IPv6 Hall of Shame
This discussion has been closed.

Comments
Nonsense; I've happily run websites on IPv6-only VPSes, sitting behind Cloudflare(*)
(*) other CDNs are available, and also solve the same issue of luddites accessing your website
Yeah no one save for a few hobbyists seems to have nailed down how they want to do mail over IPv6. Oddities everywhere.
I was trying to very carefully thread how I phrased the security part of my reply. NO, I am not saying IPv6 is fundamentally more prone to security issues than IPv4. That is not a problem with such standards these days, though I'll admit the occasional IPv6 thing comes up, but it mostly relates to this next part, which I tried to make clear: admins don't know IPv6 as well as they do IPv4, not even close. You will find a larger share of IPv6 networks, misconfigured or not configured with deep knowledge as to what the levers do.
Also yes, especially from my point of view, everything is an attack surface. That's not to say something is bad, it's a simple acknowledgement that the more services, more protocols, etc, the bigger the attack surface.
To the last thing you said: in the real world, if you have IPv4&6, an attacker who knows IPv6 has a much higher chance of using that because you are more likely to have misconfigurations. My last reply was really trying to emphasize that sysadmins by and large don't know IPv6 and don't care to learn it, and relatedly there's a smaller pool of attackers who know IPv6— but the ones that do know it well enjoy themselves.
First off you must do ipv6 properly as stated here: https://slash64.net/
If you do it properly then you will get some nice features that are not available in ipv4. If you don't do it properly and still come here to bitch against ipv6 then it's your choice albeit not a particularly smart one and it will just make you look like a bozo. Sorry!
Advantages:
1) In IPv6 IPsec is mandatory.
2) ipv6 done properly is faster than ipv4, according to data from google (https://www.google.com/intl/en/ipv6/statistics.html#tab=per-country-ipv6-adoption) in the US ipv6 shortens latency by 10ms and in France by 20ms. I can attest to a -10ms latency benefit, it's real!!!
3) You can give individual addresses to all your devices, ALL OF THEM, if you want to make any of them reachable from the internet that will be very easy and a very clean procedure.
4) You can perform address rotation on your services to protect yourself from attackers.
5) Do you need more? There are more.
And, if you try to suggest that address rotation can benefit malicious actors then I'm sorry to disappoint you because ipv6 done properly attributes the same reputation to all addresses inside a /64 block so if just one address in a block is considered malicious then the whole /64 block will be considered malicious. Reputation analysis and block lists done properly operate at /64 level.
Disadvantages:
1) Requires more expensive hardware.
2) Not all ipv6 hardware in the market is fully compliant.
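The /64-level reputation scoring described in the post above, as an added example that is not part of the original thread: it scores constructed abuse events per /64 for IPv6 and per host for IPv4, and compares that with per-address (/128) scoring. The function names, the threshold of 10 and the sample events are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: (source address, abusive-event count). Only documentation
# ranges (2001:db8::/32, 192.0.2.0/24, 198.51.100.0/24) are used.
SAMPLE_EVENTS = [
    ("2001:db8:aa:1::10", 3),
    ("2001:db8:aa:1:dead:beef:0:1", 4),  # same /64, different interface ID
    ("2001:db8:aa:1:ffff::2", 5),        # same /64 again
    ("2001:db8:aa:2::10", 2),            # neighbouring /64, stays below threshold
    ("::ffff:192.0.2.7", 6),             # IPv4-mapped: scored as the IPv4 host
    ("192.0.2.7", 5),
    ("198.51.100.9", 1),
    ("not-an-address", 9),               # malformed input is skipped
]

def reputation_key(addr_text, v6_prefix=64):
    """Network an address is scored under, or None if it does not parse."""
    try:
        addr = ipaddress.ip_address(addr_text.strip())
    except ValueError:
        return None
    if addr.version == 6:
        if addr.ipv4_mapped is not None:
            return ipaddress.IPv4Network(addr.ipv4_mapped)  # single host, /32
        return ipaddress.IPv6Network((addr, v6_prefix), strict=False)
    return ipaddress.IPv4Network(addr)

def build_blocklist(events, threshold=10, v6_prefix=64):
    """Sum event counts per reputation key; list keys at or above threshold."""
    scores = defaultdict(int)
    for addr_text, count in events:
        key = reputation_key(addr_text, v6_prefix)
        if key is not None:
            scores[key] += count
    hits = [net for net, score in scores.items() if score >= threshold]
    return sorted(hits, key=lambda net: (net.version, net))

def is_blocked(addr_text, blocklist, v6_prefix=64):
    """True if the address falls under a listed reputation key."""
    key = reputation_key(addr_text, v6_prefix)
    return key is not None and key in blocklist

if __name__ == "__main__":
    print("per-/64 :", [str(n) for n in build_blocklist(SAMPLE_EVENTS)])
    print("per-/128:", [str(n) for n in build_blocklist(SAMPLE_EVENTS, v6_prefix=128)])
```

With per-address scoring no single IPv6 source in the sample reaches the threshold, while the same events summed per /64 do, and an address from that /64 that never appeared in the events is matched as well.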
I am not convinced that's an advantage, but nobody cares about it anyway. Why can't we let IPSec die and disappear completely?
There will be always some weirdos out there
ipv6 is the superior spec, there are lots of people who say they do ipv6 but keep doing it wrong because they don't care to learn it properly and put in the effort, that is not ipv6 fault and despite ipv4 having received all the security enhancements that were not there initially you should at least try to offer ipv6 and do it right.
If you are a lowend hosting provider then offering ipv6 might not sound very appealing but there are scenarios where ipv6 will be the only viable option, scenarios where ipv4 does not even count as a viable option.
The question wasn't about alleged or real advantages but it was
.
Wrong. RFC 6434 made it only a recommendation
The question wasn't about allegedly or really higher speed/lower latency (which seems to be doubtful anyway) but it was
.
Not even worth a reply, sorry, plus that wasn't the question anyway.
The question wasn't about the ability to rotate addresses but it was
.
So far not even a single response to my question.
And kindly note that I'm not even pondering who looks like a bozo. I prefer to discuss the matter, not people.
Uhm ... thanks for your effort I guess
RFC 6434 (2011) was obsoleted by RFC 8504 (2019) you are referring to an obsolete spec, geez.
You're still living in 2011, what a clown!!!!
A propos "clown":
...
Translation: Not only did you, fragile idiot, NOT provide tangible and credible evidence for your loud-mouthed assertion that ipv6 is more secure than IP4, but, worse, you either didn't even read the RFC or you failed to understand what's written there.
But thanks anyway for demonstrating zealotry albeit quite cluelessly, bozo!
Just (kindly) hold a sheet of glass with a silver plated back in front of your face, it will help you spot the bozo.
You're wasting your time. He is incapable of self-education and doubles down on being wrong. He thinks he's a genius instead of a fucking idiot.
He's not a Network architect. He's not even an engineer. He's received ZERO education in networking and doesn't do networking design as part of his career, so no hands on experience.
He's dead set on limiting IP's for some reason and then whines like a fucking baby when American institutions retain IPv4. He's ignorant of solutions. Full. Stop.
He's the IPv6 equivalent of a flat earther.
Irony is my favorite seventeen letter word, I'm no genius, LOL.
Children for instance, fail to grasp irony, they interpret every word literally just like you seem to do. They are not geniuses either, they are just like you.
I have no fucking clue what corner you turned to suddenly be talking about irony and children. I'm guessing you've started drinking for the day.
https://www.google.com/intl/en/ipv6/statistics.html#tab=per-country-ipv6-adoption
ipv6 traffic to google properties in the US: 52.87%
ipv4 traffic: ~47%
American institutions may be retaining IPv4 but they are actively transitioning to ipv6 and leaving ipv4 on for backward compatibility.
Except for a few laggards, of course. And then they claim to have technical expertise, ironic!
Well, to be completely fair they do have technical expertise, being proficient in yesterday's tech should make you an expert, right, why not?
My handle, stable_genius, don't you find that choice a bit ironic? Wait... you did not notice that?? Damn I failed, I was hoping it would be obvious to everyone.
I failed miserably.
Because it's not a complaint about address-based architecture. AARNet built the internet in australia. I think they have a few new and shiny routers.
This is questionable. Is that 52.87% of connections or actual users? And it's unknown how much of that is Google's own automated traffic from their systems. They don't even mention but for last 30 days IPv6 connection failure rate in US is around 13%.
If it helps, I see a roughly similar proportion of v6 / v4 traffic going out of my router at (UK) home; very little of that will be automated traffic from Big Corporate...
Bro you can't just start pulling excuses to ignore the data out of your butt, as soon as it's data you don't like.
IPv4 hall of shame next. It's obviously useless since it's only 47% of traffic.
No it's not.
Turns out what the "clown" said is actually correct. rfc6434 made it a recommendation and rfc8504 retained that recommendation.
From rfc8504: "Previously, IPv6 mandated implementation of IPsec and recommended the key-management approach of IKE. RFC 6434 updated that recommendation by making support of the IPsec architecture [RFC4301] a SHOULD for all IPv6 nodes, and this document retains that recommendation."
IPv6 is not inherently faster or slower than IPv4. Seems you don't know they invented an algorithm to give advantage to IPv6 on dual stack systems. Works something like this: first dns is queried and if IPv4 wins then a timer is started to put a delay and wait for IPv6. Then you wait again and only if IPv6 fails miserably then IPv4 is used. And in most cases, like over 90% this will use IPv6 even when it's slower.
And you will properly secure them and perform IP address rotation to protect yourself from attackers.
There's actually a list floating around the internet of about 3-4 billion accessible IPv6 addresses and we know scanning doesn't work. ??
There's just longer addresses "with only a few annoying stupid differences".
The "superior spec" even after more than 30 years doesn't like UDP packet fragmentation and so how is DNS doing in IPv6?
Also, https://x.com/Jerome_UZ/status/1145136294835523584
"So Airtel AS9498 announced the entire IPv6 block 2400::/12 for a week and no-one notices until @tstrickx finds out and they confirm it was a typo of /127. Below is @GTTCOMM happily accepting the prefix. The state of routing security is 😱. "
Part of the IPv6 traffic growth is because of that algorithm that gives it advantage on dual stack so it will use IPv6 even if it's slower, just not if it's miserably slow. Tho in UK IPv6 failure rate is pretty low.
And there's that large scale APNIC measurement I posted in this thread. And the failure rate of 13% is also from APNIC measurement. Just that on dual stack IPv4 will save your ass and you will not notice it. I think they are doing those large scale measurements since 2011 or something like that.
Malicious scanning means trying to find private addresses not AAAA records and stuff that is being advertised. What those lists show are advertised addresses, there's no need to scan those.
For private addresses (IOT devices, etc) just keep rotating your ipv6 address and watch your attackers bite the dust.
And then you see malicious probes to addresses from those lists. It's just one of many ways to narrow the search space as no one will do brute force IPv6 scanning. Like I said, can't rely on security through obscurity.
Let's Encrypt gives precedence to ipv6 too, that's the way things are.
But hey, this isn't a competition, I think we should use both, use ipv6 where ipv6 works better and use ipv4 in those cases where ipv4 is the better option.
Sticking to ipv4 and ipv4 alone, as you seem to be doing, is not the best path.
IPv6 traffic - on a fairly rudimentary test - looks to be fractionally faster than IPv4 to most destinations. I've definitely never seen scale v6 "failures" any more often than v4.
Yes, there are providers who treat v6 as the unloved second child and have to be poked when it screws up, but that's hardly an indication of a systemic problem with the protocol.
The fact that you invent conspiracy theories to discount data that doesn't fit your world view tells us more about you than about the issue.
Try that and you will IMMEDIATELY hit a wall.
Math is not on your side my friend, and as you should know when math disagrees with what you're trying to do it can turn into a real bitch.
You say what you say but you have never attempted to do it, now go and try, put your money where your mouth is. Then we'll talk.
If IPv6 would be used when it's faster and IPv4 when it's faster. But that's not the case, the algorithm will use IPv6 even when it's slower as it puts an unnecessary artificial delay. That's not something fair or ok to do to people who are paying for it.
Conspiracy theories? The algorithm works that way and is well known, there's an RFC actually and I think three versions by now. That algorithm is implemented in browsers and libraries.
For the dns and udp fragmentation on IPv6, that's a known problem for a long time and there are measurements, if I remember correctly it said failure rate somewhere 40-50 percent.
For BGP IPv4 is very stable but for IPv6 convergence is unstable and that points to structural instabilities given that IPv6 network is a lot smaller than IPv4 network.
I also said the 13% failure rate for US is from APNIC measurement. I also said for UK the failure rate is low, also from the same measurement. It's not a big secret.
What am I supposed to say to you to make you happy? I have pointed you to the NIST publication and I have explained it to you more than once. You just keep repeating the same ad nauseam. It's pointless.
I made a small wireguard network then I have different ipv6 proxy on each node to feed my browser in ipv6 only.
The irony is the majority of mainstream ipv6 testers work only in ipv4 dual stack only.
They don't like I don't have a ipv4 failover to show.
ipv6 will be ready in 2063, not before