Let's Talk IPV6

[Zarathustra[H]]

Looks like this was wrong. I found a checkbox in the DNS Resolver service in pfSense titled "Register DHCP leases in the DNS Resolver" which might do the trick. I never bothered looking into it before because it is so easy to remember private IPV4 addresses...

This might name everything hostname.domain

My domain has always been set to the default "localdomain".

I don't even know what the implications are of changing it, or if I can choose freely. Would probably be convenient to keep it short to enable quicker typing of it...

Tried enabling it. It works, but only on IP's configured in the DHCP. I've always most of my IP's manually on the local machine, meaning they never communicate with the DHCP server, and thus the hostname does not get registered.

 

[Zarathustra[H]]

If I was in a similar situ, I'd probably set up a duplicate service for anything serving over IPv4, then work on transitioning anything which communicates with that service, one at a time.

If you can't do the services first, then set up the clients in a vm, then backup, transition the service and copy over the configuration for the clients.

Before that, though, I'd write down my IP pools. x.x.10.z would translate to a::a:10:z, etc. Hex is easy: instead of 0-9 you have 0-f, and for the sake of simplicity you can ignore a-f if you don't have a dumb program iterating through IPs sequentially (which you shouldn't, anyway). Once they're written down you'll be able to reference them easily while you're setting everything up, but you should be able to memorize them pretty quickly.

I wonder if I could make sure all hostnames on the network are good and not conflicting, one by one shift my local statically configured IP's to DHCP setting the same IP statically in the DHCP server instead. This should make all the hostnames resolve. Then I can go through every config file and switch out IP addresses to hostnames. Then when I switch to IPV6 the hostnames should still be the same, right, so it should be a drop-in replacement.

It does seem a little bit more complex and fragile though. In the current setup, pointing directly at statically assigned IP addresses, there are no outside dependencies.

If hostname is used, the DNS resolver becomes another variable which can introduce issues.

What happens if a client joins the network that randomly has the same hostname as one of the servers? Will this take shit down?

 

[Nobu]

I wonder if I could make sure all hostnames on the network are good and not conflicting, one by one shift my local statically configured IP's to DHCP setting the same IP statically in the DHCP server instead. This should make all the hostnames resolve. Then I can go through every config file and switch out IP addresses to hostnames. Then when I switch to IPV6 the hostnames should still be the same, right, so it should be a drop-in replacement.

Sounds like a pretty solid plan to me.

 

[Zarathustra[H]]

Sounds like a pretty solid plan to me.

I did edit the post above, adding some uncertainty in there.

If I am relying on hostname I'm adding another point of failure into the system that didnt exist before with a statically configured IP on the local machine. It doesn't need DHCP or DNS to be working. It will always be able to communicate with other statically set IP's. It felt sturdy and reliable to me. Everything around it could crash or go down, but as long as two boxes have power and a link between eachother, with local static IP's they can reach eachother.

Adding in these other variables makes me a little uneasy.

Don't get me wrong, my pfSense box has tremendous uptime and reliability, but still.

I also wonder what happens if a random wifi client joins the network that happens to have the same hostname as one I'm, using for a server. Might need to set them up on different domains in that case. Anything joining via Wifi would be hostname.wifidomain or something like that. Not quite sure how to set that up.

 

[BlueLineSwinger]

I wonder if I could make sure all hostnames on the network are good and not conflicting, one by one shift my local statically configured IP's to DHCP setting the same IP statically in the DHCP server instead. This should make all the hostnames resolve. Then I can go through every config file and switch out IP addresses to hostnames.

This is exactly the right way to do it. It's what I and others have been trying to explain (maybe not so clearly?) up-thread. This is how it's done professionally (except for those systems that cannot use DHCP for whatever reason, such as the DHCP server itself, other essential network devices, etc. Then it's just static DNS A/AAAA records for convenience.)

Then when I switch to IPV6 the hostnames should still be the same, right, so it should be a drop-in replacement.

This is where it falls apart unfortunately, unless you are able to obtain a IPv6 block (not likely with a consumer-level ISP plan) and use DHCP6 to issue addresses. SLAAC, the most common way to do addressing for IPv6, doesn't provide any kind of mechanism for reporting the hostname to a central resource.

Fortunately dual-stack works just fine, so you can still use IPv4 for internal communications while IPv6 is used to access the world.

 

[Zarathustra[H]]

Fortunately dual-stack works just fine, so you can still use IPv4 for internal communications while IPv6 is used to access the world.

