250 million-plus unused IPv4 addresses should be left alone, argues network boffin

The 240/4 block of IPv4 addresses – the six percent of the available IPv4 space that is currently not available for public use – should be left alone rather than being added to the pool of available internet resources, according to Geoff Huston, chief scientist of the Asia Pacific Network Internet Center. Huston shared that …

  1. Jusme

    Well...

    > Tests show it's just too hard to put the unused 240/4 block to work

    Probably easier than deploying IPv6

    > Two thirds of the internet is not on IPv6 and is thriving on network address translation

    Exactly.

    IPv6 reminds me of OSI networking, as beloved by mainframes of a certain flavour. Designed by committee, and including all sorts of clever stuff to satisfy everyone. Unfortunately they both ended up being too hard to implement, and as a result, the simplicity of IPv4 still rules the internet.

    (Yes, I've deployed IPv6, and until recently had a fully IPv6 enabled network - DNS, email, web, etc. Unfortunately the problems it causes (several*) seem to exceed the benefits it gives (none), so I'm now removing all IPv6 capability - I just don't need it.)

    <asbestos underwear installed...>

    * For starters:

    Problem 1: The IPv6 internet seems to be fragmented - not all addresses are always reachable from all providers due to commercial politics.

    Problem 2: If I change provider, I have to change addresses on everything. Yes, I could use IPv6 NAT, but that was strongly discouraged by the IPv6 cult and only got included (late in the day) because it's necessary in the real world.

    Problem 3: Practically no consumer ISPs (in the UK at least) support IPv6 properly (i.e. give you a /48 global prefix)

    1. Mr Sceptical

      Re: Well...

      Problem 4: if connecting out from an IPv6 only location, various parts of the internet, e.g. TrueNAS repositories are bloody unreachable, making updates an absolute PITA.

      Ubuntu and others are also very unstable, most of the time.

      Trying to build a gateway via a UK ISP with only IPv4 and an HE tunnel has not been successful, despite many profanities uttered.

      Some of my cloud system manufacturers have said they also don't have IPv6 compatibility on the roadmap yet.

      It's almost like people aren't that interested in getting IPv6 rolled out...

      1. Chloe Cresswell Silver badge

        Re: Well...

        "Trying to build a gateway via a UK ISP with only IPv4 and an HE tunnel has not been successful, despite many profanities uttered."

        I have had no issues with my zen + HE tunnel setup.

        Note: setup.

        In day to day use however, lots of places seem to block HE IPv6 ranges. I have to turn off v6 on my laptop when I want to get to admin.microsoft.com, etc...

        1. Mr Sceptical
          Facepalm

          Re: Well...

          "I have had no issues with my zen + HE tunnel setup."

          HE on Plusnet is up OK, but setting up a tunnel from the other end (in the Caribbean), less so. Bit of a learning curve on that part, and needs a run-up each time I get a chance to look at it.

          I do get random warnings from Google that my connection now looks suspicious for some reason, but nothing I can seem to influence.

          1. Chloe Cresswell Silver badge

            Re: Well...

            Yep, Google tends to loop me through a "prove you are a real person" captcha again and again till I give up and flip back to v4.

            Some sites time out, others give me a dedicated "this IP range (2001:470:etc) is blocked by <service name>" page

        2. Jusme

          Re: Well...

          > I have had no issues with my zen + HE tunnel setup...

          > In day to day use however, lots of places seem to block HE IPv6 ranges.

          I used the same approach (using Zen and Virgin for IPv4 connectivity), and yes, some things work fine. Reading around, it doesn't seem to be that sites are blocking HE, but there are peering issues that HE seem to be on the wrong side of. Until that nonsense is sorted, using IPv6 is a bad joke.

          Edited to add:

          Zen seem to provide some level of IPv6 capability on the Fritz Box router they supply, but I couldn't get it to work at all. Virgin seem to have absolutely no interest in IPv6, and are still delivering their cable TV over proprietary co-ax, not IP (I know this because they foisted their STB on me to get a decent discount on the broadband. Since I was paying for it, I hooked it up (via the ethernet port) and it seemed to be going ok with the menus etc. but as soon as I tried to watch any content it errored out because the co-ax wasn't connected. Unfortunately the Virgin termination point is in the server room, and the big TV isn't, so their fancy STB went back in its box.)

          1. MatthewSt Silver badge

            Re: Well...

            For Zen you need to have it specifically enabled on your account: https://www.zen.co.uk/help-support/does-zen-provide-ipv6-support

          2. Chloe Cresswell Silver badge

            Re: Well...

            "Reading around, it doesn't seem to be that sites are blocking HE, but there are peering issues that HE seem to be on the wrong side of. "

            Oh no, I actually get error pages on some systems that the IP range (2001:470:etc) I am coming from is blocked by <insert service here as it's not always the same one>

            1. talk_is_cheap

              Re: Well...

              The problem is that many systems on the internet consider HE's service as a regionless proxy, so they block it. Netflix is a good example of this, as they do not want customers using proxies that can get around region restrictions.

    2. Jellied Eel Silver badge

      Re: Well...

      Problem 3: Practically no consumer ISPs (in the UK at least) support IPv6 properly (i.e. give you a /48 global prefix)

      Depends what you mean by 'properly'. BT assigns IPv6 addresses, and so far I've had no problems with reachability. If you're after IPv6 PI addresses, that's a different problem, and one of those policy issues. IPv6 PI wasn't encouraged, along with other normal activities like multi-homing and v6 NAT. For most consumers (ie residential), it just works.

      The rest is mostly just politics, ie allocating 240/4 should mostly be a software update and change to bogons filters, but it isn't being done because of pressure to force migration to IPv6.

      1. I could be a dog really Silver badge

        Re: Well...

        should mostly be a software update and change to bogons filters

        Hmm, did you read the same article as me ?

        It points out that the number of devices needing updates is vast - and the majority of them simply won't get an update. Hence anything unlucky enough to get an address in the newly released block will be less accessible than if it were on IPv6 only.

    3. A Non e-mouse Silver badge

      Re: Well...

      Problem 3: Practically no consumer ISPs (in the UK at least) support IPv6 properly (i.e. give you a /48 global prefix)

      Sky are the second largest UK ISP and provide IPv6. (Plus all the boutique ISPs such as Zen, A&A, etc)

    4. John Sager

      Re: Well...

      I have had IPv6 from A&A for several years and I run a dual stack network with both Linux and Windows machines with no problem. A&A provide a 6-to-4 gateway/DNS service so in principle I could go v6 only. However I have devices that are v4 only on the network so it's easier to keep v4 going. One arcane issue I had was with my VPN tunnel back to the home network. That is currently v4 only but when I visited my daughter recently the tunnel wouldn't work on her network. She had recently changed ISP to a fibre provider that was dual stack, so my phone acquired a v6 address on that network. The browser on the phone then picked up the v6 address of the server on my network it wanted to connect to, but it wouldn't route over the v4-only tunnel! Happily, merely adding the v6 address range of my internal network to WireGuard's AllowedIPs list on the phone solved that one.

    5. Jamie Jones Silver badge

      Re: Well...

      Absolute tosh. Another post from the "if it's too complicated for me, it must be crap" school of thought.

      Problems 1 & 3 are related to ipv6 rollout rather than the protocol.

      Problem 2: No different to IPv4, in that if you have your own ASN, with an associated IP range, then you don't need to change IP addresses of devices. If you don't, then how else are things meant to know that your network connection has physically changed? Even then, that will be mitigated by your use of SLAAC/DHCP.

    6. MyffyW Silver badge

      Re: Well...

      My experience with IPv6 has mostly been in disabling it to give a more reliable connection for my various boxen to the Internet

    7. Sok Puppette

      Re: Well...

      > Probably easier than deploying IPv6

      No, in fact it is not. Code would have to change in the depths of the IP stack of every machine.

      If governments had had the guts to just forbid IPv4 on the public Internet 20 years ago, we wouldn't have this problem. But idiots just keep digging things deeper.

      1. Roopee Silver badge
        Stop

        Re: Well...

        If you are seriously advocating allowing governments to “forbid $stuff on the Internet“ then I have an apartment for sale in China that you might be interested in...

    8. jeremya

      No problems with IPv6

      I recently sold my IPv4 class-C as it had no actual benefit to me and cost money to maintain.

      In exchange, I have a /48 IPv6 range and a single IPv4 address allocated by my ISP (plus some IPv4 & IPv6 addresses for my cloud servers). I have zero problems!

      Internal Windows machines prefer to run IPv6 anyway. So do my Linux machines. A little bit of DNS with A and AAAA records and it's entirely seamless

      I also run dual-stack mail servers, and around 25% of incoming mail uses IPv6 in preference to IPv4.

      1. Roopee Silver badge
        Boffin

        Re: No problems with IPv6

        Lucky you - but your use case is probably unique, or practically so, thus ideally suited to IPv6.

        I taught myself IPv6 out of interest and so that I could use it on my HomeLab, but to the average user IP-anything is mumbo-jumbo, and as the article clearly states, there is a huge cost to switch to 100% v6, with no benefit whatsoever to those billions of users. So why would they want to pay for it, directly or indirectly?

        The horse already bolted years, nay decades, ago - whenever it was that NAT was invented/adopted...

    9. blunden

      Re: Well...

      Not sure what makes you think IPv4 is simpler?

      On my own VyOS router handling a fairly simple dual stack home setup with a few hosted services on a few different servers, the IPv4 configuration (Firewall + NAT + Hairpin NAT) is basically twice as large as my IPv6 configuration (Firewall). ~800 lines vs. ~400 lines.

      That's with Hairpin NAT implemented only for a few of the hosted services. If I wanted it for all of them, the difference would be even larger.

      Regardless, millions of people are now behind CGNAT. Besides no longer being able to host services, those CGNAT boxes tend to cause performance issues at peak hours, so their IPv4 experience can often be very subpar with all sorts of weird issues.

      1. Roopee Silver badge
        Headmaster

        Re: Well...

        > millions of people

        BILLIONS of people

        FTFY

      2. Roland6 Silver badge

        Re: Well...

        >Regardless, millions of people are now behind CGNAT

        CGNAT isn't just an IPv4 issue. For whatever reason the majors don't use public IP addresses for either IPv4 or IPv6 on their 4G/5G networks...

    10. gap

      Re: Well...

      And while we're migrating to IPv6, we'll also migrate to X.400 & X.500!

    11. I could be a dog really Silver badge

      Re: Well...

      Also running dual stack.

      Problem 1 - never noticed it

      Problem 2 - define "change addresses on everything", more below

      Problem 3 - dunno, mine doesn't do it at all which is why I'll be changing when my contract is up, or when the altnet currently throwing loads of fibre into our town is able to connect me, whichever comes first. For now I use HE's tunnelbroker service which mostly works - like others I have occasional (and they are occasional) cases where services are blocked (no, not unroutable, blocked) by someone's policy, but I get that in the IPv4 world as well.

      Now, that addressing things issue ...

      The reason you think it's not a problem when you change providers with IPv4 is because your IPv4 connection is BROKEN. You're behind NAT (or more correctly, NAPT), and that is by definition broken. "But everything works" is only because lots of developers have put a lot of effort into working around/hiding all the stuff that NAT breaks. Across the internet, a VERY LARGE amount of money and resources is spent on "unbreaking" things - for example, without NAT, VoIP providers wouldn't need to route all your traffic through a gateway whose sole function is to unbreak SIP. In short, NAT wastes a sh1tload of resources that could be better spent on making things that are productive. But let's leave that aside and talk IPv6.

      For most of what you do, the address doesn't matter. For most of your internal stuff, mDNS and the other bits of automatic service discovery should take care of things. But if that's not enough, you can use private addressing internally and put those in your internal DNS. For externally accessible stuff - I have some of that, and the obvious question is "so how often do you change providers ?", followed by "and why don't you complain about the same issue updating DNS with IPv4 ?".

      1. MattAvan

        Re: Well...

        > For externally accessible stuff - I have some of that, and the obvious question is "so how often do you change providers ?"

        I've had no trouble with external accessibility and something even worse: an ISP with a total lack of fixed prefixes. I get assigned a new prefix at router reboot. But no worries, my OpenWRT router assigns a fixed suffix (eg. ::42) to my server, opens a port to nginx, and that's that except for needing DDNS.
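The "changing prefix, fixed suffix" arrangement MattAvan describes, shown as an added worked example rather than OpenWRT's own code or configuration. It composes a host address from whatever prefix the ISP delegated plus a pinned interface identifier (::42), including the case where the delegated prefix length is not byte-aligned (a /60), and formats the result as the text you would push to a DDNS AAAA record. The sample prefixes are constructed from documentation space (2001:db8::/32); the function and type names are this example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IPv6 address as 16 bytes in network order. */
typedef struct { uint8_t b[16]; } in6;

/* Build an address from its eight 16-bit groups, as written in colon-hex. */
in6 in6_from_groups(const uint16_t g[8])
{
    in6 a;
    for (int i = 0; i < 8; i++) {
        a.b[2 * i]     = (uint8_t)(g[i] >> 8);
        a.b[2 * i + 1] = (uint8_t)(g[i] & 0xff);
    }
    return a;
}

bool in6_equal(in6 x, in6 y) { return memcmp(x.b, y.b, 16) == 0; }

/* Take the first prefix_len bits from prefix and the remaining bits from
 * suffix. Handles prefix lengths that are not byte-aligned (e.g. /60),
 * where a single byte is split between the two inputs. */
in6 compose_addr(in6 prefix, unsigned prefix_len, in6 suffix)
{
    in6 out = suffix;
    if (prefix_len > 128)
        prefix_len = 128;
    unsigned full = prefix_len / 8, rem = prefix_len % 8;
    memcpy(out.b, prefix.b, full);
    if (rem) {
        uint8_t mask = (uint8_t)(0xffu << (8 - rem));
        out.b[full] = (uint8_t)((prefix.b[full] & mask) | (suffix.b[full] & (uint8_t)~mask));
    }
    return out;
}

/* Uncompressed colon-hex text (no :: shortening), e.g. for a DDNS update.
 * out must have room for 40 bytes including the terminator. */
void in6_format(in6 a, char out[40])
{
    snprintf(out, 40, "%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x",
             a.b[0], a.b[1], a.b[2], a.b[3], a.b[4], a.b[5], a.b[6], a.b[7],
             a.b[8], a.b[9], a.b[10], a.b[11], a.b[12], a.b[13], a.b[14], a.b[15]);
}

int main(void)
{
    /* Constructed sample: the ISP delegated 2001:db8:abcd:100::/56 before a
     * reboot and 2001:db8:ffff:200::/56 after it; the server is pinned to ::42. */
    uint16_t old_p[8] = { 0x2001, 0x0db8, 0xabcd, 0x0100, 0, 0, 0, 0 };
    uint16_t new_p[8] = { 0x2001, 0x0db8, 0xffff, 0x0200, 0, 0, 0, 0 };
    uint16_t iid[8]   = { 0, 0, 0, 0, 0, 0, 0, 0x42 };
    char txt[40];

    in6_format(compose_addr(in6_from_groups(old_p), 56, in6_from_groups(iid)), txt);
    printf("before reboot: %s\n", txt);
    in6_format(compose_addr(in6_from_groups(new_p), 56, in6_from_groups(iid)), txt);
    printf("after reboot:  %s  (what the DDNS AAAA record is updated to)\n", txt);
    return 0;
}
```

The interface identifier survives the prefix change untouched, which is why only the DNS record needs refreshing; the port-forward rule can match on the suffix rather than on a full address.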

  2. steelpillow Silver badge
    Coat

    Really?

    > Any effort to [migrate] would mean consumers need new routers/modems, which would cost them money without improving their online experience.

    which of course applies to v6 as well.

    as it did to NAT.

    So if we could replace our kit for NAT back in the day, why not again for v6 or 240/4 as well?

    In fact, why not use the 240/4 range as Part 1 of a 2-part address, so the endpoint can relieve their gateway of doing the NAT for them?

    Okay okay, I'll get my coat...

    1. steelpillow Silver badge
      Facepalm

      Re: Really?

      Silly me. NAT was a gateway transition, not an endpoint transition.

      1. Roland6 Silver badge

        Re: Really?

        Are you saying think of all those users of unsupported Windows systems?

        Given how long this proposal has been under consideration, there should be no reason why W10 & 11 don’t support the 240/4 block as default out-of-the-box.

        As for Internet of Junk devices, if they are over one year old, they are already out-of-support…

        From the article, it would seem the problem is the cheap and cheerful ISP supplied routers, which the ISPs update over the wire…

        1. steelpillow Silver badge

          Re: Really?

          Are you saying that where the guy claimed, "Any effort to [migrate] would mean consumers need new routers/modems", he was wrong?

          1. Jellied Eel Silver badge

            Re: Really?

            Are you saying that where the guy claimed, "Any effort to [migrate] would mean consumers need new routers/modems", he was wrong?

            Quite possibly. Think of it this way. Pretty much every week we get news of some new critical vulnerability that means stuff needs patching. So the implication is that consumers' routers/modems can't be pushed a software update to remove 240/4 from a bogons list, assuming the device actually has one. If their firmware can't be updated, that means a wider security issue.

            1. doublelayer Silver badge

              Re: Really?

              A lot of that equipment has not gotten security updates in a very long time. The only reason it's not as big an issue as it could be is that there's a lot of different equipment, so vulnerabilities can't give you access to all of it in one go and a lot of it hasn't been penetration tested enough to find them. Lots of botnets have used some subset of those routers to propagate. While ISPs can theoretically update the ones they provided, they quite often don't, might not really be able to because all they have is remote access to the configuration, not the code, and can't manage some relatively simple things without breaking their users and are therefore conservative with any changes they do make.

              Adding either the 240/4 block or IPV6 support requires significant changes to a low-level part of the box. No, an ISP is not going to do that to the equipment they've already sent out unless they have a true monoculture and only have to do it once. They're probably not going to do it to the hardware they own which can't handle those ranges either, even though they don't have to send someone into their customers' houses if they mess that one up. The major difference between 240/4 and IPV6 is that a lot of their equipment will support IPV6 as it is replaced for other reasons, but most of that doesn't support 240/4 either because it was reserved for future use and discarded for speed. Adding either is hard, but IPV6 is easier, more likely to work, and more useful into the future.

              1. Jellied Eel Silver badge

                Re: Really?

                Adding either the 240/4 block or IPV6 support requires significant changes to a low-level part of the box.

                Where do you get that idea? It isn't, or shouldn't be a low-level change, it's just amending a filter list. Assuming there's a filter at all. And if there are filters, there should be a mechanism to change those via a software or firmware update. I know that for pretty much all Cisco stuff since around IOS 10.2 you could happily configure and route those addresses, unless you added a bogons filter to stop those being advertised. Especially as the space has been sitting tagged as reserve for decades now.

                Most consumer tin just isn't that sophisticated because most of the filtering is done on the provider side. Sure, it would need those filters updating but that's BAU for an ISP. There may be some users finding themselves unreachable or reachable, if they've decided to use 240/8 addresses internally. But that's their problem because they shouldn't have.

                1. ggm

                  Re: Really?

                  it's not a filter list. It's about 4 lines of C code in the kernel, copied into Linux from BSD. It's a test for the upper bits set in the IPv4 4 byte source and destination fields of the IP packet. It is not forwarded if these bits are set.

                  The change is simple: remove the 4 lines of code. The problem is not the code. The problem is the supply chain logistics behind deploying that patch to all the codebases of all the routing-active devices, most of which are at this point functionally orphanware.

                  I disagree with Geoff it's unfixable, but I think it's unlikely to be fast, and so the most likely outcome is a slow bleed to 80/20 rather than a one-and-done situation.
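The two models argued over above, Jellied Eel's "it's just a filter list" and ggm's "it's a hard-coded test in the forwarding path", side by side as an added example. This is not code from the Linux or BSD kernels; it reproduces the shape of the classic class-E test (BSD's IN_EXPERIMENTAL, the old Linux IN_BADCLASS macro): an address is in 240.0.0.0/4 exactly when its top four bits are set, and a router with that test refuses to forward any packet whose source or destination matches. The bogon prefix table is an assumed, illustrative list, not a production one. Dropping 240/4 from the table is a data change; dropping it from `forward_legacy()` means a new kernel build, which is the deployment problem ggm describes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Build a host-order IPv4 address from its dotted-quad parts. */
uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

/* The hard-coded class-E test: top four bits set means 240.0.0.0/4.
 * Same shape as BSD's IN_EXPERIMENTAL / old Linux IN_BADCLASS, not copied from either. */
bool in_240_4(uint32_t addr)
{
    return (addr & 0xf0000000u) == 0xf0000000u;
}

/* 255.255.255.255 (limited broadcast) is the one address in that block that
 * must still be refused as a unicast source or destination after any change. */
bool is_limited_broadcast(uint32_t addr)
{
    return addr == 0xffffffffu;
}

/* Legacy forwarding decision: any 240/4 source or destination is dropped.
 * The in_240_4() calls are the lines a patch would remove. */
bool forward_legacy(uint32_t saddr, uint32_t daddr)
{
    return !(in_240_4(saddr) || in_240_4(daddr));
}

/* Forwarding decision after such a patch: only limited broadcast is refused. */
bool forward_patched(uint32_t saddr, uint32_t daddr)
{
    return !(is_limited_broadcast(saddr) || is_limited_broadcast(daddr));
}

/* The other model: a bogon prefix list that is data, not code. Assumed,
 * illustrative entries; a real list is curated and longer. 240/4 is kept
 * last so the "remove it" case is just passing a shorter length. */
struct prefix { uint32_t net; unsigned len; };

const struct prefix bogons_with_240[] = {
    { 0x00000000u,  8 },   /* 0.0.0.0/8       "this" network */
    { 0x0a000000u,  8 },   /* 10.0.0.0/8      RFC 1918 */
    { 0x7f000000u,  8 },   /* 127.0.0.0/8     loopback */
    { 0xa9fe0000u, 16 },   /* 169.254.0.0/16  link-local */
    { 0xac100000u, 12 },   /* 172.16.0.0/12   RFC 1918 */
    { 0xc0a80000u, 16 },   /* 192.168.0.0/16  RFC 1918 */
    { 0xe0000000u,  4 },   /* 224.0.0.0/4     multicast */
    { 0xf0000000u,  4 },   /* 240.0.0.0/4     reserved */
};
#define N_BOGONS (sizeof bogons_with_240 / sizeof bogons_with_240[0])

bool prefix_match(const struct prefix *p, uint32_t addr)
{
    uint32_t mask = p->len == 0 ? 0u : 0xffffffffu << (32 - p->len);
    return (addr & mask) == (p->net & mask);
}

/* True if addr falls inside any of the first n prefixes in list. */
bool is_bogon(const struct prefix *list, size_t n, uint32_t addr)
{
    for (size_t i = 0; i < n; i++)
        if (prefix_match(&list[i], addr))
            return true;
    return false;
}

int main(void)
{
    uint32_t src = ip4(240, 1, 2, 3), dst = ip4(203, 0, 113, 9);
    printf("240.1.2.3 -> 203.0.113.9: legacy forward=%d, patched forward=%d\n",
           forward_legacy(src, dst), forward_patched(src, dst));
    printf("240.1.2.3 is bogon with 240/4 listed=%d, with it removed=%d\n",
           is_bogon(bogons_with_240, N_BOGONS, src),
           is_bogon(bogons_with_240, N_BOGONS - 1, src));
    return 0;
}
```

Note that both checks have to change for the block to be usable end to end: a device whose ISP has dropped 240/4 from its filter list still blackholes the traffic if its own forwarding code behaves like `forward_legacy()`, which is why a partially updated path looks like reachability that depends on where the packet happens to go.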

                  1. Roland6 Silver badge

                    Re: Really?

                    >it's not a filter list. It's about 4 lines of C code in the kernel, copied into Linux from BSD.

                    So a firmware update, not " a low-level part of the box."

                    I presume OpenWRT, DD-WRT and VyOS already support 240/4.

                2. doublelayer Silver badge

                  Re: Really?

                  My point was that the change isn't a switch on the web UI. It's not a line in a config file. In many cases, it's a kernel code change, which isn't that many lines of code but still requires recompiling the kernel and pushing out that update. Most devices that ISPs provide don't get new kernels from them. New kernels come from the manufacturer who has forgotten all about these boxes years ago. In many cases, the update files don't even change the kernel, just the configs and libraries, making applying kernel updates a more involved process.

                  There are some other devices which have separate hardware for routing which may have that rule coded in, and in that case, the change is bigger. Again, not that many lines of code to remove the logic, but a lot of stages required to get someone to make that change and get it installed on all the equipment in which that hardware exists. If you think ISPs have the ability to simply make any change of this magnitude, I'm surprised to see you constantly annoyed at IPV6; all they'd have to do is push a kernel version with the existing IPV6 support turned on, after all. That is a lot of work too, but at least a lot of it has already been done. When my ISP didn't offer IPV6, their hardware (optional) had the support. They just didn't give out addresses. Now, they do support it and most modern routers, including their pre-switch hardware, will just connect and use that.

                  1. Jellied Eel Silver badge

                    Re: Really?

                    If you think ISPs have the ability to simply make any change of this magnitude, I'm surprised to see you constantly annoyed at IPV6; all they'd have to do is push a kernel version with the existing IPV6 support turned on, after all. That is a lot of work too, but at least a lot of it has already been done.

                    It isn't a case of thinking, it's a case of knowing. I've been involved in designing a few national broadband networks. Those had to support millions of devices, and I was somewhat involved in vendor selection. Because of the sheer number of devices required, ie anyone ordering a home broadband connection, you have to be able to automate the fsck out of every step of the process. So order entry generating config templates, warehouses stocking maybe a few thousand devices that can just be mailed out. Then when users* (or installers) plug that in, they connect to an authentication server that pushes any firmware changes and the config. Those servers generally sit at the Ethernet/NID layer and any would-be vendor has to support that kind of automation.

                    And then for added FUN!, the broadband service(s) also have to support the ability to allow resellers' or wholesalers' own potential service offers, especially when the national networks were for heavily regulated incumbents. Smaller ISPs might not have the ability to either influence vendors, or do that kind of automation, but it's something that has been around for decades and is BAU for large ISPs and telcos.

                    *This includes the potential of some users wanting to use their own CPE, which is generally authenticating at the NID level and providing a website with the basic, bare-bones config to get any IP layer services working. Usually with a note saying this is all the support you're going to get for a 'wires only' service.

              2. Roland6 Silver badge

                Re: Really?

                >While ISPs can theoretically update the ones they provided, they quite often don't

                That's on them, it should not hold the rest of us back from implementing this change.

                1. doublelayer Silver badge

                  Re: Really?

                  By all means. Implement this change, start offering your services on the block you don't have permission to use, and react with surprise when nobody can access your server. It's relevant because the job of IANA and the regional organizations is trying to make sure the internet works, rather than making IPV4 addresses slightly cheaper. If the block isn't supported by a lot of devices, then that needs to be fixed before they start using them. By the way, that's not just a lot of home ISP modems. It is also plenty of other hardware which would need updating, so even if you turn yours on, there is no guarantee that the ISPs between you and some other server will pass on that traffic.

                  But you don't have to care. Nothing stops you from trying to use the block anyway. Some companies have used it for an even larger private address space. Go ahead and see if it does what you want.

                  1. tip pc Silver badge

                    Re: Really?

                    I've worked in places where they owned public addressing and blackholed it on the internet while using it internally for specific use cases.

                    The idea was it would not be routable if a miscreant tried accessing it from the internet.

                    they could have just used a bogon / martian / reserved but if you use your own owned addresses that you know are routed to null then there is no fear for an address currently reserved being openly routable in the future.

    2. Missing Semicolon Silver badge

      Re: Really?

      The NAT upgrade wasn't such a big deal, as (in the UK) ISPs were only just rolling out routers *at all*, having previously provided modems only. Yes, Windows 98 on the internet, no firewall. Thanks Mercury Communications Virgin Media!

      1. VicMortimer Silver badge

        Re: Really?

        I'd rather have a modem. Modem/router combos have NEVER been very good.

        And I don't trust ISP equipment to directly touch my LAN.

  3. Pascal Monett Silver badge

    "Extensive use of IPv4 NAT"

    It works.

    And the more IPv6 was foisted upon us, the more we realized how simple (and therefore robust) IPv4 really was.

    The academics can bang their IPv6 drum all they want, the rest of us just want to get doing what we need (or want) to do. And, if the IPv4 boot still fits, why change ?

    I am adamant about one thing : I do not want to become a full-fledged administrator just to have my home PC, a few laptops and several mobile phones connected to my Orange box and, therefore, to the Internet. With IPv4, it's a breeze. With all I read about IPv6, it would be a nuisance. And I will do well without having to explain to my wife that her normal web sites don't all work today because somebody did something to the IPv6 connection. No thank you.

    So I don't want IPv6. Not before you pry my IPv4 NAT out of my cold, dead hands . . .

    1. Anonymous Coward Silver badge
      Boffin

      Re: "Extensive use of IPv4 NAT"

      Lucky you, having a provider that gives you a usable IPv4 address. Unfortunately there are plenty of people who can't get one of those, because their provider has very few, because their RIR has run out. In those cases they have to use CGNAT (NAT, at ISP level) which is fine in theory, but now you're sharing an IP with thousands of other users. Some of those other users may do something dodgy online which means that some websites will block those IP addresses and the whole ISP is suddenly unable to get to those websites.

      If you dual-stack, you can use IPv6 where it works and fall back to IPv4 where it doesn't. At that point CGNAT works better (because fewer people are using it) so it's viable for ISPs to surrender (=sell) some IPv4 blocks to the lesser served areas and the internet becomes a fairer place for all.

      1. GBE

        Re: "Extensive use of IPv4 NAT"

        Lucky you, having a provider that gives you a usable IPv4 address. Unfortunately there are plenty of people who can't get one of those, because their provider has very few, because their RIR has run out. In those cases they have to use CGNAT (NAT, at ISP level) which is fine in theory, but now you're sharing an IP with thousands of other users.

        Damn. That would make IPv6 seem like a good idea.

        I've always had my very own IP address — dynamic though it be, it rarely changes and a free account at dynu.com deals with that. So IPv4 NAT in my firewall fits me just fine. I can open incoming ports and forward them wherever I want them to go.

      2. Roland6 Silver badge

        Re: "Extensive use of IPv4 NAT"

        > but now you're sharing an IP with thousands of other users. Some of those other users may do something dodgy online which means that some websites will block those IP addresses and the whole ISP is suddenly unable to get to those websites.

        A few years back I had cause to investigate an attack, and from this, I discovered there were many ISPs using a /24 block. I found the best way to thwart the attack was to set a router rule to automatically block the /24 an attacking source IP was in rather than focus on the individual address.

    2. Mike007 Silver badge

      Do BT have a reputation for unreliable service that a typical user is unable to properly configure and get working? No, in fact they are pretty much the "default" option for typical people who just want to plug in a box and have a reliable service. Their customers all get IPv6 by default.

      1. Roopee Silver badge

        BT Unreliable?

        Amongst my clients, yes - especially if they used BT Mail. I helped lots of people switch away from BT, also saving them money as a bonus :)

      2. Roland6 Silver badge

        >Their customers all get IPv6 by default.

        That must be a relatively recent change of service. For many years it was the norm for the major ISPs (including BT) to only provide IPv4 for residential connections.

        1. I could be a dog really Silver badge

          Relatively recent is a relative term. Compared to the age of the internet, yes, relatively recent. But it was a good few years ago now.

    3. Sok Puppette

      Re: "Extensive use of IPv4 NAT"

      > It works.

      No, in fact it doesn't. It broke the Internet.

      By preventing just any host from talking to just any other host, it caused massive centralization and concentrated a dangerous amount of power in a few companies, which routinely abuse it.

      It also twisted and complicated the design of dozens of protocols, as people tried to work around the reachability problems it caused. The amount of development and configuration effort involved in keeping that garbage running dwarfs anything that IPv6 could possibly demand.

      1. Sloth77

        Re: "Extensive use of IPv4 NAT"

        "By preventing just any host from talking to just any other host, it caused massive centralization and concentrated a dangerous amount of power in a few companies, which routinely abuse it."

        Thanks, I'll stick with NAT and the fact that my devices *don't* talk directly to other devices (and yes I'm aware of firewalls).

      2. spuck

        Re: "Extensive use of IPv4 NAT"

        By preventing just any host from talking to just any other host, it caused massive centralization and concentrated a dangerous amount of power in a few companies, which routinely abuse it.

        Does IPv6 fix that?

        1. Sok Puppette

          Re: "Extensive use of IPv4 NAT"

          *Fix* it? By itself? Obviously not.

          It might have *prevented* it if people years ago had had any capacity to think beyond next week or beyond "works for me", or any concern for the public interest. It would at least have cut down on the pressure that created the situation.

          It might yet *help* to fix it... if more people develop such capacities and concerns. It's probably a technical prerequisite, and it would at least clear away some barriers to improvement. But it would still take a huge amount of work to even slowly roll back the giant entrenched power structures that we have now. There's a very good chance that the real potential of the Internet has been permanently destroyed.

          1. Roopee Silver badge
            Joke

            Re: "Extensive use of IPv4 NAT"

            > if people years ago had had any capacity to think beyond next week or beyond "works for me"

            Pro tip: Don’t go into politics!!

    4. Throatwarbler Mangrove Silver badge
      Devil

      Re: "Extensive use of IPv4 NAT"

      My ISP just started permitting IPv6 relatively recently, and my old router sort of supported it, but not really. I got a new router and was filled with some trepidation about trying to get IPv6 to work. As it turned out, there was basically no effort involved. The router got its IPv6 allocation, and all my devices that support IPv6 got their addresses, and that was it. Given that I don't have sophisticated needs, IPv6 was actually easier to set up than IPv4, and it seems to just work. YMMV, of course.

      1. Roland6 Silver badge

        Re: "Extensive use of IPv4 NAT"

        If the new router was provided by your ISP, I would expect it to work out of the box.

        However, having set a few Draytek routers up, that connected directly to an ISP service, it often took a couple of attempts to get the right combination of IPv6 options before things would talk.

        1. I could be a dog really Silver badge

          Re: "Extensive use of IPv4 NAT"

          TBF, I always found it took a few attempts to get Draytek routers set up properly anyway - in part because they are very capable devices with necessarily complex config options.

    5. MattAvan

      Re: "Extensive use of IPv4 NAT"

      Large percentages of people in India and China use IPv6 daily, because the first world hogged all the IPv4. No one is inconvenienced because of this. No one is even required to be aware that they are using one over the other, or of their existence at all. They got a new router that supported IPv6, and because most of their devices already supported IPv6, suddenly they are using IPv6. You've been reading all the wrong things.

  4. Mage Silver badge
    Alert

    Elephant

    The number of IP4 that USA Universities, older companies and USA Gov had allocated from the start. Maybe millions of times more than they need.

    1. Anonymous Coward
      Anonymous Coward

      Re: Elephant

      Big fucking deal. Even if those IPv4 addresses could be redistributed - a mighty big if - it would make no difference. There are ~7B people on the planet and ~4B IPv4 addresses. Inconvenient truth: there just isn't enough IPv4 to go round and there never will be.

      BTW when IPv4 space was freely available, the world chewed through a /8 every month or thereabouts. If 240/8 could be used - another mighty big if - it'll be exhausted in about a year. At which point we're in the same situation as today. All of the money and effort needed to make 240/8 usable (or take IPv4 space away from those who have more than they need) is a lost cause. It would also be much more painful than deploying IPv6, another inconvenient truth.

      1. Jellied Eel Silver badge

        Re: Elephant

        If 240/8 could be used - another mighty big if - it'll be exhausted in about a year.

        Nice rant, but the idea is to release 240/4, so 16x more addresses than a /8. How quickly that would be exhausted would then depend on how that space is allocated and assigned. Which also gets into the politics, and the idea that IP addresses have value rather than being a common good.

      2. Rahbut

        Re: Elephant

        Isn't 240 a /4 though? So about 15 years if we do /8 a year?

        Your point stands - you'd need multiple 10.0.0.0/8's or whatever to do CGNAT in India or China, which is a bit of a mess - but not impossible. How many people (residential customers) really need more than CGNAT?

        1. Mike007 Silver badge

          Re: Elephant

          a /8 per month... So the /4 would last a little over a year...

        2. doublelayer Silver badge

          Re: Elephant

          They quoted /8 a month, so that would make it 1.33 years. That is unless some countries would like to stop doing CGNAT as ridiculously as some have had to, in which case you could use those in about a week. Most likely, even if we could turn on the whole block, countries that have 1 IP address per 300 people won't get very many of them. If we do all the work of enabling those, I'm sure the cloud providers will happily buy up the blocks and rent them back to everyone with cloud resources.

      3. Sloth77

        Re: Elephant

        "Inconvenient truth: there just isn't enough IPv4 to go round and there never will be."

        Another inconvenient truth - the vast majority of hosts don't need to be directly addressable, and in fact shouldn't be.

        1. catprog

          Re: Elephant

          Does that include p2p applications like video chat?

          1. Roland6 Silver badge

            Re: Elephant

            According to TPTB, only those up to no good use p2p without requiring some form of connection broker...

            Yes without NAT and global public addressability it would have been interesting to see what applications appeared. I suspect that despite everything, people would have still gone for the central connection broker service style.

            I seem to remember that some services (Zoom?) started to provide p2p services by acting as a broker and effectively setting up a p2p VPN for those conversations that only involved two people, so their meeting traffic didn't have to go via the central servers.

            One of the nice things about NAT is that inbound calling is off by default. Like the home phone, I suspect with globally accessible IP addresses, there would be a greater number of "junk"/cold callers.

            1. I could be a dog really Silver badge

              Re: Elephant

              I wish I could upvote you for the first bits, but downvote you for the last paragraph.

              There is NOTHING AT ALL that NAT does for you security wise that a basic stateful firewall wouldn't do by default. Assume a default "block all incoming traffic" rule, you don't get any unsolicited inbound traffic coming in. But set up a connection with a peer, and yes I think it would be restricted to UDP, and your outbound traffic will also enable the inbound traffic - leaving the centralised part of "whatever" as merely an exchange for peers to find each other. And guess what, that's what BitTorrent does - the tracker merely allows devices to find each other, after that they talk peer-peer IF the user was able to get things to work via the IPv4 NAT.
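The reply above argues that a default-deny stateful filter gives the "inbound is off unless you opened it" property that NAT usually gets credit for, without rewriting any addresses. What follows is an added example for this thread, not code from any commenter: a small Python model of such a filter, using the documentation prefix 2001:db8::/32 and a constructed packet sequence that mirrors the "open outbound, then the peer's reply is allowed in" flow described for BitTorrent-style peer exchange. The behaviour modelled is what netfilter provides with `ct state established,related` ahead of a drop policy; the class and constant names are this example's own.

```python
"""Stateful inbound filtering without NAT (constructed demo, not code from the thread).

Assumption: the inside network is the documentation prefix 2001:db8:1::/64 and
the filter sits at its border. Addresses and ports are never rewritten; the only
thing that lets an inbound packet through is prior outbound traffic to that
exact remote endpoint.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


class StatefulFilter:
    """Default-deny for unsolicited inbound; outbound flows open their own return path."""

    def __init__(self, inside_prefix: str) -> None:
        self.inside = ip_network(inside_prefix)
        # Connection table keyed on the full 5-tuple, seen from the inside host's side.
        self.flows = set()

    def _inside(self, addr: str) -> bool:
        return ip_address(addr) in self.inside

    def handle(self, pkt: Packet) -> str:
        if self._inside(pkt.src) and not self._inside(pkt.dst):
            # Outbound: accept and remember the flow so the reply can come back.
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "accept"
        if self._inside(pkt.dst) and not self._inside(pkt.src):
            # Inbound: accepted only if an inside host already talked to this exact peer.
            key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            return "accept" if key in self.flows else "drop"
        return "accept"  # inside<->inside or transit traffic is out of scope here


# Constructed endpoints (documentation addresses, chosen for this example).
INSIDE_HOST = "2001:db8:1::10"
PEER = "2001:db8:2::20"          # the other party, located via a rendezvous service
STRANGER = "2001:db8:ffff::1"    # anything else on the internet


def demo() -> list:
    """Run a fixed packet sequence through the filter and return the verdicts."""
    fw = StatefulFilter("2001:db8:1::/64")
    traffic = [
        Packet(STRANGER, 40000, INSIDE_HOST, 5000),  # unsolicited inbound: dropped
        Packet(INSIDE_HOST, 5000, PEER, 5000),       # "hole-punch out": creates state
        Packet(PEER, 5000, INSIDE_HOST, 5000),       # the peer's reply: now allowed
        Packet(STRANGER, 5000, INSIDE_HOST, 5000),   # same port, wrong peer: dropped
    ]
    return [fw.handle(p) for p in traffic]


if __name__ == "__main__":
    for pkt_verdict in demo():
        print(pkt_verdict)
```

Nothing in the table depends on address rewriting: the inside host keeps its global address throughout, and the fourth packet is dropped even though it targets the port that is "open" for the peer, because state is keyed on the full 5-tuple rather than on a port alone.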

  5. andro

    ipv6

    I don't know that ipv6 is a lost cause as implied. I run a site on the public internet and enabled ipv6 many years ago. Every time I check signup ips or mail logs there is more and more ipv6 in there. I'd say 50% of the traffic is ipv6 in recent times. Clearly many isps and service providers are rolling it out, even if yours or mine isn't. I think most equipment is capable of operating ipv6 out of the box.

    1. Teal Bee

      Re: ipv6

      >I'd say 50% of [non-UK] traffic is ipv6 in recent times.

      >Clearly many isps and service providers [outside the UK] are rolling it out, even if [every British ISP] isn't.

      There, fixed it to better reflect reality.

      1. collinsl Silver badge

        Re: ipv6

        Sky are the 2nd largest ISP in the UK and provide IPv6 as someone else in here said.

        Plus the boutique provider I'm with (Andrews & Arnold) do IPv6 properly (give you a /48 block etc)

  6. Lee D Silver badge

    Oh, so NOW you see the benefits of NAT and realise that it's perfectly fine for almost the entire world.

    After decades of pushing that it needs to die if we're ever going to use IPv6 (never been true! You could IPv6 NAT quite happily and that would actually be a great transition tool to have v4 networks and just change out the gateway for a v4/v6 NAT gateway).

    Now, suddenly, NAT is so good that we don't NEED all those extra millions of IPv4 addresses anyway?

    Further to that, I just paid a one-off pittance and got a single static IPv4 IP with my ISP. I also have a small range with a £10 a month dedicated server in a French datacenter, included for free.

    So, sorry, but we clearly do NOT have a shortage of IPv4 IPs, because it really shouldn't be that easy to permanently take one off the market if they are as rare and valuable as people claim.

    And again, The Reg - I'm IPv6 wherever I can be - websites, email, dozens of other services, etc. (but, hell, basically no ISP supports IPv6). Where's yours?

    "dig AAAA theregister.co.uk" still returns nothing. I think it's now 12 years after I was told "we're working on it", and then repeated almost every year whenever there's an IPv6 article.

    1. Anonymous Coward Silver badge
      Boffin

      If you look at the market value of IPv4 addresses, you can see that the price peaked about 2 years ago and has been trending downwards since. That's probably because more places have adopted IPv6 and CGNAT is working better than expected. There are still drawbacks with CGNAT, but if it means an extra billion people can use the internet then I'm happy it's available even if it wouldn't suit me personally.

      1. Jim Willsher

        I used to have a static IP when I used ADSL. About 5 years ago I swapped to 4G (I can get 180Mb versus the 11Mb I get on ADSL). I thought I would badly miss that static. I didn’t.

        Yes, it’s annoying to have to keep updating firewall rules on customer sites etc, but I didn’t miss it as much as I thought I would, CGNAT has worked out okay.

        I’m due to get FTTP in three years, and will look forward to having a static again. But I’ll be happy to keep using NAT though, there’s nothing in IPv6 that’s a must-have for me, and I certainly don’t need the headaches that v6 would surely bring.

        1. Lee D Silver badge

          Irony is that I've been using dynamic for years and have dynamic DNS services on which I base my firewall, etc. rules.

          Just that now my VDSL picks up a static by default, which is slightly better for me because that extra 1-minute DNS change window on a reconnect is no longer present.

          It's far, far, far easier and safer to have NAT and then hole-punch OUT than it is to port-forward, etc. in.

          I have an external server, that handles all my "open ports" and then sanitises and reverse proxies back to my internal servers. The internal servers VPN out to that server, so no port-forwarding required, and you can limit both what you allow over the VPN at all, and what you allow through the reverse proxy.

          Also means you get nice "currently offline" messages when you access a service if the internal servers are down.

        2. Roland6 Silver badge

          I solved the 4G static address problem with an A&A L2TP-VPN, kept it on as it was cheaper than other options. Now it doesn't matter what network and address type my server is using, the service users don't get to see it.

          An alternative is Draytek's VPN Matcher service, but that does tie you to a Draytek router; with A&A you only need a router that supports outbound L2TP-VPN creation.

    2. Jellied Eel Silver badge

      Caring for, and feeding your network.

      After decades of pushing that it needs to die if we're ever going to use IPv6 (never been true! You could IPv6 NAT quite happily and that would actually be a great transition tool to have v4 networks and just change out the gateway for a v4/v6 NAT gateway).

      Now, suddenly, NAT is so good that we don't NEED all those extra millions of IPv4 addresses anyway?

      Yep. It's been fun to watch how the IPv6 holy wars have been fought. So from no-NAT, to ok, NAT is a good idea to dealing with minor details like supporting PI space and multi-homing. The technology has moved on, more systems support v6 for things like NAT and firewalling. A lot of systems still don't, ie 'obsolete' or kit that's long been EOL'd, but with care and a translation gateway often can be carefully nudged into working.

      Further to that, I just paid a one-off pittance and got a single static IPv4 IP with my ISP.

      That's really one of the issues for businesses and power-users, ie the concept of a static address and portability, but again something that can be planned for. So using private addresses internally so if/when you need to change provider, it's only the external address that needs to change. It can also be an efficient allocation/assignment issue, so a v6 /48 is a LOT of addresses and waaay more than most people or businesses will need. But there's still room for future expansion and allocating v6 space to the Mun, Mars etc. Which is also a bit of a pet peeve, like not allocating v6 space by country (or historically, v4) making global routing waay more clunky.

      1. MattAvan

        Re: Caring for, and feeding your network.

        > more systems support v6 for things like NAT and firewalling

        I'd assume that firewalling was built into every device from day one, because using IPv6 without a router-based firewall is crazy talk. Unless you're confusing NAT with firewalls.

        > So using private addresses internally so if/when you need to change provider, it's only the external address that needs to change

        In my case my provider doesn't give me a fixed prefix either, so I don't get as far as worrying about changing providers. I just use a fixed suffix for my server. Never had a problem beyond having to use DDNS.

    3. BristolBachelor Gold badge

      Further to that, I just paid a one-off pittance and got a single static IPv4 IP with my ISP. I also have a small range with a £10 a month dedicated server in a French datacenter, included for free.

      Do tell. The best I can find here is a 30€/month fee to borrow a fixed IP, plus I have to use the provider for my Internet connection. I'd even be happy with the fixed IP address being someone else's, and route from that over a VPN to get my in and out using that IP address. Needless to say I don't want an IP address that will always be on blacklists!!

      1. AJ MacLeod

        Ionos do a basic unlimited bandwidth VPS for £1/month (plus VAT). All you need to do is choose a bare bones Debian image and install Wireguard. There are scripts available if you don't want to do it manually, eg wireguard-install. I did that myself a few weeks ago as I'm (still!) waiting for my new ISP to allocate a static IP address to me and it works fine - the client setup couldn't really be easier, particularly if your device has a camera to scan the QR code...

      2. Bent Metal

        it's from Plusnet

        When I was with them some years back, Plusnet offered a single static IPv4 for a £5 one-off fee; and it appears they still do.

        See "Can I get a static IP or an IP block" on Plusnet's website here: Understanding your IP address

        They're a UK ISP, completely owned by BT since 2007 but operated as a separate concern for some unclear-to-me reason. Unfortunately, BT themselves (as a huge ISP) does not offer a static IP to home users.

        1. I could be a dog really Silver badge

          Re: it's from Plusnet

          Yup, been with them for years. But guess what, while they used to be one of the best - with tech support that worked (you could actually communicate with people who had a clue about the tech), more and more they've gone down the race to the bottom of the pond. If your service works, great; if it doesn't, then good luck with their support these days. And the router they provide is ... very basic, has "interesting" bugs, and they have no plans for IPv6.

          For good measure I've got to migrate a web site off their hosting. Had it for years, running on a domain name they provide for free after some service f-up years ago. I can't send mail from that domain now as it doesn't have an SPF record. And I can't add an SPF record because their DNS doesn't support it. If I don't use their DNS, I can't use their hosting - so I have to migrate the hosting (and start paying for the domain name which I'll also migrate), then I can move the DNS, and then I'll be able to send mail again.

          I'll be moving to another provider at the sooner of a) my contract being up, or b) the fibre altnet busy installing in my town takes orders.

      3. Roland6 Silver badge

        A&A start at £3 pcm, don't need to be using any of their other services. Although for many their £10 pcm service will be more typical.

        https://www.aa.net.uk/broadband/l2tp-service/

    4. Charlie Clark Silver badge
      Stop

      If you read the article: Huston pointed to India's widespread adoption of IPv6 – after the nation missed out on an IPv4 allocation commensurate to its population – as an example of a scenario in which NAT just can't do the job, and IPv6 is therefore necessary. The same is true for China. So, with the two most populous countries in the world on IPv6, where's the problem? All new mobile phones support IPv6 and they've been the majority end devices for several years now.

      All new connections here have been IPv6 for at least five years, but the service providers are the ones who run the 6to4 gateways meaning that customers don't need to care, which is as it should be. My guess is that more and more providers will adopt this strategy as they replace older equipment, not least because it will mean they don't have to worry about having enough IPv4 addresses.

      IPv6 isn't perfect but it's better than IPv4 plus the various kludges that have stopped this from failing. Bitching about it and waiting for it to get fixed is how we got where we are: time to move on.

  7. John_Ericsson

    let's jump to v8, with it being like ipv4 just bigger.

    1. John Sager

      Ho hum. This has been done to death before multiple times on El Reg.

      TL;DR: you end up with a V6 lookalike.

  8. Bebu
    Windows

    "we rely on really cheap customer premises equipment in consumer land"

    Pretty much pre enshitified :(

    The sorry truth is most of these cheap and nasty (definitely not cheerful) devices actually run Linux albeit often ancient kernels and busybox versions on underpowered and obscure hardware.

    Most of the kernels (&modules) and the iproute2 utils do support ipv6 but the UI doesn't and I imagine the preconfigured netfilter rules block 240.0.0.0/8.

    The main disability is that these are not supported for very long, or at all, so upgrades are not possible. (Unless you are up for the [small] challenge of hacking into one of these devices eg Kogan-N300-4G-LTE-CAT4-Modem-Wireless-Router-KAR0514GMDA)

    So until the vast majority of these devices become landfill and are replaced with decent supported hardware the internet is going to be shit all the way down... at least layers 7 to 3. :(

    1. Snake Silver badge

      Re: "we rely on really cheap customer premises equipment in consumer land"

      "The main disability is that these are not supported for very long, or at all, so upgrades are not possible."

      That's assuming that Joe Average [home] consumer is even interested in upgrading or hacking their internet access device after it has been installed.

      That's a long stretch of belief. For most people their home router is just another appliance - plug it in, get it working, walk away for the life of the device until it simply stops working. Then rinse, repeat.

      Joe Consumer is not interested in wasting any more time on their home tech than absolutely necessary. And I completely understand and accept that - we all, with the exception of tech geeks for which this is either a hobby or a job, have a *lot* more important things to do with our lives than fiddle unendingly with our stupid, recalcitrant tech to get it working.

      1. Jellied Eel Silver badge

        Re: "we rely on really cheap customer premises equipment in consumer land"

        That's assuming that Joe Average [home] consumer is even interested in upgrading or hacking their internet access device after it has been installed.

        Luckily Joe Average doesn't have to do that. It's been best practice for well over a decade for consumer tin to be plug & pray. Mail it out with a factory default image, then first thing it'll do when plugged in is connect to a config server and pull down any updates and config it needs. For consumer stuff working on teeny margins, it just costs waaay too much to support doing it any other way. Just test the system first to avoid any ClownsTrike fiascos and the need to mail out tens of thousands of bricked NIDs

  9. TeeCee Gold badge
    Facepalm

    "Reserved for future use"

    Well here we are, in the future and somebody, somewhere has made a right pig's ear. As usual.

    Rule 1 of IT: Never, ever try to build in something for the future. The future that actually turns up will always be radically different to your guess as to what it might look like.

  10. StargateSg7 Bronze badge

    Since some of my fellow IT and Video Network Admins DO use those IPv4 address blocks, their solution for in-house Global WAN usage is to use COTS (Common Off-The-Shelf) routers and switches BUT change-over the firmware to open source software in order to recognize the 240.0.0.0 and above block range. It actually ENHANCED security since those blocks are NOT easily reachable by most un-modded switches and routers AND there is lots of room for behind-the-big-fat-firewall NAT (Network Address Translation) table management tasks to have networks that have racked-motherboards for MILLIONS of separate IP addresses typically used for Linux-based A.I. Model-running Beowulf Cluster computing.

    One fellow IT fellow I know stacked TEN THOUSAND+ COTS older bulk-buy single-CPU and DUAL-CPU AMD EPYC motherboards each with four older GPU cards put behind the firewalls on 240.0.0.0 and above IP-addresses using nothing but open-source-firmware-modded COTS switching/routing and 10 Gigabit network card hardware bought for 10 cents on the dollar at various auctions! The 16-bits and 32-bits precision LLM and Stable Diffusion models he runs would have been tens to hundreds of millions of dollars via an NVIDIA or AMD GPU solution but in his case, it was all for less than $3 Million USD running on cheap Hydroelectric-power at 10 cents or even less per KW/hr in off-peak hours or 14 cents per KW/hr peak hours.

    The cooling solution was to send all the excess heat via a 3D modelled HVAC system to a condenser/heat exchanger that pipes all that excess heat out into an enclosed two metre deep 20 metre long by 15 metre wide above-ground swimming pool that gets used as a heat sink which ALSO functions as the company employee swimming pool/hot tub! That one literally gets used every day as an employee perk! It was a CHEAP and great cooling solution that also adds some extra company perquisites for the IT admin employees! They even put water proof plastic high-chairs in the pool and have a swim-up coffee/drinks bar in the pool!

    V

    1. Anonymous Coward
      Anonymous Coward

      Efficiency meets luxury in this audacious tech fantasy ;)

      Behold the IT marvel of the century: an admin, tired of ordinary IPv4, repurposes the forgotten 240.0.0.0 range for his global WAN. With open-source firmware, he retools standard routers and switches into elite, obscure devices. His setup boasts over 10,000 bargain-bin AMD EPYC motherboards, each sporting ancient GPUs. These technological antiques run cutting-edge AI models. All of this operates behind a fortress of a firewall.

      Cooling this behemoth is pure genius: a 3D-modeled HVAC system funnels the heat into a vast swimming pool. This isn’t just any pool — it’s two meters deep and doubles as a staff oasis. Employees enjoy daily swims and cocktails at the swim-up bar. Efficiency meets luxury in this audacious tech fantasy.

      REF

      1. bigphil9009

        Re: Efficiency meets luxury in this audacious tech fantasy ;)

        Thank you - another voice of reason around these parts. Every time I see this chump post his insane nonsense I wonder where his super duper mega chips that are faster than light and can transport us all to Andromeda in 3 seconds are...

  11. -martin-

    That's interesting...

    I'd never thought about the impact of ipv6 - no internal NATing required... So literally every device is addressable - and therefore track & traceable on the wider Internet. Whereas with IPv4+NAT it's only the boundary of private networks... Can understand why they're pushing for it now!

    1. I could be a dog really Silver badge

      Re: That's interesting...

      Look a little closer.

      The default on any modern device is ... tada! ... privacy addresses. Your device literally picks new addresses on a fairly frequent basis, from a /64 prefix. Yes, that's 2^64 addresses to go at, or 2^32 times the size of the ENTIRE IPv4 address space. Tracking individual addresses is pointless.

      But, you will be playing in a /64 prefix which is effectively no different privacy wise to the single IPv4 address people are used to sharing at their NAT gateway. So a miscreant can consider the /64 prefix as representing all your devices in the same way as they treat your IPv4 address now. In principle, they have no way of knowing if traffic from (say) two different IPv6 addresses in the same prefix are the same or different devices in the same way that they can't differentiate between one or two devices sending traffic from behind a NAT gateway with a single IPv4 address.

      Because of this, few bother using the address. The professional creeps like Feacesborg have used other techniques for a very long time to track people.
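The reply above makes two points worth seeing on real-looking data: rotating privacy addresses make per-address tracking useless, but everything in the same /64 still correlates to one site, exactly as a shared IPv4 address does today. The following is an added example for this thread, not code from any commenter: a Python snippet that groups client addresses from a constructed access log (documentation prefix 2001:db8::/32, made-up timestamps and paths) by their /64, and separately flags addresses that are not privacy addresses and so do identify a host over time. The log format, the function names and the "stable identifier" heuristic (a modified-EUI-64 interface id, or a hand-assigned one like ::10) are this example's assumptions.

```python
"""Correlating IPv6 clients by /64 rather than by address (constructed demo, not from the thread).

The log lines below are made up. Hosts on 2001:db8:1::/64 mostly use rotating
privacy addresses; one is statically addressed and one carries a modified-EUI-64
suffix, which stays constant for as long as the MAC address does.
"""
from __future__ import annotations

from collections import defaultdict
from ipaddress import IPv6Address, ip_interface

# Constructed sample log: "<timestamp> <client address> <method> <path>"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 2001:db8:1:0:9d3e:1a7f:8bc2:41e0 GET /
2024-05-01T11:12:05Z 2001:db8:1:0:4c11:ee90:7ab3:f21 GET /login
2024-05-02T09:30:44Z 2001:db8:1:0:a0b3:2f4d:c901:5e76 GET /
2024-05-02T09:31:02Z 2001:db8:2:0:3d21:9f0e:1b4c:8a33 GET /
2024-05-02T09:35:19Z 2001:db8:1::10 GET /admin
2024-05-03T08:02:57Z 2001:db8:1:0:211:22ff:fe33:4455 GET /
"""


def client_address(line: str) -> IPv6Address:
    """Second whitespace-separated field is the client address in this constructed format."""
    return IPv6Address(line.split()[1])


def prefix_of(addr: IPv6Address, plen: int = 64) -> str:
    """Collapse a host address to the /plen it was assigned from, e.g. 2001:db8:1::/64."""
    return str(ip_interface(f"{addr}/{plen}").network)


def group_by_prefix(log: str, plen: int = 64) -> dict[str, set[str]]:
    """Map each /plen prefix to the distinct client addresses seen under it.

    Many addresses under one prefix is the normal look of a single site whose
    hosts rotate privacy addresses; the prefix is the unit a tracker would key on.
    """
    seen: dict[str, set[str]] = defaultdict(set)
    for line in log.splitlines():
        if not line.strip():
            continue
        addr = client_address(line)
        seen[prefix_of(addr, plen)].add(str(addr))
    return dict(seen)


def stable_identifiers(log: str) -> list[str]:
    """Addresses that are not rotating privacy addresses and so identify a host over time.

    Heuristic (an assumption for this demo): a modified-EUI-64 interface id has
    0xff 0xfe at bytes 11-12 of the address; a tiny interface id such as ::10
    was assigned by hand. Both persist across sessions, unlike RFC 4941 addresses.
    """
    found = []
    for line in log.splitlines():
        if not line.strip():
            continue
        addr = client_address(line)
        raw = addr.packed
        iid = int.from_bytes(raw[8:], "big")
        if raw[11:13] == b"\xff\xfe" or iid < 0x10000:
            found.append(str(addr))
    return found


if __name__ == "__main__":
    for prefix, addrs in group_by_prefix(SAMPLE_LOG).items():
        print(f"{prefix}: {len(addrs)} distinct client address(es)")
    print("persistent host identifiers:", stable_identifiers(SAMPLE_LOG))
```

Run on the sample, the five addresses under 2001:db8:1::/64 collapse to one prefix, which is the NAT-equivalent view the reply describes; the two flagged addresses show the other side of the coin, namely that the privacy benefit only applies to hosts that actually use temporary addresses, and a statically or EUI-64 addressed box remains a stable identifier inside its prefix.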

  12. crediblywitless

    You'd've thought that people who make films and TV would've got the hang of this, and - when they need a fake IP address - just start with something >=240.
