100

The question above for the most part, been reading up on it. Also want to it for learning purposes.

top 50 comments
sorted by: hot top controversial new old
[-] tburkhol@lemmy.world 25 points 1 year ago

Definitely dual stack if you do. The real benefit of IPv6 is that, supposedly, each of your internal devices can have its own address and be directly accessible, but I don't think anyone actually wants all of their internal network exposed to the internet. My ISP provides IPv6, but only a single /128 address, so everything still goes through NAT.

Setting it up was definitely a learning process - SLAAC vs DHCP; isc's dhcpd uses all different keywords for 6 vs 4, you have to run 6 and 4 in separate processes. It's definitely doable, but I think the main benefit is the knowledge you gain.

[-] designatedhacker@lemm.ee 10 points 1 year ago

Your ISP is doing it wrong, which I guess you already know. I get a /64 net via DHCPv6 for my LAN which is pretty standard.

+1 to dual stack. Too much of the internet is v4 only, missing AAAA, or various other issues. I've also had weird issues where a Google/Nest speaker device would fail 50% of the time and other streaming devices act slow/funky. Now I know that means the V6 net is busted and usually I have to manually release/renew. Happens once every few months, but not in a predictable interval.

Security is different, but not worse IMO. It's just a firewall and router instead of a NAT being added in. A misconfigured firewall or enabling UPnP is still a bad idea with potentially worse consequences.

Privacy OTOH is worse. It used to be that each device included a hardware MAC as part of a statelessly generated address. They fixed that on most devices. Still, each device in your house may end up with a long lived (at least as long as your WAN lease time) unique IP that is exposed to whatever sites you visit. So instead of a unique IP per household with IPv4 and NAT, it's per network device. Tracking sites can differentiate multiple devices in the house across sites.

This has me thinking I need to investigate more on how often my device IPv6 (or WAN lease subnet) addresses change.

[-] Faceman2K23@discuss.tchncs.de 8 points 1 year ago

I get a fat /48 network, just in case I need one septillion, two hundred and eight sextillion, nine hundred and twenty-five quintillion, eight hundred and nineteen quadrillion, six hundred and fourteen trillion, six hundred and twenty-nine billion, one hundred and seventy-four million, seven hundred and six thousand and one hundred and seventy-six individual IPs.

IPV6 is pretty wild, we could effectively give every service connecting to every client, in every direction, for every single individual bit its own dedicated address without getting anywhere near using that address space.

load more comments (1 replies)
[-] Katrina 8 points 1 year ago

And the biggest disadvantage of IPv6 is that each of your internal devices has its own address and can be directly accessible from outside. So you need to completely rethink how you do security.

[-] lemming007@lemm.ee 5 points 1 year ago

And can be identified/tracked individually by outside entities. In IPv4, a website sees both my device and my kid's device as the same IP. In IPv6 they're different so this just provides more ways for them to track you.

[-] mea_rah@lemmy.world 3 points 1 year ago

First of all they use much more than the device IP to identify individual devices. IPv4 is no longer all that useful for identification with things like CGNAT being common.

But with IPv6 they'll see my device IP, then they'll see the same device with completely different IP, then again. Same for my kid's device. But again, all of the above applies. It is a concern, but there are much better ways of tracking you anyways.

[-] Onion6068@feddit.de 3 points 1 year ago

That's the reason for rcf 4941. It randomises the host part of your IPv6 address.

https://datatracker.ietf.org/doc/html/rfc4941

load more comments (2 replies)
[-] dan@upvote.au 17 points 1 year ago* (last edited 1 year ago)

There's a bunch of advantages. IPv6 can be useful since your devices can have the same IP both internally and externally. No dealing with port forwarding. No split horizon DNS (where you have different DNS entries for internal vs external). No NAT. No DHCP required for client systems (can just use SLAAC to auto-generate addresses). Much simpler routing. It's a bit faster. Proper QoS.

I used to use Comcast, who actually have very good IPv6 support. They were the first major US ISP to roll out IPv6 to everyone, around 10 years ago. Unfortunately my current ISP doesn't have IPv6, but they're aiming to roll it out this year.

[-] outcide@lemmy.world 6 points 1 year ago

How does that work, having the same IP internally and externally?

[-] dan@upvote.au 8 points 1 year ago* (last edited 1 year ago)

A good ISP that supports IPv6 will give you a /64 range. That's a huge number of IPs, 2^64. Easily enough for every device on your network to have a lot of public IPs. If you use Docker or VMs, you could give each one a public IPv6 address.

When every device on your network can have a public IP, there's no longer a reason to have private IPs. Instead, you'd use firewall rules for internal-only stuff (ie allow access only if the source IP is in your IPv6 range).

This is how the internet used to work in the old days - universities would have a large IP range, and every computer on campus would have a public IP.

Of course, you'd still have a firewall on your router (and probably on your computers too) that blocks incoming connections for things you don't want to expose publicly.

