If your ISP supports it, I would terminate IPv6 at my router. This way you get the best of both worlds. Most ISPs only give one IPv4 per account with residential service. But they give you more than one with IPv6. With IPv6 to the router, allowing more than one device to reach the internet if you needed to is possible with NAT.
I’m interested in this topic as well. As someone who’s used IPv4 since the early 90s, it’s familiar and comfortable to me. I find IPv6 to be strange and uncomfortable because I’m not so familiar with it.
Now I’m sure I’ve collected some misconceptions in my attempts to learn more so if someone can help correct me, this is what I’ve picked up on:
Each device gets its own unique (in the world) IP direct to the internet, meaning that NAT and a normal firewall setup are somewhat out of the picture. One of the things that makes IPv4 comfortable to me is that my firewall decides where traffic comes and goes (to some extent) and I can control which ports go to specific machines. By default my firewall blocks all incoming connections unless I decide to open up a port. With IPv6, the risks would seem to be much greater and more difficult to manage, as I would think it would be very easy to expose vulnerabilities in your devices out on the internet.
Is this accurate or am I way off base here?
I’d be interested in learning how to set up an IPv6 network securely for a home environment. At least for learning purposes. I’ve got a pfSense router so it supports it.
That’s a pretty big misconception. v6 traffic has to go through your firewall to get from the scary internet into your local network. All the UDP/TCP rules that you set for v4 are of course available for v6.
Assigning a globally routed v6 address to a host does not mean that host is accessible without first being routed past your firewall. And you don’t have to assign a globally routed address if you don’t want. There are of course non-routed v6 address ranges that mirror the functionality of the familiar v4 local ranges. And just like with v4, if you want those hosts with only local v6 addresses to be able to reach out, you can SNAT them at a router with a global address and the router will take care of the return traffic for you, just like v4.
I, myself, was curious about this. My ISP does not as yet support residential IPv6 service. In this situation, there are some alternatives. I set up an account with Hurricane Electric (IIRC). They assigned a block of publicly facing IPv6 addresses to me and I configured a tunnel between them and my pfSense box. I then spent more time than I am comfortable admitting learning how the IPv6 address space (types of addresses, types of address allocation and subnetting) works. Finally, after a weekend-long ordeal, I was able to connect to the outside world without the archaic, outmoded and mouldy IPv4 protocol.
What did I gain for my trouble?
A lot more latency!
Obviously, if my ISP supported IPv6 natively and there was no need to tunnel all of my traffic, latency would not be an issue. But, at this stage of the game, where we effectively have two Internets (one IPv4 and one IPv6) running in parallel, there is no reason for the casual user to prefer one protocol over the other. Also, be aware that virtually nothing that you know about IPv4 networking is transferable, apart from general concepts. IPv6 is an altogether different beast. It was definitely an interesting learning experience, if this is the sort of thing that trips your trigger, and I did learn a lot, but I can’t say as I would recommend this sort of experiment, unless you have too much free time on your hands and you are in need of a new hobby.
Well, the best source of information would be the RFCs, but they can sometimes be rather impenetrable … and there are seemingly dozens of them which deal with IPv6. Additionally, I watched the odd YouTube vid and did some duckduckgo-ing. Honestly, it’s been just over a year since I performed this little experiment, so I can’t say as I can recall any particularly good sources of information … apart from the RFCs, of course.
If you are already familiar with IPv4 networking concepts, you’ll probably only need to focus on IPv6 subnetting and address allocation. You might start with an article like this one, which will help you narrow your reading list:
There’s probably no clear reason to do it, other than to get comfortable with it. IPv6 is the future. Switching now will give you more experience once it becomes widespread.
Additionally, I think the move to IPv6 is also a move away from trying to know IP addresses. Ideally your network should be set up in a way that you, as a human, only have to know hostnames. If you dig through all the big stuff, your internal home addresses start to look much more reasonable.
::1 is localhost
fe80::12 is a device on your network
fc00::23 is a device on a different subnet
That’s about all of the IPv6 patterns you’ll ever need as plain addresses. Ideally you should let your router manage all of this for you. The days of micromanaging IPs are over. You give names to stuff and your gateway worries about the rest.
If you want IPv6 to work you need to run dual stack.
This should be relatively automatic if your ISP supports it. It should mostly auto configure.
“Terminating it at the router” will mean only your router can use IPv6. Given that NAT isn’t really a deployment scenario for IPv6, that means that your internal clients can’t reach the IPv6 internet.
The short version:
If you have IPv6, enable it. Assuming you’re setting up an IPv6 firewall, be sure to allow ICMP messages for fragmentation and other routing decisions to work (can’t remember specific types off the top of my head).
If you don’t have IPv6, leave it enabled anyway.
If you have IPv6 and try to cripple it in various ways, expect more frequent “weird internet problems” due to sites and operating systems attempting to connect with IPv6 in preference to IPv4 and failing.
NAT is brain-damaged (in general, but definitely now) in an IPv6 world. What you want to do is just set up a firewall rule-set to allow inbound sessions with established state and block connection requests inbound.
You don’t need NAT to do that, and NAT defeats the entire purpose of IPv6 and breaks/weakens encrypted transport due to the hacks to make VPNs etc. work around it. The only way to make IPsec work through NAT is with NAT-traversal hacks, for example.
Yes, NAT weakens security over “doing things properly”.
Unless you’re doing, say, NAT64 to enable IPv6-only machines to reach the IPv4 internet.
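A small model of the stateful IPv6 edge policy the last few posts describe (accept return traffic for flows the LAN opened, drop unsolicited inbound, let the ICMPv6 that path MTU discovery and neighbour discovery need through), plus the address-scope patterns listed earlier in the thread. This is an added illustration, not code from any poster and not a pfSense or pf configuration; the ICMPv6 type lists follow RFC 4890 and every address and packet below is constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network

# ICMPv6 that RFC 4890 says an edge firewall must not drop from anywhere:
# without 2 (packet-too-big) path MTU discovery silently breaks.
ESSENTIAL_ICMPV6 = {1, 2, 3, 4, 128, 129}   # unreach, too-big, time-exc, param-prob, echo req/reply
# Neighbour/router discovery only ever arrives with a link-local source.
ND_ICMPV6 = {133, 134, 135, 136}            # RS, RA, NS, NA

LINK_LOCAL = IPv6Network("fe80::/10")
UNIQUE_LOCAL = IPv6Network("fc00::/7")       # the "local range" analogue of RFC 1918


def scope(addr: str) -> str:
    """Classify an address into the handful of patterns a home network shows."""
    a = IPv6Address(addr)
    if a.is_loopback:
        return "loopback"
    if a in LINK_LOCAL:
        return "link-local"
    if a in UNIQUE_LOCAL:
        return "unique-local"
    return "global" if a.is_global else "other"


@dataclass
class Packet:
    inbound: bool        # True = arriving on the ISP-facing interface
    established: bool    # True = matches a state entry created by a LAN host
    proto: str           # "tcp", "udp" or "icmpv6"
    src: str             # source address, constructed for the example
    icmp_type: int = -1  # only meaningful when proto == "icmpv6"


def decide(pkt: Packet) -> str:
    """Default-deny inbound, exactly like the familiar v4 posture, but no NAT."""
    if not pkt.inbound:
        return "accept"                    # LAN -> internet is unrestricted here
    if pkt.established:
        return "accept"                    # reply traffic for LAN-initiated flows
    if pkt.proto == "icmpv6":
        if pkt.icmp_type in ESSENTIAL_ICMPV6:
            return "accept"
        if pkt.icmp_type in ND_ICMPV6 and scope(pkt.src) == "link-local":
            return "accept"                # RA/NS/NA from the upstream router only
    return "drop"                          # unsolicited inbound connection attempt
```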
This would only work if my ISP would give me more than one IPv6 address.
After their support told me that “they don’t sell fixed IPv6 addresses to private households, because there aren’t that many”, I gave up.
So, with a single public IPv6 address, how should I do this properly?
IPv6 needs to die in a fire. Whoever thought : was an acceptable character between the address needs to be shot; having to hit shift is fucking stupid for typing IP addresses and makes things take 1000x longer.
Should have done , instead imo (I get you could change this all pretty easily with just a front end change, but it kills me still).
I’ve been thinking this since the day I first typed an IP address, 4 or 6. Having “,” on the numpad, but using “.” or “:” in IP addresses never made sense to me. To the point where I remap “,” to “.” on my numpad. I’ll just remap it.
But, again, afaik the intent is that you basically never use the actual address, but hostnames instead. So the amount of times you’d have to type the v6 address should be very few.
Never dig in Splunk logs, examine packet captures? I get that you can just have your local DNS map everything so even SSH wouldn’t require it, but, for whatever reason, I always type the IP address when I do almost everything, even for IPv4, minus browsing the web.
OP, sorry for the slight derail, but yeah, if you want, just dual stack it at home if you get IPv6 from your ISP. I also don’t like the default that everything gets its own IP; it makes tracking super easy (everything has its own public IP).
Are you sure they only allocate a single address, and it isn’t a router issue with your equipment to do with prefix allocation? Sounds like you should get another ISP, as they do not support IPv6 properly, if that is the case.
IETF suggests a minimum subnet mask of a /64, even for link addressing and at least a /56 for say, a home user xDSL, which would give you 256 IPv6 subnets.
Even a /56 is considered stingy to be honest. Several ISPs out there allocate a /48, which is the suggestion for a campus IIRC.
Not doing sensible allocations like the above breaks a lot of IPv6 features (e.g., privacy, automatic configuration, etc.)
No one should be getting less than a /64… if your ISP is doing that, they’re run by fuckwits.