That does seem way easier. Let everything set up just work the way it is using IPV4, and add an IPV6 address for things that need to reach outside.

Could even just firewall off IPV4 from the WAN in that case so I don't have to worry about managing security on two different stacks.

That is by far the easiest solution.

I still may not like IPV6 very much, but this means a lot less work, which makes me a bit happier.

Will still need to figure out how VPN tunneling is going to work, but I am guessing my provider doesn't even know that yet.

 

[BlueLineSwinger]

If I am relying on hostname I'm adding another point of failure into the system that didnt exist before with a statically configured IP on the local machine. It doesn't need DHCP or DNS to be working. It will always be able to communicate with other statically set IP's. It felt sturdy and reliable to me. Everything around it could crash or go down, but as long as two boxes have power and a link between eachother, with local static IP's they can reach eachother.

Eh, technically true, but I believe you're over-thinking it and the concern is unwarranted.

I also wonder what happens if a random wifi client joins the network that happens to have the same hostname as one I'm, using for a server. Might need to set them up on different domains in that case. Anything joining via Wifi would be hostname.wifidomain or something like that. Not quite sure how to set that up.

The DHCP server should realize the particular hostname is linked to a specific MAC, and not honor a random client trying to set it.

 

[Zarathustra[H]]

This is where it falls apart unfortunately, unless you are able to obtain a IPv6 block (not likely with a consumer-level ISP plan) and use DHCP6 to issue addresses. SLAAC, the most common way to do addressing for IPv6, doesn't provide any kind of mechanism for reporting the hostname to a central resource.

Just to make sure I understand. You need a full block (how large of a block?) in order to use DHCPv6? That seems like a strange limitation...

 

[Nobu]

I also wonder what happens if a random wifi client joins the network that happens to have the same hostname as one I'm, using for a server. Might need to set them up on different domains in that case. Anything joining via Wifi would be hostname.wifidomain or something like that. Not quite sure how to set that up.

Personally I would just not accept any hostnames which aren't configured in the router/dhcp server. Or else, just have wifi clients connect to a separate network (or subnet) entirely. If you named that subnet bobsnet, then clients on that subnet would be bobsnet.hostname.

 

[BlueLineSwinger]

Could even just firewall off IPV4 from the WAN in that case so I don't have to worry about managing security on two different stacks.

Unfortunately not viable. There's still a lot out there that is inaccessible via IPv6.

Just to make sure I understand. You need a full block (how large of a block?) in order to use DHCPv6? That seems like a strange limitation...

You need an IPv6 block/subnet assigned to you regardless. The main limitation with consumer-level service is that they generally will not assign a fixed IPv6 subnet, same as they won't assign a fixed IPv4 address. The catch-22 with DHCP server config in general, of course, is you have to know the subnet in advance in order to set it up.

SLAAC works differently, in that it uses the router to obtain the assigned subnet, and then passes it to the hosts behind it when requested. The host then configures its own address(es) based on that subnet (using anti-collision mechanisms similar to those of IPv4 169.254.0.0/16 zeroconf).

The basic IPv6 subnet assigned by an ISP is a /64, which is the standard size for a single LAN segment. All ISPs that support IPv6 will assign this. Most will assign a larger block, such as /60 (e.g., Comcast) or /56 on request, which can then subnetted into multiple /64 by the router for multiple LAN segments. No one assigns anything smaller (I really hope), because it breaks SLAAC stateless auto-configuration.

 

[Zarathustra[H]]

Unfortunately not viable. There's still a lot out there that is inaccessible via IPv6.



You need an IPv6 block/subnet assigned to you regardless. The main limitation with consumer-level service is that they generally will not assign a fixed IPv6 subnet, same as they won't assign a fixed IPv4 address. The catch-22 with DHCP server config in general, of course, is you have to know the subnet in advance in order to set it up.

SLAAC works differently, in that it uses the router to obtain the assigned subnet, and then passes it to the hosts behind it when requested. The host then configures its own address(es) based on that subnet (using anti-collision mechanisms similar to those of IPv4 169.254.0.0/16 zeroconf).

The basic IPv6 subnet assigned by an ISP is a /64, which is the standard size for a single LAN segment. All ISPs that support IPv6 will assign this. Most will assign a larger block, such as /60 (e.g., Comcast) or /56 on request, which can then subnetted into multiple /64 by the router for multiple LAN segments. No one assigns anything smaller (I really hope), because it breaks SLAAC stateless auto-configuration.

