[tjgq]

Totally agree with you in that IPv6 and the end of NATs are great for the Internet.

My honest (though possibly unpopular) opinion is that the incentive should have been given years ago through government intervention, by legally compelling ISPs to provide IPv6 connectivity to their customers. If most of the Internet had been switched to IPv6 by now, no bidding war over IPv4 addresses would need to take place.

Naturally, it's moot to point out what could have been done and wasn't. But I think this illustrates a limitation of market-based incentives: they seem to work well on the short term, but have a tendency to fail on the long one. Slow IPv6 adoption is, in my view, a market failure that should have been corrected through government intervention.

[wampus]

I have IPv6 through my ISP, Comcast. It's completely broken and unusable due to a bug in the router they upgraded me to last year and force me to use because I have a business account. It took me half a day to figure out the cause of the problem. I'll probably wait another six months to look at it again. This is just one of many sad details plaguing the rollout of IPv6. Maybe the solution will come by skipping it entirely and using something backwards-compatible with IPv4, only with a larger address space (baby steps).

[simoncion]

That's strange. My buddy across the street also has a Comcast Business account. While he does have to use a particular modem, it's handing out a DHCP lease to his personal Airport Extreme. He also has fully functioning IPv6 service.

Do you like, have several IPv4 addresses assigned to you or something?

[cpach]

We’re probably worse off if we let governments choose the technology winners. That could impose even higher costs than what we face today.

[hackuser]

> Totally agree with you in that IPv6 and the end of NATs are great for the Internet.

I can see the advantages, but do I want my devices to have publicly routable addresses? I prefer that the public Internet doesn't know the exist and can't easily contact them without receiving a recent outbound connection. (Perhaps I missing an obvious solution here?)

[tjgq]

What you want is called a firewall.

There seems to be this common misconception that a firewall and a NAT box are the same thing, but they're not. It just happens that most NAT implementations also work as firewalls (though not the other way round).

Even if you don't have a firewall, the odds of someone discovering your IPv6 address by chance (i.e. without you communicating with them first) are incredibly low. Common IPv6 deployment practice is to delegate at least a /56 prefix to each end user, so your device gets an address chosen at random from 2^72 possibilities. You can even hop into a different address every few minutes for added security (some IPv6 stacks do this).

So please don't spread the misconception that IPv6 is somehow less secure than IPv4! :)

[hackuser]

This is a bit condescending and an overreaction. I know well what firewalls and NAT are, and I asked a question, I didn't assert any misconception.

I'll address the technical issues in my response to the other commenters response.

[tjgq]

I certainly did not mean to be condescending. I offer my apologies if my post came across as so.

[hackuser]

Thanks.

[NeutronBoy]

If your firewall (which you'll still need) is configured correctly, then the wider internet either won't know an address isn't routable, or won't be able to do anything even if it is (there are various schools of thought on blocking ICMP messages from the internet, which range from "you break the internet if you block ICMP" to "I'll blackhole ICMP so nobody knows my devices exist")

[hackuser]

> the wider internet either won't know ...

Once a private device communicates with a public Internet server, won't that server and every network between it and the private device (my ISP, etc.) know a publicly routable IP address on my private network? I know a firewall could still help protect it (simple SPI, for example) but having a publicly routable IP would seem to simplify the attacker's job, and possibly reveal information about specific devices and users (i.e., track who is doing what).

Also, I assume my firewall's public IP must be on the same public subnet as my internal devices. It doesn't seem like it would be hard to guess the addresses of devices on the private side.

I haven't looked at IPv6 much, so again I suspect I'm overlooking something basic.

> If your firewall (which you'll still need) is configured correctly

In my experience, this situation isn't common -- especially among end users but even among professionals.

[tjgq]

In the absence of a firewall, you are correct that any node that gets hold of the publicly routable address assigned to one of your devices will be able to communicate with it from the outside. This is indeed a problem for most users, who won't know or bother to configure one; ISPs should do it for them on the CPE.

Regarding the tracking of specific users: RFC 3041 stateless autoconfiguration (which is deployed at least on Linux and OSX - not sure about Windows) allows a device to switch to a new random IPv6 address within its assigned prefix every few minutes. This mitigates, though it does not eliminate, an attacker's ability to correlate connections originating from the same device over a period of time.

Naturally, all of those addresses will share a common IPv6 prefix. But that is no different from most residential NATs, where all connections are observed from the outside to originate from the same IPv4 address.

Also due to stateless autoconfiguration, guessing the address of a device from the outside is equivalent to finding a needle in a 2^64-straw haystack. It's not impossible, but it takes time and a lot of traffic to do so.

[hackuser]

Thank you!