I'll get endless pushback for this, but the reality is that adoption isn't at 100%, it very closely needs to be, and there are still entire ISPs that only assign ipv4, to say nothing of routers people are buying and installing that don't have ipv6 enabled out of the box.

A much better solution here would have been an incredibly conservative "written on a napkin" change to ipv4 to expand the number of available address space. It still would have been difficult to adopt, but it would have the benefit of being a simple change to a system everyone already understands and on top of a stack that largely already exists.

I'm not proposing to abandon ipv6, but at this point I'm really not sure how we proceed here. The status quo is maintaining two separate competing protocols forever, which was not the ultimate intention.

"And what do you base this belief on?

Fact is you'd run into exactly the same problems as with IPv6. Sure, network-enabled software might be easier to rewrite to support 40-bit IPv4+, but any hardware-accelerated products (routers, switches, network cards, etc.) would still need replacement (just as with IPv6), and you'd still need everyone to be assigned unique IPv4+ addresses in order to communicate with each other (just as with IPv6)."[0]

0: https://news.ycombinator.com/item?id=37120422

If you treat IPv4 addresses as a routable prefix (same as today), then the internet core routers don't change at all.

Only the edge equipment would need to be IPv4+ aware. And even that awareness could be quite gradual, since you would have NAT to fall back on when receiving an IPv4 classic packet at the network. It can even be customer deployed. Add an IPv4+ box on the network, assign it the DMZ address, and have it hand out public IPV4+ addresses and NAT them to the local IPv4 private subnet.

IPv6 seems to be a standard that suffered from re-design by committee. Lots of good ideas were incorporated, but it resulted in a stack that had only complicated backwards compatibility. It has taken the scale of mobile carriers to finally make IPv6 more appealing in some cases than IPv4+NAT, but I think we are still a long way from any ISP being able to disable IPv4 support.

"Only"? That's still the networking stack of every desktop, laptop, phone, printer, room presentation device, IoT thing-y. Also every firewall device. Then recompile every application to use the new data structures with more bits for addresses.

And let's not forget you have to update all the DNS code because A records are hardcoded to 32-bits, so you need a new record type, and a mechanism to deal with getting both long and short addresses in the reply (e.g., Happy Eyeballs). Then how do you deal with a service that only has a "IPv4+" address but application code that is only IPv4-plain?

Basically all the code and infrastructure that needed to be updated and deployed for IPv6 would have to be done for IPv4+.

How could it have been otherwise given the original network structures were all of fixed lengths of 32 bits?

What we needed was the equivalent of ASCII->UTF8.

As I see it, the transition mechanism for some IPv4+ that 'only' has longer addresses is exactly the same as for IPv6: new code paths that use new data structures, with a gradual rollout with tech refreshes and code updates where hosts slowly go from IPv4-only to IPv4-and-IPv4+ at different rates in different organizations.

If you think it's somehow different, can you explain how it is so? What proposal available (especially when IPng was being decided on in the 1990s) would have allowed for a transition that is different than the one described above (gradual, uncoördinated rollout)?

* https://datatracker.ietf.org/doc/html/rfc1726

* https://datatracker.ietf.org/doc/html/rfc1752

DNS is like today: A and AAAA records for IPv4 and IPv4+ respectively.

Core routers do not need to know about IPv4+, and might never know.

The transition is similar to 6to4. The edge router does translation to allow IPv4+ hosts to connect to IPv4 hosts. IPv4 hosts are unable to connect to IPv4+ directly (only via NAT). So it has the similar problem to IPv6 that you ideally want all servers to have a full IPv4 address.

What you don't have is a completely parallel addressing system, requirements to upgrade all routers (only edge routers for 4+ networks), requirements to have your ISP cooperate (they can just give you an IPv4 and you handle IPv4+ with your own router), and no need that the clients have two stacks operating at once.

It's essentially a better NAT, one where the clients behind other NATs can directly connect, and where the NAT gradually disappears completely.

shrug

Most of the world is a circus.

In networking terms, this is like a protocol which can reach ipv4 hosts only but loses packets to the ipv4+ hosts randomly depending on what it passes through. Who would adopt a networking technology that fails randomly?

We've never done something like the v4->v6 migration before, on this sort of scale. It's not clear what the par time for something like this is. Maybe 30 years is a normal amount of time for it to take?

3 billion people sorta use ipv6, but not really, cause almost all of those also rely on ipv4 and no host can really go ipv6-only. Meanwhile, many sites are HTTPS-only.

Layer 3 of the Internet is the one that requires support in all software and on all routers in the network path, and those are run by millions of people in hundreds of countries with no central entity that can force them to do anything.

HTTP->HTTPS is only similar in terms of number of users, not in terms of the deployment itself. The network effects for IP are much stronger than for HTTP.

They don't "sorta" use v6, they're properly using it, and you can certainly go v6-only. I'm posting from a machine with no v4. Also, if you want to go there: HTTPS was released before IPv6, and yet still no browser is HTTPS only, despite how much easier it is to deploy it.

Most browsers now discourage plain HTTP with a warning. Any customer-facing server basically needs to use HTTPS now. And you're rare if you actually have no ipv4, not even via a tunnel.

If they only got one shot at changing HTTP, do you think they would have tied TLS to HTTP/2 or given up on HTTP/2 altogether?

I don't know if HTTP's job is easier. Maybe on the client side, since there were never that many browsers, but you have load-balancers, CDNs, servers, etc. HTTP/2 adoption is still dragging out because of how many random things don't support it. Might be a big reason why gRPC isn't so popular too.

HTTP->HTTPS is not equivalent in any way. The payload in HTTP and HTTPS are exactly the same; HTTPS simply adds a wrapper (e.g., stunnel can be used with an HTTP-only web server). Further HTTP(S) is only on the end points, and specifically in the application layer: your OS, switch, firewall, CPE, ISP router(s), etc, all can be left alone.

