by walton_simons 2141 days ago
My ISP supports IPv6, and while I can understand why a large organisation would want to use it (especially given the increasing cost and scarcity of IPv4 blocks), I'm still yet to be persuaded of its benefits for home users. I admit that I only have a very cursory understanding of how it works, and perhaps I'm just stuck in my ways, but the scale and complexity seems so extreme compared to IPv4, with no compensating advantages that I can see. So all my devices become globally routable. And? I can already do everything I want and need to do with a single IPv4 address and NAT.

Even just working out what IPv6 devices are on my network and who they're communicating with seems very difficult given the giant address space. I'm slightly ashamed to admit this (feels very anti progress!), but I've blocked all the IPv6 traffic on my home LAN. Devices can still talk to each other, but no IPv6 packets are allowed out to the internet. Everything still works fine. My firewall blocks a few hundred MB per day of IPv6 traffic, and I have no idea what any of it is.

Very happy to be told why I shouldn't do this though.

8 comments

You've had a few replies so I guess mine will be lost to the aether.

NAT vs Direct addressing is an interesting topic, because we've gotten so used to working around the issues inherent in NAT that we take them as a sort of given. I'll lay them out here:

1) The actual NAT state table in your router is much slower than a simple bit-map firewall lookup. This will show up as a bit of latency on every new connection.

2) The state table can get full. When that happens some connection needs to be evicted. For web technologies this won't look too bad. Maybe a websocket connection gets closed and re-connects in the background. But if you're streaming something over raw TCP then that's annoying. Basically it makes your internet connection just that little less stable.

3) UPnP exists to try to mitigate the p2p issues with NAT; but does a poor job. -- Take for instance, a video game with VOIP, consoles are notorious for this; centralising and muxing everyone's audio is expensive, so it's more useful to help people build peer meshes. So "NAT PUNCHING" is the normal way to go, but of course that doesn't always work, so you have weird tutorials on "how to port forward" when in reality this shouldn't be needed, a stateful firewall would be enough if not for NAT. Some guides even suggest putting your devices in the DMZ with direct port forwards on every port from the internet[!!]

https://www.denofgeek.com/games/how-to-change-nat-type-on-ps...

> The state table can get full. When that happens some connection needs to be evicted.

This would be so much more convincing with some numbers to show it actually does happen in reality, especially at a rate that's comparable to other random connection drop-outs.

The most common symptom of this is someone mentioning that their home 'router' regularly needs reboots to keep working well. Excluding memory leaks, it's frequently the state table running out of space and connections going sideways as a result.

This is hard for individuals to see, but put a fair bit of load on a home consumer 'router' and, presuming you can get enough access to it to watch resources, you'll see it run out.

This is one of the things that better home network devices do: have sufficient RAM to handle a big state table, and manage it well.

IPv6 completely sidesteps this by not even needing a state table because no NAT.

> IPv6 completely sidesteps this by not even needing a state table because no NAT.

You may have forgotten that a stateful firewall that tracks inbound and outbound connections still needs memory to store a state table; this still applies in IPv6.

Now it also needs 8x more memory per entry, as the addresses have gone from 2x 32bit to 2x 128bit.

There's almost certainly more data in each entry than just the IP addresses, so it won't be 8x. NAT also requires a second set of entries to track the NAT session, which further equalizes it.

Absolutely. A state is protocol, ports, addresses, timers, counters and more. QoS/DSCP, firewall marks and other things add to the fun.

Makes sense if this happens, but does this actually happen to you? I've heard vague and rather dubious third-hand stories along these lines, but I've never actually encountered a router that needs rebooting to keep working well.

This actually seems bizarre to me now that I think more about it. The routers I've seen allow something like a few hundred thousand established connections over like a ~week. Say 300,000 over 3 days. To exhaust this you'd need to establish on average one new connection every single second (300000/3/24/60/60 ≈ 1), continuously for a week, while also timing out on every single one of them silently. Surely a normal person wouldn't exhaust such a table?

Exhausted NAT state tables are excessively common, evictions happen silently and the assertion that a reboot is required is for other reasons which I think are likely unrelated.

Professionally I run one (two, actually) of those annoying 'always online video games' and state drops in low quality routers is the most common cause of VOIP drop.

It seems like most router firmware has some kind of intelligent sensing software to see if there's a lot of traffic going over a state and then attempting to avoid evicting it. But for VOIP which can sometimes be silent, or for a person not moving around in a game (and thus sending/receiving very few and very tiny updates) it can be seen.

Now; you want concrete evidence, and unfortunately the kinds of routers most people have (Say, a Virgin Hub 3.0 which is based on the Touchstone TG2492[0]) do not lend themselves to being monitored well.

We're in some luck though, as I happen to run something immeasurably more powerful: a PfSense branded NetGate APU2[1]

PfSense absolutely /loves/ letting you know how it feels; and if we assume that I'm a "normal" user, (I have 1 laptop, 1 phone and an apple watch as the only devices on my network right now and I'm just browsing like normal) then we have some measure of how much memory a state table really consumes.

My state table currently contains a mere 170 states (according to iftop), but it's not really hurting my memory:

> 6% of 4030 MiB

Yet, I can see that some states have been forcefully closed, despite having lots of ram available to store too (these statistics were reset yesterday):

   state-mismatch                       748            0.0/s

In general the state table is very busy:

  State Table                          Total             Rate
    current entries                      152               
    searches                        90040931          338.1/s
    inserts                           437333            1.6/s
    removals                          437181            1.6/s

it's worth noting that this device is forcefully configuring itself to hit a max of 403000 states total:

  states        hard limit   403000

So it's not "memory" like you suggest, but since doing NAT translation on every single packet is CPU intensive, states can be dropped if the table can't keep up.

[0]: 256MB of ram reserved for the state table it seems: https://deviwiki.com/wiki/Virgin_Media_Super_Hub_3

[1]: 4G of general purpose ram: https://www.firewallhardware.it/en/apu2-3nic/
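One way to turn counters like the ones quoted above into something a home-router admin can act on, as an added example that is not code from the comment or from pfSense: it parses `pfctl -s info`-style counter lines (the field names are taken from the quoted output; the sample text and the warning thresholds are constructed and are assumptions to tune for your own firewall) and reports state-table utilisation, churn and state-mismatch events.

```python
"""Parse pf state-table counters and flag state-table pressure.

Added example, not code from the comment above or from pfSense. The input
format is modeled on the `pfctl -s info` / `pfctl -s memory` lines quoted
in the comment; the sample text below is constructed, and the warning
thresholds are assumptions to tune for your own firewall.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the figures mirror the ones quoted in the comment.
SAMPLE = """\
State Table                          Total             Rate
  current entries                      152
  searches                        90040931          338.1/s
  inserts                           437333            1.6/s
  removals                          437181            1.6/s
Counters
  state-mismatch                       748            0.0/s
states        hard limit   403000
"""

# Constructed variant: same counters, but the table is nearly full.
HIGH_LOAD = re.sub(r"current entries\s+152", "current entries 390000", SAMPLE)

# "<name>  <total>  [<rate>/s]" -- names may contain spaces and hyphens.
COUNTER_RE = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?)\s+(\d+)(?:\s+([\d.]+)/s)?\s*$")


def parse_counters(text: str) -> Dict[str, Tuple[int, Optional[float]]]:
    """Map each counter name to (total, rate per second or None)."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            name, total, rate = m.groups()
            key = " ".join(name.split())          # collapse column padding inside names
            counters[key] = (int(total), float(rate) if rate else None)
    return counters


@dataclass
class Assessment:
    current: int
    hard_limit: int
    utilisation: float          # current / hard_limit
    insert_rate: float          # new states per second
    removal_rate: float         # expired or evicted states per second
    mismatches: int             # state-mismatch events since counters were reset
    warnings: List[str] = field(default_factory=list)


def assess(text: str, warn_utilisation: float = 0.8) -> Assessment:
    """Summarise the counters and list anything worth acting on."""
    c = parse_counters(text)
    current = c["current entries"][0]
    hard_limit = c["states hard limit"][0]
    insert_rate = c["inserts"][1] or 0.0
    removal_rate = c["removals"][1] or 0.0
    mismatches = c.get("state-mismatch", (0, None))[0]
    a = Assessment(current, hard_limit, current / hard_limit,
                   insert_rate, removal_rate, mismatches)
    if a.utilisation >= warn_utilisation:   # assumed threshold
        a.warnings.append(
            f"state table at {a.utilisation:.0%} of hard limit {hard_limit}; "
            "new states cannot be created once it fills")
    if insert_rate > removal_rate + 0.5:    # assumed threshold: table is growing
        a.warnings.append(
            f"inserts ({insert_rate}/s) outpace removals ({removal_rate}/s)")
    if mismatches:
        a.warnings.append(f"{mismatches} state-mismatch events since counters reset")
    return a


if __name__ == "__main__":
    for label, text in (("normal", SAMPLE), ("high load", HIGH_LOAD)):
        a = assess(text)
        print(f"{label}: {a.current}/{a.hard_limit} states ({a.utilisation:.2%})")
        for w in a.warnings:
            print("  warning:", w)
```

On the quoted figures this reports 152 of 403,000 states in use and no capacity warning, but still surfaces the 748 state-mismatch events; feed it the output of a cron'd `pfctl -s info` and the growth check is what tells you whether a "needs a reboot" router is really running out of table space.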

Thanks for sharing. While I have a hard time grasping your usage (why in the world are 3 devices opening 1.6 connections every second?), it's not really relevant as your own data shows state tables don't get exhausted, right? Your table only has 152 entries, which is quite a far cry from exhausting its 403,000 slots.

Anecdotal, but IPv6 saved me a lot of headache recently.

I got a warning about an unauthorized attempted login to my gmail account. They gave me the IP of the offending login. I was able to track that IP not only back to my house, but to a specific device in my house.

It was my NAS, and it was trying to log into gmail to send me an email about a failing drive. Gmail no longer allows username/password logins from third party apps, so I got a warning instead.

Without IPv6, I would have just chalked it up to a misbehaving device and ignored it since it came from my own IP, but because of IPv6, I was able to see it was from the NAS and investigate further.

What complexity? Devices being autoconfigurable without DHCP is less complex. Having no NAT is less complex. Having a public IP is less complex. You just got used to the complexity of IPv4.

Why the hell would you block IPv6? You ARE stuck in your ways. OS vendors consider it necessary on LAN for various functionality.

I really think IPv6 is the future but,

Devices configuring without DHCP as a network administrator is really hard. There is no longer a single method to be given an IP6 address, and with the auto methods, there is no log either. Only some clients will do DHCPv6 which means you often have two different auto configuring services on a network.

Similarly, to see devices on a network I now have to use neighbor discovery which gives me a bunch of IPs, but very hard to figure out which IP is for that Raspberry Pi next to me. Port scans are much harder.

Public IP addresses are great, but now a filtering firewall is always required at the edge, since I don't want my printer being reachable on the internet. There isn't a UPnP for IPv6 to punch holes automatically either. Ironically P2P over IPv6 is harder because the firewalls are so unforgiving.

Honestly it's reassuring to read this. I do want to understand IPv6 better and I think I am slowly getting to grips with how it all fits together, but the details regularly make me feel as though I need to throw out a lot of what I think I know about networking, and rebuild my entire mental model from the ground up.

Yes, you should throw out a lot of what you know about networking.

Port scanning _should_ be difficult in IPv6. Instead, you should be using DNS and/or multicasting.

Having multiple ways to configure IP addresses _isn’t_ a problem. Modern devices have lots of RAM. They can handle having lots of IP addresses.

Because of how difficult it is to port scan IPv6, as long as you don’t manually allocate a low-entropy address to the printer, it won’t be easy to get to it. Even better, these days you can allocate a unique local address to the printer (RFC 4193, fd00::/8) and eliminate Internet access entirely. https://tools.ietf.org/html/rfc4193

> Even better, these days you can allocate a unique local address to the printer (RFC 4193, fd00::/8) and eliminate Internet access entirely.

I.e. essentially what we already had with IPv4.

> Because of how difficult it is to port scan IPv6, as long as you don’t manually allocate a low-entropy address to the printer, it won’t be easy to get to it.

Security provided by 'the attackers get bored'....

Security is provided by a firewall. But a lot of IoT botnet stuff comes from people opening inbound connections to their cameras/NASs/etc so they can access them from elsewhere. These are hosts where the network security has been deliberately disabled. The large address space of v6 at least reduces the odds of someone finding the device -- an insecure, unexploited device is better than an insecure exploited one.

You could sort of consider the 64 bit host ID to be a cookie, stored in DNS, that has to be provided by the client to connect to the server. Viewed like this, the IP itself would be considered a layer of security, since it forces the client to know the correct DNS name (or spend a lot of time guessing) to connect.

Not essentially what we have with IPv4.

IPv4 is from the old days of 1 device, 1 IP address.

RFC 4193 addresses are in addition to the globally routable IP addresses. Your laptop could have both classes of addresses. Your printer could have only one class of address.

Between the ULA and the global addresses, with DHCPv6 and NDP and IPv6 privacy extensions, my laptop currently has 13 IP addresses on its main network adapter. That’s leaving my router and my laptop on default settings, nothing special, no appreciable memory impact.
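The three things this sub-thread touches (picking a ULA prefix per RFC 4193, telling which of a host's many addresses is the MAC-derived one so you can match "that Raspberry Pi next to me", and avoiding a low-entropy host ID on the printer) fit in one script. This is an added example, not code from any of the commenters: it implements the RFC 4193 section 3.2.2 prefix algorithm with Python's standard library and a small classifier for addresses an `ip -6 addr` or neighbor-table listing would show. The MACs and addresses are constructed, and the "low entropy" cut-off of 16 bits is an assumption.

```python
"""IPv6 address hygiene for a home LAN: ULA prefixes, MAC-derived addresses
and low-entropy host IDs.

Added example, not code from the commenters. The MAC addresses and IPv6
addresses below are constructed; LOW_ENTROPY_BITS is an assumed cut-off.
"""
import hashlib
import ipaddress
import time
from typing import Optional

ULA = ipaddress.IPv6Network("fc00::/7")   # RFC 4193; fd00::/8 is the locally assigned half
NTP_EPOCH_OFFSET = 2208988800              # seconds from 1900-01-01 to 1970-01-01
LOW_ENTROPY_BITS = 16                      # assumed: IIDs below 2**16 are trivially enumerable


def modified_eui64(mac: str) -> bytes:
    """Build the 64-bit interface identifier SLAAC derives from a MAC (RFC 4291 Appendix A)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    # Flip the universal/local bit and insert ff:fe between the OUI and the device bits.
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def ula_prefix(mac: str, ntp_time: Optional[int] = None) -> ipaddress.IPv6Network:
    """Pick a /48 ULA prefix per RFC 4193 3.2.2: SHA-1(64-bit NTP time || EUI-64), low 40 bits.

    The EUI-64 is only hash input, so the modified form is as good as the raw one here.
    """
    if ntp_time is None:
        secs = time.time() + NTP_EPOCH_OFFSET
        ntp_time = (int(secs) << 32) | int((secs % 1) * 2**32)   # 64-bit NTP timestamp
    key = ntp_time.to_bytes(8, "big") + modified_eui64(mac)
    global_id = hashlib.sha1(key).digest()[-5:]                  # least significant 40 bits
    prefix = int.from_bytes(b"\xfd" + global_id + bytes(10), "big")
    return ipaddress.IPv6Network((prefix, 48))


def mac_from_eui64(address) -> Optional[str]:
    """Recover the MAC from a modified-EUI-64 interface identifier, or None if it is not one."""
    iid = int(ipaddress.IPv6Address(address)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in raw)


def classify(address: str) -> dict:
    """Describe the scope and interface-identifier type of an address seen on the LAN."""
    a = ipaddress.IPv6Address(address)
    if a in ULA:
        scope = "ula"
    elif a.is_link_local:
        scope = "link-local"
    elif a.is_global:
        scope = "global"
    else:
        scope = "reserved"       # e.g. the 2001:db8::/32 documentation prefix
    iid = int(a) & ((1 << 64) - 1)
    mac = mac_from_eui64(a)
    if mac is not None:
        kind = "eui-64"          # stable, reveals the hardware address, trackable across networks
    elif iid < (1 << LOW_ENTROPY_BITS):
        kind = "low-entropy"     # hand-assigned ::1-style host ID, easy to enumerate
    else:
        kind = "random"          # RFC 4941 temporary or RFC 7217 stable-random identifier
    return {"address": str(a), "scope": scope, "iid": kind, "mac": mac}


if __name__ == "__main__":
    # Constructed LAN inventory; b8:27:eb is a Raspberry Pi Foundation OUI.
    pi_mac = "b8:27:eb:12:34:56"
    print("ULA prefix for this site:", ula_prefix(pi_mac))
    for addr in ("fe80::ba27:ebff:fe12:3456",       # SLAAC link-local, MAC-derived
                 "fd3c:8b2a:1e4d::1",                # hand-assigned printer address
                 "2001:db8::f4a1:9c2e:7b33:d5e"):    # privacy-style address, documentation prefix
        print(classify(addr))
```

Reading the output the way the comments above suggest: an `eui-64` entry is the one you can match to a device by its MAC (and the one that privacy extensions exist to stop leaving the LAN), a `low-entropy` entry is exactly the kind of printer address the thread warns against, and the ULA prefix lets you give such devices an address that is never globally routable in the first place.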

> What complexity?

1. What the hell is DHCP-PD and is it better on or off?

2. What are 6to4, 6in4, 6rd, etc. and should the user care?

3. When should autoconf be stateless vs. stateful? I thought the point of IPv6 was to allow things to be stateless?

4. When should DHCPv6 be enabled vs. disabled? Why the hell is this even a question on some routers if devices are supposed to be "autoconfigurable without DHCP"?

5. What are the more subtle implications of all of the above that are not necessarily mentioned?

6. Give one good reason why in the world every single one of every user's devices should be reachable from anywhere on the internet for even a single moment in time? Why exactly do you feel you should even have a reachable path to my computer, and everyone else's too? Common sense precautions would suggest this shouldn't be possible by default.

Note: I personally don't need responses to all of these. I'm just listing some examples of questions that come up for people configuring it to illustrate why the choice to use IPv6 is hardly as simple as you depict it to be.

These are valid questions regarding complexity, but I also think you're ignoring the complexity of v4. Here are v4 questions for home modems/routers you're just used to: What's bridged mode? What's UPnP? What's DMZ? What are static IP assignments, wasn't DHCP supposed to manage IP addresses? What's port forwarding? Should I enable "telephony support" and "legacy game support"? What's SIP-ALG?

In both cases for residential use: you're most likely ok with the defaults. And if you want to change something, you have to learn about the tech.

I'm not ignoring the complexity of v4. I'm responding to "What complexity?"

But even if I was, "it only doubles the complexity" is not exactly a compelling response to "why should I switch to IPv6?"

It doesn't double the complexity. Most of the questions above don't exist in ipv4. My point is that it's different complexity, not more complexity.

And for basic usage people can ignore that the same way they ignore it now.

I meant "doubling" the complexity as in IPv6 + IPv4 vs. just IPv4.

If your argument is users can ignore IPv6 complexities as they already do with IPv4, then you've just established the IPv4 complexities can be disregarded by the user... which means you just destroyed your own argument...

I'm not interested in endless debates here though; I feel like I've made my point sufficiently well. If this is an attempt to change my view on the matter I think you're misunderstanding the purpose of the discussion.

Yeah, this is exactly the sort of thing I'm talking about. Lots of additional overhead and work, and — again, speaking as a home user — no apparent benefits for dealing with it all.

I get all the concerns about CGNAT and so on, but that's something for the ISP to figure out. If I get a message one day saying that my connection speed is about to drop 30% because of my insistence on IPv4, I will of course react!

The question for me is not, "why would I block it?" but instead, "why would I enable it?". There needs to be a reason, and right now I'm not seeing it.

And ISPs are figuring it out. All you need to do is leave v6 on in the routers they ship out.

But if you're running your own router then you're taking over part of the responsibility, so you need to handle your part of it.

I think those are super easy to answer! All up-to-date OSes support stateless autoconfig now, so forget about DHCPv6. Just disable it and everything will work magically.

6to4, 6in4, 6rd are legacy transition technologies, not needed when you have IPv6, so don't worry.

> I'm still yet to be persuaded of its benefits for home users.

According to Apple, IPv6 is 1.4 times faster than IPv4 (latency wise AFAICT):

* https://www.zdnet.com/article/apple-tells-app-devs-to-use-ip...

This is supposedly "due to reduced NAT usage and improved routing."

In that article, Apple says the connection setup is 1.4x faster, not that there is a 40% improvement in throughput or latency.

I wonder are these mostly on Client side or is this ISP side of things?

It is great marketing to list 40%. But we need to know 40% of what. If it was 1ms, then 0.4ms faster isn't much of a performance gain.

> Very happy to be told why I shouldn't do this though.

Because your IPv4 traffic goes (or will, in the future, as IPv4 depletes further) through a slow, overprovisioned CGNAT - making IPv4 much slower than IPv6.

That's scaremongering and simply false. CGNAT servers are not necessarily congested. I've been to several ISPs with CGNAT and none of them suffered from congestion.

On a more personal note, if IPv6 were so great, their fans wouldn't have to make up things to badmouth IPv4.

NAT is fundamentally a limited technology that has massive scaling problems that simply do not exist in non-NAT networking situations.

The larger the network behind the NAT, the more problems you get. This is also before considerations like the fact NAT breaks two-way connectivity that is the cornerstone of the design of the internet.

> if ipv6 were so great, their fans wouldn't have to make up things to badmouth ipv4.

The explicit goal and reason IPv6 was created was to make up for the shortcomings of IPv4.

The IPv6 standard was ratified in the 1990s.

The Internet of the 1990s was very different to the Internet of 2020. The widespread surveillance of activity as it exists today was not a consideration back then, nor were there the same security concerns, making it a desirable property to have every device uniquely and globally addressable.

Privacy extensions were then ratified (RFC 4941) after 2007 as a workaround, and firewalls get applied on hosts and gateways to protect against bad actors on the Internet (which are significantly more prevalent today than 20+ years ago).

IPv6 is not a magic bullet. The increase in addressable space is definitely a positive. Pretty much everything else is up for debate, depending on perspective and use case.

I've been dual-stacking networks for over a decade. The easy part[0] is making the network work with both IPv4 and IPv6. The hard part is making everything else work.

[0] Easy is relative. I agree with everything listed in https://news.ycombinator.com/item?id=24059729 as additional sources of complexity and confusion. That's still just the mole hill at the start of the mountain.

> I've been to several isps with cgnat and none of them suffered from congestion.

And I've been on several residential ISPs where IPv4 was unusable during peak Netflix hours, likely because people were blindly disabling IPv6 on their devices.

I had to disable IPv6 for Netflix because Netflix has decided that the IPv6 address space I get from Hurricane Electric and the IPv6 address space my wireline ISP hands out are both "VPNs" and blocks them.

With AAAA enabled for *.netflix.com address resolution, I can't watch Netflix. If I actually paid for it, versus getting it included as a perk of T-Mobile, I'd have quit over that. I shouldn't have to fiddle with DNS to watch a service I pay for.

That's not necessarily a problem with NAT; anybody with basic networking knowledge can tell you that packets that move through v4 and v6 do not have to follow the same routes. Since there are more users using v4 than v6 it's common for v4 routes to be congested while v6 routes are not.

I know.

While NAT works very well for home users, servers still need distinct IPs if they are to be accessible by the public. You can get away with shared IPs with some protocols but sometimes you need a whole IP to yourself.

The advantage of IPv6 for consumers is that many ISPs (especially non American ISPs) don't and can't hand out public IPv4 addresses, due to the lack of remaining IPv4 addresses for them to allocate.

The choice isn't between every device being globally routable (which is easily solved by a firewall WITHOUT NAT) and a single routable address, the choice is between zero public routable addresses, and as many as you need.

[The parent edited their post to render my comment wrong]

He didn't say "all", he said "many". And that is factually right. Many ISPs use DS-Lite/CGNAT and don't hand out public IPv4 addresses to their customers anymore. Yes, some offer the option to change to a public IPv4, some charge extra money for this feature, and some don't offer it at all!

E.g. my ISP doesn't hand out public IPv4 and you can't order it, unless you change to a business contract. However, my ISP is doing some weird 1:1-NAT, so while I don't get assigned a public IPv4 to my router, I do get assigned a single IPv4 on the CGNAT router that also translates back to my home network.

> However, my ISP is doing some weird 1:1-NAT

It's probably a 1:Many NAT, where the external IP you see yourself as coming from, is used by many customers, not just you.

Otherwise there's no upside to deploying the additional overhead and cost of CGN devices for the carrier.

I also have a non American ISP, and they will not give me a public IPv4 address, for any amount of money.

I'm certainly going to be dropping all incoming IPv6 packets when my ISP foists IPv6 on us.