Comment by Spooky23

> You’re not wrong, but I have been running complicated multi-site VPNs with a small homelab multi-subnet / VLAN setup for 25 years and still have yet to have a collision.

And I've been in corporate IT networks with mergers/acquisitions where both organizations involved had 10.0.0.0/24. Ever have NAT inside a company? Fun stuff. (Thrown in some internal-only split-horizon DNS too.)

Then there's the fact that in the COVID period we had IPs for VPN clients (172.*) in the same range as what some developers used for their Docker stuff. Hilarity.

Even supposedly prosumer gear sucks at ipv6. The ubiquiti situation was awful about a year ago. I got a dynamic prefix and wanted to setup ULA. Maybe I was dumb, but I couldn't find any way to do it.

Heck, I couldnt even see which prefix I was handled, nor could I see any ipv6 address anywhere in the gui. This was with a self hosted up to date controller though. YMMV.

> So I have to run a ULA in parallel to the publicly accessible networks specifically for internal routing, and then use a DNS server to try and correct it. Which works great! ...except when you run into this little niche operating system called Android. Which by default doesn't obey a network provided DNS server if you've got privacy DNS enabled. So if I've got guests over and I want them on a network in my place to access some sort of internal resource, then I've got to walk them through disabling privacy DNS.

This also sounds like it would be a problem for v4? I'm not clear on how this is a v6 problem. If I'm picturing it correctly, it's a difference of handing the guests a local v4 address vs disabling privacy DNS and handing them a DNS name. I'd think the latter would be easier

Using a public domain for TLS certs for private networking is pretty standard in /r/selfhosted and /r/homelab at least.

Fair point on ISPs handing out /64 prefixes, but this is the first I've heard of them varying the prefix length once you know what you've got. I don't doubt it though

> Either that or I need to go out and buy a domain... for my internal network...and then get a TLS certification for my private internal domain.

TBF, if you are on HN that should be extremely simple for you. I use a subdomain of my primary email domain I own, and use LetsEncrypt to issue TLS certs on my internal network. Well beyond the means of my mom and sister, but probably pretty easy for most people here.

It still helps. I have a 1U in a colo which gives me a /64 for ipv6 and ~5 addresses for ipv4. I just set up a dual stack kubernetes cluster on 6 virtual machines. When I want to ssh into one of the machines, my options are either:

  1. Use IPv6 which works and goes directly to the virtual machine because each virtual machine grabs its own address from one of my 18446744073709551616 addresses.
  2. Use IPv4 and either have to do a jumphost or do port forwarding, giving each virtual machine its own port which forwards to port 22 on the virtual machine.
  3. Use a VPN.

I have all 3 working, but #1 was significantly less setup and works the best.

Also being able to generate unique ULA subnets is super nice.

If you are an ISP running dual stack ipv4 with NAT plus ipv6, the more connections happen via ipv6 and the more traffic happens via ipv6, the better, because it doesn't have to go through the NAT infrastructure which is more expensive, and cost scales with traffic (each packet needs its header to be modified) and number of parallel open connections (each public v4 address gives you only 65k port numbers, plus this mapping needs to be stored in RAM and databases).

> Adopting IPv6 doesn't alleviate the pain of IPv4 exhaustion if you still need to support dual-stack.

Sure it does: the more server-side stuff has IPv6 the fewer IPv4 addresses you need.

If you have money (or were around early in the IPv4 land grab) you have plenty of IPv4 addresses so can give each customer one to for NATing. But if you don't have money to spend (many community-based ISPs) you have to start sharing addresses (16:1 to 64:1 is common in MAP-T deployments). You also have to spend CapEx on CG-NAT hardware to handle traffic loads.

Some of the highest bandwidth loads on the Internet are for video, and Youtube/Google, Netflix, and MetaBook all support IPv6: that's a lot of load that can skip the CG-NAT if the client is given a IPv6 address.

If you can go from 1:1 to 16:1 (or higher) because so few things use IPv4 that means every ISPs can reduce their legacy addressing needs.

On company/university wifi networks, v6 cuts your v4 DHCP pool address usage by something like 70%, without hurting connectivity to v4 hosts.

You can run a V6 first network with a tiny bit of v4 sprinkled in on the edge where it's needed. The tech to do this is mature and well understood.

> The widespread deployment of NAT and VPNs has counter acted the market forces that were assumed to make IPv6 appealing.

Tell that to everyone who is behind CG-NAT and has issues with (e.g.) video games. Or all the (small(er)) ISPs that have to layout CapEx for translation boxes.

IPv4 addresses are still expensive. NAT is a value add for a lot of cloud platforms.

IPv6 has arguably done more to counteract market forces related to IPv4 address exhaustion.

Yep, iot would be a tremendously worse security problem if everyone wasn't actually operating a household subnet without knowing it.

When your washing machine, fridge, etc all come with ipv6 5g modems is when your house becomes part of the future IT battlescape between lots of different entities that do not wish you well.

> Enough addresses for what? Nobody needs or even wants all of their devices to have globally routable addresses.

They do if they have applications, such as Xbox/PS gaming applications, broken VoIP in gaming lobbies, failure of SIP client to punch through etc. And if an ISP does not have, or cannot afford, to get enough IPv4 to hand each of their customers at least one to assign to the CPE's WAN port, you're now talking about CG-NAT, which a whole other level of breakage.

Enough addresses for proper P2P connectivity, which is kinda useful for newfangled things like video chat?

I think the western world very much revolves around:

* The internet

* Linux servers

* Automation

I get your point, but it falls on deaf ears to me since most people don’t feel the benefits until some passionate nerd makes something that scratches an itch.

For a practical example: peer-to-peer sharing like Airdrop is much easier to implement in a world with ipv6.

The world at large doesn't care what I love, correct. But my users care about whether they have to remember that they're supposed to use port bla instead of the standard port foo, which is a common scenario with v4. Not enough addresses, and / or you can't get them to the VM or container or VPN client or whatever that needs them. IPv6 can often fix these kinds of issues.

Does the world at large care? No.

Do I care? Yes.

Do my users care? Yes, albeit indirectly.

Does my organization care? Yes, in the sense that it removes friction from what it needs the employees to do.

And that's all the justification that's needed, I'd say. The world very clearly doesn't need to revolve around what I love for IPv6 to be a good thing.