Intersting.

Too bad DHCPv6 cannot use dynamic subnets. I guess DCHPv4 never could either, but it didn't have to because it was using a private address space.

 

[Zarathustra[H]]

Unfortunately not viable. There's still a lot out there that is inaccessible via IPv6.

Huh. I thought IPV4 was built into IPV6 in a specific address range so you can access IPV4 hosts?

Or did I completely misunderstand that at some point.

I could have sworn there was a special address range reserved for embedding IPV4 addresses in IPV6, and This would allow IPV6 clients to reach IPV4 hosts, but not vice versa.

 

[trick0502]

So many assumptions here.

1.) I don't work in IT and never have. This is a hobby for me.

2.) I prefer IPV4 and no DNS for my home network.

3.) I agree that IPV6 has many benefits. I just don't like the implementation.

4.) If I did work in IT I'd execute on whatever made most sense for the organization, regardless of my personal preferences on my home network. When you get paid to do a job, you do that job for whomever is paying you, not for yourself, so your personal preferences don't really matter.

In general though, enthusiastically accepting any change is no better than outright rejecting every change.

I enthusiastically accept the changes that make my life easier, and outright reject the ones that make my life harder. As should everyone.

how do you not run dns? do you have a rainbow table for a host file?

 

[Zarathustra[H]]

how do you not run dns? do you have a rainbow table for a host file?

I have a structure to my subnets and I have memory.

I only need to rememeber the last octet of the IP address. I only have about 25 servers I need to keep track of. Easy to remember them. Why would I complicate things with DNS?

 

[BlueLineSwinger]

Huh. I thought IPV4 was built into IPV6 in a specific address range so you can access IPV4 hosts?

Or did I completely misunderstand that at some point.

I could have sworn there was a special address range reserved for embedding IPV4 addresses in IPV6, and This would allow IPV6 clients to reach IPV4 hosts, but not vice versa.

Afraid it doesn't work that way. It's important to remember that, despite their many similarities, IPv4 and IPv6 are different protocols. For example, IPv6 doesn't implement broadcast at all. In practice it's really no different than running IPv4 alongside other network protocols (e.g., IPX, AppleTalk, etc.) was years ago.

You may be think of something like IPv4-mapped IPv6 addresses, which are certain ranges/subnets set aside in IPv6 to represent IPv4. No one actually assigns these to a host (at least I hope not, such subnets aren't even publicly routable). Instead, they are used to facilitate things like NAT64, which allows an IPv6-only host to access an IPv4 server. But AFAIK no one really uses such things, as they already have IPv4 set up anyways and dual-stack is just as easy (probably easier, actually). Though if we get to some weird point where it's impossible for some to get IPv4 addresses and others are still stuck solely on them, such hacks might be necessary.

 

[trick0502]

I have a structure to my aubnets and I have memory.

I only need to rememeber the last octet of the IP address. I only have about 25 servers I need to keep track of. Easy to remember them. Why would I complicate things with DNS?

so when you need to bring up google in a web browser do you type google.com or 172.217.11.36?

 

[Zarathustra[H]]

so when you need to bring up google in a web browser do you type google.com or 172.217.11.36?

No. I of course cannot memorize all domain names in the world. I use DNS for accessing WAN addresses, or most of them at least, I just don't run a DNS service for my LAN because I don't feel I need it.

 

[Kardonxt]

I'm with OP. IPV6 is a CF.

I'm sure it goes against best practices, but we just disable it on any piece of equipment we touch as SOP because it seems to cause so many quirky issues. We tried to make do for a while because it was the future. At this point I'll believe it when the US converts to the metric system lol.

 

[trick0502]

No. I of course cannot memorize all domain names in the world. I use DNS for accessing WAN addresses, or most of them at least, I just don't run a DNS service for my LAN because I don't feel I need it.

so you run dns on your router

 

[Nobu]

so you run dns on your router

You don't need DNS on your router to access the internet. A computer can communicate directly with a DNS server on the internet – just need it's IP address.

 

[trick0502]

You don't need DNS on your router to access the internet. A computer can communicate directly with a DNS server on the internet – just need it's IP address.

so when you run ipconfig /all on your pc what do you get for a dns server? I got a million on your routers IP address.

 

[BlueLineSwinger]

I'm with OP. IPV6 is a CF.