If you're not running a web browser or web server (i.e., FTP, SMTP, DNS, database) then there are zero changes that need to be made to any code on a system. This is not true for changing the number of bits the addressing space: every piece of code that calls socket(), bind(), connect(), etc, has to be touched.

Whereas the primary purpose of IPng was to expand the address space, which means your OS, switch, firewall, CPE, ISP router(s), etc, all have to be modified to handle more address bits in the Layer 3 protocol data unit.

Plus stuff at the application layer like DNS (since A records are 32-bit only, you need an entire new network type): entire new library functions had to be created (e.g., gethostbyname() replaced by getaddrinfo()).

I hear people say the IETF/IP Wizards of the 1990s should have "just" picked an IPng that was a larger address space, but don't explain how IPv4 and hypothetical IPv4+ would actually work. Instead of 1.1.1.1, a packet comes in with 1.1.1.1.1.1.1.1: how would a non-IPv4+ router know what to do with that? How would non-updated routers and firewalls be able to handle longer addresses? How would non-updated DNS code be able to handle new record types with >32 bits?

To answer the last question, routers would need IPv4+ support, just like ipv6 which already happened. The key is it's much easier for users to switch after. No dual stack, you get the same address, routes, DNS, and middleboxes like NAT initially. ISPs can't hand out longer addrs like /40 until things like DNS are upgraded in-place to support that, but again those are pretty invisible changes throughout the stack.

So exactly like IPv6: you need to roll out new code everywhere.

> The key is it's much easier for users to switch after. No dual stack, you get the same address, routes, DNS, and middleboxes like NAT initially. ISPs can't hand out longer addrs like /40 until things like DNS are upgraded in-place to support that, but again those are pretty invisible changes throughout the stack.

So exactly like IPv6: you need to roll out new code everywhere.

Would organization have rolled out in IPv4+ any differently than IPv6? Some early, some later, some questioning the need at all. It's the exact same coördination / herding cats problem.

* roll out new code everywhere

* enable the protocol on your routers

* get address block(s) assigned to you

* put those blocks into BGP

* enable the protocol on middleware boxes

* have translation boxes for new-protocol hosts talk to old-protocol-only hosts

* enable the protocol on end hosts

And just because you do it, does not mean anyone else would do in the same timeframe (or ever). You're back in the chicken-and-egg of whether servers/services do it first ("where are the clients?"), or end-devices ("where are the services?").

Application rework would be exactly the same as with v6, because the issue was not with v6 but with BSD Sockets API exposing low-level details to userland.

Congratulations, you’ve re-invented CGNAT, with none of the benefits, and the additional hassle of it being an entirely new protocol!

No. No “extra bits” on an IPv4 address would have ever worked. NAT itself is a bug. Suggesting that as an intentional design is disingenuous.

The edge router has an IPv4+ subnet (either a classic v4 address, or part of a v4+ address). It maintains an L2 routing table with ARP+, and routes IPv4+ packets to the endpoint without translation. Private subnetting and NAT is only needed to support legacy IPv4 clients.

CGNAT pools IPv4 public addresses and has an expanded key for each connection, and translates either 4 to 6 or into a private IPv4 subnet. My proposal needs no pooling and only requires translation if the remote host is IPv4 classic and the edge router is not assigned a full IPv4+/24.

And since the goal is “backwards-compatability”, you’d always need to poll, because a “legacy” IPv4 client would also be unable to send packets to the IPv4+ destination. Or receive packets with an IPv4+ source address.

And it would be an absolute nightmare to maintain. CGNAT + a quasi backwards-compatible protocol where the backwards-compatability wouldn’t work in practice.

So you would have exactly the same problem as IPv6. I can say the same about v4 and v6 today. You could just turn off IPv4 on the internet, and we’d only need to do translation on the edge for the legacy clients that would still use IPv4. You can even put IPv4 addresses in IPv6 packets!

Each v4 address has a corresponding /48 of IPv6 tunnelled to it. The router with that IP receives the tunnelled v6 packets, extracts them and routes them on natively to the end host. This is something that v6 already does, so you don't need to make posts complaining about how dumb they were for not doing it.

It's an edge based solution similar to NAT, but directly addressable. And given that it extends IPv4, I think it would have been much more "marketable" than IPv6 was.

But again, this is all counterfactual. The IETF standardized IPv6, and 30 years on it's still unclear that we will deprecate IPv4 anytime soon.

I base it on comparing how the IPv2 to IPv4 rollout went, versus the IPv4 to IPv6 rollout. The fact that it was incredibly obvious how to route IPv2 over IPv4 made it a no-brainer for the core Internet to be upgraded to IPv4.

By contrast it took over a decade for IPv6 folks to accept that IPv6 was never going to rule the world unless you can route IPv4 over it. Then we got DS-Lite. Which, because IPv6 wasn't designed to do that, adds a tremendous amount of complexity.

Will we eventually get to an IPv6 only future? We have to. There is no alternative. But the route is going to be far more painful than it would have been if backwards compatibility was part of the original design.

Of course the flip side is that some day we don't need IPv4 backwards compatibility. But that's still decades from now. How many on the original IPv6 will even still be alive to see it?

Or what do you mean by “parts of an IPv4 address and their meaning”?

That multicast on IPv4 isn’t used as much is irrelevant. It functions the same way in both protocols.

In my experience the differences are just an excuse, and however similar you made the protocol to IPv4 the people who wanted an excuse would still manage to find one. Deploying IPv6 is really not hard, you just have to actually try.

I think they also wanted to kill NAT and DHCP everywhere, so there's SLAAC by default. But turns out NAT is rather user-friendly in many cases! They even had to bolt on that v6 privacy extension.

With ipv6, that can be simplified with just a couple of /32 or /48 prefixes per AS.

How is IPv6 "so different" than IPv4 when looking at Layer 3 and above?

