ISPs more likely to throttle netizens who connect through carrier-grade NAT: Cloudflare Before the potential of the internet was appreciated around the world, nations that understood its importance managed to scoop outsized allocations of IPv4 addresses, actions that today mean many users in the rest of the world are more likely to find their connections throttled or blocked. So says Cloudflare, which last week …
rather than only deploying CGNAT consuming power and expenses deploy IPv6 in parallel
that way by default they go IPv6 and if there is a problem CGNAT it reduces the amount of load on CGNAT...
problem is most ISP's do CGNAT by default rather than relying on XLAT for IPv4 -<--> IPv6 connectivity
more education and sensible cost savings on networks needed...
regards
John Jones
What is your definition of 'wide adoption of IPv6'?
When the majority of all internet traffic that Google receives is over IPv6? Because that might be before the end of this year. IPv6 adoption.
Or when the first country has a 90% penetration rate? Because that might be before the end of this year for France and definitely next year for India. Per-Country IPv6 adoption.
Earlier this year I lost the IPv4 connection with my ISP while the IPv6 connection was still going. It took me two days to notice because practically all the services I connect to are reached over IPv6. If you run a big internet facing service you will provide IPv6 connectivity or you can forget about the Asian market. I remember when India was an IPv4 country and that was a royal pain as your customers would reach you through multiple (sometimes up to 7!) layers of CGNAT. Slow and unreliable connections, nearly impossible to troubleshoot, headaches all around.
Is there going to be a tipping point that speeds adoption? Probably not, I expect the rise of IPv6 to proceed at the same pace, regardless of whether it's the majority of all traffic. There is, however, going to be a tipping point for the price of an IPv4 address. Those prices keep rising (hence some hosters charging extra if you want an IPv4 connection with your package) but will at some point reach a tipping point with IPv4 address values falling off a cliff when many companies no longer need an IPv4 address because their customers have moved on.
By 2014, Facebook had mostly moved to an IPv6-only internal network where all developers and servers lived in an IPv6-only world. They had only installed a number of edge servers that would translate internal IPv6 traffic to external IPv4 traffic for that part of the customer base that was still IPv4-only. I suspect those edge servers to have become a lot less busy over the following twelve years.
Its almost like some smarrt people thought through the problem and the solution, dual stack, parallel run, phase out of IPv4, all before the IPv4 pools are exhausted.
To me it looks like its all going to plan. As several have said, most will not be aware, or even care that they are using IPv6, an why should they, its just one layer in the OSI 7 layer model and most ordinary (non-tech people) don't even know about that and probably don't even know about IP either.
If people are having problems due to the fugly "solution" that CGNAT is, or they refuse to use the newer technologies due to whatever belief (like they should be a human DNS server remembering random IP addresses), then thats their problem.
The whole idea after all was parallel run and that is already well established. IPv4 will phase out over time and CGNAT will die with it.
Friends don't let friends use IPv6. As Americans know from a beer commercial, it tastes worse and is more filling.
IPv6 was invented over 30 years ago, before the Internet was public, by a "B team" at IETF who did not really understand what they were doing, but instead were ripsschitt that IAB had previously selected TUBA as the next IP. TUBA came from DEC via the OSI committee, and was thus tainted by the eevilll OSI, even though in fact it wasn't the bad part of OSI. So they came up with a v6 that anyone who understood networking would discard immediately. Not that the PIP and SIPP drafts that merged into it were any better.
CGNAT gets blocked because blockheads don't understand security and victimize the innocent.
And the "OSI 7 layer stack" has nothing to do with TCP/IP, and is a poor way to look at networking. Oh, and they did away with layers 5 and 6 after the textbooks came out. But folks who like to cite the fact of a 7 layer model never understand what the Session and Presentation layers did, or were for, but were happy to quote a one-line summary from the original model document. (Hint: They were a mistake to be treated as layers; they're now optional application layer functions.)
Well, no, the problem is that I know about things about IPv6 you don't. It's the Children's Crusade Protocol -- it is a test of the hard-core faithful, willing to follow a stupid committee into oblivion because of their imaginary authority, even though it makes no sense if you think about it beyond the obvious "but don't we all need globally-unique IP addresses?"
And there we have it. You just proved the previous posters point.
I assume you also think the covid vaccine contains bill gates mind control chips, and the earth is flat?
"Well, no, the problem is that I know about things about IPv6 you don't."
It's been shown that many of the less intelligent members of society use this sort of conspiracy theory to let them believe they are actually somehow clever, and know stuff "normal" people don't.
The reason flat earthers and their ilk have so many conferences (despite there being nothing "new" to say) is that they use it as a back-slapping exercise - they praise each other for their special "knowledge" that the stupid sheep don't understand.
Just saying.
And there we have it. You just proved the previous posters point.
I assume you also think the covid vaccine contains bill gates mind control chips, and the earth is flat?
"Well, no, the problem is that I know about things about IPv6 you don't."
It's been shown that many of the less intelligent members of society use this sort of conspiracy theory to let them believe they are actually somehow clever, and know stuff "normal" people don't.
