When can we disable IPv4
Posted by evanvelzen@reddit | sysadmin | 32 comments
I'm managing a server with multiple VMs and applications.
I find that IPv4 leads to a lot of complexity. The lack of address space means I need to set up things like NAT, port forwarding, loopback routing and reverse proxies, all the while avoiding conflicts between subnets and ports.
When will the time come to say goodbye to IPv4 and take advantage of IPv6's large flat address space?
Firefox005@reddit
When IPv6 gets NAT.
Currently IPv6 sucks for a lot of common use cases simply because it either requires you to accept and support renumbering or to have PI addresses and get an internet circuit that supports that.
i.e. to support an extremely common use case today, where a business purchases two or more circuits from an ISP and has seamless failover between them, is a nightmare on IPv6 or requires that you pay more and bring your own IPs and do BGP.
Then add on top of that lacking support basically everywhere and massive inertia to even attempt a change, which usually means by the time the change is implemented everyone has moved past it. For instance, with ATT you only get EIGHT /64s, so if you have ATT and want to have more than eight subnets I guess you are just SOL.
Plus tons of vendors will claim they have support for all the things IPv6 related, until you actually start using those features. Then you will hit limitation after limitation or even worse weird bugs. And don't even get me started on the whole SLAAC vs DHCPv6 shit.
You can look at https://www.google.com/intl/en/ipv6/statistics.html, it's basically stalled out; all the people who HAD to adopt IPv6 did and everyone else looked at it and said the juice ain't worth the squeeze. In addition people are slowly realizing that maybe having a globally unique identifier for a device on the public internet is not the best thing in the world, so now you get stuff like devices rotating their IPv6 address.
So despite being almost 30 years old IPv6 still feels very immature compared to IPv4, and it's mostly because IPv6 wanted to kill NAT. The world runs and depends on NAT, long live NAT!
heliosfa@reddit
Besides the fact that IPv6 already essentially has a type of NAT in the form of NPT (which there is discussion about moving from experimental to proposed standard), just no. That article comes from a boatload of IPv4 thinking by the looks of it.
Prefix delegation is the way to achieve what that author is on about there, and there is a lot of work on this in the SNAC working group. I don't get the aversion to /64s. We have more than enough address space for this.
NPT works for this in a pinch, which is why there is talk about it becoming a proposed standard. There is also a lot of talk about other ways to do it. PI and BGP is the "gold standard".
This is an ISP problem, not an IPv6 problem. Get a better ISP.
Stop thinking in IPv4.
There is still an upward trend on that graph. Plus, APNIC Labs' plots (which do more in-depth gathering than "people who use Google services", which excludes a lot of the world...) and Facebook's stats both show upward movement still.
Clearly you have only ever experienced IPv4 with NAT. There was a time when IPv4 had globals everywhere, and this is the end-to-end connectivity that the Internet was designed around.
Tracking by IP address is also largely irrelevant with browser and other forms of fingerprinting. Ephemeral privacy addresses and interface-stable privacy addresses do still have their place though.
IPv4 is geriatric and on so much life support. Of course IPv6 is going to feel less mature...
Stop trying to justify irrationally prolonging the use of a decrepit 1970's tech that was intended for a single experiment. NAT kills user experience, especially with CGNAT being rolled out more and more.
Firefox005@reddit
So IPv6 is getting NAT but without calling it NAT, long live NAT! And again wow 30 years on and still at the proposed standards stage for a common use case. Lightning speed of development and adoption!
So again, a common use case that works with IPv4 is going to be pushed into the 'gold' level? I am sure network operators everywhere would love to spend even more money on TCAM for their routers.
Classic! You are holding it wrong! ISPs are tied to geographical locations, so if all my options are equally bad I guess I just have to move. lmao.
Not sure how you 'clearly' get that I have no "experience". I use IPv6 every day and have my own ASN and IPv6 allocation. IPv6 was designed as well around GUAs; if it's good enough for IPv4 it's good enough for IPv6, or are we still calling it NPT.
Also I like how you handwave the privacy implication while it's been discussed in depth in the RFCs and even has an RFC of its own: https://datatracker.ietf.org/doc/html/rfc8981
Stop using all tech that was invented in the 1970's and earlier, let me know how far you get. You seem to have an axe to grind with CG-NAT which, fair enough, but no one is trying to prolong anything. I'm just asking for a replacement that is as fully featured as the thing it is replacing.
heliosfa@reddit
No axe to grind, CGNAT is just further technical debt and breaking of the Internet, pushing it more towards a more single-use thing of content delivery from big CDNs to users.
NAT is not a feature. It is a hack and a workaround to prolong a protocol that was dying when the Internet took off. Heck, RFC 1631 states "This memo proposes another short-term solution, address reuse, ... . The address reuse solution is to place Network Address Translators (NAT) at the borders of stub domains."
NPT was first discussed in RFC 6296 from 2011. This is not new, this is not a revelation.
You are missing the point. Other technologies invented in the 1970s have been improved and replaced over time with things that better serve their use case. For some reason, people ardently and irrationally hold onto IPv4 when it has clearly not been fit for purpose for decades.
Firefox005@reddit
You strain yourself reaching that far?
Weird how that was obsoleted by https://datatracker.ietf.org/doc/html/rfc3022, which makes no mention of short-term anything, almost like innovation and progress is made. But no, that can't be: IPv4 and NAT are dead, at least according to you.
I'll quote some choice sentences from the opening:
Uh huh, and where is the informational RFC for NPT? How widespread is vendor support for an experimental RFC? Kind of shocking tbh that the latest and greatest 30 year old protocol is missing such a basic feature.
No I get your point just fine, I've been mocking you about it the entire time. No one is 'irrationally' holding onto anything. IPv6 has one major benefit and a whole plethora of downsides. As I said in my original post the people who have no choice but to use IPv6 do so and everyone else does not. Have you stopped to consider why?
https://i.imgur.com/EQBXZy0.png
heliosfa@reddit
If you can only see one benefit, you are beyond short sighted and clearly don't want to learn, hence "irrational".
Many ISPs and content providers have deployed it by choice as it drastically simplifies their networks, reduces overhead, improves user experience, improves performance, reduces costs and some analysis suggests it may use less energy.
Your projection is astoundingly obvious.
Firefox005@reddit
Well, so far you have only named a single one; please name more, I eagerly await hearing about them. Note I wouldn't consider a larger address space as a benefit, as that would be table stakes for any protocol that would replace IPv4.
Yes, ISPs in countries where they were already severely constrained on addresses. What choice did they have when they don't have any more IPv4 addresses? My original point stands: the people who actually have a choice are choosing to stick with IPv4. If IPv6 is just so amazing, where is the rush of adopters? Nah, I'm sure all those people are just irrational.
Is it? So far it seems like the consensus is that IPv6 is still missing the mark and needs more time to bake (it's only been in the oven for like 26 years).
heliosfa@reddit
I named several benefits in my last post. You just don’t want to see them.
As for ISPs having to deploy it, I’d hardly say that the big ISPs in the UK were short of global IPv4 when they started rolling out IPv6. Sure, new altnets here can’t get v4 space, but it’s the big players pushing as well. The same is true in other countries in Europe and in the States.
Note I’m purposely ignoring Africa and Asia as they really do have no choice but to use IPv6, but by sitting in the west and saying “we have enough IPv4, so…”, you are pretty much promoting a split Internet, which is bad.
Also, address space size is a benefit of IPv6. Just ask organisations that have exhausted RFC1918 space.
Firefox005@reddit
https://blog.apnic.net/2024/10/22/the-ipv6-transition/ Some light reading.
Which countries in the UK are you talking about? Because looking at GB on the APNIC tracker, it sits at a staggering 48.76% today.
I'm not splitting anything, I certainly don't run all those ISPs and networks. I'm just pointing out the reality of the situation. Those who have to are, those who don't aren't.
Table stakes, anything that seeks to replace IPv4 must have a larger address space. Boring.
In other news, look, another shitty kludge on top of IPv6 in an attempt to make it actually usable: https://www.ietf.org/archive/id/draft-ietf-dhc-addr-notification-13.html I'm hopeful that in another 30 years, when IPv6 adoption might be at 80 or even 90%, they will have all this stuff figured out by then.
JivanP@reddit
Hi, IPv6 just works for me, AMA. The only issues I experience are due to needing to maintain backwards compatibility with IPv4-only services.
How are you defining "having to"? In the UK, Sky doesn't have to, BT doesn't have to. In the US, Comcast doesn't have to. Yet... they all are.
Firefox005@reddit
Good for you; you must have a fairly simple use case, or are willing to put up with renumbering, or are paying for BGP with an ISP that supports that.
I am defining "have to" as: they have to because they ran out of IPv4 addresses. The largest adopters of IPv6 are mobile networks, ISPs with more internal nodes than private IPs could support, and countries with limited IPv4 addresses.
Comcast had to; they literally could not fit all their subscriber appliances in IPv4: https://arstechnica.com/tech-policy/2010/01/comcast-running-out-of-ipv4-addresses-beginning-ipv6-trial/
So literally the only driver for most of these networks is necessity, not because they wanted to but because they had to.
JivanP@reddit
Nope to all of that. Just a customer of a residential ISP that has the sense to delegate a static /56. I have multiple VLANs, VMs, and Kubernetes clusters hosting various services, no issues with anything specifically IPv6-related. Even if my ISP did renumber, all of the addressing is put into DNS using dynamic DNS anyway — I obviously don't want to have to manually enter and update the addresses of numerous cattle VMs and Kubernetes pods into DNS, given that those are subject to change (SLAAC everywhere, no DHCPv6) despite the network prefix remaining constant.
Being forced to deal with IPv4 really is the only chore I encounter.
Funnily enough, it's the other way around in Europe; the vast majority of mobile networks are using CGNAT exclusively, no IPv6, and it's the FTTP ISPs that are deploying IPv6 for both residential and business customers, because it's simpler that way.
Firefox005@reddit
Sorry, but that is a simple setup. Also, as you say, your ISP gives you a /56; many ISPs in the States will give you a /60. As I have stated many times, IPv6 has nothing to support the common business use case of having two ISP connections for failover.
What frustration do you have with IPv4, because it has been my experience that IPv4 works in all cases while IPv6 requires special handling and exceptions.
Again I would ask you to question WHY these giant companies which obviously CAN implement IPv6 are choosing NOT to.
JivanP@reddit
What setup in your mind warrants being called complex, and where would you legitimately see it in the wild? It's never supposed to be any more complicated than this.
So these ISPs are ignorant of best practices. So what? That doesn't mean IPv6 is the problem any more than a single bus company preventing more than 10 people from boarding their double-decker buses means that public transport is a problem, or any more than an ISP giving you a single IPv4 address and single TCP port number means that IPv4 or TCP are problems.
This is trivial by using the strategy described in RFC8678. For residential networks with multi-homing, there is the IETF Homenet Working Group, which is rolling out standards to allow end-user devices to choose which of several upstreams to use, just like mobile devices today can choose whether to use WiFi or mobile data depending on the task when connected to both at the same time.
Not enough addresses, resulting in the need for NAT. NAT is a consistent nuisance. I want to play a multiplayer game and host the server, NAT is a problem. I want to have a peer-to-peer VOIP call, NAT is a problem. I want to host multiple web servers on hosts with different RFC1918 addresses behind the same single globally routable address, NAT is a problem. With the first two, it's often not even my NAT that's the issue, but the other parties'.
For businesses, NAT is also a nuisance: STUN servers, TURN servers, other kinds of relays, running out of RFC1918 addresses and needing to use two layers of NAT, needing to use MPLS when IPSec or Wireguard would otherwise suffice, the list goes on and on...
A combination of ignorance, apathy, and the cost of migration now vs. 20 years ago. This is nothing new, it's just the age-old story of short-sighted businesses being short-sighted businesses. Why is the UK only now moving mobile telephone networks from PSTN/POTS to VOIP? Same reasons, and it's only finally happening now in totality because of regulatory intervention.
Firefox005@reddit
An actual business? I have multiple physical locations all around the country with multiple ISPs. Not a single setup at your house.
So what am I supposed to do? Move my business to a location that has better ISPs? Did you even read my other comments on this thread? You are retreading old ground. I have tons of locations that don't even have ANY ISPs that even OFFER IPv6. What am I supposed to do in that situation?
Show me any ISP that even offers that, I'm not aware of any. Also that RFC requires NPT, which is still experimental and doesn't have widespread vendor support. Again, I am talking about the situation as it is today: these solutions are either incomplete, not implemented, or not offered.
I don't have any of those problems with IPv4 in a business setting.
That does not explain why this is a global phenomenon; it's not apathy, it is practicality. If the only tangible benefit to IPv6 is more addresses, then the only time IPv6 will get implemented is in places where that is an issue. If anything, IPv6 didn't go far enough, as with the only major benefits being no NAT and more addresses, it's just not compelling enough to make the switch. I am sure in a perfect world we would have all switched to IPv6 20 years ago, but we live in an imperfect world. Like I said, maybe in another 30 years IPv6 will be good enough.
JivanP@reddit
Please elaborate. Where does the deployment/technical complexity come from beyond needing to peer with these other sites? There is no difference in your scenario between IPv4 and IPv6; peering is peering. Each site is "simple" in its own right, to use your notion of simple.
My comments so far have not been about what you're supposed to do given unreasonable constraints, they're about how things are supposed to be — how they were designed/standardised. If all vendors available to you break standards, then obviously you have to play with the broken goods that they're selling if you can't convince them to get their act together and provide a sound product.
This isn't an ISP concern, it's a site network admin concern. If you want failover, you need to configure it. When you have two IPv4-only ISPs serving a site and want failover, do you ask them to set it up for you, or do you configure that yourself?
As for the residential multi-homing I described, the standards haven't been pushed heavily because demand is low. How many houses do you see where there is a single border router with multiple uplinks provided by different ISPs? The Homenet Working Group is being forward-thinking here. You didn't even ask about residential multi-homing, I merely brought it up as an aside. That being said, the relevant standards have been published for at least 4 years.
NPTv6 works and doesn't break end-to-end connectivity. Many-to-one NAT is the problem child, not one-to-one NAT, though no NAT at all is still desirable for simplicity's sake (and flexibility's sake in the case of the aforementioned residential multi-homing solutions).
An RFC having Experimental status does not mean you shouldn't use it or that it's somehow risky to use, definitely subject to change, or likely to break. IPv6 itself retained Draft Standard status (similar to Experimental) until 2017, when it was finally given the status of Internet Standard. Indeed, not even Internet Standard status means that something is not subject to further review and change.
Many protocols that are widely used today without issues have Experimental status, such as DNS over DTLS, DANE bindings for OpenPGP, 4rd, secure email headers, RADIUS over TCP, support for UTF-8 in POP3 and IMAP, even IRC of all things. RFCs are promoted from Experimental to a higher status, such as Standards Track or Best Current Practice, when it becomes clear that the feature or behaviour that they describe has caught on — it's a descriptive system, not a prescriptive one.
Obviously you just have to suck it up and deal with NAT in that situation. If you don't think NAT is a problem, then obviously you're not going to be bothered by this. If I were in your shoes, I would be, and I would be having discussions with vendors and service providers accordingly.
Yes, it does. I can't help it if you don't see that reasoning; you are the very sort of NAT-apathetic (or even NAT-preferring) person that I am talking about.
Firefox005@reddit
I already have, please read my other replies.
What unreasonable constraints? I have a typical use case and the other stuff is out of my control; I'm not seeing anything unreasonable about that.
I already have working failover today with IPv4, I cannot achieve the same thing on IPv6. So no this is an IPv6 failure.
Again, I am speaking about businesses. It is an incredibly common setup to have two or more 'business class' circuits that both use PA IPs, and NAT makes failover seamless and simple between them. If you are only going to provide solutions for residential customers, why would any business ever switch to IPv6? This is a forum for systems administrators, not home users.
Again I'm not the one who decides what protocols my networking equipment supports.
I love NAT. I ask frequently when vendors will be adding NPTv6 support to their products. Sadly, the adoption of IPv6 is so low in most enterprises that there is very little support dedicated to it outside of checking a box that says they support IPv6. As an example, Palo Alto firewalls only very recently got support for IPv6-PD, which meant that it was basically unusable unless you had PI addresses.
Yup, nothing wrong with NAT. The world where NAT doesn't exist ended decades ago and isn't coming back.
levyseppakoodari@reddit
When you deploy an IPv6-only network and provide a way to reach legacy IPv4 from it, you "NAT" the entire internet to the translation network.
fe80:: is essentially your "NAT" network.
The experience isn’t seamless but it sure sucks less than being stuck behind carrier-level NAT without public IP address.
JivanP@reddit
When everything that you need to access supports IPv4 or a suitable transition technology. Personally, as someone who is trying very hard to use as little IPv4 as possible, I am currently required to still use IPv4 in a few places for the following reasons:
1. Chrome OS doesn't yet properly support DHCP(v4) option 108 ("Use IPv6 only if you can, please"), and I have a Chromebook in my house.
2. Linux desktop OSes don't yet have a native CLAT implementation, and clatd is often unreliable. I am waiting for systemd to implement this, hopefully sometime within the next year or two.
3. Docker's networking implementation doesn't play nice with clatd, so despite me having a NAT64 gateway on my network, I can't employ 464XLAT on machines running Docker. If services crucial to the operation of my Docker servers, such as GitHub, all supported IPv6 (GitHub doesn't), then I could just disable IPv4 entirely and not need to worry about having a working CLAT at all.
Point (3) could be addressed with the use of DNS64, but I refuse to use it on principle, one more practical reason being that it breaks DNSSEC.
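As an added example (not code from the thread or from any project named in it), here is the RFC 6052 address embedding that NAT64, DNS64 and a 464XLAT CLAT all rely on, in Python: synthesizing an IPv6 address from an IPv4 one under the well-known 64:ff9b::/96 prefix (and the other RFC 6052 prefix lengths, which the post does not discuss), extracting it back the way the translator does, and a DNS64-style AAAA synthesis showing why the synthetic records carry no signature from the zone owner. All sample addresses are constructed from documentation ranges.

```python
import ipaddress

# RFC 6052 lets an IPv4 address be embedded in an IPv6 prefix of length
# 32, 40, 48, 56, 64 or 96. Bits 64-71 (byte index 8, the "u" octet) must
# stay zero, so the four IPv4 bytes follow the prefix and skip byte 8 when
# they would otherwise land on it.
VALID_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)
WELL_KNOWN_PREFIX = "64:ff9b::/96"   # NAT64 well-known prefix (RFC 6052)


def _v4_byte_positions(prefix_len: int) -> list[int]:
    """Byte offsets (0-15) that carry the embedded IPv4 address."""
    start = prefix_len // 8
    return [i for i in range(start, 16) if i != 8][:4]


def _network(prefix: str) -> ipaddress.IPv6Network:
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen not in VALID_PREFIX_LENGTHS:
        raise ValueError(f"unsupported NAT64 prefix length /{net.prefixlen}")
    return net


def synthesize(prefix: str, ipv4: str) -> str:
    """Embed ipv4 in prefix (what a CLAT or a DNS64 resolver does)."""
    net = _network(prefix)
    addr = bytearray(net.network_address.packed)
    for pos, octet in zip(_v4_byte_positions(net.prefixlen),
                          ipaddress.IPv4Address(ipv4).packed):
        addr[pos] = octet
    return str(ipaddress.IPv6Address(bytes(addr)))


def extract(prefix: str, ipv6: str) -> str:
    """Recover the IPv4 address (what the PLAT / NAT64 gateway does)."""
    net = _network(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError(f"{ipv6} is not inside {prefix}")
    packed = addr.packed
    if packed[8] != 0:
        raise ValueError("u octet (bits 64-71) must be zero")
    octets = bytes(packed[p] for p in _v4_byte_positions(net.prefixlen))
    return str(ipaddress.IPv4Address(octets))


def dns64_synthesize(a_records: list[str],
                     prefix: str = WELL_KNOWN_PREFIX) -> list[str]:
    """Mimic DNS64: turn an A RRset into a synthetic AAAA RRset.

    The zone owner never published or signed these AAAA records, so a
    DNSSEC-validating stub on the client has no RRSIG to check them against;
    that is the DNS64 / DNSSEC conflict mentioned in the post.
    """
    return [synthesize(prefix, a) for a in a_records]


if __name__ == "__main__":
    # Constructed sample: an IPv4-only host in TEST-NET-3 reached via NAT64.
    v6 = synthesize(WELL_KNOWN_PREFIX, "203.0.113.10")
    print("CLAT maps 203.0.113.10 ->", v6)            # 64:ff9b::cb00:710a
    print("PLAT recovers", extract(WELL_KNOWN_PREFIX, v6))
    print("DNS64 answer:", dns64_synthesize(["192.0.2.33", "192.0.2.34"]))
```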
BrainWaveCC@reddit
We've been trying to get rid of IPv4 since the late 90s... If it goes away in broad usage in North America, it won't be in this decade, unless it is related to some event as yet unimagined...
rdesktop7@reddit
IPv4 adds complexity? Lack of address space?
Are you allocating /8s to networks that might only ever host a few VMs or something?
Anyhow, to get to your question, there is a switch to disable IPv4 in netplan. You can probably set that if you really want to.
evanvelzen@reddit (OP)
I have all the VMs sharing one IP currently, but I don't think it's a tenable situation, so I'll probably end up buying a few more IPs.
rdesktop7@reddit
Okay, cool.
Best of luck!
Heracles_31@reddit
So many things pretend to support IPv6 but in fact, they don't. Like in Kubernetes, I tried for a long time to configure a /64 (or larger) as an IPv6 subnet for Services. After failing with Talos, I moved to Ubuntu and kubeadm, where I got better error messages. It turns out that the service subnet can not be any larger than /108.
Or for phpIPAM... That one too announces IPv6 support. The thing is, when you give it a range (either v4 or v6), it converts it in the background into a list of IPs to change individually. For that, it can not do more than a /12 at a time (do not confuse ranges and subnets here...). It is fine for IPv4 because when you need to handle larger than a /12, it is for subnets. But in IPv6, ranges have to be much larger.
IPv6 is buggy, not supported in way too many cases. Half supported in most cases and not fully supported by enough components to become universal.
Here, I consider that IPv6 is ready to use only between clients and external services. Because there are still IPv4 clients, the logical space between clients and frontend services is dual stack. For whatever supports it internally, I dual stack whenever I can but in the end, for the backend and infra, it is either IPv4 only or Dual Stack with IPv4 first.
srirachastephen@reddit
The same day Real ID becomes a requirement, aka delayed indefinitely.
SmokingCrop-@reddit
The question is more like: when should I start caring about IPv6 in the SMB space?
alter3d@reddit
The answer is the same it was in 2002 -- "5 years from now".
Edgeforce@reddit
Full decommissioning of IPv4 could take another 20-30 years. Most of us will be retired by then.
RiseOfTheBoarKing@reddit
What you do in your internal network is between you and your gods, and if you think you've accrued enough karma to make that change in a production network, you're a holier man than I.
HellDuke@reddit
If your environment fully supports IPv6 now then you can probably internally try to move over. If it's for public-facing infrastructure then probably not for another 20 at least, if ever. I suspect that legacy devices that do not support IPv6 aren't common enough for it to be a root cause. Instead it's that most everything sits on IPv4, and when you start mixing in IPv6 stuff breaks and nobody wants to deal with it until the lack of address space becomes a bigger issue than sitting down and hammering out the rollover.
gabacus_39@reddit
IPv4 isn't going anywhere
Gods-Of-Calleva@reddit
I don't think I'll see the retirement of IPv4 in my working lifetime (hopefully that's about 15 years).