(Certainly ARP vs ND is different.)

Therefore if I'm on an IPv6 phone, odds are very good that my traffic winds up going over IPv4 internet at some point.

We're 30 years into the transition. We are still decades away from it being viable for servers to run IPv6 first. You pretty much have to do IPv4 on a server. IPv6 is an afterthought.

Just put Cloudflare in front of it. You don’t need to use IPv4 on servers AT ALL. Only on the edge. You can easily run IPv6-only internally. It’s definitely not an afterthought for any new deployments. In fact there’s even a US gov’t mandate to go IPv6-first.

It’s the eyeballs that need IPv4. It’s a complete non-issue for servers.

Why do I have to get some third party involved??

Listen, you can be assured that the geek in me wants to master IPv6 and run it on my home network and feel clever because I figured it out, but there's another side of me that wants my networking stuff to just work!

NAT is RFC 1631.

IPv6 is RFC 1883.

Admitted, that was very basic NAT.

Actually, my bad. NAT was NEVER standardized. Not only NAT was never standardized, it’s never even been on standards track. RFC 3022 is also just “Informational”

Plus, RFC 1918 doesn’t even mention NAT

So yes, NAT is a bug in history that has no right to exist. The people who invented it clearly never stopped to think on whether they should, so here we are 30 years later.

The protocols involving NAT are what end up on the standards track like FTP extensions for NAT (RFC 2428), STUN (RFC 3489), etc.

201.20.188.24.6

And most of what they know about how it works clicks in their mind. It just has an extra octet.

I also think hardware would have been upgraded faster.

Something like aaff:a.b.c.d

Leaving off the prefix: could just mean strictly IPv4.

It didn’t speed up adoption and people then tried most of the other solutions people are going to suggest for IPv4+. Want the IPv4 address as the network address instead? That’s 2002:a.b.c.d/48 - many ISPs didn’t deploy that either

For people who deal with ip addresses, the switch from ipv4 to ipv6 means moving from 4 digits (1.2.3.4) to this:

   2001:0db8:0000:0000:0008:0800:200c:417a
   2001:db8:0:0:8:800:200c:417a
   2001:db8::8:800:200c:417a

Plus switching completely to ipv6 overnight means throwing away all your current knowledge of how to secure your home network. For lazy people, ipv4 NAT "accidentally" provides firewall-like features because none of your home ipv4 addresses are public. People are immediately afraid of ipv6 in the home and now they need to know about firewalls. With ipv4, firewalls were simple enough. "My network starts with 192.168, the Internet doesn't". You need to learn unlearn NAT and port forwarding and realise that with already routable ipv6 addresses you just need a firewall with default deny, and then add rules that "unlock" traffic on specific ports to specific addresses. Of course more complexity gets in the way... devices use "Privacy Extensions" and change their addresses, so making firewall rules work long-term, you should use the device's MAC Address. Christ on a bike.

I totally see why people open this bag of crazy shit and say to themselves "maybe next time I buy a new router I'll do this, but right now I have a home with 4 phones, 3 TVs, 2 consoles, security cameras, and some god damn kitchen appliances that want to talk to home connect or something". Personally, I try to avoid fucking with the network as much as possible to avoid the wrath of my wife (her voice "Why are you breaking shit for ideological reasons? What was broken? What new amazing thing can I do after this?").

Try `ping 16909060` some day :-)

LOL. Yup. What can I do after this? The answer is basically "nothing really" or "maybe go find some other internet connection that also has IPv6 and directly connect to one of my computers inside the network (which would have been firewalled I'd hope so I'd, what, have to punch open a hole in the firewall so my random internet connection's IPv6 can have access to the box? how does that work? I could have just VPN'd in with the IPv4 world).

Seriously though, how do I "cherry pick hole punch" random hotel internet connections? It's moot anyway because no hotel on earth is dishing out publicly accessable IPv6 addresses to guests....

Just like for an apartment you append something like 5B. And for a house you don't need that.

I don’t even buy your way of thinking - unlike an “engineering” solution or an “incentives” solution, the problem with “social solutions I speculate about” is: they offer nothing until implemented. They are literally all the same, no difference between the whole world of social solutions, until they are adopted. They are meaningless. They’re the opposite of plans.

Like what’s the difference between IPv4+, which doesn’t exist, and “lets pass a law that mandates ipv6 support”? Nothing. This is what the mockery of “just pass a law” is about. I don’t like those guys, but they are right: it’s meaningless.

It couldn't do that reliably. We don't have any flags left for that that. Options are not safe. We've got one reserved flag which is anyways set to 0, so that's not safe either.

There's the reserved bit (aka the evil bit[1]). Are you saying gear out there drops packets with reserved bit set to 1? Wouldn't surprise me, just curious.

Seems like IPv4+ would have been a good time to use that bit. Any IPv4+ packets could have more flags in the + portion of the header, if needed.

[1]: https://en.wikipedia.org/wiki/Evil_bit

For ping, I think it originally had different binaries because ICMPv4 and ICMPv6 are different protocols, but Linux has had a dual-stack `ping` binary for a very long time now. You can just use `ping` for either address family.

The ISPs aren't gonna do it on their own.

But IPv4 will never, ever die. The rise of NAT as a pervasive security paradigm[1] basically neuters the one true advantage IPv6 brought to the table by hiding every client environment behind a single address, and the rise of "cloud everything" means that no one cares enough about reaching peer devices anyway. Just this morning my son asked me to share a playlist, so of course I just send him a link to a YouTube Music URL. Want to work on a spreadsheet for family finances with your spouse in the next room? It lives in a datacenter in The Dalles.

[1] And yes, we absolutely rely as a collective society on all our local devices being hidden. Yes, I understand how it works, and how firewalls could do this with globally writable addresses too, yada yada. But in practice NAT is best. It just is.

Honestly it's a huge success due to this fact alone.

