Providers, *please* assign a /64 per server, otherwise your IPv6 will be worthless

ucxo Member
edited March 2017 in General

It's about time I posted about my pet peeve that I keep encountering with many providers here: (lack of) RFC6177-compliant IPv6 assignments, aka "a /64 per customer".

Even if the main reasoning behind RFC6177 (assigning the subnet size required to use features like stateless address autoconfig) doesn't apply to a VPS, the recommendations from RFC6177 are considered an industry standard and as such are the basis for things like blacklists — i.e., Google, Freenode, and so forth will assume that all addresses of a /64 belong to the same person, and thus block the entire subnet when a single address appears abusive:

A large hosting company did that recently, assigning each of their customers a small range of IPv6 addresses out of a single /64 – and they discovered why it’s a terrible idea. They had no more than the usual level of email delivery problems on IPv4, but all of their IPv6 mail was blocked at a lot of destinations. Bad behaviour by one of their customers got the /64 that customer was sending from blocked – along with all the other customers sending from other parts of that /64.

So don't do that.

(That's a quote from IPv6 Email is a little different, posted by an actual email delivery consulting firm. I'm not affiliated with them, but they're right on that one.)


So here's the deal: I got tired of repeating the same thing on every offer thread where they "generously" offered 10 IPv6, and more on request or something like that, so I created a summary:

slash64.net — A concise reminder why /64 is the smallest sensible IPv6 sub-assignment size

Feel free to point all "IPv6 offenders" you encounter to that page, and submit pull requests if/when you find any mistakes/inaccuracies/additional examples and references.



Comments

  • I'm pretty sure it was you who mentioned this to us before as well; however, we have started offering /64. However, it is by request only, otherwise we just assign a single IPv6 :)

  • JackH Member

    @piohost said:
    I'm pretty sure it was you who mentioned this to us before as well; however, we have started offering /64. However, it is by request only, otherwise we just assign a single IPv6 :)

    /64 should be default, not by request. You break so many things by only offering a single IPv6, and it's just plain not standards compliant. Does it really hurt to give out a /64? What do you actually lose by doing it?

  • Clouvider Member, Patron Provider

    @piohost said:
    I'm pretty sure it was you who mentioned this to us before as well; however, we have started offering /64. However, it is by request only, otherwise we just assign a single IPv6 :)

    Many suppliers offer /64 or even up to /48 for a Customer site. It doesn't make this thread an advertising one.

    Thanked by 1netomx
  • Yura Member

    @piohost, the gist of it is anything less than /64 is like giving out a single shared NAT ipv4 because sites treat and ban them by /64.

  • Oh and @clouvider, this is in no case advertising us as a company; I was simply pointing out that a lot of companies will do this by request. I myself have a lot of reading to do on IPv6, however I'm no network guy so a lot of it is just above my head. I have not noticed a massive on taking of IPv6 in the UK though; for instance, my ISP for home and office still don't offer IPv6, which FYI sucks. How do you find it where you are located?

  • Clouvider Member, Patron Provider
    edited March 2017

    @piohost said:
    Most hosting companies are also limited to what their DC gives them. We were once limited to one /64, now we have a /48. However, I think there are a lot of young hosting companies on here that are still learning IPv6 and we are no exception to this. One thing I can say is we have only one client who uses his IPv6; this is why we don't offer them as default. However, saying that, it is something that we have on our to-do list.

    You're a service provider who assigns to end users, you shouldn't be using the DC IP space in the first place, you should become a LIR.

  • Clouvider Member, Patron Provider

    @piohost said:
    Oh and @clouvider, this is in no case advertising us as a company; I was simply pointing out that a lot of companies will do this by request. I myself have a lot of reading to do on IPv6, however I'm no network guy so a lot of it is just above my head. I have not noticed a massive on taking of IPv6 in the UK though; for instance, my ISP for home and office still don't offer IPv6, which FYI sucks. How do you find it where you are located?

    Zen, Sky, BT, AAISP, are the UK eyeballs that peer with us over V6 and exchange some amount of traffic, perhaps worth changing the ISP ;-)

    Hint: Zen is great.

  • @clouvider my area is not good for internet. I have lived with 1mbps downloads for the last 5 years until fibre was fitted, and even now on BT's highest packages I only get 20. Of course, though, I meant home connection, not work; however, that's a little off topic. I will be reading up on everything once I finish the school run though, and will make a nice document for the MD to read about the whole IPv6 issue :)

  • rm_ IPv6 Advocate, Veteran
    edited March 2017

    @ucxo I hope your website doesn't give people the impression that just a single /64 is all you need to provide on a home broadband connection though. With just one, people are screwed by not being able to separate their private WiFi, guest WiFi and wired LANs into separate networks for better security.

    Thanked by 1ucxo
  • AnthonySmith Member, Patron Provider

    You need to focus this complaint at the next level up; the problem is usually that many DCs will only assign a /64 per PHYSICAL device, which strictly speaking is correct.

    But you know it's 2017; there is a small percentage of people who even pay attention to IPv6 to begin with and an even smaller percentage that are IPv6 only.

    It's the IPv4 vs IPv6 problem, no one gives a shit, so it will never change and no one is taking business advice from a loud minority on public forums.

    Thanked by 3jar doughmanes netomx
  • Clouvider Member, Patron Provider

    piohost said: I meant home connection not work

    Naturally, that's what I was referring to.

    See: http://www.ispreview.co.uk/index.php/2016/08/uk-isp-bt-confirm-ipv6-officially-go-live-network-autumn.html

  • Maounique Host Rep, Veteran
    edited March 2017

    OVZ does not work that way. You cannot add much more than a few tens or things will become very sloooow.
    Also, if you want to add rDNS to them, that is a serious endeavour.
    There is a point here, though, i.e. not share a /64, but, if the host does its job and keeps spammers out or other abuse, whatever, there won't be such problems. We should not treat this as "isolate from host's tolerance to illegal stuff", eventually all /48 will be blocked, but rather sign up with a host that cares. Unless "your business" depends on "email marketing".

    Thanked by 1jar
  • rm_ IPv6 Advocate, Veteran
    edited March 2017

    AnthonySmith said: You need to focus this complaint at the next level up,

    Nah, this level is ok too, there's plenty of dumber than a dumbbell "providers" around here with their "5xIPv6" or "10xIPv6". The most retarded part by far is when they segregate the plans by the number of single IPv6 addresses among other things, for example the cheapest VPS gets three IPv6, and on the more expensive one you get a whopping six.

  • Maounique Host Rep, Veteran

    rm_ said: Nah, this level is ok too, there's plenty of dumber than a dumbbell "providers" around here with their "5xIPv6" or "10xIPv6".

    Or we could use Xen/KVM where you can actually pick any IP from the /64 and not have to depend on the host to assign you a few.

  • AnthonySmith Member, Patron Provider

    rm_ said: for example the cheapest VPS gets three IPv6, and on the more expensive one you get a whopping six.

    haha, fair enough, that is an all new low.

  • rm_ IPv6 Advocate, Veteran
    edited March 2017

    Maounique said: Or we could use Xen/KVM where you can actually pick any IP from the /64 and not have to depend on the host to assign you a few.

    Maounique said: OVZ does not work that way

    Sure, the more KVM the better, but don't hide behind "oh OpenVZ can't", there are providers doing it, and so it can be done: https://clientarea.ramnode.com/knowledgebase.php?action=displayarticle&id=103

    No, nobody asks you to actually bind every single IP from the /64, just reserve it for the customer and let them add any IP as they wish.

    Thanked by 3ucxo vimalware JahAGR
  • Maounique Host Rep, Veteran

    rm_ said: No, nobody asks you to actually bind every single IP from the /64, just reserve it for the customer and let them add any IP as they wish.

    I concede this point, however, the original point remains, because the post is made about blacklisting.
    If you do not want to get blacklisted due to host's tolerance for shady things, this is not the way to proceed. As I said, eventually, the whole subnet or whole AS will be blacklisted, you cannot actually hope you will be shielded simply by having your own /64.

    If the rant is about RFCs and all, sure, my whole support, but that is not the case, also, why would the IPv6 suddenly become worthless if you do not assign full /64? Worthless for spammers, or what?

  • rm_ IPv6 Advocate, Veteran
    edited March 2017

    Maounique said: you cannot actually hope you will be shielded simply by having your own /64

    You could contact the services that mistakenly banned you and request blacklist removal for your /64 at that provider. Whereas without a private /64 nobody would take your request to unban "these 5 IPv6" seriously.

    Maounique said: why would the IPv6 suddenly become worthless if you do not assign full /64?

    If all customers share the same /64 you can pretty much be sure it's already spamlisted everywhere, but with a /64 per customer it's just the same as with IPv4, by some luck you can get a "clean" or "dirty" one, and then request blacklist removal if it's the latter.

  • Maounique Host Rep, Veteran

    rm_ said: You could contact the services that mistakenly banned you and request blacklist removal for your /64 at that provider.

    Have you ever done that, I mean, contact a blocklist and ask your /64 or IPv4(s) be unblocked because you are innocent and got caught in the crossfire when the AS was blocked? And if you did, ever been successful?

    rm_ said: If all customers share the same /64

    Right, that is an extreme case of BS from the provider, however, if you choose random IPv6 from random /64 one per block, that will not happen even with OVZ. You still give only a few (more free on request, of course) but you are still shielded from other /64.

  • JackH Member
    edited March 2017
    • If your DC doesn't provide at least a /56 per machine, use BGP
    • If your DC doesn't allow BGP, then switch DC
    • If that isn't an option, don't provide IPv6 at all. Allocating out of a /64 is just plain stupid



    If you're gonna do IPv6 you've gotta either do it right or not at all.

  • rm_ IPv6 Advocate, Veteran
    edited March 2017

    Maounique said: contact a blocklist and ask your /64 or IPv4(s) be unblocked

    I have gotten some "red" IPv4 on VPSes in the past, in which case I went to the corresponding blacklists' websites and successfully used their removal procedures. No reason this will be different in IPv6.

    Maounique said: however, if you choose random IPv6 from random /64 one per block, that will not happen

    Sounds like looking for more excuses for not just doing the right thing.

    Thanked by 1ucxo
  • jvnadr Member
    edited March 2017

    Sharing from the same /64 is equal to having ports from a shared (NAT) IPv4 address. It is not a catastrophe, if you know what you get and the issues that may arise using it. There are plenty of NAT services hosting small websites or for other uses that, when running from a good provider, are monitored and not causing any problems to clients. The end user should know the difference that a single IPv4 address has from a single IPv6 address, especially when he rents an unmanaged VPS. If not, then he is not capable of using IPv6.

  • @clouvider, the sad thing is my area is always the last area to get anything; we have not long got fibre so I doubt I will see IPv6 anytime soon. But using a tunnel is just as effective.

    Also, I'd like to add here that I made a mistake and have been told for it (my own bad); it seems by default new orders get a /64 and I was just not aware of that yet.

  • > Have you ever done that, I mean, contact a blocklist and ask your /64 or IPv4(s) be unblocked because you are innocent and got caught in the crossfire when the AS was blocked? And if you did, ever been successful?

    I've gotten /32 IPv4 from ecatel's ip-range unblocked when I said some bullshit in the form. I also had it unblocked from malwarebytes even when the whole AS was blocked lol

    Thanked by 1PioHost
  • XIAOSpider97 Member
    edited March 2017

    By default, we don't assign IPv6. Customers can request a block for free, available upon request. (Except our Warsaw location)

  • Is this a déjà vu? We have already spoken about this many times..

  • ucxo Member

    @piohost said: I myself have a lot of reading to do on IPv6, however I'm no network guy so a lot of it is just above my head

    Sure, nothing wrong with not knowing (everyone has to start somewhere). It's the not caring of some providers that really grinds my gears.
    Luckily, you do seem to care. :)
    (After I opened a ticket, @PioHost went straight to their DC and got me a /64.)

    For anyone wanting to learn some IPv6 basics, Hurricane Electric's IPv6 certification is a great starting point.

    @rm_ said: @ucxo I hope your website doesn't give people the impression that just a single /64 is all you need to provide on a home broadband connection though. With just one, people are screwed by not being able to separate their private WiFi, guest WiFi and wired LANs into separate networks for better security.

    You're totally right there.
    Don't get me started about home connections, though, the situation there is just sad

    @Maounique said: OVZ does not work that way. You cannot add much more than a few tens or things will become very sloooow.

    Also, if you want to add rDNS to them, that is a serious endeavour.

    No one said that you have to assign all 2^64 addresses to the VM; in fact, most people won't use more than a single address. Heck, I can live with a handful of statically assigned addresses, as long as they're from a /64 that's reserved for me, and only me.

    @Maounique said: why would the IPv6 suddenly become worthless if you do not assign full /64? Worthless for spammers, or what?

    Worthless for anyone using mail, IRC, or any other service that uses blacklisting to protect against spammers.
    Spammers will use the gazillions of individual addresses in their subnet, so blacklists will have to block the entire subnet too. That I'm only using a single address for my MTA doesn't change a thing.

    @Maounique said: Have you ever done that, I mean, contact a blocklist and ask your /64 or IPv4(s) be unblocked because you are innocent and got caught in the crossfire when the AS was blocked? And if you did, ever been successful?

    Yes. And yes.
    To give more detail: almost all subnets used by Arubacloud are widely blacklisted at the /24 level. I went ahead and got my IPs removed at the /32 level.
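
The collateral-blocking effect argued in the original post and in the reply above, as an added example that is not part of any participant's post. It assumes, as the thread states, that receivers list a whole /64 when one address in it is abusive; the function names are hypothetical and the addresses are constructed from the 2001:db8::/32 documentation prefix.

```python
import ipaddress
from collections import defaultdict

def slash64(addr):
    """The /64 containing addr: the unit receivers are assumed to list."""
    return ipaddress.ip_network(f"{addr}/64", strict=False)

def shared_64s(assignments):
    """Provider-side audit: /64s that hold addresses of more than one customer."""
    owners = defaultdict(set)
    for customer, addrs in assignments.items():
        for a in addrs:
            owners[slash64(a)].add(customer)
    return {str(net): sorted(who) for net, who in owners.items() if len(who) > 1}

def collateral(assignments, abusive_addr):
    """Customers (other than the sender) caught when the sender's /64 is listed."""
    bad = ipaddress.ip_address(abusive_addr)
    listed = slash64(bad)
    caught = []
    for customer, addrs in assignments.items():
        parsed = [ipaddress.ip_address(a) for a in addrs]
        if bad not in parsed and any(a in listed for a in parsed):
            caught.append(customer)
    return sorted(caught)

def per_customer_64(parent, customers):
    """Reserve one /64 per customer from a larger block; only ::1 is bound."""
    subnets = ipaddress.ip_network(parent).subnets(new_prefix=64)
    return {c: [str(net.network_address + 1)] for c, net in zip(customers, subnets)}

# Constructed sample data: a "few addresses each" plan carved from one /64.
SHARED = {
    "alice":   ["2001:db8:0:1::a", "2001:db8:0:1::b"],
    "bob":     ["2001:db8:0:1::10"],
    "mallory": ["2001:db8:0:1::66"],
}
# The same customers, each with a reserved /64 out of a constructed /48.
DEDICATED = per_customer_64("2001:db8:100::/48", ["alice", "bob", "mallory"])

if __name__ == "__main__":
    print("shared /64s:", shared_64s(SHARED))
    print("collateral, shared plan:", collateral(SHARED, "2001:db8:0:1::66"))
    print("mallory's reserved /64:", slash64(DEDICATED["mallory"][0]))
    print("collateral, /64 each:", collateral(DEDICATED, "2001:db8:100:2::1"))
```

Running `shared_64s` over a real assignment table is a quick audit a provider can do before customers find out through rejected mail.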

  • ucxo Member

    dedicados said: Is this a déjà vu? We have already spoken about this many times..

    We have. Unfortunately, it doesn't seem to have helped much yet… :/

  • UrDN Member

    /64 is stupid.

    /56 makes more sense.

  • ucxo Member

    @UrDN said: /64 is stupid.

    /56 makes more sense.

    Care to elaborate on that?