[-] rehabdoll@lemmy.world 3 points 1 year ago

A good isp would give you something bigger than a /64 - /56 or /48. something that you can subnet.

[-] vrighter@discuss.tchncs.de 4 points 1 year ago

wouldn't /64 still leave you with 64 bits for you to do whatever? Ipv6 has a 128 bit address. If you can do subnets with a small usable portion of 32 bits, then you certainly can with a full 64 bits

[-] busturn@lemmy.world 3 points 1 year ago

The smallest recommended IPv6 subnet is /64. The biggest issue you will encounter is that SLAAC will refuse to work on anything smaller, and it just so happens that Android still doesn't support DHCPv6 and will be left without a valid address.

load more comments (2 replies)
load more comments (2 replies)
[-] empireOfLove@lemmy.one 12 points 1 year ago* (last edited 1 year ago)

For LAN, no. If you have a router NAT'ting traffic and providing DHCP service there's really no need for ipv6. Almost every ipv6 enabled service provides both 6 and 4 usually and NAT figures it out, and many still provide only 4, meaning you can't just get rid of ipv4 entirely.

If your ISP has modernized and is actually providing an ipv6 address, I suppose there's probably a tiny benefit of being able to go ipv6>ipv6 when routing, bust most all devices nowadays can handle NAT translation from ipv4 to ipv6 and vice versa with no routing penalty. I don't know if there are any ISP's out there who can provide static ipv6 addresses without a NAT router to your entire LAN though.

If you're buying a vps or something ipv6 is easier to get a static address for.

That of course leaves the last good reason: why not? If you're doing homelab hosting stuff why not experiment with ipv6 and fully modernize your network. They suck to type in but it's fun to know your stuff is brand new and using the "best".

load more comments (1 replies)
[-] Faceman2K23@discuss.tchncs.de 11 points 1 year ago

It's good to learn, because it will become more common as time moves on, particularly if you get into the datacenter/cloud/ISP industry. It's less important for the general home user, but it is important to understand how it works and how to use it safely.

Just treating it like IPV4 with more address space is dangerous though. you need to think differently about security and firewalls as it is as if every device has its own dedicated WAN address and could be open to the internet without you knowing.

[-] npmstart_pray@lemmy.fmhy.ml 5 points 1 year ago

Indeed it is good to learn: ipv6.he.net/certification is a free course everybody should take the first 2-3 levels of.
The login credentials you create for that website will allow you to login to their sister site tunnelbroker.net and claim a /48 delegation for your DDNS tunnel, also free, to promote the changeover to v6 from v4, especially for people with dynamic WAN IPS from their ISP and no IPv6.

load more comments (1 replies)
[-] duncesplayed@lemmy.one 8 points 1 year ago* (last edited 1 year ago)

(Whoops, accidentally hit "Delete" instead of "Edit" and Lemmy doesn't ask for confirmation!! Boo!! I'll try to retype my comment as best I can remember)

I'll buck the trend here and say "Yes, for a home LAN, it's absolutely worth it. In fact for a home LAN it is more important than in a data centre. It is absolutely the bees' knees for home and is worth doing."

All of that depends on how your ISP does things. When I did it, I got a /56, which is sensible and I think fairly common. If your ISP gives you anything smaller than a /64, (a) your ISP is run by doofuses, but (b) it's going to be a pain and might not be worth it. (I now live in literally one of the worst countries in the world for IPv6 adoption, so I can't do it any more)

The big benefit to it is that you can have your servers (if you want them to be) publicly reachable. This means you can use exactly the same address to reach them outside the network as you would inside the network. Just make one AAAA for them and you can get to it from anywhere in the world (except my country).

When I did it, I actually just set up 2 /64s, so a /63 would have been sufficient (but a /56 is nice). Maybe you can think of more creative ways of setting up your networks. Network configuration is a lot of fun (I think).

I had 1 /64 for statically-assigned publicly-reachable servers. Then I had a separate /64 for SLAAC (dynamic) end-user devices, which were not publicly reachable (firewalled to act essentially like a NAT). (Sidenote: if you do go to IPv6 for your home network, look into RFC7217 for privacy reasons. I think it's probably turned on by default for Windows, Android, iOS, etc., these days, but it's worth double-checking)

[-] festus@lemmy.ca 6 points 1 year ago

Sigh... not an ISP, but the service I rent my server from only provides me with a /128. Yes that's right, exactly one IPV6 address and not one more.