IPv6 is failure only if you measure success by replacing IPv4 or if you called "time" on it before the big mobile providers rolled it out. The fact that all mobile phones support it and many mobile networks exclusively deploy it tells you what you really need to know.

IPv6 is a backbone of the modern Internet for clients, even if your servers don't have to care about it due to nat64.

Ultimately, an address system that replaces “1.1.1.1” with “JEDBSO:7372B6D6A:727:8:72829:762927” or whatever just isn’t viable.

Even AWS doesn’t let you use IPv6 with anything… and they charge you for using IPv4 now.

Shocking it took them so long but, hey, it's there now.

I can tell you what is what simply from the Ipv4 address, but when its IPv6, my dyslexia is going to kick my behind.

Readability reduces errors, and IPv6 is extreme unreadable. And we have not talked yet about pre-fix, post-fix, that range :: indicator, ... Reading a Ipv6 network stack is just head pain inducing, where as Ipv4 is not always fun but way more readable.

They where able to just extend IPv4 with a extra range, like 1.192.120.121.122, 2.... and you have another 255 Ipv's ... They did the same thing for the Belgium number plates (1-abc-001) and they will run out in the year 11990 somewhere lol...

The problem is, that Ipv6 is over engineered, and had no proper transition from Ipv4 > Ipv6 build in, and that is why 30 years later, we are still dealing with the fallout.

Of course that’s due to the relatively small amount of information it contains and having a larger address space is always going to break that.

I think the same thing happens on a different scale with ISPs. They don't want to deal with it until they have to for largely the same reason.

In my experience it’s much easier and much more pleasant do deal with. Every VLAN is a /64 exactly. Subnetting? Just increment on a nibble boundary. Every character can be split 16 ways. It’s trivial.

You don’t even need to use a subnet calculator for v6, because you can literally do that in your head.

Network of 2a06:a003:1234:5678::555a:bcd7/64? Easy - the first 4 octets.

Network of 10.254.158.58/27? Your cheapest shotgun and one shell please.

"Easy,2a06:a003:1234:5678"

"2806:8003: and then what, I forgot the rest?"

remembering 2a06:a003:1234:5678::555a:bcd7/64. Your cheapest shotgun and one shell please.

e.g. you’ll get 2a06:a003:1234::/48 from the ISP - what you’ll really need to remember is the 2a06:a003:1234:xxxx::/64 part. And I use the VLAN id for the xxxx part. Trivial.

I DO think using 64 bits for hosts was stupid but oh well.

Why have so, so many address bits and then give us so few for subnetting? People shame ISPs endlessly for only giving out /56s instead of /48s, pointing at the RFCs and such. But we still have 64 entire bits left over there on the right! For what? SLAAC? Was DHCP being stateful really such a huge problem that it deserves sacrificing half of our address bits?

We're past that for a decade, but various services have not caught up yet https://datatracker.ietf.org/doc/html/rfc6177

         The actual intention has always been that there be no hard-
         coded boundaries within addresses, and that Classless Inter-
         Domain Routing (CIDR) continues to apply to all bits of the
         routing prefixes.

Hey man, if I want to assign an address for each individual transistor in my system, that's my business.

I'm not sure what that feature would be though.

Networking should be boring.

Small site multihoming, for example, is an absolute disaster. Good luck if you're trying to add a cellular backup to your residential DSL connection.

IETF says you should either have multiple routers advertising multiple provider-assigned prefixes (a manageability nightmare), or that you should run BGP with provider independent address space; have fun getting your residential ISP or cellular carrier onboard with this idea.

They're not building products, and they're not supporting, visiting or even talking to their customers. Design-by-committee is a full time job that people actually building things for a living tend to not have time for.

The fact is that already in 1993 routing tables were just too big, and the fact is that having a "flat" address space was always going to mean huge routing tables, and the fact is that because IPv6 is still "flat" routing tables only got larger.

The fix would have been to have a subset of the address space that is routed as usual for bootstrapping ex-router address->AS number mapping, and then do all other routing on the basis of AS numbers _only_. This would have allowed us to move prefix->AS number mappings into.. well, DNS or something like it (DNS sucks for prefix mapping, but it could have been extended to not suck for prefix mapping), and all routing would be done based on AS numbers, making routing tables in routers _very small_ by comparison to now. Border routers could then have had tiny amounts of RAM and worked just fine. The IP packets could have borne AS numbers in addition to IP addresses, and all the routers in the middle would use only the AS numbers, and all the routers at the destination AS would know the routes to the destination IPs.

But, no. Great missed chance.

Well, we still could do this with IPv6, but it would be a lot of heavy lifting now.

EDIT: Ah, I see draft-savola-multi6-asn-pi existed.

EDIT: Ah, see also LISP [https://www.rfc-editor.org/rfc/rfc6830]. But LISP is essentially dead.

Yes, an interface can hsve two separate IPv6 addresses, but that doesn't make it easy.

If you do the easy and obvious thing of setting up two routers to advertise their prefix with your preferred priority when they're available (and advertise it as unavailable when they're not), your devices are likely to configure themselves for addresses on both prefixes, which is great.

Then when you open a new tcp connection (for example), they'll pick a source address more or less randomly... There's a RFC suggestion to select the source address with the largest matching prefix with the destination address, which is useful if the prefix is pretty long, but not so useful when the prefix is 2001:: vs 2602::

Anyway, once the source address is selected, the machine will send the packet to whichever router most recently sent an announcement. Priorities only count among prefixes in the same announcement. If you manage to get a connection established, future packets will use the same source address, but will be sent as appropriate for the most recently received advertisement.

This is pretty much useless, if you want it to work well, you're better off with NAT66 and a smart NAT box.

I would experiment with advertising two default routes, one with a significantly higher metric than the other. Most / all outgoing traffic would go through one link then. If you want to optimally load both uplinks, you likely need a more intelligent (reverse) load balancer.

That's the problem. It sounds like it would work if you do this. The documentation suggests multi homing like this would work. When your server gets a request, it sends back the response from the address it received on... but the problem is what router it sends to; when it sends to the correct router, everything is good, when it sends to the wrong router, that router's ISP should drop the packets, because they come from a prefix they don't know about.

> I would experiment with advertising two default routes, one with a significantly higher metric than the other.

Sounds like it would work, but as far as I've found, the priority metric only works if the prefixes are in the same advertisement. If each router advertises its own prefix, the actual metric used is most recent advertisement wins as default route.

Because it breaks your network when that router goes away. Your switch ACLs, firewall rules, and DNS records all become invalid because they contain addresses that no longer exist, that your devices continue trying to reach anyway.

So every time I got a new prefix, machines would lose connectivity, usually until I rebooted them.

Switched to OpenWRT which respected my ULA.

But with multi-homing you would need to actively test which of your uplinks has Internet access anyway, won't you? And you would have to react somehow when one of your uplinks goes down.

It's easiest to do by abstracting your site away. Make it use a LAN, and do port-forwarding and proxying through a box that knows about the multiple uplinks, and handles the switch-over when one of them goes down. I don't see how it might be easier with IPv4 than with IPv6.

I still assume that you don't want the internals of your office network directly accessible via the public Internet, even when you easily can; VPNs exist for a reason.

> It's easiest to do by abstracting your site away. Make it use a LAN, and do port-forwarding and proxying through a box that knows about the multiple uplinks, and handles the switch-over when one of them goes down. I don't see how it might be easier with IPv4 than with IPv6.

In the IPv6 world, this is pretty much what you have to do. A whole lot of extra complexity and expense that you didn't have previously.

And IPv6 has the benefit of a significantly simpler 1:1 NAT.

The answer in this case ends up being solutions like explicit web proxies, or alternatively a VPN concentrator or the like from which you can receive a routable prefix delegation, and then run multiple tunnels to satisfy your own availability or policy routing needs. Either way, you’re building some complex infrastructure to overcome regressions imposed upon you at layer 3.

That doesn't solve the problem. DNS remains broken until each and every device, assuming VERY generously that it is capable of dynamic DNS at all, realises that one of its prefixes has disappeared and it updates its DNS records. With DNS TTL and common default timeouts for prefix lifetime and router lifetime, that can take anywhere from 30 minutes to 30 days.

> and firewall rules should be on the subnet boundary in this scenario, any decent firewall (including referee PFsense/OpnSense) support ACLs that follow IPv6 address changes.

This requires you to assign one VLAN per device, unless perhaps you've got lots of money, space, and power to buy high end switches that can do EVPN-VXLAN so that you can map MAC addresses to SGTs and filter on those instead.

What device on your office LAN should maintain its own DNS records? Advertise your own caching DNS server over DHCP(6), give its responses a short TTL (10 sec), make it expire the relevant entries, or the whole cache, when one of your links goes down. I suppose dnsmasq should handle this easily.

It seems that the discussion turned away from a multi-homed setup (pooling the bandwidths of two normally reliable links) to an HA/failover setup (with two unreliable links, each regularly down).

It either needs to be able to update DNS by itself (a la Active Directory), or it needs to be able to give the DHCP server a sensible hostname in order for DHCP to make this update on its behalf, which most IoT devices cannot.

People like you talking about IPv6 have the same vibe as someone bewildered by the fact that 99.9% of people can’t explain even the most basic equation of differential or integral calculus. That bewilderment is ignorance.

"Easy" is meant in that context. The people acting like the IPv4 version is easy.

So your second paragraph doesn't fit the situation at all.

"The shit about IPv6" is a mess of approaches that even the biggest fanboys can't agree on and are even less available on equipment used by people in prod.

IPv6 has failed wide adoption in 30 decades, calling it "easy" is outright denying the reality and shows the utter dumb obliviousness of people trying to push it and failing to realize where the issues are.

Not an issue in ipv4 because ARP isn't IPv4 so IP traffic shaping ignores it automatically.

Android doesn't support DHCPv6 so I can't tell it my preferred NTP server, and Android silently ignores your local DNS server if it is advertised with a IPv4 address and the Android device got a IPv6 address.

Without DHCPv6 then dynamic DNS is required for all servers. Even a 56 bit prefix is too much to remember, especially when it changes every week. So then you need to install and configure a dynamic DNS client on all servers in your network.

This is not even that unreasonable. Sadly, the number of IP devices in the world by now far exceeds the IPv4 address space, and other folks want to do something about that. They hope the world won't freeze but would sort of progress.

It’s not hard for people who get an appropriate education and put some effort into it. Your lack of education is not my ignorance.

The difficulty of setting IPv6 up at your house vs. the needs of a multi-homed, geographically diverse enterprise couldn't be more dissimilar.

I'd lay off the judgment a bit.

BTW a homelab often tries to imitate more complex setups, in order to be a learning experience. Can these difficulties be modelled there?

all of it ipv4 based. ipv6 maybe in distant future somewhere on the edge in case our clients will demand in.

inside our network - probably not going to happen

Public-interfacing parts can (and should) support IPv6, but I don't see much trouble exposing your public HTTP servers (and maybe mail servers) using IPv6, because most likely your hosting / cloud providers do 99.9% of it already, out of the box (unless it's AWS, haha), and the rare remaining cases, like, I don't know, a custom VPN gateway, are not such a big deal to handle.

amount of work to support ipv6 on the edge will be very big and none of our clients asked for it as far as i know.

the only time we discussed it, it's when we were getting fedramp certification. because of this https://www.gsa.gov/directives-library/internet-protocol-ver...

This is neither hard nor expensive.

Mind you, our team discussed this numerous times over a few years and never came up with a solution that didn't look like it would require us to completely fork-lift what we were doing. The whole team was FOR getting us to v6, so there was no dogmatic opposition.

