by georgyo 2145 days ago
I really think IPv6 is the future but,

As a network administrator, configuring devices without DHCP is really hard. There is no longer a single method to be given an IP6 address, and with the auto methods, there is no log either. Only some clients will do DHCPv6, which means you often have two different auto-configuring services on a network.

Similarly, to see devices on a network I now have to use neighborhood discovery, which gives me a bunch of IPs, but it's very hard to figure out which IP is for the Raspberry Pi next to me. Port scans are much harder.

Public IP addresses are great, but now a filtering firewall is always required at the edge, since I don't want my printer being reachable on the internet. There isn't a UPnP for IP6 to punch holes automatically either. Ironically, P2P over IPv6 is harder because the firewalls are so unforgiving.


Honestly it's reassuring to read this. I do want to understand IPv6 better and I think I am slowly getting to grips with how it all fits together, but the details regularly make me feel as though I need to throw out a lot of what I think I know about networking, and rebuild my entire mental model from the ground up.

Yes, you should throw out a lot of what you know about networking.

Port scanning _should_ be difficult in IPv6. Instead, you should be using DNS and/or multicasting.

Having multiple ways to configure IP addresses _isn’t_ a problem. Modern devices have lots of RAM. They can handle having lots of IP addresses.

Because of how difficult it is to port scan IPv6, as long as you don’t manually allocate a low-entropy address to the printer, it won’t be easy to get to it. Even better, these days you can allocate a unique local address to the printer (RFC 4193, fd00::/8) and eliminate Internet access entirely. https://tools.ietf.org/html/rfc4193
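As an added illustration of the RFC 4193 suggestion above (my own example code, not anything from the thread), this derives an fd00::/8 unique local prefix the way RFC 4193 section 3.2.2 describes, picks a random 64-bit interface ID for a host inside it, and flags the kind of hand-assigned low-entropy address the comment warns against. The EUI-64 value and the `looks_low_entropy` heuristic are assumptions of mine.

```python
import hashlib
import ipaddress
import os
import time
from typing import Optional

NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 (NTP epoch) and 1970-01-01 (Unix)

def generate_ula_prefix(eui64: bytes, when: Optional[float] = None) -> ipaddress.IPv6Network:
    """Derive an fdXX:XXXX:XXXX::/48 prefix as RFC 4193 section 3.2.2 describes:
    SHA-1 over (64-bit NTP timestamp || EUI-64); the low 40 bits become the Global ID."""
    if len(eui64) != 8:
        raise ValueError("EUI-64 must be exactly 8 bytes")
    when = time.time() if when is None else when
    secs = (int(when) + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    frac = int((when - int(when)) * 2**32) & 0xFFFFFFFF
    ntp_ts = (secs << 32) | frac
    digest = hashlib.sha1(ntp_ts.to_bytes(8, "big") + eui64).digest()
    global_id = int.from_bytes(digest[-5:], "big")  # least significant 40 bits of the hash
    # Layout: 8-bit prefix fd | 40-bit Global ID | 16-bit Subnet ID (0) | 64-bit Interface ID (0)
    return ipaddress.IPv6Network(((0xFD << 120) | (global_id << 80), 48))

def random_host_address(prefix: ipaddress.IPv6Network, subnet_id: int = 1) -> ipaddress.IPv6Address:
    """Pick a /64 inside the ULA prefix and fill the Interface ID from the OS CSPRNG:
    the high-entropy kind of address the comment recommends for a printer."""
    if prefix.prefixlen != 48 or not 0 <= subnet_id < 2**16:
        raise ValueError("expected a /48 ULA prefix and a 16-bit Subnet ID")
    iid = int.from_bytes(os.urandom(8), "big")
    return ipaddress.IPv6Address(int(prefix.network_address) | (subnet_id << 64) | iid)

def is_ula(addr) -> bool:
    """True for locally assigned unique local addresses (fd00::/8, the L=1 half of fc00::/7)."""
    return ipaddress.IPv6Address(addr) in ipaddress.IPv6Network("fd00::/8")

def looks_low_entropy(addr) -> bool:
    """Heuristic of my own (not from RFC 4193): an Interface ID that fits in 16 bits,
    such as ::1 or ::10, is the hand-picked kind that a sequential sweep reaches quickly."""
    iid = int(ipaddress.IPv6Address(addr)) & (2**64 - 1)
    return iid < 2**16

if __name__ == "__main__":
    # Constructed sample EUI-64; any 8 bytes identifying the generating host will do.
    prefix = generate_ula_prefix(bytes.fromhex("02005efffe100001"))
    printer = random_host_address(prefix, subnet_id=0x10)
    print(prefix, printer, is_ula(printer), looks_low_entropy(printer))
```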

> Even better, these days you can allocate a unique local address to the printer (RFC 4193, fd00::/8) and eliminate Internet access entirely.

I.e. essentially what we already had with IPv4.

> Because of how difficult it is to port scan IPv6, as long as you don’t manually allocate a low-entropy address to the printer, it won’t be easy to get to it.

Security provided by 'the attackers get bored'....

Security is provided by a firewall. But a lot of IoT botnet stuff comes from people opening inbound connections to their cameras/NASs/etc so they can access them from elsewhere. These are hosts where the network security has been deliberately disabled. The large address space of v6 at least reduces the odds of someone finding the device -- an insecure, unexploited device is better than an insecure exploited one.

You could sort of consider the 64 bit host ID to be a cookie, stored in DNS, that has to be provided by the client to connect to the server. Viewed like this, the IP itself would be considered a layer of security, since it forces the client to know the correct DNS name (or spend a lot of time guessing) to connect.

> Security is provided by a firewall.

Right so as I said elsewhere I'll be dropping all packets for incoming connections at the firewall. I was heavily downvoted for that comment... I guess a lot of folk will leave insecure devices open to the world.

You said you'd be dropping all v6 packets, not just incoming connections. Not quite the same thing.

Not essentially what we have with IPv4.

IPv4 is from the old days of 1 device, 1 IP address.

RFC 4193 addresses are in addition to the globally routable IP addresses. Your laptop could have both classes of addresses. Your printer could have only one class of address.

Between the ULA and the global addresses, with DHCPv6 and NDP and IPv6 privacy extensions, my laptop currently has 13 IP addresses on its main network adapter. That’s leaving my router and my laptop on default settings, nothing special, no appreciable memory impact.