The reason flat earthers and their ilk have so many conferences (despite there being nothing "new" to say) is that they use it as a back-slapping exercise - they praise each other for their special "knowledge" that the stupid sheep don't understand.
Just saying.
bullying, condescending, sanctimonious, straw man toting tones of a bully.
all because someone has dared express a different opinion against the prevailing narrative that IPv6 is superior and has no issues.
I'm not the OP in question here but that's quite an attack on someone who is expressing an opinion that an addressing scheme isn't as good as its made out to be.
its an addressing scheme, it just denotes how to reach someone. we don't have to start calling people covid denying flat earthers over a technical reference.
my view is that IPv6 has some fundamental flaws that where ironed out in IPv4 & there is no currently appetite to remediate them in IPv6 & won't be until they become a big issue.
eui 64 addressing is classic example of an IPv6 issue that was addressed, but there are many others that have not been, ipv6 private addressing is a good one.
"bullying, condescending, sanctimonious, straw man toting tones of a bully.all because someone has dared express a different opinion against the prevailing narrative that IPv6 is superior and has no issues."
Now there's an example of being sanctimonious.
Did you even read his nutty and arrogant response to the original poster, such as ""Well, no, the problem is that I know about things about IPv6 you don't.", followed by a conspiratorial rant accusing people who approve of IPv6 of being on some zealot crusade of sucking up to a bogeyman "authority".
The fact that he then ended his diatribe with the statement that IPv6 made no sense was just the icing on the cake, and he deserved the ridicule he got.
Don't dish it out if you can't take it.
Well, the Internet would seem to disagree with you
IPv4 is first described in RFC791, dated September 1981, with general availability of the Internet on the 1st Jan 1983 "Flag Day", along with many revisions to the standard over time.
IPv6 is first described in RFC1883, dated December 1995, so the Internet was well and truly public well before that, so your claim is wrong. IPv6 has been updated via RFC2460, dated December 1998 and revised again in RFC8200, dated July 1997.
Both standards, like any other RFC are open to public scrutiny and debate, ensuring that only well thought out ideas become official standards, so it was not just one group as you claim. The IETF is completely separate to the OSI committee. The IETF ratify the RFC's, you can see this from the domain used in the standards, check the links above.
Similarly, the 7 layer model remains completely in use, IP is just Layer 3 after all, so thats all that really changed. If you are not sure on what the others layers do, just read up more.
Lastly, you are also wrong that the OSI 7 layer model "Is a poor way to look at networking" It is well respected and works well, thats why its a global industry standard.
> IPv6 is first described in RFC1883, dated December 1995
However, work started on what first became known as IPng and then IPv6 in the late 1980s.
At the time (late 1980s) there was some “not invented here” attitude around parts of the IETF with respect to the idea of taking large chunks of ISO CLNS and creating a better IP. Certainly many of the IETF routing protocols developed post 1988 took much from the ISO work on ES-IS and IS-IS protocols.
Sorry mate, your world view is OBE. Yes, IPv6 took a lot longer to reach critical mass than it should have done. (If TimBL had invented the web a few years later, large scale NAT would never have happened, and the Web would have been deployed over IPv6 from day one.) But now v6 is way past critical mass and IPv4 is rapidly being pushed into a legacy role. Fifteen years too late, which is a highly unfortunate reality.
For a long time Virgin Media was unable (unwilling) to offer IPv6 over its HFC network; Whilst the plan is to move to an XGS-PON product, I wonder how that's actually going and whether VM operate any IPv6? With a 20% odd market share if they aren't making the transition it'll have an impact on national UK adoption figures.
Likewise, I wonder what the IPv6 position is on mobile networks - in availability and in use by client devices?
"When the majority of all internet traffic that Google receives is over IPv6?"
That's not a hard stretch considering that approximately 60.5% of today's IP traffic comes from mobile users, and mobile users are on IPv6 networks. And, seeing that Google is baked into so much of the mobile user experience, both on Android and on iOS, again, that stat from Google is about as expected as the sun rising each morning.
The *question* is how much of the total IP worldwide traffic is (consciously) retained as IPv4 vs translation into IPv6 at the ISP. Cisco states that as of 2024 Google's IPv6 traffic is 48% global at the end of 2024, so I'm not quite sure where "majority" comes from as it barely makes that definition. The v4-v6 split is so close right now that v6 making a claim of majority might be technically accurate but only just so.
IMHO, for the immediate future, we're going to stay in a split IPv4 / IPv6 world; privately, many users will just stick with v4 for intranets and just allow their ISP to handle the IPv6 question as they see fit. If the problem is being handled invisibly, behind the scenes with no input necessary from you, why worry about the issues of migrating your own intranet system over? Just run as-is and let your ISP and modem handle all this for you (for example, as it is doing on the very computer that I am writing this from). Many individuals have decided that IPv6's management overhead just isn't worth the headache, let the big guys handle it where they need to; according to the usage maps, IPv4 internet connectivity is being retained in less tech-developed nations.