Consider this:

25k employee company. Four main datacenter hubs spread out across the USA with 200 remote offices evenly dual-homed into any two of the four.

All four of the DCs had multi-ISP Internet access advertising their separate v4 blocks and hosting Internet services. The default-route was redistributed into the IGP from only two locations, site A and B. e.g. two of the four DCs were egress for Internet traffic from the population of users and all non-internet-facing servers. IGP metrics were gently massaged as to fairly equally use of both sites.

All outbound traffic flowed naturally out of the eastern or western sites based on IGP metrics. This afforded us a tertiary failover for outbound traffic in the event that both of the Internet links into one of the two egress sites was down. e.g., if both of site A's links (say, level-3 and att) were down, the route through site A was lost, and all the egress traffic was then routed out site B (and vice-versa). This worked well with ipv4 because we used NAT to masquerade all the internal v4 space as site X's public egress block. Therefore all the return traffic was routed appropriately.

BGP advertisements were either as-path prepended or supernetted (don't remember which) such that if site A went down, site B, C, or D would get its traffic, and tunnel it via GRE to the appropriate DC hub's external segment.

The difficulty was that traffic absolutely had to flow symmetrically because of the firewalls in place, and easily could for v4 because NAT was happening at every edge.

With v6 it just didn't seem like there was any way to achieve the same routing architecture / flexibility, particularly with multi-homing into geographically disparate sites.

I'm not sure anymore where we landed, but I remember it being effectively insurmountable. I don't think it was difficult for Internet-hosted services, but the effort seemed absolutely not worth it for everything on the inside of the network.

That’s before you go on to using PBR. I want to route traffic with different dscp via different routes.

Ultimately I want the rout g to be handled by the network, not by the client.

IPv4 and nat makes that a breeze.

edit Less flippantly, what are you wanting to base the routing rule on? What's your ipv4 routing rule?

DSCP is allowed in ipv6.

https://www.juniper.net/documentation/us/en/software/junos/c...

The "proper" way would be to get your own ASN and use BGP to route the traffic.

If you're wanting to use a secondary WAN link as a backup for when the other goes down you could have the backup link's LAN have a lower priority. (So I guess hope everything implements RFC 4191 like you said).

You can use NAT66/NPTv6 if you want (though it's icky I guess).

How are you doing it currently?

Sadly my 4g provider will not peer via bgp with me, even if I could provide an AS and Sufficiently large IP range.

I think my home ISP will actually peer with me, but I’d have to tunnel to them over my non-fibre connection, and there’s reduced resilience in that case.

At work that wouldn’t help at all, there are very few providers for many of our branch offices.

So once again ipv6 only works with “icky” nat, or on simple 1990s style connections, and not in the real world of multiple providers. Now sure I can do npt which means I don’t need to keep track of state, but then if I didn’t keep track of state I lose the benefits of a stateful firewall.

As such the only benefits of nat on v6 is that source ports will never need to change even if client 1 and client 2 both send to server 1 port 1234 from source port 5555. This helps with a handful of crappy protocols which embed the layer 4 data (port number) in a layer 6 or 7 protocol.

In the case of pfSense this is a recent change. It was not supported when I migrated away from it less than five years ago.

I am thinking that since an option starts with 2 bytes and everything must be padded to a multiple of 4 bytes, we can add 16 bytes to the packet, which would hold 7 extra address bytes per source and destination, giving us 11 byte addresses. ISPs would be given a bunch of 4-byte toplevel addresses and can generate 7-byte suffixes dynamically for their subscribers, in a way that is almost the same as CGNAT used today but without all the problems that has.

Most routers will only need to be updated to pass along the option and otherwise route as normal, because the top level address is already enough to route the packet to the ISP's routers. Then only at the edge will you need to do extra work to route the packet to the host. Not setting the option would be equivalent to setting it to all 0s, so all existing public hosts will be automatically addressable with the new scheme.

There will of course need to be a lot more work done for DNS, DHCP, syntax in programs, etc, but it would be a much easier and more gradual transition than IPv6 is demanding.

Plus, it's only 2048x the address space. It's within the realm of possibility that we will need to upgrade again once this place is swarming with robots.

Then the government could, for example, limit criminals' access to the internet by mandating that their packets be dropped on most major ISPs, or at least deprioritised.

I suspect by "incredibly conservative" you mean "backwards compatible", which... no. You can't make an addressing extension backwards compatible with hardware that doesn't read all of the address. Of course, we did that anyway with CGNAT, and predictably it causes huge problems with end-to-end connectivity, which is the whole point of IPv6. You're probably thinking more along the lines of an explicit "extension addressing header" for v4. Problem is, that'd mean a more awkward version of IPv6's /64 address split[0], combined with all sorts of annoying connectivity problems. The same corporate middleboxes that refuse to upgrade to IPv6 also choke on anything that isn't TCP traffic to ports 80 and 443. So you'd need Happy Eyeballs style racing between CGNAT IPv4 and "extended IPv4".

Also, that would just be a worse version of 6in4. Because they also thought of just tunneling IPv6 traffic in IPv4 links. I don't think you understand how incredibly conservative IPv6 actually is.

The problem with "incredibly conservative" IP extensions is that nothing beats the conservatism of doing literally nothing. IT infrastructure is never ripped out and replaced unless there is a business case for doing so. The current problem with IPv6 adoption is that nobody has yet said "let's stop processing IPv4 traffic", they've only said "let's get more dual-stack hosts online", which is a process that only asymptotes to 100% IPv6, and never reaches it.

IPv4 was not the first version of the Internet protocol. That honor goes to Network Control Protocol (NCP). The reason why we don't have an asymptotic long tail of Internet hosts still demanding NCP connectivity is because this was back when "having a connection to the Internet" meant "having a connection to ARPANET". The US military could just refuse to process NCP packets and actively did this to force people onto IPv4. Now imagine if someone big like Google said "we're going to stop accepting IPv4 connections" - people would jump onto v6 immediately.