I'm sure it goes against best practices, but we just disable it on any piece of equipment we touch as SOP because it seems to cause so many quirky issues. We tried to make do for a while because it was the future. At this point I'll believe it when the US converts to the metric system lol.

I wouldn't call IPv6 a clusterfuck. For sure it has its quirks. Many apps needed to be updated and network hardware replaced/upgraded, but that's pretty much settled. There have been some growing pains and initial adoption was slowed by such, but has picked up considerably in the last few years (FWIW, the US is near the top of IPv6 adoption at >40%, according to Google and Akamai. The Internet Society's State of IPv6 Deployment 2018 is also interesting.)

I'd say that if you're in a position to be doing IT/network for a business and you're actively disabling IPv6, you're going backwards.

The Internet Society also has a nice page of IPv6 resources for getting started.

* * *

Also follow-up/modify what I wrote about NAT64 earlier. I was thinking more business/corporate/office-type install. I'd completely forgotten about things like very large provider networks, such as cell/mobile networks. Many of those, especially in fast-growing regions, are going IPv6-only. They'd have to be using NAT64 or a similar solution. Still though, not something most of us would/should be looking at, and dual-stack is the way to go.

 

[Nobu]

so when you run ipconfig /all on your pc what do you get for a dns server? I got a million on your routers IP address.

208.67.222.222

 

[Ehren8879]

For the average user, they aren't even aware they're using IPv6. For those that need to care, it isn't too complicated to adapt to in the home, business or enterprise. Im sorry, it's just not.

Those that complain of issues, operational or technical are those that may have had an issue a decade or so ago or those that continue to hammer IPv4 learned fundamentals to shape their IPv6 deployments.

It's different, but it is stable. Get over it.

 

[trick0502]

208.67.222.222

so how does any device on your network talk to other devices On your by hostnames?

 

[Nobu]

so how does any device on your network talk to other devices On your by hostnames?

They don't, because they don't need to. Like OP, I don't have a lot of devices, and the ones I have don't need to communicate with eachother. When they do, I can just figure out the IP, no big deal. The DNS in my router isn't being used, and would be disabled if I could do so.

 

[sphinx99]

Early on in this thread, the OP mentioned not wanting to be beholden to ISPs for putting devices on an internal fully IPV6 network. A bunch of people chimed in saying that isn’t an issue and taunting the OP’s backward thinking ways. What I’m reading now is that you actually do need a block from an ISP, many of us won’t be able to obtain one, and the solution is to run an internal IPV4 network? I definitely don’t understand IPV6 as well as I would like but have to admit I don’t necessarily like the idea of a single directory, and it doesn’t sound like the panacea some on this thread have made it out to be.

someone mentioned IPV6 privacy extensions, could someone elaborate on what they are / are not?

 

[BlueLineSwinger]

Early on in this thread, the OP mentioned not wanting to be beholden to ISPs for putting devices on an internal fully IPV6 network. A bunch of people chimed in saying that isn’t an issue and taunting the OP’s backward thinking ways. What I’m reading now is that you actually do need a block from an ISP, many of us won’t be able to obtain one, and the solution is to run an internal IPV4 network? I definitely don’t understand IPV6 as well as I would like but have to admit I don’t necessarily like the idea of a single directory, and it doesn’t sound like the panacea some on this thread have made it out to be.

someone mentioned IPV6 privacy extensions, could someone elaborate on what they are / are not?

Dual-stack IPv4/IPv6 has long been the recommended setup. It allows for the introduction and integration of IPv6 while allowing the existing IPv4 network to continue to cover circumstances where the former isn't quite there yet. I don't think anyone here has called for a wholesale swap-out, or been less that forthcoming about IPv6's current shortcomings. But it does correct a number of issues with IPv4, most notably the address shortage and ubiquitous need for NAT.

One way or another, at the consumer level, you're dependent on your ISP to define and supply your IPv6 subnet. Unfortunately, much as they will not assign you a static IPv4 address, most ISPs also will not assign a static IPv6 subnet. For the majority of users this is not an issue. They're not doing anything that really requires communication between local nodes and static addressing and/or hostname resolution is not needed. For those of us that are the exception (raises hand), this is one of those instances where current IPv6 shortcomings are filled in by maintaining IPv4. And of course, there are still a lot of servers out there (including this forum) that have no IPv6 address.

A quick googling of IPv6 privacy extensions should give you a decent overview. Basically, it's the periodic randomization of the IPv6 address used by a node to connect to other nodes.

I'm not sure what you mean by "a single directory".