"many users will just stick with v4 for intranets and just allow their ISP to handle the IPv6 question as they see fit. If the problem is being handled invisibly, behind the scenes with no input necessary from you, why worry about the issues of migrating your own intranet system over?"
Well, that's a big "if". How is your ISP supposed to deliver v6 packets to machines over your network? They'll deliver them to your router, but you need to handle the last part.
It's true that things will normally be handled automatically without you needing to do anything, but what that means is that your router picks up a prefix from the ISP via DHCPv6-PD and then uses it to deploy IPv6 on the local network. Short of using proxies, you can't really get around having it on your local network.
Can you load https://ipv6.icanhazip.com/? If not then your ISP/modem aren't handling v6 for you in the way you think they are... and if you can, I think you'll find that you have v6 on your intranet. That, or your browser is proxying everything through Apple/Google or something similar.
This site can’t be reached
Check if there is a typo in ipv6.icanhazip.com.
DNS_PROBE_FINISHED_NXDOMAIN
That's using Fibrus fttp from a Samsung phone. I will try again when I am on the O2 public network in Sainsburys.
Fibrus use Netgear routers which do seem a lot more IPv4 than the BT one I had.
You should get in return a page containing just your IPv6 address.
The NXDOMAIN shows that your local nameserver only attempted to look up the IPv4 "A" address, rather than the IPv6 "AAAA" address.
That may be a local configuration issue rather than a lack of IPv6 per se.
The definition of a wide adoption of IPv6 seems to be when all popular website have AAAA records.
theregister.com and github.com are examples of popular sites that are IPv4-only, which means no connection without at least NAT64.
I don't think the price of IPv4 addresses is going to fall off a cliff any time soon, as demand far outstrips supply.
@eric 9001
The "lack of AAAA on the register has been discussed here for years and its always promised as being looked at.
If only El Reg had some people that understood this stuff that they could talk to, then they might be able to figure out how to configure it.
The front end is Cloudflare and they provide IPv6, so this is not a difficult problem to solve.
"The definition of a wide adoption of IPv6 seems to be when all popular website have AAAA records."
Not really. The Google measurement, for example, is how many users actually use IPv6 to reach Google servers.
Anyway, the new game in town now, given the general progress, is running your enterprise network as an IPv6-mostly network, where IPv6 is used except when it really can't be, because the remote host only has an A record, in which case you use 464LAT. Then the local infrastructure can be 100% IPv6-only and the OPEX goes down.
icloud private relay user on virgin media here.
google is constantly throwing CAPTCHA's at me & quoting the icloud cloudflare ipv6 address i'm using.
just ironic that cloudflare tout ipv6 as a solution when i'm obviously being NAT'd by icloud/cloudflare to an IPv6 that google reputation engine has doubts about.
easy to block a single IPv4 or a subent allocated to a carrier, IPv6 address space is so vast that they typically dish out a /64 the whole of which would need blocking if not the entire subents allocated to the SP's.
Point being that the blast radius for IPv6 is far larger than IPv4 -literally in terms of total addresses that are on the naughty list.
I think that the global IPv6 adoption (as measured by Google) will exceed 50% in the last week of 2025, if not before. The reason is that IPv6 usage peaks at weekends (because more private subscribers use IPv6 than workplace subscribers) and because private usage peaks during the end-of-year holidays.
Also the Google estimate for China is meaningless; actual usage in China is 77% (China Daily, 2025-10-31). So if Google could measure China properly, they would already show more than 50% worldwide adoption.
It's about time for the IPv6 naysayers to shut up.
well there are still free IPv4 to IPv6 gateways out there - I'm using one. Just sayin'.
The only problems I have discovered are at the firewall, where people might not know how to configure them properly, as all IPv6 addresses are effectively public. It would be like it was in the 90's where all IP addresses were visible to one another, and unfiltered. 'Code Red' anyone?
I was under the impression the 4G mobile networks were using CGNAT on IPv6 traffic. I know the internet visible IPv6 address of my phone is different to the one the phone gives me and that I am unable to make an inbound connection to my phone.
In turning off the 3G network, it seems Three are discontinuing the 3Internet service which allocated routable IPv4 addresses to devices.
Why would carriers implement something as crazy as CGNAT on IPv6, thats deliberately breaking something for no valid reason ?
There are many situatios where end to end connectivity between devices is a good thing. There is no logical reason to do this on v6.
can you tracert it to see whats happening ?
Can you name and shame the carrier as its not obvious which side of the pond you are on.
>as its not obvious which side of the pond you are on.
The side that matters... UK.
The carrier is EE,
This just one of many discussions over recent years there has been on the EE forums. I encountered it in 2020 and got around it by using the A&A L2TP tunnel service (my router creates and maintains an L2TP tunnel with A&A's server which has a static and publicly routable IPv4/v6 address and so can handle inbound connections directed to it).
I seem to remember other (UK) 4G networks being similiar, although as I noted elsewhere Three's 3Internet service (3G) did allocate a static publicly routable IPv4 address. If it wasn't that EE's 4G service was so much more performant at the office I needed the service in 2020, I would have used Three's service.