[0] Let's say we add a 32-bit extension header onto IPv4

But that baggage is a huge part of the problem. Almost nothing you know about IPv4 applies when you switch to IPv6, and most of us found that out the hard way when we tried to make the switch. Leaves a pretty bad taste in your mouth.

The things I need to think about are precisely the things that changed radically. Firewall rules aren't the same due to prefix changes and no NAT. DHCP isn't the same, DNS isn't quite the same, distributing NTP servers isn't the same.

Almost nothing of what I knew about configuring my home router for IPv4 has transferred to IPv6 configuration.

Also a nitpick: switching is irrelevant here, that’s L2. L2 doesn’t even know what’s an IP address :)

There was some dude on YouTube that resurrected the first Ethernet bridge (which was built for thicknet) - I recall even that worked with IPv6.

This is exactly what I'm talking about. When you have problems with your IP network, that's the first thing you try and figure out, "what's my address? Why is that my address? Did it change? If so, why? Are other devices able to get packets? What are their addresses? Why can those addresses get packets but this address can't?"

Mobile carriers have done that between consumer devices and network towers. That forced a lot of innovation (including tools like better DNS64 and "happy eyeballs" protocols) and network stack hardening.

The roll out of out CGNAT in some cases is "let's drop IPv4 traffic randomly" and "happy eyeballs" in consumer devices is transparently driving a lot of consumer traffic to IPv6.

This is why mobile and consumer devices are leading the pack on IPv6 adoption.

It's maybe not all of Google that next needs to say "we're going to stop accepting IPv4 traffic", it's maybe more specifically GCP (and AWS and Azure) that need to do that to drive the non-consumer IPv6 push we need. The next best thing would be for all the cloud providers to at least start raising IPv4 address prices until their clients start to feel them.

One of the giant CDNs translates all IPv4 traffic to IPv6 at the edge (stateless NAT46) and is IPv6-only in its core network (for one of its primary product networks; like everybody they have multiple networks.)

Oh and btw, your address is now 9245593924 Oak St.

I hate social media more than most people do, and I don't use tiktok and don't think anyone else should, but can we all please stop comparing a mobile phone app to using heroin? It's misinformed and dangerous to make rhetorical comparisons like that.

Everyone knows Facebook/Meta is actually the heroin. A product intentionally designed to steal your life and enrich its owners. Duh

Is this a satirical post? I'm really struggling to comprehend it coherently

Did you mean nicotine?

> Only people with no actual life experience with drugs or drug users would make such an asinine and overtly hyperbolic statement as that.

Ma'am withdrawing from tiktok cannot kill you. Consuming tiktok cannot kill you. Tiktok does not make you shit yourself

Also assuming your heroin isn't tainted it isn't toxic and you can have a normal life expectancy.

Can we all stop pretending it's a not an issue?

The US did a good job of taking those away, so it's hard to complain when others come in to fill that void.

Unfortunately, whether it's a deadly drug or a deadly disease, these casual references are unlikely to drop from public discourse anytime soon. And I personally would rather live in a world where insensitive or potentially-triggering language is gently discouraged, than one where the pendulum swings too far the other way towards censorship or radical left woke cancel culture. Words can be unintentionally callous without being "micro-aggressions". (And I say that as a liberal progressive.)

Thanks for posting in a personal and persuasive manner, instead of anger. Yours is the more effective approach anyway.

I'd hope to hold this community to a higher standard than "the public discourse".

TikTok is in no way like heroin, stop using that false analogy

If it's the first thing you think about when you wake up, and it kills you to sleep at night, and you think about it all day, sure, one's a highly addictive habit that destroys lives, and the other is heroin. Which is also a highly addictive habit that destroys lives. Funnily enough, one destroys lives because it's legal, and the other destroys lives because it's illegal. But if you're taking your phone to bed with you at night, and it's the first thing you check in the morning, before you even have a thought to yourself, okay, you're not injecting it with a needle under a freeway underpass but after you get fired for watching TikTok on the clock and can't pay your rent, is you're landlord gonna care when you don't pay rent whether you got fired for drugs or a smartphone addiction?

some people feel like they are addicted to short form content but it’s really nothing like a drug addiction much less an addiction to something as devastating as heroin

It's highly addictive. The negative effects are somewhat diffuse and may take a while to really impact your life, but they're very real.

And, rather importantly, it's legal and widely available, and the industry behind them is suppressing evidence of their harms and making tons of money off of addiction.

TikTok causes chemical release in the brain and which can cause other self psychological damage. Heroin causes chemical release in the brain in the brain, and can cause other self psychological damage.

Both are addictions, both are hard to fight. Some find it easier some find it hard.

The effects of one are more devastating sure, Alcohol is more damaging than Caffeine; I'm not ruling that out.

However the effects of Heroin which comes with addiction and the cravings are some-what mimicked within the realms of TikTok.

To op below: I'm now rate limited, so I can't reply directly.

A drug, a real life substance that is designed to alter human chemistry. Cannabis, Caffine, MDMA, DMT all alter your brain chemistry organically.

You cannot compare one or to something that is man-made digital. You can however compare the effects of a substance that is organically designed to that of something is digital. The relation of effects of TikTok to Heroin are very similar.

Social media is being designed as a digital service to alter human chemistry. It works, why do you think the world is in utter shit? Why do you think social enterprises pay big bucks to exploit the human psyche by hiring sociologists/psychologists?

The TikTok icon on mobile devices is strategically designed to manipulate and trigger a response.

Facebook is a grand example with the A/B emotional testing they did with Cambridge Analytica which that is that is far worse then heroin IMO. At least with Heroin you need to inject.

