations.

    3. Anonymous Coward

      > dig AAAA theregister.co.uk

      I think that would be a fair criticism if ElReg was a consultancy, but they're a news outlet. So it's legitimate to yell "FAKE ipv6 address!" but less legitimate to say "AAAA.news".

    4. Anonymous Coward

      @LeeD

      You can't translate between IPv4 and IPv6 on a router in the same way as something like NAT. Both sides need to support IPv6 and everything in between.

    5. Anonymous Coward

      "won't be long before websites *demand* that you access them over IPv6"

      Huh? Given that countless thousands of websites can be hosted from a single IP address, I don't see any pressing need for websites to try to push people towards IPv6 access, even in countries that are by necessity adopting IPv6 well ahead of us laggards in the US and UK.

      Why would websites demand IPv6 access? What's in it for them? How does reducing their potential audience benefit them in any way? How much more could their hosting provider really charge them for the use of a tiny fraction of one IPv4 address?

      I wouldn't be shocked if I could carry on ignoring IPv6 and using IPv4 alone for the next twenty years. Maybe it'll stop working then, because of unfixed Y2038 problems that were ignored because "no one will still be using IPv4 by then".

      1. Nanashi

        Re: "won't be long before websites *demand* that you access them over IPv6"

        Facebook have measured their site as loading 10-15% faster over v6. That seems like something that websites ought to be interested in, no?

        Having v6 on your website doesn't reduce your potential audience. I'm not entirely sure where you got that idea from.

        1. Anonymous Coward

          Re: "won't be long before websites *demand* that you access them over IPv6"

          I'm not aware of anything inherent in IPv6 that makes it more efficient at carrying TCP/IP. Maybe the routing is more efficient, but that's certainly not a reason for a website to demand people access them over IPv6.

          1. gnarlymarley

            Re: "won't be long before websites *demand* that you access them over IPv6"

            Ummm, I think we gave up with the IPv6 demands about five years ago. Instead we just went with NAT64 gateways back then. If folks really want to know the real IP of who is connecting instead of the gateway, they would already be using IPv6.
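The NAT64 gateways gnarlymarley mentions are how an IPv6-only client reaches an IPv4-only server without that server ever speaking IPv6: the gateway owns an IPv6 prefix, the client sends to an address with the IPv4 destination embedded in it (the RFC 6052 format), and the gateway extracts that IPv4 address, forwards the packet and source-NATs it from its own IPv4 pool, which is why the server sees the gateway's address rather than the client's. The Python below is an added example, not code from the page or from any commenter, of that RFC 6052 embedding and extraction, including the "u" octet (bits 64-71) that must stay zero. The prefixes and addresses it uses are the RFC's well-known prefix (64:ff9b::/96) and documentation ranges.

```python
import ipaddress

# Prefix lengths RFC 6052 allows for IPv4-embedded IPv6 addresses
VALID_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)
WELL_KNOWN_PREFIX = "64:ff9b::/96"   # RFC 6052 well-known prefix for NAT64


def _octet_positions(prefixlen: int):
    """Byte offsets that carry the four IPv4 octets for a given prefix length.

    The octets follow the prefix, except that byte 8 (bits 64-71, the 'u' octet)
    is skipped and must remain zero; that is why /40 to /64 prefixes leave a gap."""
    if prefixlen not in VALID_PREFIX_LENGTHS:
        raise ValueError("RFC 6052 prefix length must be one of %s" % (VALID_PREFIX_LENGTHS,))
    return [i for i in range(prefixlen // 8, 16) if i != 8][:4]


def embed_ipv4(prefix: str, ipv4: str) -> str:
    """Synthesise the IPv6 address a NAT64/DNS64 deployment hands to a v6-only client."""
    net = ipaddress.IPv6Network(prefix)
    out = bytearray(net.network_address.packed)      # prefix bits, everything else zero
    for pos, octet in zip(_octet_positions(net.prefixlen), ipaddress.IPv4Address(ipv4).packed):
        out[pos] = octet
    return str(ipaddress.IPv6Address(bytes(out)))


def extract_ipv4(prefix: str, ipv6: str) -> str:
    """What the NAT64 gateway does on the way out: recover the real IPv4 destination."""
    net = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError("%s is not inside the NAT64 prefix %s" % (ipv6, prefix))
    raw = addr.packed
    # for prefixes shorter than /96 the 'u' octet lies outside the prefix and must be zero
    if net.prefixlen < 96 and raw[8] != 0:
        raise ValueError("'u' octet (bits 64-71) must be zero in an IPv4-embedded address")
    return str(ipaddress.IPv4Address(bytes(raw[pos] for pos in _octet_positions(net.prefixlen))))


if __name__ == "__main__":
    # constructed sample: RFC 6052 documentation prefixes and the documentation IPv4 192.0.2.33
    for pfx in (WELL_KNOWN_PREFIX, "2001:db8:100::/40", "2001:db8:122::/48"):
        v6 = embed_ipv4(pfx, "192.0.2.33")
        print(pfx, "->", v6, "->", extract_ipv4(pfx, v6))
```

The gap at byte 8 is the detail that trips up hand-rolled implementations: for a /40 prefix the IPv4 octets land in bytes 5, 6, 7 and 9, not 5 through 8, and an address with a non-zero "u" octet should be rejected rather than decoded.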

    6. Jamie Jones Silver badge

      (gosh, if only there was a technology that could perform Network Address Translation.... oh, no, sorry, some fools condemned all that because "IPv6 would fix it all"... all that stuff that's not actually broke...)

      Wrong. IPv6 NAT exists, and is as easy as IPv4 NAT.

      Just because some "fools" say you no longer need to NAT, you can if you want. Heck, there is also DHCPv6 and IPv6 private-LAN address ranges if you really want to stay old school and stick with IPv4-type restrictions.

      Please don't make stuff up to suit your argument, or call people fools because they understand the headaches NAT can cause. It makes you sound like Trump.

    7. David Crowe

      Why would any network demand that you use IPv6 to access it? Unless it wants to cut itself off from a lot of the world?

  2. Palladium

    NAT

    Damn you NAT, why are you still so good at your job?

    1. Anonymous Coward

      Re: NAT

      So good, in fact, that I can send this from a private IPv6 address through a router that is using a dynamically assigned IPv6 address in an IPv6 block which it was assigned yesterday when I turned it back on.

      IPv6 supports NAT and Dynamic IP 100%, people telling you differently are spreading fake news.

      1. FIA Silver badge

        Re: NAT

        IPv6 supports NAT and Dynamic IP 100%, people telling you differently are spreading fake news.

        Isn't that the point? I must confess I've not read up on IPv6 for a while now, but the impression I got last time I did the reading is that I'd have all my internal devices on the private range (terminology??) and then use NAT to translate the first 64bits (or whatever size subnet the ISP gives me) to the external range.

        Then I'd have fixed internal IPs and bidirectional NAT would still allow everything to be externally addressable if I so desired as there's a one to one mapping with the last 64 bits.

        Or has all this changed or I misunderstood?

        Seemed like an elegant way of having a dynamic IP and publicly addressable stuff.

        (Obvs there'd be a firewall in there too so you'd have to explicitly allow access, but still...)

        1. Nanashi

          Re: NAT

          Normally you would just use your global addresses on the LAN. If you have a dynamic prefix and you want a fixed LAN range, you can run ULA on the LAN at the same time as the global addresses. It's not necessary to invoke any form of NAT at all to do any of this.

        2. Steve the Cynic

          Re: NAT

          Or has all this changed or I misunderstood?

          It hasn't changed, and you have misunderstood. I think.

          At home, my router is given a fixed IPv6 prefix, 2a01:stuff::/56, by my ISP. That doesn't change, even though the public IPv4 of its WAN interface changes every time anything reboots or disconnects/reconnects the router. (The key point, I think, is that that prefix belongs to the LAN interfaces of the router, not the WAN interface.)

          The router then distributes this prefix to the machines in my local network that need it(1). Being a 2a01 prefix, it's globally valid, not ULA, and there is no IPv6 NAT needed.(2)

          And yes, there's a firewall in there. A UTM, more specifically, which does a substantial amount of intrusion prevention and stateful inspection (and is even configured to tolerate this and that and the other alarm-raising behaviour ONLY from that small list of external addresses; some wacky behaviour on the part of the Steam store CDN, mostly).

          (1) The Windows 2000 VM that I boot up occasionally does not have IPv6 configured, so it doesn't have any need of this stuff.

          (2) That's almost true, but the IPv6 NAT that's needed is done by the UTM/IPS firewall to redirect DNS requests that are supposedly going to the WAN routerbox to instead go to an RPi that's running an Active Directory DC on Samba 4+ and Samba's internal DNS support. Windows 10 seems to behave very oddly if you configure automatic addressing and a forced DNS server address. Internet access *works* just fine, but the "you have Internet connectivity" detector thinks you're not connected.

          1. Jamie Jones Silver badge

            Re: NAT

            Steve and FIA, you're both right!

            Steve, what you are describing is the "typical" fixed network setup - much the same as if, in the IPv4 world, you had a block of IPv4 addresses allocated to you.

            What FIA is remembering is IPv6-to-IPv6 Network Prefix Translation (NPTv6), which is more or less as he/she remembers, but is designed not as a solution for home networks (obviously, there are enough IPv6 addresses around that this isn't necessary), but for portable networks, or networks which might change provider, and/or certain multihome situations. More reasons why this would be useful are in the first link:

            https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/networking/nptv6-overview

            http://www.rfc-editor.org/rfc/rfc6296.txt

            But yeah, as Steve described, the general experience will be with a permanently static address range - NPTv6 would have more niche uses.
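For the NPTv6 mechanism Jamie Jones points to, the translator rewrites the prefix statelessly and keeps the one's complement sum of the address words unchanged, so TCP/UDP checksums (which cover the addresses through the pseudo-header) need no recomputation and the mapping works identically in both directions without any per-flow state. The Python below is an added example, not code from the page, from RFC 6296 or from the Palo Alto documentation linked above, of that checksum-neutral rewrite. It follows RFC 6296 for prefixes of /48 or shorter (the adjustment goes into the subnet ID, word 3); placing the adjustment in word 4 for longer prefixes is a simplification of this example, and it does not cover every edge case in the RFC. The ULA internal prefix and the 2001:db8::/32 external prefix are made-up sample values.

```python
import ipaddress


def ones_add(a: int, b: int) -> int:
    """One's complement addition of two 16-bit words (end-around carry)."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)


def ones_sum(words) -> int:
    total = 0
    for w in words:
        total = ones_add(total, w)
    return total


def words_of(addr: ipaddress.IPv6Address):
    """The eight 16-bit words of an address, most significant first."""
    n = int(addr)
    return [(n >> (16 * (7 - i))) & 0xFFFF for i in range(8)]


def address_of(words) -> ipaddress.IPv6Address:
    n = 0
    for w in words:
        n = (n << 16) | w
    return ipaddress.IPv6Address(n)


class NPTv6:
    """Stateless, checksum-neutral prefix translation in the style of RFC 6296."""

    def __init__(self, internal_prefix: str, external_prefix: str):
        self.internal = ipaddress.IPv6Network(internal_prefix)
        self.external = ipaddress.IPv6Network(external_prefix)
        if self.internal.prefixlen != self.external.prefixlen or self.internal.prefixlen > 64:
            raise ValueError("prefixes must have equal length of at most /64")
        self.plen = self.internal.prefixlen
        # RFC 6296 adjustment: one's complement sum of the internal prefix words minus
        # that of the external prefix words (negation in one's complement is bitwise NOT).
        # network_address already has the bits outside the prefix zeroed.
        self.adjustment = ones_add(ones_sum(words_of(self.internal.network_address)),
                                   ~ones_sum(words_of(self.external.network_address)) & 0xFFFF)
        # Word that absorbs the adjustment: the subnet ID (word 3) for /48 and shorter,
        # as in RFC 6296; for longer prefixes this example uses the first IID word
        # (word 4), an assumption of this example rather than the RFC's exact rule.
        self.adjusted_word = 3 if self.plen <= 48 else 4

    def _translate(self, addr: str, src: ipaddress.IPv6Network,
                   dst: ipaddress.IPv6Network, adjustment: int) -> str:
        a = ipaddress.IPv6Address(addr)
        if a not in src:
            raise ValueError("%s is not inside %s" % (addr, src))
        host_bits = (1 << (128 - self.plen)) - 1
        rewritten = int(dst.network_address) | (int(a) & host_bits)   # swap the prefix
        words = words_of(ipaddress.IPv6Address(rewritten))
        words[self.adjusted_word] = ones_add(words[self.adjusted_word], adjustment)
        return str(address_of(words))

    def outbound(self, internal_addr: str) -> str:
        """Inside -> outside: internal prefix replaced by the external one."""
        return self._translate(internal_addr, self.internal, self.external, self.adjustment)

    def inbound(self, external_addr: str) -> str:
        """Outside -> inside: the reverse mapping, using the negated adjustment."""
        return self._translate(external_addr, self.external, self.internal,
                               ~self.adjustment & 0xFFFF)

    def checksum_neutral(self, internal_addr: str) -> bool:
        """Transport checksums cover the addresses, so their one's complement sum must
        survive translation. 0x0000 and 0xFFFF are the same value there, hence the modulo."""
        before = ones_sum(words_of(ipaddress.IPv6Address(internal_addr)))
        after = ones_sum(words_of(ipaddress.IPv6Address(self.outbound(internal_addr))))
        return before % 0xFFFF == after % 0xFFFF


if __name__ == "__main__":
    # constructed sample: ULA inside, documentation prefix outside
    npt = NPTv6("fd00:1234:5678::/48", "2001:db8:abcd::/48")
    inside = "fd00:1234:5678:1::10"
    outside = npt.outbound(inside)
    print(inside, "->", outside, "->", npt.inbound(outside),
          "checksum neutral:", npt.checksum_neutral(inside))
```

Note what the subnet ID does on the way out: subnet 1 inside becomes subnet 8c27 outside, because that word is carrying the checksum correction. An operator who expects internal subnet numbers to appear unchanged in external addresses, and writes firewall or log-matching rules on that basis, will be surprised.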

    2. naive

      Re: NAT

      And reverse web proxies like HAProxy, which, by using SNI, significantly reduce the need for external IP addresses.

      1. Lee D Silver badge

        Re: NAT

        Reverse proxies also allow access to IPv6 websites when you have no internal IPv6 whatsoever. Kind of the point of a proxy, in fact.

  3. A Non e-mouse Silver badge

    Birth of IPv6

    Whilst July 2017 may be the date of the (latest) RFC for IPv6, some of us have been running IPv6 for over a decade...

  4. AustinTX
    FAIL

    Never!

    IPv6 is all who-knows-how it works all-behind-the-scenes and I have no way of knowing if a hostile entity is punching straight through my firewalls or even re-routing my traffic because he knows the IPv6 secrets and my stupid SOHO router merely "supports" it.

    1. HighTension

      Re: Never!

      NAT is *not* a security feature! Firewall policies and rules are applicable to IPv6 in the same way as IPv4. E.g. in shorewall, a policy for a simple two-interface firewall looks like:

      #SOURCE #DEST #POLICY #LOG LEVEL

      int net ACCEPT

      fw net ACCEPT

      all all DROP info

      works equally well for both - accept outbound connections from the internal network and the firewall, drop and log everything else. It's really not that complicated, and with no NAT way more flexible (no more port-forwarding!)

      1. Sam Liddicott

        Re: Never!

        > NAT is *not* a security feature!

        and yet it successfully prevents unwanted external access for so many users, while permitting desired external access through UPnP and NAT helpers.

        Have you tried pushing an unexpected connection through a NAT router?

        1. HighTension

          Re: Never!

          With /horrible/ things like UPnP on consumer routers (which more often than not implement it and other things badly or incorrectly), it's not NAT that really provides the real security, it's the firewall (which on every consumer router I've seen in the last decade is turned on by default).

          And just to reiterate, at no point did I claim that NAT is not possible with IPv6. It's just not necessary.

          1. defiler

            Re: Never!

            And just to reiterate, at no point did I claim that NAT is not possible with IPv6. It's just not necessary.

            I was under the impression that NAT was regarded as a "bad thing" on IPv6, and that since everyone had a publicly routable address you shouldn't ever be using it.

            I do get people's reticence to abandon the safety net of IPv4 NAT, but it's really as simple as dumping any packets that aren't on an "established" session on the firewall. Shit, Draytek do that straight out of the box (although they didn't initially - oops!)

            My bugbear with IPv6 is that it was invented by somebody (or 1000 somebodies) looking at IPX with all of its autoconfiguration, and they pinched bits. But not enough to just let the client figure itself out. In the meantime we got stuff like DHCP for IPv4 and we're happy with that, but we suddenly have to configure using two mechanisms for IPv6? The firewall is absolutely the least of my worries...

            1. SImon Hobson Bronze badge

              Re: Never!

              I was under the impression that NAT was regarded as a "bad thing" on IPv6

              It's a "bad thing" on IPv4 as well. The problem is that so many people have never seen the efforts that have gone into working around the breakage it causes, haven't seen the countless piles of cash that (for example) VoIP providers have had to invest in proxy machines to work around how NAT breaks SIP. Not even good old FTP works without help from an ALG in the NAT gateway.

              Besides, with "home" routers coming with UPnP turned on by default, your security from NAT is (while not completely useless) severely compromised since ANY device on your network can ask the router "please open wide these inbound ports for me" and get them.

              So in response to the printer comment, all it takes is for ANY internal device to fake a UPnP request from the printer to the router and the printer can be accessible from the outside.

              There may be things that make IPv6 "difficult" - not using NAT isn't one of them.

        2. Christian Berger

          Re: Never!

          "Have you tried pushing an unexpected connection through a NAT router?"

          Well that usually doesn't work when you want it to work... usually thanks to ALGs you can sometimes get it to work by spoofing some data on a seemingly unrelated connection. (i.e. downloading a file over HTTP which contains FTP commands)

        3. Nanashi

          Re: Never!

          Have you tried pushing an unexpected connection through a NAT router?

          I have -- it worked fine. The form of NAT that we're talking about here (`iptables -t nat -A POSTROUTING -o wan0 -j MASQUERADE`, right?) only applies to outbound connections (that's the "-o wan0" part); it has no impact on inbound ones, which won't match the rule above.

          If you have a router that's NATing outbound connections, you can still do inbound connections just fine unless some other aspect of the router or network setup (such as... a firewall) prevents it.

          (I know that most networks have those aspects, but I set one up that NATed outbound connections yet still had working inbound connections just to prove that doing so does in fact work, and that it's not the NAT that's breaking the inbound connections.)

          1. Charles 9

            Re: Never!

            "If you have a router that's NATing outbound connections, you can still do inbound connections just fine unless some other aspect of the router or network setup (such as... a firewall) prevents it."

            How does one actually connect to an RFC1918 address behind a NAT without the inside connecting first? That's one reason a NAT is considered a safeguard: because it allows the LAN to use addresses that normally aren't routable on the outside, a defense in itself like an unpublished phone number.

            1. Anonymous Coward

              Re: Never!

              Exactly. Whoever wrote that obviously doesn't understand NAT, and that it doesn't need a firewall to provide security. How is anyone going to send packets to a PC at 192.168.1.100 from outside the NAT unless ports are being forwarded, or even send packets to the router unless there are open ports on the router on the WAN interface side. Typically management from e.g. HTTP is only enabled on the LAN by default, so the clueless home user doesn't have to worry about it.

              Security may not have been the reason for its existence, but it was a highly serendipitous benefit.

              1. Terafirma-NZ

                Re: Never!

                @DougS

                Wow and if you dig a hole in your driveway that should stop thieves getting to your house, or least by your description.

                NAT provides no security whatsoever, the printer mentioned above only needs to initiate a single outgoing packet to the router that will then open a port public side and any (that is ANY!) internet traffic that hits that port public side will be sent to the printer. About time people stopped confusing the basic "established" firewall rules used in home router devices for NAT providing security!

                As for how someone can route to your 192.168.1.0/24 IP space at home behind your NAT device: quite easily. Remember the box is just a router passing traffic from any connected subnet to another. This assumption just says I expect my ISP to not forward traffic using private addressing on the source or destination, and most don't do this. There are varying methods to get traffic destined to your private range at home to pass over the net.

                NAT simply states if traffic passing the router meets this rule then change the source/destination IP and/or port to something else, if it does not meet this rule then pass it unmodified. <- here see no security at all!

                Your firewall is what says if this traffic is from the WAN and is not for an established connection in the connection tracking table then drop it usually via the implicit deny any any rule at the bottom.

                Sure plenty of you will go on thinking NAT provides security until your IPv6 printer starts spitting out pages of unwanted messages - of course it won't as your ISP will have enabled the firewall by default.

                This doesn't even account for the open wireless access point installed on most home printers these days (a quick scan of my neighborhood shows plenty)

                1. Charles 9

                  Re: Never!

                  "Wow and if you dig a hole in your driveway that should stop thieves getting to your house, or least by your description."

                  Well-known technique. It's called a fosse. Now the thief has to cross the gap first, and most thieves don't come with ladders.

                  "As for how can someone route to your 192.168.1.0/24 IP space at home behind your NAT device. Quite easily remember the box is just a router passing traffic from any connected subnet to another. This assumption just says I expect my ISP to not forward traffic using private addressing on the source or destination and most don't do this. There are varying methods to get traffic destined to your private range at home to pass over the net."

                  But how does it work the other way, the way wardrivers are probing for devices behind the NAT? Since they're the ones initiating the connection, not the inside, how would they get through if the address is RFC1918 or some other range that's not supposed to be routable, or even routable to more than one destination?

                  1. HighTension

                    Re: Never!

                    Because, in the absence of a firewall, they can probe all ports on the public IP, and if they find any open, one or more of those could be the open external port of a NATed session. If they connect to said IP/port, they can reach the device behind the NAT.

                    1. Charles 9

                      Re: Never!

                      Exploiting an open connection is always an option, NAT or no. But if the internal device is purely internal (does not connect to the outside), then you basically have no way in if you're trying to connect from the outside, and you don't need the firewall for that; it's simply a matter of the basic rules causing incompatible routing. I originally said an unpublished number but it's more like a PBX: without a pre-existing route or help from the front desk, you can't just dial into any old extension in the system.

                      Put another way: why is Carrier-Grade NAT considered such a PITA if not for that catch?

                      1. HighTension

                        Re: Never!

                        @Charles9 One of the commentards was talking about a Home/SOHO router. You have to assume in this case that most devices behind it will be trying to talk to something on the outside (looking for updates, phoning home, checking for mail/tweets etc). And if nothing is connecting in or out you'd not really need any NAT anyway!

            2. Nanashi

              Re: Never!

              How does one actually connect to an RFC1918 address behind a NAT without the inside connecting first?

              Hey, I didn't say anything about RFC1918. We're talking about NAT here (the thing you get from doing `iptables -t nat -A POSTROUTING -o wan0 -j MASQUERADE` with netfilter, yes?). You can use RFC1918 without NAT and you can use NAT without RFC1918; they're two separate things.

              It's true that running a network on RFC1918 will drastically limit the set of people that can connect to it, but a) some people (e.g. your ISP, your government) can still connect, so it's not secure, and b) RFC1918 isn't NAT, so even if you think using RFC1918 makes you secure, it's still not NAT that's doing it.

              If anybody doesn't believe me, feel free to set up a few VMs and test it for yourself.

              1. Charles 9

                Re: Never!

                Wouldn't really matter either way. It's just that using RFC1918 addresses makes it that much more likely the packet stays inside.

                And I've got a better one for you. Why don't you prove it actually happens in real life by describing the means to do it using a spare home router, meaning one can easily do it at home using actual physical devices and wires?

      2. HighTension

        Re: Never!

        Wow, two thumbs down for that! Some real IPv6 loathing on here!

        1. Anonymous Coward

          Re: Never!

          Two thumbs down for repeating the myth that supporting IPv6 requires you to ditch your NAT.

          1. Chronos

            Re: Never!

            I don't see where HT said you must ditch NAT. What was said was that creating the exact same stateful filtering that NAT serendipitously provides is piss easy if you want to use globals on your internal network.

            The real myth here is that NAT is some kind of firewall. If that were true, why do we keep seeing C&C channels tunnelling in and out of RFC1918 nets?

            There's also the little "incompatibility" myth, which is shorthand for "oh fuck, we're going to have to do it properly this time" because you don't have the crutch of NAT being required to make your link to the outside world useful, which is what this argument really boils down to: We've all got comfortable with assuming there's a NAT layer there to do all your state tracking for you. Now you're going to have to write the dreadfully complicated few lines of firewall rules yourself. Mercy!

            Cue the "I can't remember prefixes with hex words in them" wailing and gnashing of teeth.

            1. Anonymous Coward

              Re: Never!

              Now you're going to have to write the dreadfully complicated few lines of firewall rules yourself. Mercy!

              No you're not.

              IPv6 supports everything IPv4 does. There's no need to make adopting it unnecessarily difficult by demanding people study long sysadmin courses just to set up their home network.

              1. Nanashi

                Re: Never!

                It's not exactly horribly difficult though, is it? If you know how to run these four commands:

                iptables -P FORWARD DROP

                iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

                iptables -A FORWARD -i lan0 -j ACCEPT

                iptables -t nat -A POSTROUTING -o wan0 -j MASQUERADE

                then you already know how to run these three commands:

                ip6tables -P FORWARD DROP

                ip6tables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

                ip6tables -A FORWARD -i lan0 -j ACCEPT

                It doesn't take a long sysadmin course to learn how to not run one command! What's everybody so afraid of?

                For the other 99% of people who don't know to set up the necessary firewall rules for a NATed network in v4, it's even simpler: just plug in the ISP-provided dumb box and away you go, just like you've always done it.
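Nanashi's argument here, and the earlier point that MASQUERADE only matches on -o wan0, can be checked without a spare router. The Python below is an added model, not netfilter itself and not code from any commenter, of the path a forwarded packet takes through the rules quoted in the comment above: it applies the four-rule IPv4 set, the three-rule IPv6 set, and a NAT-only variant with the FORWARD policy left at ACCEPT, to an outbound connection, its reply, and an unsolicited connection from outside aimed straight at a LAN address. The model assumes the unsolicited packet actually arrives on wan0 (that is, the upstream routed it there), which is precisely the scenario the thread argues over; packets addressed to the router itself (the INPUT chain) are not modelled, and the interface names, addresses and ports are made up.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    in_if: str          # interface the packet arrived on: "lan0" or "wan0"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = True    # True: opens a connection; False: belongs to an existing one


class Router:
    """Minimal model of the netfilter path a forwarded packet takes:
    nat PREROUTING (undo masquerading for replies) -> routing -> filter FORWARD
    -> nat POSTROUTING (MASQUERADE). Only forwarded traffic is modelled."""

    def __init__(self, lan_net: str, wan_ip: str, forward_policy: str,
                 stateful: bool, masquerade: bool):
        self.lan_net = ipaddress.ip_network(lan_net)
        self.wan_ip = wan_ip
        self.forward_policy = forward_policy   # iptables -P FORWARD {ACCEPT,DROP}
        self.stateful = stateful               # the --state RELATED,ESTABLISHED and -i lan0 ACCEPT rules
        self.masquerade = masquerade           # -t nat -A POSTROUTING -o wan0 -j MASQUERADE
        self.conntrack = set()   # (src, sport, dst, dport) of flows seen in their original direction
        self.nat_table = {}      # (wan_ip, port) -> (original src, original sport)

    def _out_if(self, dst: str) -> str:
        return "lan0" if ipaddress.ip_address(dst) in self.lan_net else "wan0"

    def process(self, pkt: Packet):
        """Return ("FORWARD", packet as sent on) or ("DROP", packet)."""
        # nat PREROUTING: a reply to a masqueraded flow gets its real destination back
        if pkt.in_if == "wan0" and (pkt.dst, pkt.dport) in self.nat_table:
            orig_src, orig_sport = self.nat_table[(pkt.dst, pkt.dport)]
            pkt = replace(pkt, dst=orig_src, dport=orig_sport)
        out_if = self._out_if(pkt.dst)

        # filter FORWARD: first matching rule wins, otherwise the chain policy
        verdict = self.forward_policy
        if self.stateful:
            forward_key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            reply_key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if forward_key in self.conntrack or reply_key in self.conntrack:
                verdict = "ACCEPT"          # -m state --state RELATED,ESTABLISHED -j ACCEPT
            elif pkt.in_if == "lan0":
                verdict = "ACCEPT"          # -i lan0 -j ACCEPT
        if verdict != "ACCEPT":
            return "DROP", pkt
        if pkt.syn:
            self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

        # nat POSTROUTING: MASQUERADE matches only on -o wan0, so traffic heading
        # into the LAN is never touched by it, solicited or not
        if self.masquerade and out_if == "wan0":
            self.nat_table[(self.wan_ip, pkt.sport)] = (pkt.src, pkt.sport)
            pkt = replace(pkt, src=self.wan_ip)
        return "FORWARD", pkt


def exercise(router: Router, lan_host: str, remote: str) -> dict:
    """Three packets: the LAN host opens a connection out, the reply comes back,
    then an unsolicited connection from outside aims straight at the LAN host."""
    v_out, sent = router.process(Packet("lan0", lan_host, 40000, remote, 443))
    v_reply, _ = router.process(Packet("wan0", remote, 443, sent.src, sent.sport, syn=False))
    v_unsolicited, _ = router.process(Packet("wan0", remote, 55555, lan_host, 22))
    return {"outbound": (v_out, sent.src), "reply": v_reply, "unsolicited": v_unsolicited}


def nat_only_router() -> Router:
    """Masquerading with an open FORWARD chain: NAT but no firewall."""
    return Router("192.168.1.0/24", "203.0.113.7", "ACCEPT", stateful=False, masquerade=True)


def ipv4_firewall_router() -> Router:
    """The four-rule IPv4 set from the comment above."""
    return Router("192.168.1.0/24", "203.0.113.7", "DROP", stateful=True, masquerade=True)


def ipv6_firewall_router() -> Router:
    """The three-rule IPv6 set: same filter, no MASQUERADE, global addresses on the LAN."""
    return Router("2001:db8:1::/64", "2001:db8:ffff::1", "DROP", stateful=True, masquerade=False)


if __name__ == "__main__":
    # constructed sample addresses from the documentation ranges
    print("NAT only :", exercise(nat_only_router(), "192.168.1.100", "198.51.100.9"))
    print("v4 rules :", exercise(ipv4_firewall_router(), "192.168.1.100", "198.51.100.9"))
    print("v6 rules :", exercise(ipv6_firewall_router(), "2001:db8:1::100", "2001:db8:2::9"))
```

With NAT alone, the unsolicited packet is forwarded to the LAN host untouched, because the only nat rule keys on packets leaving via wan0 and this one leaves via lan0; it is the DROP policy plus the state rule, identical in both address families, that stops it. That is the whole of the "one command fewer" point: the filtering rules carry over to ip6tables unchanged, and the rule you drop is the one that never provided the protection.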

              2. Chronos

                Re: Never!

                IPv6 supports everything IPv4 does. There's no need to make adopting it unnecessarily difficult by demanding people study long sysadmin courses just to set up their home network.

                There, you just did it again. Please stop putting words into people's mouths. Nowhere did I say that home users will have to do this; the router folks can and should do it by default. It's utterly trivial for a consumer router to know which interface is the LAN and which is the WAN and construct the firewall with or without NAT to a safe default. Of course, they probably won't given the historical state of UPnP, WPS and so on being similar in quality and thought for the end user as a British Leyland car built in the 70s but that's not my problem unless and until I get a job at Draytek et al.

                We, the El Reg commentards, are not consumers. If you want a discussion on consumer broadband, head on over to ThinkBroadband or Kitz where you will find untold thousands of like-minded users. The article addresses, therefore the comments are about, proper networking rather than consumer "hit generic chipset with a lump hammer until it sort of works, apply logo to /fs-overlay/var/www/images and ship" routers.

                For the avoidance of doubt, nobody was or is saying that v6 doesn't support NAT, that NAT should be ditched on consumer networks or that it'll require at least a CCNA to set up v6 in the home.

            2. HighTension

              Re: Never!

              Thanks for your support Chronos. Unfortunately it seems stating facts is not a way to popularity. Perhaps it was the wording "with no NAT", which I should have phrased as "no requirement for NAT".

              Having end-to-end addressing is also vastly more convenient for difficult protocols like SIP/RTP, IPSec, FTP and so on, without having to work around endless brain-dead ALGs and helpers that never work properly.

              1. Anonymous Coward

                Re: Never!

                Arguing over NAT isn't productive for encouraging people over to IPv6. Better to explain that they can still use a feature than to try to convince them that they don't want that feature.

                Characterising the downvotes on your post, which was about why not to use NAT, as people downvoting a post in favour of IPv6 will inevitably have escalated that issue.