"Why would carriers implement something as crazy as CGNAT on IPv6, thats deliberately breaking something for no valid reason ?"
Like they need a valid reason!
I do know one guy who once said that if his company adopted IPv6, they'd use private addresses and use a NAT, because that's how they're used to doing it with IPv4, and so it keeps it all familiar.
For cellular data on US providers. I imagine IPv6 is used to some extent opportunistically, but I connect to a few sites from my phone that show the originating IP when you connect and it is no doubt part of some Verizon CGNAT pool.
Now maybe if you have the clout of a big ISP you can insure your CGNAT addresses don't get blacklisted / tarpitted / rate limited and that's why I've never run into such issues. At least not knowingly. I suppose I would have a hard time telling the difference between happening to get assigned a "bad" CGNAT IP and having a poor quality data connection, given how used to the latter we've all been forced to become since cellular data became a thing 20 years ago. As far as I know, my data connection is having problems so I'll just try again later - and when I do I'll get a different CGNAT IP.
For cellular data providers in the UK, too (and likely elsewhere).
I only have mobile internet access when I'm in the UK and I constantly suffer the staircase/hydrant/bicycle challenge. It's fascinating how we've managed to continuously evolve protocols above layer 3 (to the extent of HTTP/3 using QUIC instead of TCP) while the network layer refuses to ditch the sideburns and flares.
the network is like a road,
roads have existed for thousands of years.
some modern roads follow the same paths as old roman roads.
yet you can drive your horse & cart, old banger or modern electric or hyper car along them.
yes its got better surface on it today etc but still goes from a to b.
trainlines on the other hand, not so versatile as a road. you can run different generations of rail vehicles on them but they are highly regulated and the vehicles have to strictly adhere to the regulations.
Yes it is so easy to use 10.x for internal addresses that there is little incentive to do the work required to deploy IPv6 on an intranet. Typically it doesn't get done unless there are reasons you need to present IPv6 externally, but many companies have limited need for public facing IP addresses and can get by with a class C or less.
Still, if your daily job is to design, implement and maintain networks and you don't know anything about the "newer" technologies, you aren't doing your job properly. You may have no need to implement IPv6 right now, but that's not an excuse to ignore it because you don't like it. You're also cutting you out from jobs that require IPv6 knowledge. For the matter, here many new ISPs are running on IPv6 first because they can't source enough IPv4s.
I assume you are not a network engineer then.
I'm working at my 4th carrier since 2012, major global & domestic carriers.
I've never used IPv6 at work.
Current carrier is well within the UK top 10 in terms of customers.
Our customers get IPv6 on their service.
99% of our internal stuff runs on IPv4.
all my day to day stuff is IPv4.
recent major internal projects are all IPv4.
IPv4 & IPv6 are just addressing schemes. the actual numbers used are less important than the distinction they provide and ability to route & secure services.
Each dc runs a bunch of services, often duplicated as in each dc has infrastructure services like dns, ad, ntp, backup, replication, management etc etc.
then we have our workloads that vary from corporate, customer etc etc etc
we also use abstractions like tags etc.
ultimately we rely heavily on automation too.
with tens of thousands of VM's just in the UK, we just need things to work, which means things need to securely & reliably talk to each other, which means we utilise a lot of techniques like ips, firewalls, load balancing, gslb, dns, overlays etc.
after decades of operation we have lots of legacy systems that provide the core of the services that make the business viable.
we can't just rebuild everything a new and expect it to instantly work. we simply don't have enough people power to do an instant cutover and have things work.
naturally it'd have to be a phased approach, enabling ipv6 1 system / service at a time while also ensuring IPv4 connectivity remains and replicate the security & reliability mechanisms for IPv6.
doing all of that on a live system is wrought with danger, plus we would have 2 big security surfaces instead of 1 big 1.
its not impossible, its all doable, we've a lot of the sharpest minds in the industry & all our vendors would trip over themselves to support us.
yet its not happened because what advantage does that give us?
our customers can used IPv6, I'm sure anyone in the business that needs to use IPv6 can. All our tooling, automation, security, reliability mechanisms etc etc work perfectly fine on IPv4,
I can't think of a single reason why we need IPv6 internally right now.
we have lots of rfc 1918 & public addresses if we need.
despite an abundance of addressing we also use NAT, proxies etc for internal traffic for various reasons.
In a non carrier business I worked for we used public addressing internally for some systems and ensured those addresses where null routed at the internet reason being was to ensure that if the multiple layers of security we had where some how circumnavigated then those internal systems would never be routable from the internet.
I truly don't get the passion some have for IPv6, it's just a hierarchical addressing mechanism. It just tells a network what address something can be reached on & the desperate networks work out how to move traffic to & from it.
also end to end connectivity is a busted flush, in 2025 its trivial to spin up an overlay to ensure reachability even over CGNAT, see https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/
yes the wider Internet is running out of IPv4 address,
yes some regions have no available IPv4 addresses,
yes IPv6 removes the need for CGNAT or even NAT
but why do corporates that need internal comms only need to use IPv6?
once the wider world moves more and more to IPv4, leaving corporate systems on IPv4 actually is a security benefit.