You're literally describing any activity that someone enjoys generating natural dopamine, and then comparing it to a drug that crosses your blood-brain barrier and mimicks your brain's chemistry to give you a super-charged chemical version of that. The difference in dopamine levels is orders of magnitude. Your brain re-wires itself to handle the level of dopamine produced and you start only feeling normal if you're constantly using the drug. I would be surprised if Tiktok generated even 1/10th the dopamine level of using methamphetamine. It all honestly sounds quite fun, but my awareness of the consequences will prevent me from ever trying them.

Eating a good meal, having sex, finishing writing your first novel, winning a race, doing breath work, doing yoga, rock climbing, and an unlimited supply of examples generate dopamine in our brains the same way that Tiktok does. They can all ruin your life just as much, if you allow them to.

A much better comparison would be to describe Tiktok as a "digital slot machine", and indeed slot machine mechanics have been heavily studied by social media platforms to make usage more habitual. Nir Eyal's Hooked was an interesting and informative read on this topic. If he describes social media as heroin in the book I'll happily take the self-own.

> TikTok causes chemical release in the brain

Basically everything causes a chemical release in the brain. For example HN does as well, would you compare posting on HN to heroin?

> both are hard to fight

I know and knew people both addicted to heroin and to TikTok. Let me assure you that ditching a short-form content addiction is VASTLY more easy than ditching heroin.

> the effects of Heroin which comes with addiction and the cravings are some-what mimicked within the realms of TikTok

This is true for everything that humans enjoy. Next you gonna say that talking a walk in nature or working out is like heroin because I enjoy it and I’m addicted to it (if I don’t do it every day I feel bad and I have a compulsion to do it every day)

> why do you think the world is in utter shit

I disagree with that assessment, the “world” as a whole is actually much better than it used to be 30 years ago. Of course that might not be the case for you individually but then this thread is more about your feelings than an objective observation of the world.

> At least with Heroin you need to inject.

Most heroin users don’t inject which ones again shows you don’t know anything about it outside of tropes and cliches.

“At least with TikTok you need a smartphone and internet and swipe to unlock” - see how dumb that makes me sound?

Don’t get me wrong I dislike the tech hegemony and social media as much as you - I just think your way of arguing damages your position more than it helps it.

I see it as Digital Heroin. If others, you don't, fine.

Social Media is addicting. I use none and explaining it as " digital heroin" may be an extreme way to present the thought but at least it's bluntly represents the curse of it. Finally, it's not the teenagers at fault. It's the governments in the first place for allowing this. I saw it on the wall when Facebook came to be back in 2007.

I'm sure they're talking about the 8 million dollar Porto Embargo or whatever, but I would love one day to hear a podcast discussing the genius of the Toyota Corolla. Safe, affordable, available, reliable. I've had friends with Toyotas that were about to fall off their base from road salt rust but the engine and transmission still worked perfectly.

Pretty amazing that you can be of modest or lavish means and still own a really solid car that everyone can fix. A lot funner than hanging out in the repair shop waiting for a specialist to fix a blown turbo headgasket.

Would be nice to know why Apple didn't throw its war chest at the WarnerBros/HBO acquisition Netflix just did.

Recommendation threads on Reddit usually begin with "anything but Samsung". They seem designed to be made cheap and hit the lowest price point with consumers that don't want to spend a lot more on something they don't really care about, so I'm not surprised to learn that ads are a part of their strategy.

But also, why do fridges need to connect to the internet?

This is a living organism with moving parts and a time limit - you update nginx with a change that breaks .well-known by accident, or upgrade to a new version of Ubuntu and suddenly some dependency isn't loading correctly, or that UUID generator you depended on to generate the name for the challenge doesn't get loaded, or certbot becomes obsolete because of some API change and you can't upgrade to the latest because the OS is older and you installed it from the package manager.

You eventually see it in your exception monitoring or when an ssl monitor detects the cert is about to expire. Then you have to drop that other urgent thing you needed to get done, come in and debug it, fix it, and re-issue all the certs at the rate limit allowed. That's assuming you have that monitoring - most sites probably don't.

If you detect that issue with 1/3 of the cert left, you will now have 15 days to figure that out instead of 30. If you can't finish it in time, or you don't learn about it in time, the site(s) hard fail on every web browser that visits and you've effectively got a full site outage until you repair it.

So you discover it's because of certbot not working with a new API change, and you can't upgrade with the package manager. Now you need to figure out how to compile it from source, but it doesn't like the python that is currently installed and now you need to install that from source, but that version of python breaks your python web app so you have to figure out how to migrate your app to that version of python before you can do that, and the programmer that can do that is on a week long whitewater rafting trip in Idaho.

Aside from all that, what happens if a hacker manages to wreck the let's encrypt infra so badly they need 2 weeks to get it back online? The internet archive was offline for weeks after a ddos attack. The cloudflare outage took one site of mine down for less than 10 minutes, it's not hard to imagine a much worse outage for the web here.

Sometimes these kind of decisions seem to come from bodies that think the Internet exists solely for doing the thing they do.

Happens to me with the QA people at our org. They behave as if anything happens just for the purpose of having them measure it, creating a Heisenberg situation where their incessant narrow-minded meddling makes actually doing anything nearly imposible.

Consider the inevitable need for immediate renewal due to an incident. Would you rather have this renewal happen via a fast, automated and well-tested process, or a silently broken slow and manual one?

You knew exactly when it was going to fail and you could put it on your calendar to schedule the work, which consisted of an email validation process and running a command to issue the certificate request from your generated key.

The only moving part was the issued certificate, which you copied and pasted over and reloaded the server. There are a lot less things to go wrong on this process, which at one point I could do once every two years, than in a really complicated automated background task that has to happen within 15 days.

I love short duration automated free certs, but I think we really need to have a conversation about how short we can make them before we make it so humans no longer have the time required to fix problems anymore.

There are other CAs that offer certs via ACME. For example, Google Trust Services.