[benttoothpaste]

In addition IPv6 has this weird restrictions on which prefixes are valid. For example if your ISP gives you /64 prefix, most consumer routers will not recognize it as valid. And even if you have a very configurable router it will take lots of work to configure that - even though in theory you should have tons of addresses available. And if you get a /128 prefix, good luck that - NATs are apparently disallowed in IPV6 world.

[mjevans]

RIPE approved prefix lengths for end customers are /48, /52, /56, /60, and /64; though the prefixes longer than /56 are strongly discouraged and probably reflect either an ISP that doesn't get IPv6 or that is anti-consumer if they do.

https://www.ripe.net/publications/docs/ripe-690#4-2--prefix-...

... "Each hexadecimal character in an IPv6 prefix represents one nibble, which is 4 bits. The length of a delegated prefix should therefore always be a multiple of 4.

A single network at a customer site will be a /64. At present, RIR policies permit assignment of a /48 per site, so the possible options when choosing a prefix size to delegate are /48, /52, /56, /60 and /64.

...

The following sections explain why /48 and /56 are the recommended prefix assignment sizes for end customers.

...

It is strongly discouraged to assign prefixes longer than /56 unless there are very strong and unsolvable technical reasons for doing this."

[tsimionescu]

Is RIPE a law? Can they force my ISP to give me a /56 if they're giving me a /128?

[zamadatix]

It's not law but going to hurt your ISP to not give at minimum a /64 way more than it's going to hurt anyone else as everything is made to make doing so easy from standards all the way down to hardware. Besides RIPE is going to hand them a /32 which is ~4 billion /64s without question and will keep doing that 'til the cows come home so it's not like trying to keep all of the customers in a single /64 saves them from running out of anything. Shoot I even got a /32 for a single non-ISP company without much hassle.

Also RIPE reserves the ability to retract the ISP's IPv6 space, though I really doubt it'd come to that. A lot of the original large swaths of IPv4 were considered owned not leased, that is no longer.

[zamadatix]

> For example if your ISP gives you /64 prefix, most consumer routers will not recognize it as valid.

A /64 is the most valid IPv4 prefix there is. Most consumers should be given multiple (usually about 16) and the router starts with the first one.

> And if you get a /128 prefix, good luck that

No kidding, that's a single address subnet!

> NATs are apparently disallowed in IPV6 world.

It's allowed it's just not the right answer in the vast majority of cases.

[zekica]

NAT is not disallowed in IPv6, it's just discouraged as it breaks end-to-end principle. You can still have stateful firewalls that work for the majority of cases and you can also use NPT (network prefix translation also called 1-to-1 NAT) if you want. There is even a RFC specifying on how to do NPT without creating compute overhead for routers by making the packets have the same CRC.

[Spivak]

NAT is actually probably preferred too for homelabbers one because you don’t have to re-address things ever and also because you can use your whole ISP assignment as a pool of dynamically assignable/attachable public addresses.

[DarylZero]

Are you thinking of prefix translation?

[Spivak]

Not that I know of. I’m using ip6tables with an, honestly garbage, script to give me similar functionality to AWS Elastic IPs.

- Everything inside the network gets a private address from DHCPv6.

- I have a pool of some of my assigned prefix designated as generic outbound which use masquerading and multipath routing so my home traffic isn’t all coming from a single address. This is mostly useless but was fun to set up.

- Then for the rest of the prefix I can create “attachments” where traffic from one of the public ips in the pool is routed to the private address using DNAT and then all outbound traffic from that host is SNATted to come from that public ip.

So the internal hosts can have zero knowledge that they even have a public address, their privates will just start receiving traffic from the internet. When I get a new assignment from my ISP nothing internal will have to change.

It’s port forwarding on steroids!

[DarylZero]

I see. Well it sounds like you "should" be using prefix translation instead of DNAT/SNAT (i.e., use the iptables DNPT/SNPT targets instead). Probably doesn't matter enough to change though.