I'm not being lazy, I know lots about IPv6, I'm just paid to work on IPv4 & there is zero money coming my way to work on IPv6.
No, they are not. You can't use IPv6 exactly the same way you use IPv4. Some things are done differently.
"but why do corporates that need internal comms only need to use IPv6?"
As long as they are internal comms only, your choice. But they won't be able to connect to any IPv6 only system outside your network, then, when they need it.
How many expensive network engineers would want to adopt IP when they only know [IPX|Decnet|AppleTalk|Sneakernet].
As already said, if someone only knows IPv4 and not IPV6 then they aren't a network engineer by today's standards.
But the main thing is that for the bulk of users - which would be the masses of home users - there is very little (if anything) needed to use IPv6. For example, most of the significant ISPs in the UK (Plusnet being a notable exception even though they ran trials many years ago and are owned by BT who do) do IPv6 as dual-stack with IPv4 by default - and the users just never notice. It's there by default, most OSs these days prefer IPv6 over IPv4, so that's why IPv6 adoption is now high.
Granted, it's a different situation for large business users - but they tend not to be sitting being a consumer grade CGNAT for their connection.
>” so almost everyone's home kit supported IPv6 long before their ISP did.”
You are forgetting most home uses used ISP supplied land line kit which tends to be IPv4 only for reason of cost (EE I’m looking at you). Obviously, third-party non-ISP kit has been supporting IPv6 since 2012 and in some cases earlier.
Sky broadband and vodafone broadband enable IPv6 out of the box. Many of their users will be using IPv6 and having no knowledge they are doing so.
Talk-talk is a notable big ISP that doesn't do IPv6 at all. When asked a few years ago on their forum, one of the staff replied "we don't need to - we have plenty of IPv4 addresses"!
"Talk-talk is a notable big ISP that doesn't do IPv6 at all. When asked a few years ago on their forum, one of the staff replied "we don't need to - we have plenty of IPv4 addresses"!"
Given their financial woes, makes you wonder what their v4 addresses would be worth if sold, and how that would stack up against a v6 network upgrade. If there is any merit in the idea, chances are they'll have left it too late and the bottom will drop out of the v4 address market?
most CPEs (modems, routers) introduced Dual Stack IPv4 and IPv6 in 2012 in a miraculous coordination so almost everyone's home kit supported IPv6 long before their ISP did.
With varying degrees of success. I remember going through three or perhaps four routers before I found one that could reliably get and hold an IPv6 connection using PPPoE. Thankfully my ISP (IDNet) have very good support staff who were able to help diagnose the issues so that I could report them back to the router manufacturer. Sadly all but one did nothing to fix the issues which is why I had to go through so many before I got one that worked.
If remember correctly one of the routers badged as dual-stack only supported one at a time. When I questioned this I was told that I was expected to switch between v6 and v4 as/when I needed it.
What amazed me was that the previous trial ended because PN were rebuilding their core network. Now I suppose it's acceptable that the old trial servers were not compatible with the new core but how do you build a core network without baking IPv6 in from the start if you already know that it exists? What kind of madness is that?
Starlink does use CG-NAT.
Iliad in Europe uses IPv6 + MAP-E for the same reason. Sky in Italy uses IPv6 + MAP-T (still a form of CG-NAT) because it has not enough IPv4s available. It's still better than a pure IPv4 CG-NAT system because you can reach IPv6 services without any NAT, using it only to access IPv4 only destinations.
In a properly configured system user won't notice which stack they are using. The only real issue is without properly set up DNS+DHCP (SLAAC was a bad idea) accessing internal devices via IPv6 addresses is far less friendly. And still too many routers have primitive DHCP/DNS services (i.e. no automatic DNS entries from DHCP leases).
Vodafone in Italy started to use CG-NAT too (don't know if they sold IPV4 addresses...)
Actually only the largest and older ISP that could obtain large IPv4 address spaces in the past that have no troubles with IPv4 addresses - and are delaying implementation to extract more money from them. Especially the US ones. But US is not the "world".
The cloud allowed companies to avoid to get IP addresses themselves to run public-facing customers, but the cloud provider are hoarding IPv4s too to delay the need of IPv6 - but many providers started to sell low-end VPS with IPv6-only addresses, asking to pay more if you want an IPv4. Of course, they are useless if you can access them from an IPv6 enabled client.
In a properly configured system user won't notice which stack they are using. The only real issue is without properly set up DNS+DHCP (SLAAC was a bad idea) accessing internal devices via IPv6 addresses is far less friendly. And still too many routers have primitive DHCP/DNS services (i.e. no automatic DNS entries from DHCP leases)
You might want to talk to Google about that. The Android development team responsible absolutely refuse to add support for DHCPv6 other than (coming soon, apparently) prefix-delegation. Their chief developer is apparently adamant that DHCPv6 is a terrible idea and everyone should use SLAAC.
