by p1mrx 1046 days ago
> Cloudflare public DNS is 1.1.1.1. If I switch to ipv6, I get to use 2606:4700:4700::1111. You telling me that's an upgrade?

The concept of vanity IPv4 addresses was invented in 2009, when Google acquired 8.8.8.0/24 from Level3. This is an emergent feature of a small, densely packed address space. IPv6 had existed for a decade (EDIT: not two decades) by that point, so you can't really blame the designers.

Sprint controls 2600::, probably by accident, but they're not doing anything interesting with it.


That's true, but even the less memorable v4 addresses are easier to deal with and nicer on the eyes. And on a LAN with a NAT, you typically get memorable addresses like 192.168.1.2.

Maybe the bigger issue was trying to get rid of NAT. People don't want every local network device to have a public IP and have to trust that the router's v6 firewall will do its job.

> People don't want every local network device to have a public IP

I absolutely don't want this. But as I understand it, I can avoid this by assigning my machines the IPv6 nonroutable addresses fe80::/64. They're the equivalent of 192.168.* and 10.*

Same as the firewall, it's fine if it's done right. But does every machine get link-local v6 addresses by default? My Mac is set to "automatic," which I assume asks the router. Even if I use link-local, does every router (even crappy ones) respect the no-forward rule? This is along with several other aspects of my network changing to use v6.

Meanwhile, if someone sends a v4 packet with TCP port 22 to my router, it can't tell where to forward it even if it wanted to. It takes effort to do that, namely a port forwarding config.

> But does every machine get link-local v6 addresses by default?

If you use DHCP, then I think you can configure that. What I have in mind is to assign static IPs to all of my fixed machines anyway, and use DHCP to assign IPs to transient machines. Not sure if that's reasonable, but it's my current thinking.

> does every router (even crappy ones) respect the no-forward rule?

There may be broken ones, but it doesn't matter so much because your ISP won't route such addresses regardless.

> If you use DHCP, then I think you can configure that. What I have in mind is to assign static IPs to all of my fixed machines anyway, and use DHCP to assign IPs to transient machines. Not sure if that's reasonable, but it's my current thinking.

You probably can, but as it's often said, most security breaches are caused by misconfiguration.

> There may be broken ones, but it doesn't matter so much because your ISP won't route such addresses regardless.

Yeah fair enough, I can trust my ISP to do that at least.

> You probably can, but as it's often said, most security breaches are caused by misconfiguration.

Yes, but that's no different with IPv4. What it really means is that we have to learn the intricacies of IPv6 in order to use it confidently. Right now, I am nowhere near comfortable that I have sufficient understanding. That can be fixed through enough study, but is also part of the friction in adopting IPv6.

NAT is a bandage over a crippling of proper network behavior. You trust your port forwarding isn't illicitly opening itself, no? Then you can trust a default deny inbound policy on IPv6.

My port forwarding would have to actively try to allow traffic to my host. It doesn't even know where to forward to. And like it or not, NAT has momentum. Getting rid of NAT would be a big migration in and of itself.

This is actually wrong, and dangerously so. Your router knows perfectly well where to forward any given packet to: it forwards it to the IP that's in the packet's "destination IP" header.

If a connection comes into your router with the destination IP set to one of your LAN machines, NAT will not stop the connection.

There's no reason to be using NAT to protect yourself from inbound connections, because that's not a thing NAT even does in the first place. It often makes things actively worse even, by making it easier to port scan for your servers and by giving you a false sense of security.

NAT66 exists, it just isn't a necessity in IPv6. There are also private IPv6 networks.

They are called Unique Local Addresses (ULA) and are in the range fd00::/8.

Which itself is so much better than RFC 1918 addresses. If you need private, non-Internet routable addresses, then you generate a random one. In the event two private networks need to communicate over VPN, for example, there is no clash.

You can number a LAN with fd00::/64 and use IPv6 NAT to reach the internet, so the addresses are even shorter than 192.168.1.x. It's just not commonly done that way.
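As an added example (my own code, not from any commenter in this thread), a standard-library Python script that does what the last few comments describe: it builds an RFC 4193 ULA /48 from fd00::/8 plus a 40-bit random Global ID, reads the Global ID back out of an existing prefix (so the hand-picked fd00::/64 shows up as an all-zero ID that gives up the no-clash property), classifies addresses into link-local, ULA and global scope, and estimates the chance that independently generated ULA prefixes collide when joined over a VPN. Function names are my own.

```python
import math
import secrets
import ipaddress

# Scopes discussed above: link-local (RFC 4291) and unique local (RFC 4193).
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
ULA = ipaddress.IPv6Network("fc00::/7")        # whole ULA block
ULA_LOCAL = ipaddress.IPv6Network("fd00::/8")  # locally assigned half (L bit = 1)

GLOBAL_ID_BITS = 40


def generate_ula_prefix(global_id=None):
    """Return an RFC 4193 /48: fd00::/8 followed by a 40-bit Global ID.

    RFC 4193 wants the Global ID drawn at random so that two sites numbered
    independently are very unlikely to clash when later joined over a VPN.
    Pass global_id only to make the result reproducible (e.g. in a test).
    """
    if global_id is None:
        global_id = secrets.randbits(GLOBAL_ID_BITS)
    if not 0 <= global_id < (1 << GLOBAL_ID_BITS):
        raise ValueError("Global ID must fit in 40 bits")
    prefix_int = (0xFD << 120) | (global_id << 80)
    return ipaddress.IPv6Network((prefix_int, 48))


def ula_global_id(network):
    """Extract the 40-bit Global ID of a ULA prefix; 0 means it was hand-picked."""
    net = ipaddress.IPv6Network(network)
    if not net.subnet_of(ULA):
        raise ValueError(f"{net} is not a ULA prefix")
    return (int(net.network_address) >> 80) & ((1 << GLOBAL_ID_BITS) - 1)


def classify(address):
    """Scope of an address: whether it should ever leave the link or the site."""
    addr = ipaddress.IPv6Address(address)
    if addr in LINK_LOCAL:
        return "link-local"    # must never be forwarded by any router
    if addr in ULA_LOCAL:
        return "ula"           # site-internal; not routed on the public internet
    if addr in ULA:
        return "ula-reserved"  # fc00::/8, not yet defined for use
    if addr.is_global:
        return "global"
    return "other"             # loopback, unspecified, documentation, ...


def ula_clash_probability(sites):
    """Birthday bound: chance that at least two of `sites` random /48s share a Global ID."""
    pairs = sites * (sites - 1) / 2
    return 1.0 - math.exp(-pairs / (1 << GLOBAL_ID_BITS))
```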