by cmroanirgo 1723 days ago
For me it's a few things that keep me from fully embracing it, & largely the problem is perception, as others have noted.

1. I'm a small-time self hoster. I need/want to control access to geographic locations and using IPv4 makes that pretty easy. Last time I checked, IPv6 was just so wrong that it's no good to use at all, and most IPv6 addresses were "unknown" in origin.

2. I'm used to the pseudo security that a NAT gives. I hear (ad nauseam) about how NAT gives you no security. The simple truth is that obscurity does give yet another layer of protection, especially for machines that you're busily configuring to become secure. Of course, a real sysadmin here will be able to scoff and laugh, but for this homebrew old timer it's true.

But also, there's the obfuscation of your IP address when you're behind a NAT. This is pretty important in these ad tracking days. AFAIK (which is almost zero), doesn't IPv6 give adware companies a very good fingerprint on you?

3. All those ICMPv6 messages sniffing (and snooping?) really don't fill me with joy joy happiness. The only recourse is to read some dead boring RFC that my poor overloaded brain doesn't really want to have anything to do with. With IPv4, if you don't want PING, you turn it off, with IPv6.... it's subtle.

4. Firewalls require two sets of independent entries for the same service.

So, IPv4 is an address space that's understood. IPv6 really does feel like a Godzillian monstrosity and a chore to type in: double colons between every number and it's in Hex? At least with IPv4 you can type the numbers in pretty rapidly on a numpad.

So, I know this answer will be unpopular, especially to professionals, but for everyone I've encountered that's turned it off, the above list is pretty accurate.

Every few years I search around for a true "IPv4 to IPv6 for noobs" and every time I only find "It's the same... with these gajillion subtle differences". So, yeah, perception is definitely an issue, but scoffing at NAT doesn't help uptake at all. I really do try to be a good netizen, but it's hard. (that said, I do have a mail server set up to use ipv6 and all is good... except for the lists of unknown sources who hammer away at its security all day, every day)


I've adopted IPv6 for a small business network I run and it's been great being able to punch small holes in the firewall for certain services without dealing with NAT, port conflicts for software that makes it hard to configure ports, etc. I have a bunch of services that I access there that are configured IPv6-only just because it's so much easier to configure than NAT.

2. MacOS and Windows use IPv6 Privacy Extensions to randomize your address https://en.wikipedia.org/wiki/IPv6_address#Temporary_address...

3. They work great though, I always had weird MTU issues with IPv4 and had to hard-code one in my router, with IPv6 Path-MTU just works. It really annoys me when people turn off ping, stop doing that.

4. Poor UI for firewalls/routers that is not optimized for dual-stack IPv4/IPv6 is indeed a problem. And not just that, home or small business routers often have no IPv6 UI at all for stuff like firewall.

With IPv4 I always had trouble remembering exactly what number was what device; with IPv6 it kind of forced my hand to set up DNS entries for everything, and that short-term pain (what, 15 minutes?) paid back every time I had to connect to some printer I couldn't remember if it was .218 or .215.

> I'm used to the pseudo security that a NAT gives.

In consumer routers, port forwarding is the exact same thing as an inbound traffic firewall. But when I turn on IPv6, what is the equivalent? Is my printer still protected from random inbound internet traffic?

On my Netgear R6700, I can't figure it out from the UI or from forum posts/help content. And without being certain, I don't want to turn on IPv6. Even though I'm technical enough to understand IPv6. Because my printer or my light bulb being exposed to the internet is a huge risk that my router is supposed to stop.

IPv6 firewalls work the same as IPv4 firewalls.

You just remove the NAT from the equation.

The default is deny.

You have to explicitly enable inbound ports.

The difference is that you connect to the device address, not the NAT gateway address.

No more port conflicts.

No more split DNS.

Etc...

> In consumer routers, port forwarding is the exact same thing as an inbound traffic firewall. But when I turn on IPv6, what is the equivalent? Is my printer still protected from random inbound internet traffic?

Copy-pasting from a previous discussion a little while ago:

---

IPv4+NAT does not remove any more classes of problems than IPv6+firewall. Firewalls under IPv6 work exactly the same way as they do with IPv4.

An IP connection is started from the 'inside' to the 'outside', and the source-destination tuple is recorded. When an 'outside' packet arrives the firewall checks its parameters to see if it corresponds with an existing connection, and if it does it passes it through. If the parameters do not correspond with anything in the firewall's table/s it assumes that someone is trying to create a new connection, which is generally not allowed by default, and therefore drops it.

The main difference is that with IPv4 and NAT the original (RFC 1918?) source address and port are changed to something corresponding to the 'outside' interface of the firewall.

With IPv6 address/port, rewriting is not done. Only state tables are updated and checked.

New connections are not allowed past the firewall towards the inside with either protocol, and only replies to connections opened from the inside are passed through.

There's no magical security behind NAT: tuples and packet flags are read, looked up in a state table, allowed or not depending on either firewall rule or state presence.

The security comes from the state checking.

[…]

I have a printer with an IPv6 stack. I also have IPv6 addresses from my ISP. Yet somehow my Asus AC-68U prevents the public Internet from reaching my printer.

---

* https://news.ycombinator.com/item?id=28390634

IPv6 firewall on my Asus:

* https://www.asus.com/us/support/FAQ/1013638/

If you want to test, find the IPv6 address of your printer and try pinging it:

* https://tools.keycdn.com/ipv6-ping

Ping will still likely work. At least I can ping all my machines on my private network. However, I'm not able to ssh into it or anything else, because all traffic is dropped.

It all depends on firewall configuration, but I think you may unnecessarily scare people by suggesting they're wide open just because ping works.
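To make the state-table argument in the copy-pasted explanation above concrete, here is an added Python model of a connection-tracking filter. It is not code from any commenter or from any router vendor's firmware; it runs the identical accept/drop decision for IPv4 with NAT and for IPv6 without it, so the only observable difference is whether the source tuple gets rewritten on the way out. The addresses are constructed documentation-range values (192.168.1.0/24, 203.0.113.7, 2001:db8:1::/64, 198.51.100.9, 2001:db8:ffff::9), the port-forward and SSH allow rules are assumed for illustration, and TCP flags, timeouts and the other details a real conntrack engine tracks are left out.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example addresses (RFC 5737 / RFC 3849 documentation ranges).
LAN4, WAN4 = "192.168.1.0/24", "203.0.113.7"
LAN6 = "2001:db8:1::/64"
HOST4, HOST6 = "192.168.1.20", "2001:db8:1::22"
REMOTE4, REMOTE6 = "198.51.100.9", "2001:db8:ffff::9"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFirewall:
    """Minimal connection-tracking filter (an added model, not any vendor's code).

    Forwarded traffic is accepted only if it is a reply to a flow the inside
    opened (state-table hit) or matches an explicit inbound allow rule.
    When wan_ip is given the outbound source is rewritten (IPv4 NAT); with
    wan_ip=None (IPv6) nothing is rewritten. The drop decision is identical.
    """

    def __init__(self, lan, wan_ip=None, allow_inbound=None):
        self.lan = ipaddress.ip_network(lan)
        self.wan_ip = wan_ip
        # (public dst, dport) -> (inside dst, dport). For IPv6 both sides are equal.
        self.allow_inbound = dict(allow_inbound or {})
        self.state = {}           # outside-visible 4-tuple -> (inside src, sport)
        self._nat_port = 40000

    def outbound(self, pkt):
        if ipaddress.ip_address(pkt.src) not in self.lan:
            raise ValueError("spoofed source on LAN side")
        if self.wan_ip is None:                      # IPv6: record the tuple as-is
            wire = pkt
        else:                                        # IPv4: SNAT to WAN ip:port
            wire = Packet(self.wan_ip, self._nat_port, pkt.dst, pkt.dport)
            self._nat_port += 1
        self.state[(wire.src, wire.sport, wire.dst, wire.dport)] = (pkt.src, pkt.sport)
        return wire

    def inbound(self, pkt):
        # Reverse the tuple: is this a reply to something the inside sent?
        inside = self.state.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if inside is not None:
            return "accept", Packet(pkt.src, pkt.sport, inside[0], inside[1])
        target = self.allow_inbound.get((pkt.dst, pkt.dport))
        if target is not None:                       # explicit port forward / allow
            return "accept", Packet(pkt.src, pkt.sport, target[0], target[1])
        return "drop", None                          # unsolicited: default deny


def demo():
    v4 = StatefulFirewall(LAN4, wan_ip=WAN4,
                          allow_inbound={(WAN4, 2222): (HOST4, 22)})   # port forward
    v6 = StatefulFirewall(LAN6, allow_inbound={(HOST6, 22): (HOST6, 22)})  # plain allow
    results = {}
    # Outbound flows and their replies
    w4 = v4.outbound(Packet(HOST4, 51000, REMOTE4, 443))
    w6 = v6.outbound(Packet(HOST6, 51000, REMOTE6, 443))
    results["v4_rewritten"] = (w4.src, w4.sport) != (HOST4, 51000)
    results["v6_unchanged"] = (w6.src, w6.sport) == (HOST6, 51000)
    results["v4_reply"] = v4.inbound(Packet(REMOTE4, 443, w4.src, w4.sport))[0]
    results["v6_reply"] = v6.inbound(Packet(REMOTE6, 443, w6.src, w6.sport))[0]
    # Unsolicited scans: v4 aimed at the WAN address, v6 aimed straight at the host
    results["v4_scan"] = v4.inbound(Packet(REMOTE4, 40000, WAN4, 80))[0]
    results["v6_scan"] = v6.inbound(Packet(REMOTE6, 40000, HOST6, 9100))[0]
    # Explicitly opened ssh: reachable on both, but v6 uses the device's own address
    results["v4_ssh"] = v4.inbound(Packet(REMOTE4, 40001, WAN4, 2222))[1].dst
    results["v6_ssh"] = v6.inbound(Packet(REMOTE6, 40001, HOST6, 22))[1].dst
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:14} {value}")
```

Both instances drop the scan against port 80 and port 9100 for the same reason: no state entry and no allow rule. The NAT rewrite in `outbound` adds nothing to that decision; what it changes is that the IPv4 allow rule has to name the gateway's address and a spare port (2222), while the IPv6 rule names the device itself, which is exactly the "no more port conflicts" point made above.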

ICMP should be allowed anyways because of MTU path discovery.

stop disabling ping

All right, but assuming I have a dynamic DNS setup, how do I connect to one of the hosts in my network?

I think most OSes do that privacy thing where they periodically randomize the suffix of their v6 address.

Your hosts will also use SLAAC to determine their permanent 'management' address, that's the one you use for connecting _to_ them.

The 'management' address won't be used as the source address of packets originating _from_ the host unless the use of temporary/privacy addresses is disabled.

I need to remove IPv4 from my home network so that I can finally try and understand all mechanics around it properly.

If you've not seen it before - check out https://ipv6.he.net/certification/ - it's a pretty neat basic IPv6 training course.

Given the number of addresses available in a /64 IPv6 subnet, pick a value to statically assign to it and use that. If you have an SSH bastion host / jump box, perhaps pick ::22 as the end address part.

A friend assigned ::25 for the service vIP of his SMTP server/process, and ::143 for IMAP. Your web(mail) host could be ::80 and/or ::443. All on the same host (if you wish). If you have an HA setup you can have the vIP failover by using (e.g.) keepalived.

Using tokens may be of some interest as well:

* https://man7.org/linux/man-pages/man8/ip-token.8.html

You can have a public prefix address, as well as a local 'private' ULA address at the same time. In some ways I wish the best practice would be for IoT devices and appliances (like printers) to only have link-local addresses, and perhaps ULA if advertised, with global addresses only configured via a config switch. It would perhaps allay some of the concerns that people have (like you do).

Home routers (and even small business routers from companies you'd expect better from like Ubiquiti) are often completely missing the UI for stuff like IPv6 firewall and it's a real tragedy and definitely something that is holding back adoption.

> 2. I'm used to the pseudo security that a NAT gives.

If you wish to do this with IPv6 you can with ULA and NPTv6:

* https://en.wikipedia.org/wiki/Unique_local_address

* https://en.wikipedia.org/wiki/IPv6-to-IPv6_Network_Prefix_Tr...

> 3. All those ICMPv6 messages sniffing (and snooping?) really don't fill me with joy joy happiness.

For those wondering: ping works by sending ICMP(v4) echo request packets. If you wish to block v4 ping you block echo requests (Type 8) and echo replies (Type 0):

* https://en.wikipedia.org/wiki/Internet_Control_Message_Proto...

ping6 works by sending ICMP(v6) echo request packets. In IPv6-land block Types 128 and 129:

* https://en.wikipedia.org/wiki/Internet_Control_Message_Proto...

To block traceroute block Types 11 (v4) and 3 (v6): TTL/hop exceeded notifications.

> IPv6 really does feel like a Godzillian monstrosity and a chore to type in: double colons between every number and it's in Hex? At least with IPv4 you can type the numbers in pretty rapidly on a numpad.

We've run out of IPv4 addresses. We need a larger address space with more bits. More bits mean more typing. Get over it? ¯\_(ツ)_/¯
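The comment above names the ICMPv6 types by number; the added Python below (my example, not anything a commenter posted) shows what those numbers look like on the wire and how a per-type filter can drop echo while leaving the messages that path-MTU discovery and traceroute depend on untouched. It builds a real echo request (type 128) with the RFC 4443 checksum, which covers the IPv6 pseudo-header, and then applies a small accept/drop policy. The source and destination addresses are constructed documentation-range values, the policy is my own illustration of the "don't block anything but ping" advice in this thread, and neighbour-discovery messages are only accepted from link-local sources because accepting router advertisements from off-link is how a rogue RA gets in.

```python
import ipaddress
import struct

ICMPV6_NEXT_HEADER = 58
ECHO_REQUEST, ECHO_REPLY = 128, 129                    # what ping6 sends / gets back
DEST_UNREACHABLE, PACKET_TOO_BIG, TIME_EXCEEDED, PARAM_PROBLEM = 1, 2, 3, 4
ND_TYPES = {133, 134, 135, 136}                        # RS, RA, NS, NA


def _ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                                 # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return total


def _pseudo_header(src: str, dst: str, length: int) -> bytes:
    # RFC 2460 s8.1 pseudo-header: src, dst, upper-layer length, 3 zero bytes, next header
    return (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
            + struct.pack("!I3xB", length, ICMPV6_NEXT_HEADER))


def icmpv6_checksum(src: str, dst: str, message: bytes) -> int:
    """Checksum field value for `message` (its checksum bytes must be zero)."""
    return 0xFFFF ^ _ones_complement_sum(_pseudo_header(src, dst, len(message)) + message)


def checksum_ok(src: str, dst: str, message: bytes) -> bool:
    """A received message verifies when pseudo-header + message sums to all ones."""
    return _ones_complement_sum(_pseudo_header(src, dst, len(message)) + message) == 0xFFFF


def build_echo(src: str, dst: str, ident: int = 0, seq: int = 0,
               payload: bytes = b"", reply: bool = False) -> bytes:
    """ICMPv6 echo request (128) or reply (129): type, code, checksum, id, seq, data."""
    body = struct.pack("!BBHHH", ECHO_REPLY if reply else ECHO_REQUEST, 0, 0, ident, seq)
    body += payload
    csum = icmpv6_checksum(src, dst, body)
    return body[:2] + struct.pack("!H", csum) + body[4:]


def icmpv6_filter(src: str, message: bytes, block_ping: bool = False):
    """Decide accept/drop per ICMPv6 type. Returns (verdict, reason).

    Only echo is treated as policy. Error messages (types 1-4) must pass or
    path-MTU discovery and traceroute break; neighbour discovery must pass
    on the LAN but never from off-link sources (rogue RA / NA spoofing).
    """
    msg_type = message[0]
    if msg_type in (DEST_UNREACHABLE, PACKET_TOO_BIG, TIME_EXCEEDED, PARAM_PROBLEM):
        return "accept", "error message required for PMTUD/traceroute"
    if msg_type in ND_TYPES:
        if ipaddress.IPv6Address(src).is_link_local:
            return "accept", "neighbour discovery from on-link host"
        return "drop", "neighbour discovery from off-link source"
    if msg_type in (ECHO_REQUEST, ECHO_REPLY):
        return ("drop" if block_ping else "accept"), "echo is a policy choice"
    return "drop", "unlisted type, default deny"


if __name__ == "__main__":
    pkt = build_echo("2001:db8::1", "2001:db8::2", ident=0x1234, seq=1, payload=b"ping")
    print(pkt.hex(), checksum_ok("2001:db8::1", "2001:db8::2", pkt))
    for t in (PACKET_TOO_BIG, ECHO_REQUEST, 134):
        print(t, icmpv6_filter("2001:db8:ffff::9", bytes([t, 0, 0, 0]), block_ping=True))
```

The filter is the part worth copying: a rule that says "drop all ICMPv6" silently kills type 2 (Packet Too Big), and from then on every large TCP transfer through a smaller-MTU path stalls, which is the failure mode the linked PMTUD article describes. Matching on type 128/129 alone gives the "no ping" behaviour people actually want without that side effect.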

Please don't block ttl exceeded packets... It will cause some very hard to troubleshoot network issues for someone somewhere sometime.

Amen, brother. Someone like your CEO at somewhere like his lake house at the end of a dodgy DSL line from Cletus's ISP and Bait Shop.

I kid, I kid...they didn't sell bait.

There are a lot of unpleasant failure modes to blocking ICMP without completely understanding the implications.

I agree… but some folks seem to think blocking ping and traceroute give you some kind of extra security.

Your arguments regarding NAT only make sense when considering carrier grade NAT.

With IPv6 you can set up your machine to use "temporary" addresses which will use random addresses from your router's subnet instead of a fixed one (based off of the NIC's mac address) and for a limited duration. The duration is normally some number of hours, but you could make it 10 seconds if you preferred.
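Three comments in this thread describe how a host ends up with its interface identifier: the MAC-derived SLAAC address that the comment above calls the fixed one, the 'management' address versus temporary/privacy addresses discussed earlier, and the hand-picked ::22 / ::25 suffixes (and `ip token`) suggested for servers. The added Python below is my worked example of all three, not code from any commenter; it derives a modified EUI-64 identifier from a MAC, shows that the mapping is reversible (which is why a non-randomised address is a tracker), generates an RFC 4941-style random identifier, and combines a chosen token with a prefix. The prefix 2001:db8:1::/64 and the MAC 00:1a:2b:3c:4d:5e are constructed inputs.

```python
import ipaddress
import secrets

# Constructed inputs: a documentation prefix (RFC 3849) and an example MAC.
PREFIX = "2001:db8:1::/64"
MAC = "00:1a:2b:3c:4d:5e"
IID_MASK = (1 << 64) - 1


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 (RFC 4291 App. A): flip the universal/local bit of the
    first octet and insert ff:fe in the middle. Reversible, hence trackable."""
    octets = bytearray(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC")
    octets[0] ^= 0x02
    return int.from_bytes(bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:]), "big")


def mac_from_iid(iid: int):
    """Undo eui64_iid; None if the identifier does not carry the ff:fe marker."""
    b = bytearray((iid & IID_MASK).to_bytes(8, "big"))
    if b[3:5] != b"\xff\xfe":
        return None
    b[0] ^= 0x02
    return ":".join(f"{x:02x}" for x in b[:3] + b[5:])


def temporary_iid() -> int:
    """RFC 4941-style identifier: 64 random bits with the u/l bit cleared.
    Real stacks also rotate these on a timer (hours by default)."""
    b = bytearray(secrets.token_bytes(8))
    b[0] &= 0xFD                      # clear the 0x02 (universal/local) bit
    return int.from_bytes(b, "big")


def token_iid(token: str) -> int:
    """A hand-picked suffix such as ::22, what `ip token set ::22 dev eth0` applies."""
    iid = int(ipaddress.IPv6Address(token))
    if iid >> 64:
        raise ValueError("token must be zero in the upper 64 bits")
    return iid


def address_from(prefix: str, iid: int) -> ipaddress.IPv6Address:
    """Prefix (must be a /64, as SLAAC requires) OR interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC interface identifiers assume a /64")
    return ipaddress.IPv6Address(int(net.network_address) | (iid & IID_MASK))


if __name__ == "__main__":
    stable = address_from(PREFIX, eui64_iid(MAC))
    temp = address_from(PREFIX, temporary_iid())
    bastion = address_from(PREFIX, token_iid("::22"))
    print("EUI-64 address :", stable, "-> MAC", mac_from_iid(int(stable)))
    print("temporary      :", temp, "-> MAC", mac_from_iid(int(temp)))
    print("token ::22     :", bastion)
```

Running it shows the practical split: the EUI-64 address gives the MAC straight back, so it follows the laptop from network to network even as the prefix changes; the temporary address carries no such marker and is what should be the source of outbound traffic; the token address is the one you put in DNS and connect _to_. Note that Linux, Windows and macOS now default to stable-but-opaque identifiers (RFC 7217) rather than raw EUI-64 for the stable address, so `mac_from_iid` returning None does not by itself mean privacy extensions are on.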

> Last time I checked, IPv6 was just so wrong...

> I'm used to the pseudo security that a NAT gives

> my poor overloaded brain doesn't really want to have anything to do with

You've certainly made the point that you are too lazy to learn. Otherwise, you haven't made a case against IPv6 at all.

The point is that many people are too lazy to learn a more complicated alternative to something simple they've used for a long time. And that's why ipv6 still hasn't taken off in many areas.

> 4. Firewalls require two sets of independent entries for the same service.

Depends on the exact rule you're writing, but nftables can remove a lot of duplication. Many rules cover both IPv4 and IPv6. It's the default since Debian 11.

Agree with every single point. I guess that is the difference from user perspective to engineering perspective.

I often wished there was just a simple IPv5.

Don't touch ICMP, just don't.

http://shouldiblockicmp.com

https://rachelbythebay.com/w/2015/05/15/pmtud/

> sniffing (and snooping?)

Nothing is new here. ND is basically what ARP was. You don't disable ARP, do you?

technically, you cannot even disable ARP because of its inherent reliance on ethernet...

At least ND is a proper layer 3 separation of link-layer discovery..