I discovered all this only a couple of days ago while trying to work out why my mobile phone was the only device on my LAN that didn't have working IPv6. As soon as I changed my router (TP-Link) from DHCPv6 to RADVD+RDNSS my mobile phone was happy. Thankfully so were all my Windows machines.
The real reason is DHCP allow a network to control which devices get an address and how. Even SLAAC has to work together DHCPv6 to get configurations SLAAC can't give. Look at how RDNSS has to be added later.
SLAAC is a bad idea today, DHCP gives far more control to network administrators, and it can integrate with DNS registrations better than SLAAC. It miight not be important for mobes, but it is imporant for systems you need to contact explicitly in a networks, especially since IPv6 addresses are not user friendly.
This is, as said before, a clear example of "enshittification" - Google main business is hoarding user data to sling ads to them, and thereby Google has to remove any obstacle that could hinder it. Android exists only to support Google main business. Users needs will be bent to that. There is no other real reason to avoid DHCPv6.
I have a separate SSID for Androids users. SLAAC does work. Just, Google systems are blacklisted....
Sorry, is that version 1 or version 2? I read the specs for IPv6 version 1 and thought 'If I cared I, could do better while drunk." What kind of fuckwit would require that my hardware address be embedded into my ip address? Is it the same type of fuckwit who would increase the size of the addresses by 4 times, the minimum header size by 2x and not increase the default packet size. Was it the same Intel engineer who decided that the input buffers on their network cards would never need to handle a packet bigger than 1514 bytes?
You probably couldn't.
v6 doesn't require your hardware address be embedded in your IP address. It increased both the minimum required packet size from 576 bytes to 1280 bytes, and the maximum size up to 4 gigabytes, but the actual packet size of the network is an L2 concern rather than an L3 concern, so v6 can't change it in the first place.
I've seen a lot of people who thought they could do better than v6, but they can usually only suggest things that wouldn't work at all, things that v6 already does, or things that they clearly haven't thought through the details of. Or they refuse to tell anybody what their better ideas are. If you think you can do better then go ahead, but you already hit the first two points.
If anybody thinks that creating, ratifying, and getting industry adoption of a standard is something they could do quicker or better, then it suggests to me they know nothing about the procedures involved for any of those stages.
Standards are developed through wide engagement, forming consensus and mostly voluntary adoption. Getting large groups of people from different sectors and organisations each with different interests to agree on something as detailed as any technical standard is the sort of endeavour that the ancient Greeks would have considered a punishment from the gods.
>” If anybody thinks that creating, ratifying, and getting industry adoption of a standard is something they could do quicker or better”
In networking, the corpses of the OSI/MAP/TOP/GOSIP show just how expensive getting a standard firstly adopted as a Standard and then deployed (MAP/TOP/GOSIP) was in the 1980s. IPv6 is demonstrating that being the only game in town isn’t sufficient to get widescale and rapid adoption.
QUIC really only grew so quickly because it used UDP (ie. The established protocol stack) and could be implemented in the browser. As Google Chrome had a large install base achieving widespread deployment was trivial. Obviously, getting websites to support it was less easy, but getting the protocol ratified meant it got implemented by other browsers and in the major webservers and so simply needed a software update and a settings change…
SLAAC was a bad idea that could make sense in 1995 - when DHCP was still a new technology (its first RFC is 1993) and they couldn't think a small sub-$100 system could act as a router+DHCP+DNS server for a LAN one day. And many systems were still single ones that connected through an analog modem.
Advertising the network prefix and letting the client compute its address looked smart - and the MAC address ensured uniqueness. Then it turned out is wasn't smart. No recent implementation works that way by default any longer.
The MTU is dictated by the underlying transports - Ethernet jumbo frames have been available for a long time now. While lower speed networks may not see any advantage by using jumbo frames, higher speed one can.
Anyway, most consumer internet connections use some form of PPP carried over by analog modem implementations... which introduces overhead and issues on its own. Switching to pure IP implementation woudl redice the overhead, but requires changes again ISPs are not willingly to do.
"Fresh" is relative, but Metronet is a US fiber ISP founded in 2005, so 20 years ago.
Metronet has—since 2005, mind you—implemented an exclusively 100% CGNAT network. The "holdover" technology is apparently the state of the art for some ISPs.
Anyways, Metronet were recently acquired by private equity firm KKR and T-Mobile.
Google refused to honor DHCP6 in android. Other than that, android works fine with IPV6, although it requires SLAAC to configure it. However, all IPv6 routers provide SLAAC, so what's your problem?
I personally hate the fact I can't set my IPv6 address manually in android, but that doesn't make their adoption "half baked"
Yes, it's half-baked because it can't work in any private network where SLAAC is disabled and IPv6 clients can only get address via DHCPv6 for security reasons. And that's because Google wants to hoard data from any network without controls. If the phones switch to the cellular network fo avoid firewalls/proxies/etc. for Google business is better.... what if some of those devices sinkholes ads?