 

[auntjemima]

This thread had been amazing. I learned so much! I used to think just like Zara, so I'm glad I read this post!

 

[Meeho]

If I understood correctly, privacy concerns that IPv4 "solved" with NAT are mitigated by the use of (daily) temporary IPv6 addresses. Question is, how would I block outgoing connections from certain devices if they change their IPs daily? By host names?

 

[Nobu]

If I understood correctly, privacy concerns that IPv4 "solved" with NAT are mitigated by the use of (daily) temporary IPv6 addresses. Question is, how would I block outgoing connections from certain devices if they change their IPs daily? By host names?

Hostname and/or MAC address, or you could filter by port if it's hardwired and the router/switch supports it.

 

[Ehren8879]

If I understood correctly, privacy concerns that IPv4 "solved" with NAT are mitigated by the use of (daily) temporary IPv6 addresses. Question is, how would I block outgoing connections from certain devices if they change their IPs daily? By host names?

Disable SLAAC and use DHCPv6 reservations on your network.

 

[Meeho]

Disable SLAAC and use DHCPv6 reservations on your network.

Thay wouldn't "anonymize" the devices, though.

 

[Ehren8879]

Thay wouldn't "anonymize" the devices, though.

I personally don't see the benefit of anonymizing the individual devices on a network. A good network firewall is imperative of course.

What's the use case for "hiding" devices behind a single or few public addresses?

 

[Meeho]

I personally don't see the benefit of anonymizing the individual devices on a network. A good network firewall is imperative of course.

What's the use case for "hiding" devices behind a single or few public addresses?

I don't want my ISP to know how many devices I have and what each of them is doing, nor mobile providers to control any tethering and such.

 

[Ehren8879]

perchance having privacy extensions available is enough to encourage these companies to not track the source address quantity originating for their customers?

 

[Meeho]

perchance having privacy extensions available is enough to encourage these companies to not track the source address quantity originating for their customers?

The only way they won't is if they aren't able to.

 

[Zarathustra[H]]

perchance having privacy extensions available is enough to encourage these companies to not track the source address quantity originating for their customers?

The only way they won't is if they aren't able to.

Yeah, putting that genie back in the bottle won't be easy.

Data mining is part of the built in revenue stream of absolutely anything and everything with software now. There will be kicking and screaming before any of these players give that up.

Either make it impossible for them to track you by taking increasingly difficult (in most cases impossible) precautions on your end, OR support legislation to make it illegal, battling what probably would be the biggest and most well funded lobby the world has ever seen.

 

[Ehren8879]

Yeah, putting that genie back in the bottle won't be easy.

Data mining is part of the built in revenue stream of absolutely anything and everything with software now. There will be kicking and screaming before any of these players give that up.

Either make it impossible for them to track you by taking increasingly difficult (in most cases impossible) precautions on your end, OR support legislation to make it illegal, battling what probably would be the biggest and most well funded lobby the world has ever seen.

Oh boy, thats a bit much dude

 

[Ready4Dis]

Dual-stack IPv4/IPv6 has long been the recommended setup. It allows for the introduction and integration of IPv6 while allowing the existing IPv4 network to continue to cover circumstances where the former isn't quite there yet. I don't think anyone here has called for a wholesale swap-out, or been less that forthcoming about IPv6's current shortcomings. But it does correct a number of issues with IPv4, most notably the address shortage and ubiquitous need for NAT.

One way or another, at the consumer level, you're dependent on your ISP to define and supply your IPv6 subnet. Unfortunately, much as they will not assign you a static IPv4 address, most ISPs also will not assign a static IPv6 subnet. For the majority of users this is not an issue. They're not doing anything that really requires communication between local nodes and static addressing and/or hostname resolution is not needed. For those of us that are the exception (raises hand), this is one of those instances where current IPv6 shortcomings are filled in by maintaining IPv4. And of course, there are still a lot of servers out there (including this forum) that have no IPv6 address.

A quick googling of IPv6 privacy extensions should give you a decent overview. Basically, it's the periodic randomization of the IPv6 address used by a node to connect to other nodes.

I'm not sure what you mean by "a single directory".

My ISP hands out /64 ipv6... Unfortunately it's dynamic and changed often. Pretty much a completely broken implementation. Luckily ipv4 is behind a double NAT, so absolutely no way to setup any sort of port forwarding. Was wanting to setup ipv6 on my home network but wasn't sure how easy it'd be to work around a constantly changing ip range.