by iknowstuff 2141 days ago
What complexity? Devices being autoconfigurable without DHCP is less complex. Having no NAT is less complex. Having a public IP is less complex. You just got used to the complexity of IPv4.

Why the hell would you block IPv6. You ARE stuck in your ways. OS vendors consider it necessary on LAN for various functionality.

I really think IPv6 is the future but,

Devices configuring without DHCP is, as a network administrator, really hard. There is no longer a single method to be given an IPv6 address, and with the auto methods there is no log either. Only some clients will do DHCPv6, which means you often have two different auto-configuring services on a network.

Similarly, to see devices on a network I now have to use neighbor discovery, which gives me a bunch of IPs, but it is very hard to figure out which IP is for that Raspberry Pi next to me. Port scans are much harder.

Public IP addresses are great, but now a filtering firewall is always required at the edge, since I don't want my printer being reachable on the internet. There isn't a UPnP for IPv6 to punch holes automatically either. Ironically, P2P over IPv6 is harder because the firewalls are so unforgiving.

Honestly it's reassuring to read this. I do want to understand IPv6 better and I think I am slowly getting to grips with how it all fits together, but the details regularly make me feel as though I need to throw out a lot of what I think I know about networking, and rebuild my entire mental model from the ground up.

Yes, you should throw out a lot of what you know about networking.

Port scanning _should_ be difficult in IPv6. Instead, you should be using DNS and/or multicasting.

Having multiple ways to configure IP addresses _isn’t_ a problem. Modern devices have lots of RAM. They can handle having lots of IP addresses.

Because of how difficult it is to port scan IPv6, as long as you don’t manually allocate a low-entropy address to the printer, it won’t be easy to get to it. Even better, these days you can allocate a unique local address to the printer (RFC 4193, fd00::/8) and eliminate Internet access entirely. https://tools.ietf.org/html/rfc4193
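As an added illustration of the RFC 4193 allocation mentioned above (this is not code from the thread), the following Python sketch derives a fd00::/8 prefix the way section 3.2.2 of the RFC describes, builds a host address under it, and supplies the 64 random bits that make a host address hard to guess, in contrast with a hand-assigned ::1. The MAC address and timestamp fed to it are constructed inputs.

```python
import hashlib
import ipaddress
import secrets
import struct

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
ULA_SPACE = ipaddress.IPv6Network("fd00::/8")   # fc00::/7 with the L bit set (locally assigned)

def ntp_timestamp(unix_time: float) -> bytes:
    """64-bit NTP format: 32-bit seconds since 1900, then a 32-bit fraction of a second."""
    secs = int(unix_time) + NTP_EPOCH_OFFSET
    frac = int((unix_time - int(unix_time)) * (1 << 32))
    return struct.pack("!II", secs & 0xFFFFFFFF, frac & 0xFFFFFFFF)

def eui64_from_mac(mac: bytes) -> bytes:
    """Modified EUI-64 from a 48-bit MAC: flip the U/L bit and insert ff:fe in the middle."""
    if len(mac) != 6:
        raise ValueError("MAC must be 6 bytes")
    return bytes([mac[0] ^ 0x02]) + mac[1:3] + b"\xff\xfe" + mac[3:]

def ula_prefix(mac: bytes, unix_time: float) -> ipaddress.IPv6Network:
    """RFC 4193 section 3.2.2: Global ID = low 40 bits of SHA-1(NTP time || EUI-64), under fd00::/8."""
    digest = hashlib.sha1(ntp_timestamp(unix_time) + eui64_from_mac(mac)).digest()
    global_id = digest[-5:]                     # least significant 40 bits
    return ipaddress.IPv6Network((b"\xfd" + global_id + bytes(10), 48))

def host_address(prefix: str, subnet_id: int, iid: int) -> ipaddress.IPv6Address:
    """Address = 48-bit ULA prefix | 16-bit subnet ID | 64-bit interface ID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 48 or not 0 <= subnet_id < 1 << 16 or not 0 <= iid < 1 << 64:
        raise ValueError("need a /48 prefix, a 16-bit subnet ID and a 64-bit interface ID")
    return ipaddress.IPv6Address(int(net.network_address) | (subnet_id << 64) | iid)

def random_iid() -> int:
    """64 random bits for the interface ID: the part a scanner would have to guess."""
    return secrets.randbits(64)

def is_ula(addr: str) -> bool:
    """True if the address is inside the RFC 4193 fd00::/8 range (never globally routed)."""
    return ipaddress.IPv6Address(addr) in ULA_SPACE
```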

> Even better, these days you can allocate a unique local address to the printer (RFC 4193, fd00::/8) and eliminate Internet access entirely.

I.e. essentially what we already had with IPv4.

> Because of how difficult it is to port scan IPv6, as long as you don’t manually allocate a low-entropy address to the printer, it won’t be easy to get to it.

Security provided by 'the attackers get bored'....

Security is provided by a firewall. But a lot of IoT botnet stuff comes from people opening inbound connections to their cameras/NASs/etc so they can access them from elsewhere. These are hosts where the network security has been deliberately disabled. The large address space of v6 at least reduces the odds of someone finding the device -- an insecure, unexploited device is better than an insecure exploited one.

You could sort of consider the 64 bit host ID to be a cookie, stored in DNS, that has to be provided by the client to connect to the server. Viewed like this, the IP itself would be considered a layer of security, since it forces the client to know the correct DNS name (or spend a lot of time guessing) to connect.

> Security is provided by a firewall.

Right so as I said elsewhere I'll be dropping all packets for incoming connections at the firewall. I was heavily downvoted for that comment... I guess a lot of folk will leave insecure devices open to the world.

Not essentially what we have with IPv4.

IPv4 is from the old days of 1 device, 1 IP address.

RFC 4193 addresses are in addition to the globally routable IP addresses. Your laptop could have both classes of addresses. Your printer could have only one class of address.

Between the ULA and the global addresses, with DHCPv6 and NDP and IPv6 privacy extensions, my laptop currently has 13 IP addresses on its main network adapter. That’s leaving my router and my laptop on default settings, nothing special, no appreciable memory impact.

> What complexity?

1. What the hell is DHCP-PD and is it better on or off?

2. What are 6to4, 6in4, 6rd, etc. and should the user care?

3. When should autoconf be stateless vs. stateful? I thought the point of IPv6 was to allow things to be stateless?

4. When should DHCPv6 be enabled vs. disabled? Why the hell is this even a question on some routers if devices are supposed to be "autoconfigurable without DHCP"?

5. What are the more subtle implications of all of the above that are not necessarily mentioned?

6. Give one good reason why in the world every single one of every user's devices should be reachable from anywhere on the internet for even a single moment in time? Why exactly do you feel you should even have a reachable path to my computer, and everyone else's too? Common sense precautions would suggest this shouldn't be possible by default.

Note: I personally don't need responses to all of these. I'm just listing some examples of questions that come up for people configuring it to illustrate why the choice to use IPv6 is hardly as simple as you depict it to be.
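Questions 3 and 4 are settled on the wire by the Router Advertisement flags rather than by the label on a router setting. The Python decoder below is an added example, not from the thread: it parses an ICMPv6 RA (RFC 4861) with its Prefix Information options and reports whether a host will use SLAAC, stateful DHCPv6, or SLAAC plus stateless DHCPv6 for DNS only. The sample RA is constructed in code with a zero checksum, not a captured packet.

```python
import ipaddress
import struct
from dataclasses import dataclass, field

RA_TYPE, PIO_TYPE = 134, 3
M_FLAG, O_FLAG, A_FLAG = 0x80, 0x40, 0x40   # RA M/O bits, PIO A (autonomous) bit, RFC 4861

@dataclass
class RouterAdvertisement:
    managed: bool               # M: get addresses from stateful DHCPv6
    other_config: bool          # O: get DNS etc. from stateless DHCPv6
    router_lifetime: int
    prefixes: list = field(default_factory=list)  # (prefix, length, autonomous)

def parse_ra(payload: bytes) -> RouterAdvertisement:
    """Parse an ICMPv6 Router Advertisement body and its Prefix Information options."""
    if len(payload) < 16 or payload[0] != RA_TYPE:
        raise ValueError("not a Router Advertisement")
    flags, lifetime = payload[5], struct.unpack("!H", payload[6:8])[0]
    ra = RouterAdvertisement(bool(flags & M_FLAG), bool(flags & O_FLAG), lifetime)
    pos = 16
    while pos + 2 <= len(payload):
        otype, olen = payload[pos], payload[pos + 1] * 8
        if olen == 0 or pos + olen > len(payload):   # zero-length options are illegal
            raise ValueError("malformed option")
        if otype == PIO_TYPE and olen == 32:
            plen, pflags = payload[pos + 2], payload[pos + 3]
            prefix = ipaddress.IPv6Address(payload[pos + 16:pos + 32])
            ra.prefixes.append((str(prefix), plen, bool(pflags & A_FLAG)))
        pos += olen
    return ra

def address_config_mode(ra: RouterAdvertisement) -> str:
    """What a host will do with this RA: the M, O and A bits decide it."""
    slaac = any(auto for _, _, auto in ra.prefixes)
    if ra.managed:
        return "stateful DHCPv6" + (" + SLAAC" if slaac else "")
    if slaac:
        return "SLAAC" + (" + stateless DHCPv6 for DNS/other" if ra.other_config else "")
    return "no autoconfiguration (manual only)"

def build_ra(ra_flags: int, prefix: str, plen: int, pio_flags: int) -> bytes:
    """Constructed sample RA: hop limit 64, lifetime 1800 s, one PIO; checksum left zero."""
    hdr = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, ra_flags, 1800, 0, 0)
    pio = struct.pack("!BBBBIII", PIO_TYPE, 4, plen, pio_flags, 2592000, 604800, 0)
    return hdr + pio + ipaddress.IPv6Address(prefix).packed

# Constructed example: M=0, O=1, prefix with L=1 and A=1 -> SLAAC addresses, DHCPv6 only for DNS
SAMPLE_RA = build_ra(O_FLAG, "2001:db8:1::", 64, 0x80 | A_FLAG)
```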

These are valid questions regarding complexity, but I also think you're ignoring the complexity of v4. Here are v4 questions for home modems/routers you're just used to: What's bridged mode? What's UPnP? What's DMZ? What are static IP assignments, wasn't DHCP supposed to manage IP addresses? What's port forwarding? Should I enable "telephony support" and "legacy game support"? What's SIP-ALG?

In both cases for residential use: you're most likely ok with the defaults. And if you want to change something, you have to learn about the tech.

I'm not ignoring the complexity of v4. I'm responding to "What complexity?"

But even if I was, "it only doubles the complexity" is not exactly a compelling response to "why should I switch to IPv6?"

It doesn't double the complexity. Most of the questions above don't exist in IPv4. My point is that it's different complexity, not more complexity.

And for basic usage people can ignore that the same way they ignore it now.

I meant "doubling" the complexity as in IPv6 + IPv4 vs. just IPv4.

If your argument is users can ignore IPv6 complexities as they already do with IPv4, then you've just established the IPv4 complexities can be disregarded by the user... which means you just destroyed your own argument...

I'm not interested in endless debates here though; I feel like I've made my point sufficiently well. If this is an attempt to change my view on the matter I think you're misunderstanding the purpose of the discussion.

Yeah, this is exactly the sort of thing I'm talking about. Lots of additional overhead and work, and — again, speaking as a home user — no apparent benefits for dealing with it all.

I get all the concerns about CGNAT and so on, but that's something for the ISP to figure out. If I get a message one day saying that my connection speed is about to drop 30% because of my insistence on IPv4, I will of course react!

The question for me is not, "why would I block it?" but instead, "why would I enable it?". There needs to be a reason, and right now I'm not seeing it.

And ISPs are figuring it out. All you need to do is leave v6 on in the routers they ship out.

But if you're running your own router then you're taking over part of the responsibility, so you need to handle your part of it.

I think those are super easy to answer! All up-to-date OSes support stateless autoconfig now, so forget about DHCPv6. Just disable it and everything will work magically.

6to4, 6in4, 6rd are legacy transition technologies, not needed when you have IPv6, so don't worry.