That's another example of pure "enshittification" - Google data hoard and ads-slinging business is driving Android tech features.
do it
you won't get very far, its an rfc 1918 address, 10/8 can't be routed to across the internet which is why RFC 1918 addresses are used on consumer LAN's it doesn't matter that customers overlap rfc 1918 addresses as they need to be outbound NAT'd to reach a public internet address.
What network are you connecting to?
Internally, LTE network are IPv6-only at the lowest level and therefore IPv6 support is in fact a hard requirement for LTE to work - but the ISP can go out of their way to only offer an internet connection with NAT'd IPv4 - meaning on the end device, the internal IPv6 addressing is hidden and all you see is IPv4 addressing.
In my experience, in combating bots, if the originating ISP only has a IPv4 /24 block of addresses, it is more likely the majority of its other IP addresses will also be bots, so best block the entire range rather than the single IP address.
I suspect with IPv6 people will do similar, as blocking individual addresses doesn’t make much sense.
(I'm sure Cloudflare knows this of course already...)
Blocking by IP made sense in the 90s and maybe up till late 00s, but cloud providers, bot nets, etc have massively reduced their effectiveness. Add to that Geo IP services that have bad information on wide swaths of IPs (including the IP I am posting with, for example you can use https://www.maxmind.com/en/locate-my-ip-address ), the IP I am coming from has been present at it's current address I'd bet for at least 20 years. If you did a WHOIS on the IP it literally shows you the correct street address where the IP is at. Yet MaxMind has no idea other than somewhere in the U.S..
I briefly fought a credential stuffing attack in 2023 with a similar situation. Over 10,000 unique IP addresses trying to get through the service, mostly from "Republic of Seychelles", five /16s, and ten /24s, and the Geo IP databases (for the most part) had no idea where those IPs were coming from. I found a service at the time that would run Geo lookups against multiple providers and it was comical to see such radically different responses, thousands of miles apart depending on the IP space/Geo IP provider queried. WHOIS information appeared to be accurate (confirmed with traceroute in a few cases I tested at the time).
I fired off an email to Maxmind(who was/is the Geo provider for the CDN my org uses) at the time with a list of example subnets, asking for clarification of their data vs WHOIS data, but they never responded.
> This means an IP-based security system may inadvertently block or throttle large groups of users as a result of a single user behind the CGNAT engaging in malicious activity
It's worse than that. Hands up if you visited a news site and it tells you you've used up your quota of free news for the day and now wants you to pay. And this is your first time visiting the site in a week.
Cloudflare are constantly telling the world how to solve attacks and issues, but yet refuse to sort their own DNS resolvers. They should make it harder for Attackers to use their services to launch DNS reflection and amplification attacks. Alternatively, it would be a good business model to be part of the problem to boost sales i guess
everyone bangs on about IPv6 like its a solver of all problems and your lazy & stupid for not adopting it or implementing it at your place of work.
In IPv4's lifetime, a number of pitfalls and issues have been discovered & engineered out that have made it far better than it was at the start.
Everyone focusses on NAT being an issue but I suspect they never experienced the days when your computer screen was filled with pop ups and your PC riddled with viruses moments after dialling up to the internet.
Yes OS's are now more secure, Browsers more protecting etc, but NAT on broadband routers stopped your machine getting remotely hacked whilst Microsoft worked out how to implement a default firewall on your computer.
yes OS & applications protections are better today, but protocol implementation of IPv6 has removed the protection afforded by stateful NAT on your router.
people, say that NAT is no protection from unsolicited connections, I'm yet to see anyone reach any of my hosts behind my stateful NAT router, how can my stateful NAT router route to an internal address when it has no lookup table entry from the remote source to my internal IP?
the numbers of people that need genuine end to end connectivity is tiny, if they truly need it and are behind a CGNAT then a tunnel from the likes of cloud flare is likely a viable alternative, else pay for a connection with a public IPv4 or a hosted solution that uses a public IPv4.
the biggest pitfall of IPv6 is not having NATv6 & actively blocking any initiatives to implement NATv6.
having NATv6 doesn't mean it must be used.
having NATv6 does mean that IPv6 becomes a lot easier to implement especially in environments that need multiple internet connections. but don't have the skills or expertise to implement Provider-independent address space.
its trivial on IPv4, with IPv6 going from 1 provider to another address space requires hosts to have 2 ISP addresses & sure routing with some kind of mechanism to tell each client to use 1 address or the other (could be dropping the providers prefix to 0 or something) but it is far more involved than it is on IPv4.
I agree that too many technical types hate on NAT and I've had arguments in the past about how effective NAT is for security. I'll also call bull on the other claim that NAT 'breaks the internet'. That's clearly rubbish given how successful the internet is and how many so called point-to-point only protocols work just fine through NAT.
But I also don't think NAT is so good that we should be adding it to IPv6. A halfway decent firewall will be doing most of what NAT does and other useful things besides. Security is a useful side-effect of NAT but there are other ways to be more secure. And whilst workarounds for NAT have been invented I can sympathise with the idea that it's another layer of complexity that makes some applications more difficult to write than they should be.
