I have seen some YouTube videos about IPv6. In theory, it has some advantages over IPv4. But I am a normie home user with a pfSense box, and it got me thinking.
Is there any benefit for a home user to switch to IPv6? Should I prepare for future adoption now? What security benefits will it bring me?
Note:
- I live outside the US and my ISP is still on IPv4.
I wanted to open the discussion. Thanks for the support.
I don't think IPv6 makes sense right now for internal networking at home.
If your ISP supports it, then sure, use it for your devices that connect to the internet, but don't just throw out IPv4; use both in that case.
I just don't see any real-world advantages for v6 in a small network when your ISP does not support v6. If you had a network with thousands of devices then yes, it would make sense.
I wouldn't discourage you if you wanted to do it for fun or for a learning experience though; setting it up won't do any harm, it just costs time.
If your ISP supports it, I would terminate IPv6 at my router. This way you get the best of both worlds. Most ISPs only give one IPv4 per account with residential service. But they give you more than one with IPv6. With IPv6 to the router, allowing more than one device to reach the internet if you needed to is possible with NAT.
I'm interested in this topic as well. As someone who's used IPv4 since the early 90s, it's familiar and comfortable to me. I find IPv6 to be strange and uncomfortable because I'm not so familiar with it.
Now I'm sure I've collected some misconceptions in my attempts to learn more, so if someone can help correct me, this is what I've picked up on:
Each device gets its own globally unique IP directly on the internet, meaning that NAT and a normal firewall setup are somewhat out of the picture. One of the things that makes IPv4 comfortable to me is that my firewall decides where traffic comes and goes (to some extent) and I can control which ports go to specific machines. By default my firewall blocks all incoming connections unless I decide to open up a port. With IPv6, the risks would seem to be much greater and more difficult to manage, as I would think it would be very easy to expose vulnerabilities in your devices out on the internet.
Is this accurate or am I way off base here?
I'd be interested in learning how to set up an IPv6 network securely for a home environment. At least for learning purposes. I've got a pfSense router so it supports it.
That's a pretty big misconception. v6 traffic has to go through your firewall to get from the scary internet into your local network. All the UDP/TCP rules that you set for v4 are of course available for v6.
Assigning a globally routed v6 address to a host does not mean that host is accessible without first being routed past your firewall. And you don't have to assign a globally routed address if you don't want to. There are of course non-routed v6 address ranges that mirror the functionality of the familiar v4 local ranges. And just like with v4, if you want those hosts with only local v6 addresses to be able to reach out, you can SNAT them at a router with a global address and the router will take care of the return traffic for you, just like v4.
I, myself, was curious about this. My ISP does not as yet support residential IPv6 service. In this situation, there are some alternatives. I set up an account with Hurricane Electric (IIRC). They assigned a block of publicly facing IPv6 addresses to me and I configured a tunnel between them and my pfSense box. I then spent more time than I am comfortable to admit, learning how the IPv6 address space (types of addresses, types of address allocation and subnetting) works. Finally, after a weekend long ordeal, I was able to connect to the outside world without the archaic, outmoded and mouldy IPv4 protocol.
What did I gain for my trouble?
A lot more latency!
Obviously, if my ISP supported IPv6 natively and there was no need to tunnel all of my traffic, latency would not be an issue. But, at this stage of the game, where we effectively have two Internets (one IPv4 and one IPv6) running in parallel, there is no reason for the casual user to prefer one protocol over the other. Also, be aware that virtually nothing that you know about IPv4 networking is transferable, apart from general concepts. IPv6 is an altogether different beast. It was definitely an interesting learning experience, if this is the sort of thing that trips your trigger, and I did learn a lot, but I can't say as I would recommend this sort of experiment, unless you have too much free time on your hands and you are in need of a new hobby.
Well, the best source of information would be the RFCs, but they can sometimes be rather impenetrable... and there are seemingly dozens of them which deal with IPv6. Additionally, I watched the odd YouTube vid and did some duckduckgo-ing. Honestly, it's been just over a year since I performed this little experiment, so I can't say as I can recall any particularly good sources of information... apart from the RFCs, of course.
If you are already familiar with IPv4 networking concepts, you'll probably only need to focus on IPv6 subnetting and address allocation. You might start with an article like this one, which will help you narrow your reading list:
There's probably no clear reason to do it, other than to get comfortable with it. IPv6 is the future. Switching now will give you more experience for when it becomes widespread.
Additionally, I think the move to IPv6 is also a move away from trying to know IP addresses. Ideally your network should be set up in a way that you, as a human, only have to know hostnames. If you dig through all the big stuff, your internal home addresses start to look much more reasonable.
::1 is localhost
fe80::12 is a device on your network
fc00::23 is a device on a different subnet
That's about all of the IPv6 patterns you'll ever need as plain addresses. Ideally you should let your router manage all of this for you. The days of micromanaging IPs are over. You give names to stuff and your gateway worries about the rest.
This doesn't mean you have to do it like that.
You are free to give out IPv6 addresses in your internal network however you please and still use a NAT router to hide them from the actual internet.
Just because we now HAVE enough addresses for every grain of sand to be connected to the internet doesn't mean we have to use it like that.
Plus, security through obscurity is never a good idea. IPv4 or 6, securing your devices from external access is required with both.
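The three address patterns listed in the post above (loopback, link-local, unique-local) and the "globally routed vs. local, SNAT if you want local hosts to reach out" distinction from the earlier reply can be checked mechanically. This is an added example, not code from anyone in the thread; it uses only Python's standard `ipaddress` module, and the sample addresses (the post's plus a documentation-prefix address, a multicast address and an IPv4-mapped one) are constructed for illustration.

```python
import ipaddress

# Constructed sample addresses: the ones from the post plus a few extra scopes.
SAMPLE_ADDRESSES = ["::1", "fe80::12", "fc00::23", "fd12:3456:789a::23",
                    "2001:db8:1::10", "ff02::1", "::ffff:192.0.2.7"]

ULA = ipaddress.IPv6Network("fc00::/7")             # RFC 4193 unique local addresses
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")  # global unicast space in use today


def classify(addr: str) -> dict:
    """Return the scope of an IPv6 address and what it takes to reach the internet from it.

    Order matters: ipaddress's is_private is True for loopback, link-local, ULA and the
    documentation prefix alike, so each scope is tested explicitly instead.
    """
    a = ipaddress.IPv6Address(addr)
    if a.is_loopback:
        scope = "loopback"
    elif a.is_unspecified:
        scope = "unspecified"
    elif a.is_multicast:
        scope = "multicast"
    elif a.is_link_local:
        scope = "link-local"
    elif a in ULA:
        scope = "unique-local"
    elif a.ipv4_mapped is not None:
        scope = "ipv4-mapped"
    elif a in GLOBAL_UNICAST:
        scope = "global-unicast"
    else:
        scope = "reserved"
    # Only a global unicast address is routed end to end (your firewall still decides what
    # gets in); a ULA host needs SNAT/NPTv6 at a router holding a global address; a
    # link-local address never leaves its own link.
    reach = {
        "global-unicast": "routed directly; firewall policy decides what is reachable",
        "unique-local": "needs SNAT/NPTv6 at a router with a global address",
        "link-local": "cannot leave the local link",
    }.get(scope, "not a usable unicast source address")
    return {"address": a.compressed, "scope": scope, "internet_reachability": reach}


def classify_all(addrs=SAMPLE_ADDRESSES):
    return [classify(x) for x in addrs]


if __name__ == "__main__":
    for row in classify_all():
        print(f"{row['address']:>20}  {row['scope']:<15} {row['internet_reachability']}")
```

Run it with no arguments and it prints one line per sample address; feed `classify()` an address copied from `ip -6 addr` to see which of the three patterns it falls under before deciding whether a firewall rule or SNAT is even relevant to it.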
If you want IPv6 to work you need to run dual stack.
This should be relatively automatic if your ISP supports it. It should mostly auto configure.
"Terminating it at the router" will mean only your router can use IPv6. Given that NAT isn't really a deployment scenario for IPv6, that means that your internal clients can't reach the IPv6 internet.
The short version:
If you have IPv6, enable it. Assuming you're setting up an IPv6 firewall, be sure to allow ICMP messages for fragmentation and other routing decisions to work (can't remember specific types off the top of my head).
If you don't have IPv6, leave it enabled anyway.
If you have IPv6 and try to cripple it in various ways, expect more frequent "weird internet problems" due to sites and operating systems attempting to connect with IPv6 in preference to IPv4 and failing.
NAT is brain-damaged (in general, but definitely now) in an IPv6 world. What you want to do is just set up a firewall rule-set to allow inbound sessions with established state and block connection requests inbound.
You don't need NAT to do that, and NAT defeats the entire purpose of IPv6 and breaks/weakens encrypted transport due to the hacks needed to make VPNs etc. work around it. The only way to make IPsec work through NAT is with NAT-traversal hacks, for example.
Yes, NAT weakens security over "doing things properly".
DONT
DO
NAT
Unless you're doing, say, NAT64 to enable IPv6-only machines to reach the IPv4 internet.
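The policy the two replies above describe ("allow inbound sessions with established state, block connection requests inbound, and don't forget the ICMPv6 messages that fragmentation and neighbour discovery depend on") can be written down as a small decision function and exercised against sample packets. This is an added example, not anyone's posted code or a pfSense configuration; the `Packet` shape, the state table and the sample flows are constructed for illustration. The ICMPv6 type list follows the RFC 4890 recommendations for what a stateful IPv6 firewall should not drop: the error messages Path MTU discovery relies on (types 1-4), echo (128/129) and the Neighbor Discovery messages that replace ARP (133-136).

```python
from dataclasses import dataclass
import ipaddress

# ICMPv6 types a default-deny IPv6 firewall still has to pass (RFC 4890 guidance).
ICMPV6_ALLOW = {
    1: "destination-unreachable", 2: "packet-too-big",
    3: "time-exceeded", 4: "parameter-problem",
    128: "echo-request", 129: "echo-reply",
    133: "router-solicitation", 134: "router-advertisement",
    135: "neighbor-solicitation", 136: "neighbor-advertisement",
}
NDP_TYPES = {133, 134, 135, 136}
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


@dataclass(frozen=True)
class Packet:                 # constructed, minimal view of a packet for the policy check
    direction: str            # "in" (arriving from the WAN) or "out" (leaving the LAN)
    src: str
    dst: str
    proto: str                # "tcp", "udp" or "icmpv6"
    sport: int = 0
    dport: int = 0
    syn: bool = False         # TCP SYN without ACK, i.e. a new connection request
    icmp_type: int = 0
    hop_limit: int = 64


def decide(pkt: Packet, state: set) -> str:
    """Stateful default-deny inbound policy, no NAT. Returns 'accept' or 'drop'."""
    if pkt.direction == "out":
        # Outbound traffic is allowed and creates state keyed on the 5-tuple.
        if pkt.proto in ("tcp", "udp"):
            state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
        return "accept"
    if pkt.proto == "icmpv6":
        if pkt.icmp_type in NDP_TYPES:
            # NDP is link-scoped: a real neighbour is link-local and sends with hop limit 255,
            # so anything else claiming to be NDP is a spoof and is dropped.
            ok = ipaddress.IPv6Address(pkt.src) in LINK_LOCAL and pkt.hop_limit == 255
            return "accept" if ok else "drop"
        return "accept" if pkt.icmp_type in ICMPV6_ALLOW else "drop"
    # A reply to a flow a LAN host opened matches the reverse tuple in the state table.
    if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in state:
        return "accept"
    return "drop"  # unsolicited inbound, which includes every inbound TCP SYN


def run_scenario():
    """Constructed packet sequence; returns the list of decisions in order."""
    state = set()
    lan, wan = "2001:db8:1::10", "2001:db8:ffff::1"
    packets = [
        Packet("out", lan, wan, "tcp", 51000, 443, syn=True),             # LAN opens HTTPS
        Packet("in", wan, lan, "tcp", 443, 51000),                         # reply: has state
        Packet("in", wan, lan, "tcp", 40000, 22, syn=True),                # unsolicited SSH
        Packet("in", wan, lan, "icmpv6", icmp_type=2),                     # packet too big
        Packet("in", "fe80::1", "fe80::10", "icmpv6", icmp_type=135, hop_limit=255),  # NS
        Packet("in", wan, lan, "icmpv6", icmp_type=135, hop_limit=255),    # spoofed NS
        Packet("in", wan, lan, "udp", 53, 5353),                           # unsolicited UDP
    ]
    return [decide(p, state) for p in packets]


if __name__ == "__main__":
    print(run_scenario())
```

Note what the packet-too-big case shows: a ruleset that drops all inbound ICMPv6 along with the SYNs also drops type 2, and with no fragmentation by routers in IPv6 that is exactly the "weird internet problems" the reply warns about (large responses silently never arrive). The NDP check illustrates the other common mistake in the opposite direction: allowing all ICMPv6 from anywhere lets a remote host inject neighbour advertisements.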
This would only work if my ISP would give me more than one IPv6 address.
After their support told me that "they don't sell fixed IPv6 addresses to private households, because there aren't that many", I gave up.
So, with a single public IPv6 address, how should I do this properly?
IPv6 needs to die in a fire. Whoever thought ':' was an acceptable character between the address parts needs to be shot; having to hit shift is fucking stupid for typing IP addresses and makes things take 1000x longer.
Should have done ',' instead imo (I get you could change this all pretty easily with just a front-end change, but it kills me still).
I've been thinking this since the day I first typed an IP address, 4 or 6. Having ',' on the numpad, but using '.' or ':' in IP addresses, never made sense to me. To the point where I remap ',' to '.' on my numpad. I'll just remap it.
But, again, afaik the intent is that you basically never use the actual address, but hostnames instead. So the number of times you'd have to type the v6 address should be very few.
Never dig in Splunk logs or examine a packet capture? I get that you can just have your local DNS map everything so even SSH wouldn't require it, but for whatever reason I always type the IP address when I do almost everything, even for IPv4, minus browsing the web.
OP, sorry for the slight derail, but yeah, if you want, just dual-stack it at home if you get IPv6 from your ISP. I also don't like the default where everything gets its own IP; it makes tracking super easy (everything has its own public IP).
Are you sure they only allocate a single address, and it isn't a router issue with your equipment to do with prefix allocation? Sounds like you should get another ISP, as they do not support IPv6 properly, if that is the case.
IETF suggests a minimum subnet size of a /64, even for link addressing, and at least a /56 for, say, a home user on xDSL, which would give you 256 IPv6 subnets.
Even a /56 is considered stingy, to be honest. Several ISPs out there allocate a /48, which is the suggestion for a campus IIRC.
Not doing sensible allocations like the above breaks a lot of IPv6 features (e.g., privacy, automatic configuration, etc.).
No one should be getting less than a /64... if your ISP is doing that, they're run by fuckwits.
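The arithmetic behind the last few replies (a /56 yields 256 /64 links, a /48 yields 65536, and a single address is useless for numbering a LAN because SLAAC needs a whole /64 per link) is small enough to put in a helper that also carves a delegated prefix into per-VLAN /64s. This is an added example, not from the thread or from pfSense; the delegated prefixes and VLAN names are constructed using the documentation prefix, and the only dependency is Python's standard `ipaddress` module.

```python
import ipaddress

# SLAAC (RFC 4862) builds the host part from a 64-bit interface identifier, so every
# link that should autoconfigure needs exactly a /64; anything longer cannot number a LAN.
LINK_PREFIX = 64


def usable_link_count(delegated: str) -> int:
    """Number of /64 links a delegated prefix can be split into (0 if longer than /64)."""
    net = ipaddress.IPv6Network(delegated, strict=False)
    if net.prefixlen > LINK_PREFIX:
        return 0
    return 2 ** (LINK_PREFIX - net.prefixlen)


def plan_links(delegated: str, names) -> dict:
    """Assign one /64 from the delegated prefix to each named link (VLAN), in order.

    Raises ValueError for an allocation that cannot number even one link (the
    single-address case described above) or that runs out before every name gets one.
    """
    net = ipaddress.IPv6Network(delegated, strict=False)
    if net.prefixlen > LINK_PREFIX:
        raise ValueError(f"{net} is longer than a /64: cannot number even one SLAAC link")
    links = net.subnets(new_prefix=LINK_PREFIX)  # generator over the /64s, lowest first
    plan = {}
    for name in names:
        try:
            plan[name] = str(next(links))
        except StopIteration:
            raise ValueError(
                f"{net} only yields {usable_link_count(delegated)} /64s; ran out at {name!r}"
            ) from None
    return plan


if __name__ == "__main__":
    # Constructed example: a /56 from the ISP, three LAN segments behind the router.
    for alloc in ("2001:db8:ab00::/56", "2001:db8::/48", "2001:db8:1::/64", "2001:db8::1/128"):
        print(f"{alloc:<22} -> {usable_link_count(alloc)} usable /64 link(s)")
    print(plan_links("2001:db8:ab00::/56", ["lan", "iot", "guest"]))
```

Feeding the function the prefix your router actually received via DHCPv6 prefix delegation is a quick way to tell whether the "single address" problem is the ISP's allocation or, as the reply above suggests, a prefix-delegation setting on your own equipment.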