Thoughts on IPv6
A few months ago, the awesome provider Init7 has released their awesome FTTH offering Fiber7 which provides synchronous 1GBit/s access for a very fair price. Actually, they are by far the cheapest provider for this kind of bandwith.
Only cablecom comes close at matching them bandwidth wise with their 250Mbits package, but that’s 4 times less bandwith for nearly double the price. Init7 also is one of the only providers who officially states that their triple-play strategy is that they don’t do it. Huge-ass kudos for that.
Also, their technical support is using Claws Mail on GNU/Linux - to give you some indication of the geek-heaven you get when signing up with them.
But what’s really exciting about Init7 is their support for IPv6. In-fact, Init7 was one of the first (if not the first) providers to offer IPv6 for end users. Also, we’re talking about a real, non-tunneled, no strings attached plain /48.
In case that doesn’t ring a bell, a /48 will allow for 216 networks consisting of 264 hosts each. Yes. That’s that many hosts.
In eager anticipation of getting this at home natively (of course I ordered Fiber7 the moment I could at my place), I decided to play with IPv6 as far as I could with my current provider, which apparently lives in the stone-age and still doesn’t provide native v6 support.
After getting abysmal pings using 6to4 about a year ago, this time I decided to go with tunnelbroker which these days also provides a nice dyndns-alike API for updating the public tunnel endpoint.
Let me tell you: Setting this up is trivial.
Tunnelbroker provides you with all the information you need for your tunnel
and with the prefix of the /64 you get from them and setting up for your own
network is trivial using
The only thing that’s different from your old v4 config: All your hosts will immediately be accessible from the public internet, so you might want to configure a firewall from the get-go - but see later for some thoughts in that matter.
But this isn’t any different from the NAT solutions we have currently. Instead of configuring port forwarding, you just open ports on your router, but the process is more or less the same.
If you need direct connectivity however, you can now have it. No strings attached.
So far, I’ve used devices running iOS 7 and 8, Mac OS X 10.9 and 10.10,
Windows XP, 7 and 8 and none of them had any trouble reaching the v6 internet.
Also, I would argue that configuring
radvd is easier than configuring DHCP.
There’s less thought involved for assigning addresses because
autoconfiguration will just deal with that.
For me, I had to adjust how I’m thinking about my network for a bit and I’m posting here in order to explain what change you’ll get with v6 and how some paradigms change. Once you’ve accepted these changes, using v6 is trivial and totally something you can get used to.
- Multi-homing (multiple adresses per interface) was something you’ve rarely done in v4. Now in v6, you do that all the time. Your OSes go as far as to grab a new random one every few connections in order to provide a means of privacy.
- The addresses are so long and hex-y - you probably will never remember them.
But that’s ok. In general, there are much fewer cases where you worry about
- Because of multi-homing every machine has a guaranteed static address (built from the MAC address of the interface) by default, so there’s no need to statically assign addresses in many cases.
- If you want to assign static addresses, just pick any in your /64. Unless you manually hand out the same address to two machines, autoconfiguration will make sure no two machines pick the same address. In order to remember them, feel free to use cute names - finally you got some letters and leetspeak to play with.
- To assign a static address, just do it on the host in question. Again, autoconfig will make sure no other machine gets the same address.
- And with Zeroconf (avahi / bonjour), you have fewer and fewer oportunities to deal with anything that’s not a host-name anyways.
- You will need a firewall because suddenly all your machines will be accessible for the whole internet. You might get away with just the local personal firewall, but you probably should have one on your gateway.
- While that sounds like higher complexity, I would argue that the complexity is lower because if you were a responsible sysadmin, you were dealing with both NAT and a firewall whereas with v6, a firewall is all you need.
- Tools like nat-pmp or upnp don’t support v6 yet as far as I can see, so applications in the trusted network can’t yet punch holes in the firewall (what is the equivalent thing to forwarding ports in the v4 days).
Overall, getting v6 running is really simple and once you adjust your mindset a bit, while stuff is unusual and taking some getting-used-to, I really don’t see v6 as being more complicated. Quite to the contrary actually.
As I’m thinking about firewalls and opening ports, actually, as hosts get wiser about v6, you actually really might get away without a strict firewall as hosts could grab a new random v6 address for every connection they want to use and then they would just bind their servers to that address.
Services binding to all addresses would never bind to these temporary addresses.
That way none of the services brought up by default (you know - all those ports open on your machine when it runs) would be reachable from the outside. What would be reachable is the temporary addresses grabbed by specific services running on your machine.
Yes. An attacker could port-scan your /64 and try to find the non-temporary address, but keep in mind that finding that one address out of 264 addresses would mean that you have to port-scan 4 billion traditional v4 internets per attack target (good luck) or randomly guessing with an average chance of 1:263 (also good luck).
Even then a personal firewall could block all unsolicited packets from non-local prefixes to provide even more security.
As such, we really might get away without actually needing a firewall at the gateway to begin with which will actually go great lengths at providing the ubiquitous configuration-free p2p connectivity that would be ever-so-cool and which we have lost over the last few decades.
Me personally, I’m really happy to see how simple v6 actually is to get implemented and I’m really looking forward to my very own native /48 which I’m probably going to get somehwere in September/October-ish.
Until then, I’ll gladly play with my tunneled /64 (for now still firewalled, but I’ll investigate into how OS X and Windows deal with the temporary addresses they use which might allow me to actually turn the firewall off).
blog comments powered by Disqus