So I'm of the camp that NAT was a great solution to a problem with some additional advantages but since the problem doesn't exist with IPv6 let's not bother making work for ourselves.
NAT is absolutely not complicated.
when my 84 year old dad can connect all his IoT stuff to the internet and it all works seamlessly then NAT is most definitely not complicated.
when you have a bunch of hosts that you don't want to have public IP addresses, NAT makes it trivial for those hosts to still connect to internet systems.
Multiple ISP's for redundancy? it's trivial on Ipv4 with NAT, an absolute mare on IPv6 without provider independent addressing. on IPv6 without provider independent addressing, each host needs an address on each ISP & you need source routing to ensure the traffic goes out the correct ISP so it can come back via the same ISP.
getting PIA working is not trivial and requires advertising your prefix out all your ISP's. The alternative of source routing through multiple ISP's is complex and requires lots of duplicate rules in your security infrastructure and becomes a security & reliability risk of getting things wrong.
if you don't get static IPv6's from your ISP then every time they change your prefix all your hosts re-IP and your rules are bunkum.
IPv6 is not as trivial as it is made out to be. Lots of considerations and thought is required to keep things stable when the ISP prefix changes. Many ISP's change the prefix a number of times through the year.
using private IPv6 addresses with NATv6 would make it trivial to use as many ISP's as you want with no need to re IP your internal hosts or amend rules, just like with NATv4..
IPv6-to-IPv6 Network Prefix Translation RFC 6296 is a proposed alternative to full stateful NAT, providing a 1:1 mapping between public prefix & private prefix. does make you wonder why they just don't ratify full NATv6 and let the industry decide.
Domestic users won't notice or care about lack of NATv6 but it can be a mare for businesses unless they get those static addresses or better still the provider independent addresses.
I'm going to backtrack on this slightly. I've actually been doing some research on all things network over the last few days just to satisfy my curiosity after getting engrossed in the Android v DHCP discussion. I now agree that NAT does not provide security features. Or at least that it is dangerously incorrect to make that statement. It is more correct to state that some implementations/configurations of NAT have security benefits.
The point is that NAT is not just one thing. The kind of NAT most of us have come across in our routers is Symmetric NAT and that offers security benefits. But there are several other types of NAT that do not.
So I now think that telling people not to bother with a firewall because they are behind NAT is misleading.
As for whether IPv6 networks could still benefit from NAT I'm not sure. I'm retired now so was only following the discussion out of idle curiosity and I think for now my brain would rather go back to contemplating the mysteries of golf :)
Funnily enough, even symmetric NAT provides no security benefit.
The site you linked says "Incoming packets must be part of an established session, enhancing security.", but that's not actually true. The correct version of that statement is that incoming packets must be part of an established session in order for their destination address to be rewritten by the symmetric NAT. If they aren't, that just means that their destination address won't be rewritten.
Not rewriting the destination address of a packet is not the same thing as dropping the packet. The router will process the packet using its original destination address, and if that address is one of the machines on the LAN then that's where the packet goes.
The article says Cloudflare blames ISPs for throttling users, but I haven't ever seen this.
I see big-content, especially Googoyle's captcha, but _especially_ Cloudflare's tar-pit that crashes browsers, flatly refuses access, has no recourse.
It's not ISPs that are blocking users, it's Cloudflare that is blocking users, and trying to blame ISPs for Cloudflare's behavior. I was seriously going to buy into their stock until they started shafting the end-user, and preventing users from accessing sites.
in the early days, before CIDR, addresses where handed out in classful allocations
https://en.wikipedia.org/wiki/Classful_network#Background
it was a time when they assumed at most there would be a few thousand large institutions that needed to connect their computers.
the notion that everyone wold want let alone need a connected computer in their home was far fetched.
if you where a large institution you'd get a /8, a small institution would get a /24.
NAT was not a thing.
they could not envisage at the time how we would use these things.
It's interesting that this is coming from Cloudflare.
They are the most prominent example of rate limiting, blocking based on reputation and geography, as they put it, "socioeconomic bias", and so on.
They also want to protect scammers by mixing their web site endpoints in with their legitimate customers, while at the same time they want to deanonymize people behind CG-NAT by surreptitiously monitoring DNS using DNS-over-https, so this is a little more than hypocritical.
While the thing is written as though Cloudflare is talking about Cloudflare's decisions which lead to "socioeconomic bias" and other issues, they don't actually say it's about them. It really should. They're the primary cause of the problems, just as they're the ones who protect DDoS-for-hire gangs that make Cloudflare's products seem much more necessary than they really are.
Instead of blaming CGNAT, maybe we should be more concerned about outdated security measures that haven't kept up with modern networking techniques and current practices. Yes, things were less complicated in the past and security models were simpler. CGNAT with multiple users sharing one Public IP address is like modern housing with high-rise condominiums instead of everyone living in detached single family houses. The condo has one physical address shared with 100's of families.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
