Standard User bowdon
(committed) Sat 30-Dec-17 15:15:32

The state of ipv6 on the internet

While reading stories over the last couple of years about ipv6, and how ISPs are working to implement it, I was wondering what needs to actually happen for ipv6 to fully kick in, and for ipv4 to drop to a secondary role?

How much of the internet is currently ipv6 compatible? Is there any percentage figure?

I'm just wondering how much progress is being made.

Demon => Freeserve => Pipex => Be => Sky => BT Infinity 2
Standard User Andrue
(eat-sleep-adslguide) Sat 30-Dec-17 15:26:24

Re: The state of ipv6 on the internet
[re: bowdon]

Apparently it's up to 20% according to Google. As for what should be done about it - nothing. IPv4 still works just fine.

---
Andrue Cope
Brackley, UK

Edited by Andrue (Sat 30-Dec-17 15:30:53)

Standard User dsergeant
(member) Sat 30-Dec-17 17:57:15

Re: The state of ipv6 on the internet
[re: Andrue]

And ipV6 just works fine as well. Been on Sky ipv6 for the past year or so, looks like I am among the 20%.


Standard User awontroba
(regular) Sat 30-Dec-17 17:57:45

Re: The state of ipv6 on the internet
[re: Andrue]

Akamai by country and network estimates at https://www.akamai.com/uk/en/about/our-thinking/stat...

While there appear to be "enough" IPv4 addresses for the UK, helped by DWP selling off chunks of their vast (/8) holding to UK and other ISPs, UK IPv6 usage is slowly increasing. See https://www.internetsociety.org/resources/doc/2017/s...

For most, the crunch will come in that far off day when they find that a site they want to access is only accessible with IPv6. I gather that there are a few already.

Personally, I gave up waiting for BT to actually roll out IPv6 to me (HH5) and Plusnet to start at all, and am moving my lines to an IPv6 capable ISP (AAISP). There are other reasons. I admit that I want IPv6, but do not currently need it.

--
Adrian
Standard User choppersrock
(regular) Sat 30-Dec-17 18:07:55

Re: The state of ipv6 on the internet
[re: awontroba]

Intrigued by your comment that you gave up waiting for BT to get IPV6. On one of our relatives' lines, which is on BT Infinity using an Asus router which I installed, ipv6 is working just fine.

Sky Fibre Pro - Billion 880nl V1 (bridge mode) + PFSENSE 2.4.0 with ipv6 - ECI cab, G.INP disabled as of 8th April 2016

http://www.mydslwebstats.co.uk user upload ID skyECI

Edited by choppersrock (Sat 30-Dec-17 18:09:14)

Standard User Zarjaz
(eat-sleep-adslguide) Sat 30-Dec-17 18:32:23

Re: The state of ipv6 on the internet
[re: choppersrock]

Yep, it's been on my BT Retail line for a year now.

Standard User PaulKirby
(knowledge is power) Sat 30-Dec-17 19:15:14

Re: The state of ipv6 on the internet
[re: Zarjaz]

In reply to a post by Zarjaz:
Yep, it's been on my BT Retail line for a year now.

Agreed and the same for me.

Paul

BTBroadband - Infinity 4 312.47 Mbps (down), 29.78 Mbps (up) FVA
TBB Speedtest | Ookla Speedtest | Linksys WRT 3200 ACM (BQM)
Standard User Oliver341
(eat-sleep-adslguide) Sat 30-Dec-17 19:43:20

Re: The state of ipv6 on the internet
[re: bowdon]

I've had IPv6 on Sky for 18 months now.

IPv6 transition is more of an issue for service providers than consumers (aside from CGNAT), because in many cases new services and servers require unique IP addresses, which are mostly exhausted on IPv4, but practically infinite on IPv6. The highly inflated cost of IPv4 addresses may be insignificant to the likes of Facebook and Twitter, but it is very much a factor for fledgling service providers, non-profits, enthusiasts and community projects for instance.

But there's no point in service providers providing services on IPv6 addresses if consumers can't access them, creating something of a chicken and egg situation. It therefore requires consumer ISPs to "do their part" for the good of the internet industry as a whole, and some of them are better at it than others.

Oliver.
Standard User Andrue
(eat-sleep-adslguide) Sat 30-Dec-17 21:01:01

Re: The state of ipv6 on the internet
[re: dsergeant]

In reply to a post by dsergeant:
And ipV6 just works fine as well. Been on Sky ipv6 for the past year or so, looks like I am among the 20%.
Me too. I first got IPv6 when I joined IDNet four years or so ago. Then I left for Plusnet and was without it for 3.5 years. I didn't miss it. Now I'm back with IDNet and have it again. It's made no noticeable difference.

Obviously we need to transition eventually but we're a long way from it being essential.

---
Andrue Cope
Brackley, UK
Standard User mrc99
(learned) Sat 30-Dec-17 21:25:25

Re: The state of ipv6 on the internet
[re: Andrue]

And for those whose ISP is really dragging their heels (here's looking at you PN) and would like to try IPv6 there's always the option of using one of the free IPv6 tunnel brokers. Been using Hurricane Electric's tunnelbroker.net service since 2008 on a couple of routers and it's been amazingly incident-free.

However - have noticed recently that as IPv6 rollout continues some of the smaller tunnel brokers have withdrawn as their services are no longer required.
Standard User Andrue
(eat-sleep-adslguide) Sat 30-Dec-17 22:22:36

Re: The state of ipv6 on the internet
[re: mrc99]

In reply to a post by mrc99:
And for those whose ISP is really dragging their heels (here's looking at you PN)
Which is really bad given that they apparently rebuilt their network recently. The server upgrade even killed off their limited IPv6 trial. How do you upgrade servers and leave yourself with less functionality?

Apparently PN know how :-/

---
Andrue Cope
Brackley, UK
Standard User deleted
(deleted) Sat 30-Dec-17 22:30:59

Re: The state of ipv6 on the internet
[re: bowdon]

IPv6 is insecure.
Why would an entity that has been allocated an IPv4 address space then only use an IPv6 address and risk losing out on advertising revenue by not allowing IPv4 clients to connect?
If you think that IPv6 is the way forward, you either need to use a search engine other than Google and /or do some research beyond consumer 'news' sites.
Google have an interest in moving its revenue stream (users) onto IPv6 - you can be uniquely identified more easily, that's why it provides a 'fast' DNS, to track and sell you.
Remember, if it's free, you are the product
Standard User mrc99
(learned) Sat 30-Dec-17 22:48:46

Re: The state of ipv6 on the internet
[re: deleted]

In reply to a post by 10forcash:
IPv6 is insecure.


That's a bit oxymoronic. IPv6 is a suite of networking protocols, just as IPv4 is. "Security" belongs elsewhere.
Standard User billford
(elder) Sat 30-Dec-17 22:59:57

Re: The state of ipv6 on the internet
[re: deleted]

In reply to a post by 10forcash:
Why would an entity that has been allocated an IPv4 address space then only use an IPv6 address and risk losing out on advertising revenue by not allowing IPv4 clients to connect?
For one thing, not all sites rely on advertising revenue (or even carry adverts), for another they may not have been able to get an IPv4 address- eg link.

Bill
A level playing field is level in both directions.

_______________________________________Planes and Boats and ... ______________BQMs: IPv4 IPv6

Edited by billford (Sat 30-Dec-17 23:07:03)

Standard User deleted
(deleted) Sat 30-Dec-17 23:19:31

Re: The state of ipv6 on the internet
[re: billford]

In reply to a post by billford:
not all sites rely on advertising revenue (or even carry adverts), for another they may not have been able to get an IPv4 address

Show me a website that does not use advertising (including itself) or tracking its users for profit, while you're at it, show me a commercial website that is IPv6 only.
Standard User awontroba
(regular) Sat 30-Dec-17 23:24:11

Re: The state of ipv6 on the internet
[re: choppersrock]

In reply to a post by choppersrock:
Intrigued by your comment that you gave up waiting for BT to get IPV6. On one of our relatives' lines, which is on BT Infinity using an Asus router which I installed, ipv6 is working just fine.

Some BT HH5 users have been unable to have IPv6 enabled. Waiting for new firmware is the most common interpretation.

Yes, I could have bought another router with the expectation that IPv6 would have worked. I chose the price increase to get out entirely, shedding the BT TV contract too. So many channels that I seldom watched.

--
Adrian
Standard User deleted
(deleted) Sat 30-Dec-17 23:40:51

Re: The state of ipv6 on the internet *DELETED*
[re: mrc99]

Post deleted by seb

Edited by deleted (Sat 30-Dec-17 23:42:55)

Standard User billford
(elder) Sat 30-Dec-17 23:57:20

Re: The state of ipv6 on the internet
[re: deleted]

In reply to a post by 10forcash:
so it's fine to expose *every* internet connected device to the internet by a unique address by default?
Exactly what IPv4 does. Devices on your (IPv4) LAN are not connected to the internet- they are connected to your router and gain IPv4 access to the internet via a fudge known as NAT.
IPv4 is a mature transport, security has been hardened within its constraints over its lifetime
Because people have designed firewalls etc to provide needed security, neither protocol includes or requires them.

Bill
A level playing field is level in both directions.

_______________________________________Planes and Boats and ... ______________BQMs: IPv4 IPv6

Edited by billford (Sun 31-Dec-17 00:25:27)

Standard User deleted
(deleted) Sun 31-Dec-17 01:11:12

Re: The state of ipv6 on the internet
[re: Zarjaz]

Here also.
Standard User deleted
(deleted) Sun 31-Dec-17 09:20:27

Re: The state of ipv6 on the internet
[re: billford]

The link below indicates some of the reasons why IPv6 is not mature enough to be used 'in public', certainly not in any of the networks I have responsibility for, which are very far from being 'public'.
https://www.cisco.com/c/en/us/about/security-center/...

So, tell me how exposing every device on your LAN to every other device connected to the internet can be considered a good thing?
NAT is not a 'fudge' - next you'll be telling me there's no reason to use vLANs and every network should just have a flat topology, oh, security is very much baked into layer2 protocols, if you care to look.
Standard User billford
(elder) Sun 31-Dec-17 10:57:09

Re: The state of ipv6 on the internet
[re: deleted]

In reply to a post by 10forcash:
The link below indicates some of the reasons why IPv6 is not mature enough to be used 'in public', certainly not in any of the networks I have responsibility for, which are very far from being 'public'.
https://www.cisco.com/c/en/us/about/security-center/...
Interesting. The document is undated [1] but it appears that Cisco found a potential weakness in the protocol... the first link under References takes you to a page telling you (surprise, surprise) how Cisco can ease the transition of your systems to IPv6. See my comment re firewalls etc earlier.

The rest either don't work (404) or are between 5 and 15 years old.
So, tell me how exposing every device on your LAN to every other device connected to the internet can be considered a good thing?
Perhaps because it allows full communication between devices, wherever they are? Isn't that the whole point of the internet?

[1] eta - although the page source suggests it's about 4 years old.

Bill
A level playing field is level in both directions.

_______________________________________Planes and Boats and ... ______________BQMs: IPv4 IPv6

Edited by billford (Sun 31-Dec-17 12:12:57)

Standard User deleted
(deleted) Sun 31-Dec-17 12:01:11

Re: The state of ipv6 on the internet
[re: deleted]

In reply to a post by 10forcash:
NAT is not a 'fudge'

Yes, it is: https://blog.webernetz.net/why-nat-has-nothing-to-do...
NAT does not add any real security to a network while it breaks almost any good concepts of a structured network design.

The usage of NAT has several disadvantages, mainly because it breaks the end-to-end communication model which is essential for proper IP connections.

NAT adds a burden to all (network) administrators that have to configure and administrate it.

Time to move into the 21st century my friend, after all, we are nearly 20% of the way through it already.

https://www.youtube.com/watch?v=v26BAlfWBm8

Edited by deleted (Sun 31-Dec-17 12:03:28)

Standard User RobertoS
(elder) Sun 31-Dec-17 12:38:46

Re: The state of ipv6 on the internet
[re: bowdon]

There's a whole load of statistics in this PDF document. It starts with the state of IPv4 allocations and follows with IPv6 figures.

I started at this site, followed the link to the IPv4 countdown plan in the body text at the bottom, from that took the Statistics link in the right-hand menu, then the NRO Number Resource Status link in the right-hand menu there. The top document in the list is what I link to above.

My broadband basic info/help site - www.robertos.me.uk. Domains, site and mail hosting - Tsohost.
Connection - AAISP Home::1 80/20. 200GB. Sync 74145/13476Kbps @ 600m. BQMs - IPv4 & IPv6
Standard User Oliver341
(eat-sleep-adslguide) Sun 31-Dec-17 14:20:44

Re: The state of ipv6 on the internet
[re: deleted]

In reply to a post by 10forcash:
So, tell me how exposing every device on your LAN to every other device connected to the internet can be considered a good thing?

It's not a bad thing, and that's why firewalls exist. For instance the Sky Hub IPv6 firewall blocks unsolicited incoming connections by default, and allowing incoming connections has to be explicitly configured.

That makes IPv6 no less secure than IPv4 NAT.

Oliver.
Standard User Chrysalis
(legend) Mon 01-Jan-18 18:02:26

Re: The state of ipv6 on the internet
[re: Andrue]

In reply to a post by Andrue:
In reply to a post by dsergeant:
And ipV6 just works fine as well. Been on Sky ipv6 for the past year or so, looks like I am among the 20%.
Me too. I first got IPv6 when I joined IDNet four years or so ago. Then I left for Plusnet and was without it for 3.5 years. I didn't miss it. Now I'm back with IDNet and have it again. It's made no noticeable difference.

Obviously we need to transition eventually but we're a long way from it being essential.


It's already essential.

Parts of the world have no ipv4 to end users due to running out of ip blocks.

For these users, services need to enable ipv6 access, but services are waiting for ISPs to enable for end users, hence the importance of ISPs rolling out ipv6.

Your view is sort of "selfish" :) in that if it works for yourself it's all fine, but the ipv6 rollout is for "the good of the internet" rather than an immediate need for day to day operations.

More than once Google have considered turning off ipv4 for a day on some of their services to "encourage ISPs" but backed out each time.

It's also now much harder to get ipv4 blocks from datacentres, so hosting content can be hard on ipv4 as well. But has to be done because too many ISPs are stubbornly not rolling out ipv6, such as Virgin Media.

I actually now consider ipv6 as "current" and ipv4 as "legacy".

It's a shame this site still is only single stack for the forum, it cannot be too hard to add a dns record and vhost for ipv6 to forums.thinkbroadband.com as it's done already for the home page. Same with kitz stuck on ipv4 as well. :(

Also ipv6 performs faster due to not having NAT complexity.

Sky Fibre Pro BQM - IPv4 BQM - IPv6

Edited by Chrysalis (Mon 01-Jan-18 18:06:54)

Standard User Pipexer
(eat-sleep-adslguide) Mon 01-Jan-18 18:23:47

Re: The state of ipv6 on the internet
[re: Chrysalis]

In reply to a post by Chrysalis:
It's a shame this site still is only single stack for the forum, it cannot be too hard to add a dns record and vhost for ipv6 to forums.thinkbroadband.com as it's done already for the home page. Same with kitz stuck on ipv4 as well. :(

Think there may be a bit more to it than adding DNS records.

ZeN Fibre Unlimited 2
Standard User Pipexer
(eat-sleep-adslguide) Mon 01-Jan-18 18:34:33

Re: The state of ipv6 on the internet
[re: deleted]

In reply to a post by 10forcash:
In reply to a post by mrc99:
"Security" belongs elsewhere.

Ahh... an IPv6 apologist, so it's fine to expose *every* internet connected device to the internet by a unique address by default? IPv4 is a mature transport, security has been hardened within its constraints over its lifetime, IPv6 appears to be some utopian vision where 'do no evil' still means something. In the real world, there's several valid reasons why it's been sidelined for the last ~20 years. It's fine for hobbyists and hipsters to talk through their manicured beards about, the reality is, it's c r a p.
Security starts with the meatware, then layer0

I think the point of IPv4 was also to expose every single device, they just didn't realise it would become so widely adopted so then you ended up with NAT, which, true as you say does provide a great deal of security as a by-product of what it is for.

Though you can mimic the security provided by a NAT configuration very easily on IPv6 by using a firewall, so preferring IPv4 to IPv6 due to security by NAT is not really a valid point. For example my Draytek 2860 has an option called "Block routing connections initiated from WAN" which is enabled by default for IPv6 and basically provides the same security that NAT does for IPv4 to the IPv6 side.

ZeN Fibre Unlimited 2
Standard User deleted
(deleted) Mon 01-Jan-18 18:43:06

Re: The state of ipv6 on the internet
[re: Chrysalis]

In reply to a post by Chrysalis:
Also ipv6 performs faster due to not having NAT complexity.


Really? As I have the option of both ipv4 & native ipv6 with my ISP, my ping times increased by a few ms when I tried ipv6 so went back to ipv4 for the better ping times. Actual throughput on the connection remained the same, just worse latency on ipv6.
Standard User RobertoS
(elder) Mon 01-Jan-18 18:49:16

Re: The state of ipv6 on the internet
[re: deleted]

In reply to a post by baby_frogmella:
In reply to a post by Chrysalis:
Also ipv6 performs faster due to not having NAT complexity.

Really? As I have the option of both ipv4 & native ipv6 with my ISP, my ping times increased by a few ms when I tried ipv6 so went back to ipv4 for the better ping times. Actual throughput on the connection remained the same, just worse latency on ipv6.
That's because it takes the routers longer to read the longer IP addresses.


[/joke]

My broadband basic info/help site - www.robertos.me.uk. Domains, site and mail hosting - Tsohost.
Connection - AAISP Home::1 80/20. 200GB. Sync 74145/13476Kbps @ 600m. BQMs - IPv4 & IPv6

Edited by RobertoS (Mon 01-Jan-18 19:12:24)

Standard User deleted
(deleted) Mon 01-Jan-18 19:46:40

Re: The state of ipv6 on the internet
[re: RobertoS]

In reply to a post by RobertoS:
In reply to a post by baby_frogmella:
In reply to a post by Chrysalis:
Also ipv6 performs faster due to not having NAT complexity.

Really? As I have the option of both ipv4 & native ipv6 with my ISP, my ping times increased by a few ms when I tried ipv6 so went back to ipv4 for the better ping times. Actual throughput on the connection remained the same, just worse latency on ipv6.
That's because it takes the routers longer to read the longer IP addresses.


[/joke]


LOL
Standard User bsdnazz
(regular) Mon 01-Jan-18 20:01:22

Re: The state of ipv6 on the internet
[re: Pipexer]

In reply to a post by Pipexer:
I think the point of IPv4 was also to expose every single device, they just didn't realise it would become so widely adopted so then you ended up with NAT, which, true as you say does provide a great deal of security as a by-product of what it is for.

Though you can mimic the security provided by a NAT configuration very easily on IPv6 by using a firewall, so preferring IPv4 to IPv6 due to security by NAT is not really a valid point. For example my Draytek 2860 has an option called "Block routing connections initiated from WAN" which is enabled by default for IPv6 and basically provides the same security that NAT does for IPv4 to the IPv6 side.


Indeed. IPv6 just takes us back to pre-NAT days when every IP address (RFC1918 aside) was potentially contactable on the internet and everyone needed to think a little more about firewalls. The way NAT is typically implemented means that new connections from the internet to the consumer's LAN are possible. Outgoing connections automatically set a return path for the replies to use so unless port-forwarding is used NAT provides basic security.

In pre-NAT days when a class C-network was routed down a leased line unless the router implemented some firewall rules (or an extra firewall installed) the entire class C-network would be directly accessible from the internet. IPv6 is no different and these days IPv6 routers typically set-up a basic firewall rule to allow no incoming connections which provides the same basic security as NAT.

Thinking about other attacks such as auto-configuration attacks this is little different to the type of attacks possible on an IPv4 LAN. I could configure a device with the same IP address as the router and connect it to the LAN or a bogus DHCP server giving out rubbish information.

IPv6 autoconfiguration can use the ethernet MAC address to generate a static IPv6 address which does not change and allows for tracking. This is little different from pre-NAT IPv4 except that IPv4 DHCP might allocate the IP address from a fixed pool rather than hand out the same number each time.

These days, with all the tracking information available in browser cookies and capabilities it's not the only source of identity tracking.
Standard User Oliver341
(eat-sleep-adslguide) Mon 01-Jan-18 20:48:04

Re: The state of ipv6 on the internet
[re: bsdnazz]

In reply to a post by bsdnazz:
IPv6 autoconfiguration can use the ethernet MAC address to generate a static IPv6 address which does not change and allows for tracking. This is little different from pre-NAT IPv4 except that IPv4 DHCP might allocate the IP address from a fixed pool rather than hand out the same number each time.

Another nice thing about IPv6 is temporary addresses. Typically every time an IPv6 client reconnects to a router, a new IPv6 address will be assigned from the pool (typically one of 18,446,744,073,709,551,616 addresses). This limits the ability of websites to track by IP address. The client can revert to the MAC-derived "permanent" IPv6 address if need be, e.g. if it's a server.

Under IPv4 the router will usually only have one IP address for WAN, so unless the router is rebooted the same IP address will be presented to websites for weeks or maybe months.

Oliver.
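
The two posts above contrast MAC-derived (modified EUI-64) addresses with temporary addresses. The following is an added example, not part of either post: it derives the stable interface identifier from a MAC, shows that it follows the device across two /64 prefixes, and gives a check that flags addresses which embed a MAC. The MAC and the `2001:db8::/32` documentation prefixes are constructed, the function names are hypothetical, and the temporary address is simplified to a random 64-bit identifier.

```python
import ipaddress
import secrets
from typing import Optional

IID_MASK = (1 << 64) - 1  # low 64 bits of an IPv6 address: the interface identifier


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier built from a 48-bit MAC address."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit of the first octet and insert ff:fe in the middle.
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, iid: int) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC expects a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | (iid & IID_MASK))


def temporary_address(prefix: str) -> ipaddress.IPv6Address:
    """Simplified temporary address: a fresh random identifier in the same /64."""
    return slaac_address(prefix, secrets.randbits(64))


def embedded_mac(address: str) -> Optional[str]:
    """Return the MAC recoverable from an EUI-64 style address, else None."""
    iid = (int(ipaddress.IPv6Address(address)) & IID_MASK).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"  # constructed sample MAC
    # Two different networks (e.g. home and office): the stable address keeps
    # the same low 64 bits on both, the temporary address does not.
    for prefix in ("2001:db8:1:2::/64", "2001:db8:aaaa:bbbb::/64"):
        stable = slaac_address(prefix, eui64_interface_id(mac))
        temp = temporary_address(prefix)
        print(f"{prefix:26} stable={stable} (mac {embedded_mac(str(stable))})")
        print(f"{'':26} temp  ={temp}")
```

Running `embedded_mac` over addresses seen in server or firewall logs is a quick way to audit which hosts are still presenting MAC-derived addresses to the outside.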
Standard User Andrue
(eat-sleep-adslguide) Tue 02-Jan-18 14:01:22

Re: The state of ipv6 on the internet
[re: Chrysalis]

Whilst I do agree that IPv6 will be an improvement and I think the privacy complaints can be ignored I have never been able to sit idly by while someone has a go at NAT.

First off, it provides significant security. It is impossible to launch an unsolicited attack against a machine behind a NAT router. Even assuming a bug in the router (just as likely with a firewall) that allows the packets onto the LAN the attack is not going to succeed because the IP address will be invalid. And whilst it is fairly easy to imagine the complex code of a firewall having a bug it is harder to imagine how the relatively simple routing logic of NAT could be flawed.

Secondly that moan about end-to-end connectivity is bearded geek territory if ever I heard it. I use Skype at home. I've played multi-player games at home. I run a mail and FTP server from home. I provide my Dad with technical support and telework from home. I do all of that without any great technical knowledge (mail and FTP being the exception but I found it a lot more difficult to get IPv6 working for those). Think of all the things that people now do every day around the world and most of them are being done through NAT. So exactly what end-to-end protocol is NAT not compatible with?

Yes, a full firewall is also a great idea. And if forced to choose an intelligent firewall would be what I'd go for (one that can understand protocols and maybe even perform virus checking). But NAT on its own provides significant security and probably as much as your average home connection needs.

---
Andrue Cope
Brackley, UK

Edited by Andrue (Tue 02-Jan-18 14:03:49)

Standard User billford
(elder) Tue 02-Jan-18 14:16:41

Re: The state of ipv6 on the internet
[re: Andrue]

In reply to a post by Andrue:
First off, it provides significant security.
That may be true (although some would differ) but it has nothing to do with the original bald statement that "IPv6 is insecure".

It was introduced to get around the shortage of IPv4 addresses, and from that point of view it's a fudge. Simples :P

Bill
A level playing field is level in both directions.

_______________________________________Planes and Boats and ... ______________BQMs: IPv4 IPv6
Standard User deleted
(deleted) Tue 02-Jan-18 14:20:40

Re: The state of ipv6 on the internet
[re: bowdon]

Excellent thread, OP. Would read again. 5/5.
Standard User deleted
(deleted) Tue 02-Jan-18 16:11:34

Re: The state of ipv6 on the internet *DELETED*
[re: deleted]

Post deleted by seb
Standard User deleted
(deleted) Tue 02-Jan-18 16:31:54

Re: The state of ipv6 on the internet
[re: deleted]

In reply to a post by 10forcash:
The link below indicates some of the reasons why IPv6 is not mature enough to be used 'in public', certainly not in any of the networks I have responsibility for, which are very far from being 'public'.

NAT is not a 'fudge' - next you'll be telling me there's no reason to use vLANs and every network should just have a flat topology, oh, security is very much baked into layer2 protocols, if you care to look.


Really? Connect to the same layer 2 Ethernet network as me with nothing configured on top. See what happens if I have my machine gratuitously ARP the gateway your machine is using. Thanks for the frames.

Not only is this behaviour desirable it's necessary to ensure VRRP / HSRP work as they rely on it. To prevent this takes active configuration.

ARP is a layer 2-ish protocol, it couldn't care less about security. It's there to convert layer 3 addresses into layer 2.

Connect to an open WiFi network. See what happens if I have a machine start gratuitously ARPing the access point's address. Security doesn't seem very baked in there.

All rely on additional mechanisms for protection.

VLANs were not baked into Ethernet. They are 802.1q, and were introduced to the standard back in 1998. Ethernet had been about a while before then.

In your considering IPv6 to not be ready for deployment are you saying that you know better than the network architects at Apple, Google, Comcast, etc? They all use IPv6 for both internal and external services.

Do you know why Comcast enabled IPv6? They ran out of RFC1918 address space. Should they have started using internal NAT, maybe borrowing IPv4 address space that didn't belong to them and use route maps / filtering to ensure they don't advertise it?

IPv6 has been slow to deploy due to cost of replacing legacy hardware, occasionally flaky support by vendors, especially of CPE, and, well, that IPv4 continues to be 'okay'.

Security has not been a significant consideration anywhere that I'm aware of, though I welcome links to where operators made the decision not to deploy due to security considerations. On the whole, much as with IPv4 networks, if a bad actor is on the same layer 2 network as an endpoint and its default gateway they can have fun.

Hang on, didn't you just claim security was baked into layer 2 protocols? Looks as though it neither helps with ARP poisoning or indeed the, outdated, caveats with IPv6 described in your link.
Administrator seb
(founder) Tue 02-Jan-18 17:57:00

Re: The state of ipv6 on the internet *DELETED*
[re: deleted]

If you're needing to mask language then it's not for this forum.

Sebastien Lahtinen
Co-Founder,
thinkbroadband.com

personal blog - blog.seb.me.uk
twitter - @sebtweet
The author of the above post is a thinkbroadband staff member. It may not constitute an official statement on behalf of thinkbroadband.
Standard User Andrue
(eat-sleep-adslguide) Tue 02-Jan-18 20:41:33

Re: The state of ipv6 on the internet
[re: billford]

In reply to a post by billford:
In reply to a post by Andrue:
First off, it provides significant security.
That may be true (although some would differ) but it has nothing to do with the original bald statement that "IPv6 is insecure".

It was introduced to get around the shortage of IPv4 addresses, and from that point of view it's a fudge. Simples :P
"The bottom line is that NAT is not a security feature and removing NAT from your network will NOT make it less secure."

I'd agree with that.

"In fact, it may actually increase your overall security."

The use of the word may means I won't argue against that statement either ;)

But there are security advantages in not having a WAN address on a device and extensive use of NAT does not appear to have broken or even inhibited internet use.

---
Andrue Cope
Brackley, UK
Standard User ian72
(eat-sleep-adslguide) Wed 03-Jan-18 08:12:25

Re: The state of ipv6 on the internet
[re: Andrue]

I don't believe there is any reason that NAT couldn't be used with IPv6 as well. So if people were that worried they could NAT their network with IPv6 - that is fine if they have no need for those devices to be accessible from the outside. However, it is the firewall's job to provide the security - even on a NAT'd network if one device is accessible externally then any flaws on that device's software could be used to gain a foothold as a bouncing off point to other devices inside the network even if they don't have public IPs.
Standard User deleted
(deleted) Wed 03-Jan-18 09:41:13

Re: The state of ipv6 on the internet
[re: ian72]

Spot on, Ian. The university I study through has the best Information Security group in the country, one of the handful of best in the world, and a great big public address block that's well used internally.

I did a very simple process diagram that was deleted due to my careless quoting.

A NAT gateway does this:

Outbound packet -> add to state table -> rewrite source IP / port per configuration -> send to WAN
Inbound packet -> consult static rule set, if no match consult state table, if still no match drop, else -> rewrite destination IP / port per configuration / state -> send to LAN

A stateful firewall does the exact same security functionality without the layer 3 and 4 header rewrites.

The only real benefit from NAT is that it's by default stateful and deny all else, though firewalls seem to have that as default now, too, and have for a while. Yay.

Either way that addresses are routable hasn't impacted on many organisations' use of public IPv4 addresses or on their use of IPv6, and as long as CPE manufacturers keep the default stateful IPv6 firewalling in place there shouldn't be problems.

If there's a worry about modification of firewall rules rendering networks reachable, well, that can be done through static NAT rules so RFC1918 offers no real protection. If someone pwns your firewall, firstly either you or your firewall vendor fail, secondly the version of IP you have running through and behind it is academic, unless you've a multi-layered security mechanism with multiple firewalls and/or IDP in addition to the bastion firewall facing the public.
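
The two flows in the post above, modelled as an added example (not part of the original thread): a toy stateful firewall and a toy NAT gateway are given the same three inbound packets, and the static forward shows an RFC1918 host being reached from outside. Class names, ports and the documentation-range addresses are constructed for illustration.

```python
from typing import NamedTuple

class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int

class StatefulFirewall:
    """Routed, no rewrite: static rules, then state table, else drop."""
    def __init__(self, static_allow=()):
        self.static_allow = set(static_allow)  # {(lan_ip, port)} opened on purpose
        self.state = set()                     # reply tuples expected from the WAN
    def outbound(self, p):
        self.state.add((p.dst, p.dport, p.src, p.sport))
        return p
    def inbound(self, p):
        ok = (p.dst, p.dport) in self.static_allow or tuple(p) in self.state
        return p if ok else None

class NatGateway:
    """Same decision order, plus the layer 3/4 header rewrites."""
    def __init__(self, wan_ip, static_forward=None):
        self.wan_ip = wan_ip
        self.static_forward = dict(static_forward or {})  # {wan_port: (lan_ip, port)}
        self.state = {}           # {(remote, rport, wan_port): (lan_ip, port)}
        self.next_port = 40000
    def outbound(self, p):
        wan_port, self.next_port = self.next_port, self.next_port + 1
        self.state[(p.dst, p.dport, wan_port)] = (p.src, p.sport)
        return Packet(self.wan_ip, wan_port, p.dst, p.dport)
    def inbound(self, p):
        key = (p.src, p.sport, p.dport)
        target = self.static_forward.get(p.dport) or self.state.get(key)
        return Packet(p.src, p.sport, *target) if target else None

def verdicts(gw, lan, remote, scanner, public):
    """[reply to tracked flow, unsolicited probe, probe to statically opened port]"""
    sent = gw.outbound(Packet(lan, 51000, remote, 443))
    tests = [Packet(remote, 443, sent.src, sent.sport),
             Packet(scanner, 4444, public, 22),
             Packet(scanner, 4444, public, 8443)]
    return [gw.inbound(p) is not None for p in tests]

if __name__ == "__main__":  # constructed documentation-range addresses
    fw = StatefulFirewall({("2001:db8:1::10", 8443)})
    nat = NatGateway("203.0.113.5", {8443: ("192.168.1.10", 8443)})
    print(verdicts(fw, "2001:db8:1::10", "2001:db8:ffff::7", "2001:db8:bad::1", "2001:db8:1::10"))
    print(verdicts(nat, "192.168.1.10", "198.51.100.7", "198.51.100.99", "203.0.113.5"))
```

Both gateways return the same three verdicts; the only difference is that the NAT gateway rewrites the headers on the packets it lets through.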
Standard User deleted
(deleted) Wed 03-Jan-18 09:43:03
Re: The state of ipv6 on the internet

[re: ian72]
 
In reply to a post by ian72:
I don't believe there is any reason that NAT couldn't be used with IPv6 as well. So if people were that worried they could NAT their network with IPv6 - that is fine if they have no need for those devices to be accessible from the outside.


Yip.

https://www.juniper.net/documentation/en_US/junos/to...
Standard User Andrue
(eat-sleep-adslguide) Wed 03-Jan-18 12:17:00
Re: The state of ipv6 on the internet

[re: deleted]
 
I'm not suggesting that we should incorporate NAT into IPv6. I'm just defending it because I feel it comes in for a lot of unjustified stick, particularly of the 'it breaks the internet' variety. It never broke my internet :)

---
Andrue Cope
Brackley, UK
Standard User ian72
(eat-sleep-adslguide) Wed 03-Jan-18 13:42:15
Re: The state of ipv6 on the internet

[re: Andrue]
 
The point is IPv6 can do NAT so even if people think not having NAT is an issue then it isn't because they can use NAT.
Standard User andy88
(eat-sleep-adslguide) Fri 02-Feb-18 03:28:18
Re: The state of ipv6 on the internet

[re: awontroba]
 
BT HH5 should be able to do IPv6 if enabled (by BT).
The line has it present, and in the status/event log it shows that it was assigned on the WAN side. But because the LAN side was not enabled (option set by BT TR69 management of the hub) you won't get it on the LAN.

If you have a BT Smart Hub 1 (AKA HH 6)
then you should get IPv6 enabled on the LAN.

The BT Business versions the user can enable/disable in the menus.
Though currently if you have a Static IPv4 range setup (and a Dxxxx login) that infrastructure does not supply IPv6 yet.
(Go back to Green-light or bthomehub logins to get it.)

Likewise, if you use a non-BT router that is IPv6 capable, it all works fine.

So it was there... just not visible.
Standard User Chrysalis
(legend) Mon 05-Feb-18 14:51:17
Re: The state of ipv6 on the internet

[re: Pipexer]
 
No, there isn't.

You add a DNS record, add a vhost and it's done.

Sky Fibre Pro BQM - IPv4 BQM - IPv6
Standard User Chrysalis
(legend) Mon 05-Feb-18 15:06:14
Re: The state of ipv6 on the internet

[re: Andrue]
 
Never said it broke the internet, but it is a large factor in router performance bottlenecks.

Of course things like double NATting, CG-NAT etc. can break things quite easily.

Like it or not, IPv4 has hit its end, the top end suppliers of the IP address space have mostly run out of address space to allocate, it is used up. Some individual organisations have hoarded addresses so they "yet" have a crisis. But that doesn't mean we shouldn't migrate to IPv6.

Organisations such as EE who have moved large swaths of their customer base to IPv6 have reported consistent performance improvements on IPv6 to IPv6 endpoints.

Also, as pointed out, if it's a user preference NAT can be used on IPv6.

I also agree with ignition's comments, prior to the widespread use of NAT, the state of firewalls on routers was poor, as well as back then Windows would have no firewall enabled by default as well. Times have of course changed since then, routers do have stateful firewalls now and Windows also has inbound filtering enabled by default.

Sky Fibre Pro BQM - IPv4 BQM - IPv6
Standard User dsergeant
(member) Mon 05-Feb-18 17:48:54
Re: The state of ipv6 on the internet

[re: andy88]
 
Having had IPv6 on my Sky line for the last year or so I was a bit disappointed when I switched to BT (ADSL) that they sent me the HH4 with IPv6 disabled as described by Andy88. Originally they were expected to enable all lines and routers a year ago. If they insist on sending new customers non-IPv6 hardware, and with support seemingly knowing nothing about it, we have a long way to go before it gets widespread use.