[-] ilega_dh@feddit.nl 7 points 1 year ago

Oof, that’s a very obvious sign they do not understand how IPv6 is supposed to work. At all.

load more comments (2 replies)
[-] orangeboats@lemmy.world 4 points 1 year ago

My ISP delegated me only one /64.

load more comments (2 replies)
[-] Reliant1087@lemmy.world 3 points 1 year ago

My ISP dynamically allocates a /64. I don't even know why they do that.

load more comments (2 replies)
[-] Oxff@lemmy.world 8 points 1 year ago

IPv6 is the future so I'd say yes. Dual stack is the way to go. If you can get public address block from your ISP thats great. If not I'd recommend HE tunnel or something similar. Just remember to firewall as ever device is reachable in most configurations.

load more comments (1 replies)
[-] mvee@lemmy.ml 7 points 1 year ago

No, I like living in my nat cocoon so I don't have to worry as much about all the devices on my network. Jk it's turned on, but I don't usually enable it on devices

[-] Blaster_M@lemmy.world 4 points 1 year ago* (last edited 1 year ago)

Get a firewall. Malicious STUN, ALG DoS attacks, just these things make your NAT router less secure than you think it is.

[-] duncesplayed@lemmy.one 6 points 1 year ago* (last edited 1 year ago)

I'll buck the trend and say "yes, for a home LAN, it is the bees' knees". I don't do it now because my country (and hence my ISP) does not do IPv6, but for most places it's worth doing.

It depends on how your ISP does it. When I did it before, my ISP gave me a /56, which is pretty sensible and I think fairly common. If you get smaller than a /64, (a) your ISP is run by doofuses, but (b) it's going to be a pain and maybe not worth it.

A /56 was much bigger than I needed. I actually only used 2 /64s, so a /63 would have been fine, but network configuration is fun (I think), so maybe you can get creative and think about different ways of allocating your network.

I had 1 /64 for statically-assigned, publicly reachable servers. And then I had a separate /64 for SLAAC (dynamic) allocated personal devices (laptops, phones, etc.) which were not publicly-reachable (firewalled essentially to act like a NAT). (Sidenote, if you are going to use IPv6, I recommend turning on RFC7217 on your devices for privacy reasons. I think these days it's probably turned on by default for Windows, Android, iOS, etc., but it's worth double-checking)

The big benefit to using IPv6 is that all of your home machines can be (if you want them to be) reachable inside your network or outside your network using exactly the same IP address, which means you can just give them a fixed AAAA and access them from anywhere in the world you like. If you're into that sort of thing, of course. It's a lot of fun.

[-] activator90@lemmynsfw.com 5 points 1 year ago

I tried converting my internal and external self hosted setup to IPv6 only, like it's the trend nowadays. But halfway through it I couldn't really see the point

[-] SheeEttin@lemmy.world 5 points 1 year ago

Depends on how you define "worth it". Most selfhosting is done not for worth, but for a hobby.

[-] Zorque@kbin.social 3 points 1 year ago

Hobbies are often worthwhile. Maybe not financially, but often psychologically.

load more comments (1 replies)
[-] preasket@lemy.lol 5 points 1 year ago

There’s another question: will we ever actually run out of IPv4 addresses, so that cloud providers and ISPs no longer offer them?

[-] dan@upvote.au 14 points 1 year ago* (last edited 1 year ago)

That's already happened, which is why some ISPs use CGNAT. CGNAT is "carrier-grade NAT" which means the internet provider does NAT on their network.

Only having CGNAT with no IPv6 is a pain since you can't do any port forwarding. It's double-NAT which slows things down a bit (you use NAT on your network, then your ISP uses NAT on their network).

Some cloud providers also have IPv6-only servers for cheaper. IPv4 address are still available but the price to acquire them is significantly higher than it used to be.

load more comments (10 replies)
load more comments (1 replies)
[-] dud3@feddit.de 4 points 1 year ago

Dual-Stack is usually no problem, but going IPv6-only is a pain, because a suprising amount of services are v4 only. Even NAT64/DNS64 doesn't help everywhere.

[-] fedev@lemmy.world 4 points 1 year ago

Because devices in your LAN will all be accessible from the internet with IPv6, you need to firewall every device.

It becomes more of a problem for IoT devices which you can't really control. If you can, disable ipv6 for those.

[-] orangeboats@lemmy.world 6 points 1 year ago* (last edited 1 year ago)

It's not necessary to firewall every device. Just like how your router can handle NAT, it should be able to handle stateful firewall too.

Mine blocks all incoming connections by default. I can add (IP, port range) entries to the whitelist if I need to host a service, it's not really different to NAT port forwarding rules.

[-] Reliant1087@lemmy.world 3 points 1 year ago

So even though the device has a public address, the route is through the firewall, hence the ability to filter traffic?

load more comments (4 replies)
load more comments (3 replies)
[-] paperbenni@lemmy.world 5 points 1 year ago

Wait, ipv6 doesn't require port forwarding to expose something to the internet?

[-] orangeboats@lemmy.world 8 points 1 year ago

Port forwarding is exclusively a NAT phenomenon.

In IPv6 every device should in theory have a public address - just like how every computer had a public IPv4 address back in the 1980s ~ 1990s.

However, most sensible routers will have a firewall setup by default that blocks all incoming connections for security reasons. You still need to add firewall rules.

load more comments (3 replies)
load more comments
view more: next ›
this post was submitted on 13 Jul 2023
100 points (100.0% liked)

Selfhosted

40360 readers
306 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS