IPv6: Why End-to-End Connectivity Matters and How It Benefits You

42,883 views

apalrd's adventures

A day ago

Comments: 294
@pr0way · a year ago
Probably the best explanation of IPv6 I've ever seen. When I started in IT no one knew how to explain NAT traversal in simple words; now that NAT is less mysterious for me, IPv6 was this type of topic. Until now, when I watched this video. Thanks!
@apalrdsadventures · a year ago
Glad you like it!
@TheExard3k · a year ago
Yeah he nailed it. He got me into Ceph and now I'm rethinking my home network. I have to stop watching this channel or I get even more ideas ;)
@James_Knott · a year ago
I'm allergic to NAT. 🙂
@claytsjohnston1253 · a month ago
Man, I'm a Starlink user trying to set up a few services (Nextcloud, Pi-hole, Jellyfin etc.) in Docker containers on Ubuntu Server solely using IPv6 based on this video. Makes no sense to me that IPv6 isn't completely ubiquitous by now. It cuts so much of the complexity out; however, finding info on how to implement it is ironically difficult! So thank you for this.
@wildekek · a year ago
I was adding manual split horizon DNS entries for all my homelab stuff. I kept saying to myself "there must be a better way". I thought ipv6 was "cheap but unreadable" and discarded it as something for mobile operators. You convinced me to try it out.
@apalrdsadventures · a year ago
If it's going in DNS, readability isn't really important, and DNS is the place for services anyway.
@ronaldvargo4113 · a year ago
Thanks, you are the only person focusing on IPv6 in the home lab that is making sense. Whenever I post an IPv6 question on forums there is usually an "expert" who will say you don't need IPv6, why bother. Why bother? Because IPv4 NAT really broke how things are supposed to work on the internet, and many of the admins and network guys just seem to have forgotten how great things were without translations. Yes, there are new things to learn with IPv6 such as self configuration, SLAAC, RA etc., but in the end it is so much easier. Also I don't have to run split horizon DNS services anymore. There is one problem of course: all those cheap IoT devices that will never use IPv6. We have to account for them and continue to run dual stack because of that.
@apalrdsadventures · a year ago
Glad you appreciate it! I'm definitely trying to be forward-looking with my networking content.
@thewhitefalcon8539 · a year ago
At some hacker events you can get a taste of this with IPv4, because they have a long history and have enough public IPv4s to allocate one to everyone at the event.
@d_techterminal · 9 months ago
So India is at almost 78% IPv6 coverage, and the biggest operator in India started with IPv6. They also don't provide static IPv4 addresses, hence the only option to host services is by using IPv6. Thank god for them, I was forced to use IPv6, and IPv6 with a good firewall like pfSense is the best thing ever.
@SUNGOLDSV · 5 months ago
@d_techterminal If you're talking about Airtel, then I have bad news to share. I had been self hosting for the past 2 years with a dual stack IPv4/6 connection from Airtel. I connected to my server using IPv6 regularly when I was outside my home network. This year, I moved places and even though I continued my Airtel connection, the new LCO doesn't provide IPv6 in my area. I'm stuck with IPv4 only, and I've tried Tailscale for NAT traversal but it's very flaky and falls back to their relay servers most of the time with a 10 Mbps limit, so my streams fail. Due to the CGNAT, I've stopped self hosting and just switched to using Debrid for my torrenting needs. So yeah, Airtel is still using IPv4 in some places and it's not all sunshine and rainbows for IPv6 usage in India.
@SUNGOLDSV · 5 months ago
@d_techterminal Also, Airtel does provide a static IPv4 address as a paid service if you want to host something, so IPv6 is not the only way.
@Timi7007 · a year ago
Simplest v6 explainer I've seen, thanks! Now if only my ISP moved with the times...
@Felix-ve9hs · a year ago
3:48 There is also loopback NAT and reflexive NAT, where your client will be redirected to the internal server when accessing the external IP, but now you might have 2 firewall rules and 3 NAT rules...
@Renzo747 · a year ago
I love how you demystify the supposed 'complexity' of ipv6 in your videos and show how easy it actually is. To everyone still holding out: there's really no reason to not do v6 any longer!
@apalrdsadventures · a year ago
The addresses are longer (and harder to memorize). That's really the 'complexity'. Other than that, it's the same routing and subnetting we've always done, but we get rid of so many things we're used to 'needing' all the time.
@koenvanduffel2084 · a year ago
I was afraid of IPv6 as I didn't understand how it routes. This was, as many others say, a very welcome and necessary explanation! Thanks.
@michaelheimbrand5424 · a year ago
I needed this one. I have designed and built IP based networks (and other dead protocols) since the mid-90s. And my MO when it comes to IPv6 is "disable, run, don't look back", like many other oldies. I always thought that I would never have to learn IPv6. But this video actually made me want to do something with it. NAT/SAT has been a good companion, but like you said, end-to-end is what TCP/IP was always meant to be. So thanks.
@isithardtobevegan53 · 11 months ago
Intentionally disabling IPv6 or not using it in 2024 is a crime against humanity
@RoxzinGaming · a year ago
Your explanation was amazing. That's exactly what I was trying to understand, as I'm currently working on my homelab. Thanks a lot! Love the channel!
@apalrdsadventures · a year ago
Glad you enjoyed it!
@PatrickDunca · a year ago
So good! Currently setting up a homelab. After this video I'm gonna have to figure out IPv6. (Hopefully software defined networking too.)
@apalrdsadventures · a year ago
Thanks! IPv6 is awesome!
@FlaxTheSeedOne · a year ago
The benefit of having everything go through a proxy like Caddy is the certificate management for the respective services. It's central, it's easier to automate, or it has already been automated in many pre-made applications. However, I agree with everything else.
@damiendye6623 · a year ago
You should be issuing certs from the service anyway. That's how certs are designed to work. If it's that much of an issue, use certbot for Let's Encrypt certs. Job done.
@autohmae · a year ago
Are you saying you have Caddy connect over HTTP to your backends? Are they on another server? Ohh, that makes that HTTPS not that secure after all.
@apalrdsadventures · a year ago
On my network I only terminate TLS on the final server. Sometimes that means running Caddy in the container to front a basic web application server (in Python or Ruby), which also brings with it automatic TLS and HTTP/3 (QUIC). I try to keep this as close to the application server as possible and prefer to limit the actual backend app to only accept connections from localhost if I'm doing the Caddy-for-TLS approach. For IPv4 I'm using HAProxy since it has good layer 4 support; it's inspecting SNI headers and then passing through the encrypted traffic without terminating TLS. For port 80 you can either have a blanket redirect to 443 or a layer 7 proxy (no TLS to worry about). For web servers, using the ACME protocol (either to Let's Encrypt or to your own local organization CA) is the way to go. Fully automated.
@autohmae · a year ago
@apalrdsadventures Something I've been wondering: is UDP/QUIC SNI routing possible like with previous HTTPS versions?
@apalrdsadventures · a year ago
I only run QUIC on v6; I'm not aware of any software which can layer 4 proxy it currently. Even nginx still lists QUIC in general as experimental. So IPv4 clients get HTTP/2 at best. Encrypted SNI requires more than just using TLS 1.3, so it's not a default thing. It doesn't look like very many servers support it yet (Caddy and HAProxy both didn't show up as supporting it), but the ECH header has a separate encryption key, so it's still possible to distribute that to the frontend proxy without the TLS private key.
@Mikesco3 · a year ago
I know you have a video that explains IPv6, but more are always welcome. I'm still stuck with needing to learn how to assign static addresses in a network.
@hl321662 · a year ago
I'm a simple man. I hear the sound of buckling spring keyboard and I upvote.
@apalrdsadventures · a year ago
It's such a pleasant sound that YouTube has subtitled it as 'applause'.
@blevenzon · a year ago
One of the best IPv6 explanations.
@nickpetrovsky · a year ago
Thank you for the video! Can you discuss the application of v6 in Docker? For different scenarios: 1) dedicated /64; 2) NAT.
@nickpetrovsky · a year ago
Also, v6 local network end-to-end works until your prefix is /64; many ISPs provide a /56. Two /64 subnets will link through the router locally. The problem is how to handle the Docker subnet to avoid routing.
@apalrdsadventures · a year ago
The way Docker handles networking is a big reason why I hate Docker. But a bridged network (I think Docker calls it macvlan), which puts containers directly on the network, is a solution.
@frzen · a year ago
I wish I could use IPv6 at work. We have several port forwards on every one of our public IPv4 addresses and run into issues with devices that want to use STUN for WebRTC. We also have IPv4 turned off internally. I'd love it if there was a guide to the gotchas if you want to upgrade one of these lazy sysadmin networks to IPv6.
@apalrdsadventures · a year ago
A Discord member of mine has been testing Active Directory in a v6-only network (not dual stack), without any issues. He has NAT64/DNS64 running on the edge of the network. In general the gotchas are mostly old IoT devices which won't do v6, or maybe old software. But for modern web-based stuff (both client and server side), v6 is extremely well supported or can be made well supported easily.
@frzen · a year ago
@apalrdsadventures Thanks for this reply, I didn't get a notification but I was rewatching the video and noticed.
@hansaya · a year ago
Thank you for this video. One of the best ones I have seen. Brief and informative. Only thing: can you cover a few topics around how you do security around IPv6? Firewall etc.
@Tntdruid · a year ago
I've been using IPv6 from my ISP for over 7 years now.
@mouduge · a year ago
Awesome video, very clear, definitely switching to IPv6 for my homelab after watching this, thanks so much!
@probablypablito · a year ago
What if you change ISPs / IPs? On IPv4, NAT takes care of this, so if your public IP changes then no device needs to be reconfigured. With IPv6, however, you'd have to reconfigure every single device. DHCP wouldn't work either unless you have a DDNS client embedded in every device / service with an IP (not feasible, esp. for IoT).
@apalrdsadventures · a year ago
It depends. Changing ISPs would mean a new prefix delegation, so the router would advertise the new prefix. Clients will pick that up and be fine (as they would in DHCP). Virtually all consumer IoT devices are doing mDNS now, so they would be fine too internally. A lot of them are probably speaking IPv6 to each other already, since mDNS can use link-local addresses and those always exist if the interface is up in most OSes. On server networks it's definitely more tricky since the addresses need to be fixed (although they can be random) and need to go in DNS, but that's not really different from needing to update DNS now if you have a public IP change. So only DNS should need to change.
@probablypablito · a year ago
@apalrdsadventures Oh wow! Didn't know that machines could pick up a new prefix while not changing the end bit. The solution I'd seen before was with NAT, where you'd assign fd00::1, fd00::2, etc. to the machines (private IPs), then later have a rule in the router that publicprefix::X -> fd00::X. That way you still have 1:1 addresses but don't have to worry about changing prefixes.
@apalrdsadventures · a year ago
Using ULA addresses (fc00::/7) means the clients treat the network as having no public IPv6 access, since ULAs aren't globally routable: the order of precedence is IPv6 global, then IPv4, then IPv6 ULA. So it's good practice to use ULAs on networks which are actually isolated from the internet and to NOT use them on networks which can route to the internet. The host identifier *could* change depending on how the OS implements privacy extensions. Most server Linux distributions have privacy extensions disabled by default, so the host identifier will be generated from the MAC address and fixed per interface. Client OSes, especially mobile OSes, often keep a different permanent host identifier for each 'network'; some identify that by Wi-Fi SSID, similar to how they keep a different unique MAC address for each network. So those devices are more likely to generate a new permanent address on a changing prefix, but they would probably also usually generate a new MAC address in the same scenario.
@deepspacecow2644 · 7 months ago
@probablypablito That is incredibly cursed, and a crime against humanity.
@jeytis72 · a year ago
Interesting. Are you going to make a few videos to explain how IPv6 works? Thanks.
@autohmae · a year ago
He already has a bunch of videos on his channel.
@thewhitefalcon8539 · a year ago
It's literally exactly like IPv4, except with longer addresses and a couple of little tweaks that aren't too important.
@UnderEu · 7 months ago
It's like the ancient protocol but with bigger addresses, automatic at its core and no translation shenanigans.
@markhowell4003 · a year ago
Thanks for this video. You do a really great job explaining things!
@apalrdsadventures · a year ago
Glad it was helpful!
@drunkbear889 · a year ago
I wish more of the incumbent SPs had supported IPv6 at least by the end of the previous decade. 😐
@apalrdsadventures · a year ago
If only they'd seen this coming for 25 years now.
@kwaradio22 · 6 months ago
Ok I'm sold! Great explanation.
@benfreeman9717 · a year ago
Unless things have changed in the last 5 years or so, IPv6 implementations still haven't been fully completed or standardized. I've tried to set up IPv6 in a couple of different environments and I've never gotten it to work properly. Not sure if it's a Microsoft thing, or maybe the specific network vendors I was trying to use (Cisco, Juniper, Palo Alto, Windows Server 2016, and Ubuntu 18), or perhaps it was something on the ISP's side, but I was never able to get simple things to work, i.e., being able to ping an IPv6 address inside my network from the internet. I've been working full time doing IT/networking for over 20 years and even with support from the ISP I was not able to get any devices working on v6. It makes a lot of sense for corporations and mobile network operators to use v6 because of the sheer number of addresses needed, but in literally every network install I've ever done it makes no sense. As for split horizon DNS, that is easily fixed by putting your devices which need remote access in a DMZ subnet and letting the router do what it was designed to do. No DNS tricks needed. When you host a device on-premises without using a DMZ there's no way to get around hairpin routing if you want to use a single IP for your server/device. IPv4 is getting old and it's not perfect, but it's still FAR easier to work with than IPv6. Maybe when device manufacturers get on board and fully support v6 and ISPs in rural areas get serious about v6 it will be different. For now it's more of a novelty. IPv6 is kinda like 5G cellular. I am told that 5G has all these great features and can support more bandwidth and connections, but if you live in a state that has terrible mobile connectivity, the number of Gs doesn't really matter.
I would absolutely love to be able to make phone calls while driving multiple hours to job sites, but most places I drive don't have any cell coverage at all, except by quaint local telephone companies that are 10 years or more behind the technology curve. I guess I've said all this to say that it's all relative. You can upgrade your customers' phones to whatever technology you want, but if they live in an area where you don't want to provide service, it doesn't help them at all. If you provide virtually unlimited IPv6 space to corporations, they'll use it and it will be the greatest thing ever. If you offer those IPv6 addresses to overworked hospital, school, library, etc. IT staff, you're going to have to come up with a damn good reason why they need to renumber their networks for virtually no gains. The people that need IPv6 will figure it out and make it work. The people that don't need it will very likely continue for many more years without it and get by just fine.
@apalrdsadventures · a year ago
There could be a lot of reasons for this, the biggest of which is that enterprises are the slowest to adopt IPv6, so enterprise-only solutions are also the slowest to have good IPv6 support. ISPs and hosting companies are the most eager to get traffic on v6, since they are legitimately very much out of addresses and it costs them a lot of money to continue to buy v4 blocks to provide to customers. Businesses can afford to buy a small block and hide behind that, but even then you will eventually run out of 10/8 space in a large enterprise if you aren't careful with it, and mergers / acquisitions become a nightmare when you are both using 10/8 in overlapping regions. As to the 'needs' of deploying v6, going v6-only in a large organization means you can fully access everything over both v4 and v6 (using DNS64/NAT64 or 464XLAT, depending on your client devices), while deploying v4-only means you can't access v6 at all. It also means your network design is very significantly simpler, as you have a massive amount of address space to subnet from, and can use that to encode things like site, subnet within the site, the VLAN id, ... in a readable form in the address directly. This also means routes will aggregate as you go up from the subnet level to the site level, leading to a single route per site. So for a deployment which is new or being re-done today, going v6 will be much easier than v4. As to upgrading from v4 on an existing large network, it's mostly a longer-term issue that will need to be addressed at some point in time, like any other major network refresh.
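Added example (written for this page, not code from the video or from anyone in the thread) of the addressing plan the reply above describes: the site number and the VLAN id are encoded as the third and fourth hextets of a constructed organisation /32, so they can be read straight out of any address, and the per-VLAN /64s collapse into the site /48, giving one upstream route per site. The organisation prefix, site numbers and VLAN ids are made-up documentation values.

```python
import ipaddress

# Constructed organisation prefix (documentation space, not anyone's real allocation).
ORG_PREFIX = ipaddress.IPv6Network("2001:db8::/32")

SITE_SHIFT = 128 - 48   # site number occupies bits 32..47 (the 3rd hextet)
VLAN_SHIFT = 128 - 64   # VLAN id occupies bits 48..63 (the 4th hextet)


def site_prefix(org: ipaddress.IPv6Network, site_id: int) -> ipaddress.IPv6Network:
    """Carve the /48 for one site out of the organisation /32.

    The 16 bits after the org prefix carry the site number, so the third
    hextet of every address at that site reads as the site number (in hex).
    """
    if org.prefixlen != 32 or not 0 <= site_id < 2**16:
        raise ValueError("need a /32 org prefix and a 16-bit site id")
    return ipaddress.IPv6Network((int(org.network_address) | (site_id << SITE_SHIFT), 48))


def vlan_subnet(site: ipaddress.IPv6Network, vlan_id: int) -> ipaddress.IPv6Network:
    """Carve the /64 for one VLAN out of the site /48; the VLAN id becomes the 4th hextet."""
    if site.prefixlen != 48 or not 0 <= vlan_id < 2**16:
        raise ValueError("need a /48 site prefix and a 16-bit VLAN id")
    return ipaddress.IPv6Network((int(site.network_address) | (vlan_id << VLAN_SHIFT), 64))


def decode(addr: str) -> tuple:
    """Read (site number, VLAN id) straight out of any address in the plan."""
    n = int(ipaddress.IPv6Address(addr))
    return (n >> SITE_SHIFT) & 0xFFFF, (n >> VLAN_SHIFT) & 0xFFFF


def upstream_routes(site: ipaddress.IPv6Network, subnets) -> list:
    """Routes a site must announce upstream.

    collapse_addresses() drops every /64 already covered by the site /48, so a
    site whose VLANs all come out of its own /48 announces exactly one route.
    A subnet taken from somewhere else survives as an extra route.
    """
    return list(ipaddress.collapse_addresses([site, *subnets]))


if __name__ == "__main__":
    site = site_prefix(ORG_PREFIX, 16)
    vlans = [vlan_subnet(site, v) for v in (10, 20, 256)]
    print(site, [str(v) for v in vlans])
    print("upstream:", [str(r) for r in upstream_routes(site, vlans)])
    print(decode("2001:db8:10:100::1"))
```

Site 16 becomes 2001:db8:10::/48 and VLAN 256 within it becomes 2001:db8:10:100::/64; the ids are written in hex, so a plan that wants the decimal VLAN number to appear literally in the hextet would map 256 to 0x256 instead.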
@channel11121 · a year ago
As someone who used to disable IPv6 on everything, you have converted me.
@travisaugustine7264 · a year ago
How do you handle the certificate management with the two different paths?
@apalrdsadventures · a year ago
The v4 path is doing layer 4 proxying, so all certificates are handled by the end server. Let's Encrypt will always try v6 challenges first anyway.
@travisaugustine7264 · a year ago
@apalrdsadventures Thank you, I didn't realize that Caddy did layer 4 proxying...
@knightrider585 · a year ago
How does a private individual own a permanent IPv6 address since these are addresses of all the devices on my network? Is there somewhere I go to buy an IPv6 address block? And how do I get my ISP to route these?
@knightrider585 · a year ago
Okay, I just googled and it appears I just need to pay A$1180 annually and an A$500 signup fee to own an IPv6 address range. Guess I will stick with IPv4 and NAT.
@apalrdsadventures · a year ago
You don't need to own a range. You get it delegated from your ISP (via DHCPv6). They should give you somewhere between a /48 and /60 (16 to 65536 subnets) and you assign subnets out of that dynamic pool. At least in the US, the pricing from ARIN is currently free for v6-only, but you need an ISP you can BGP peer with which a residential ISP won't do. But a small business shouldn't have a problem with that.
@knightrider585 · a year ago
@apalrdsadventures So you can or can't keep your IPv6 address when you change ISP?
@UnderEu · a year ago
@knightrider585 Not only can you keep your addresses, but you can have multiple IP transit providers, be connected to all of them and, in case one link goes down, your router automatically routes traffic from/to your network over the other link you have via BGP and you won't even notice. Well... you'll have a short freeze delay, a couple of packets might need to be retransmitted, but your connection won't drop entirely. This is called "multihoming".
@deepspacecow2644 · 7 months ago
@knightrider585 They don't belong to an ISP; when you are on BGP, you are your own ISP. They are addresses attributed to your ASN.
@mithubopensourcelab482 · a year ago
Excellent... Thanks. Your topology diagram looks nice. What software do you use for this?
@apalrdsadventures · a year ago
www.drawio.com/
@su-ex-64 · a year ago
Very helpful video, although I've used dual stack for all my server's services for a while now. Could you please make a video with details on your IPv6: where and why you use private/public subnets, how big those are, and when and where you use static IPs. Details about your IPv4 to IPv6 layer 4 proxying would also be great (edit: just saw you have a video about that already, amazing!)! And details on how you set up QUIC and your certificate management as well, of course!
@HaneenNaseem · 3 months ago
Your comfortable lighting made me sleepy and I didn't get any info. Or maybe I'm just not a morning person. I need a deep sleep 😮‍💨
@OpenEmoto · a year ago
To me the only problem to solve is how to make the WireGuard devices connect to my home dynamic address peer. That problem is about DNS and it is the same whether you have IPv4 or 6. Servers with fixed IPv6 are another story, where your arguments may be applicable. Despite the fact I'm disagreeing: I love your Proxmox videos and learnt a lot. Thanks!
@igorpavelmerku7599 · 9 months ago
Very interesting. Could you kindly elaborate on the firewall part? How do you connect to the internet? I discovered that my ISP switched from public (dynamic) IPv4 addresses for client (consumer) routers to private addresses, so for the time being I had to buy a static IPv4 for my homelab services to be accessible from outside. Looks like I managed to set the static IPv6 address on my router, but I am kind of lost as I can't even ping out to the internet... Thanks.
@apalrdsadventures · 9 months ago
In general, in IPv4, you have a single public address (or a CGNAT, like you have now). For outgoing traffic, your router will do NAPT ('network address + port translation') to make all of the connections appear as if they came from that single public address. For incoming traffic, you will port forward from the public address+port to a private address+port. In v6, the address space is public, so there's no need to translate between internal and external addresses. You'll end up with a prefix from your ISP (probably a /48 if you paid for static IPv4, but /56 is also common for residential, and /60 for some providers). Unlike in v4, the router doesn't do any NAT, so you'll break up that large prefix into smaller subnets (/64) and assign those to your LAN networks. If you are using DHCPv4, the router will probably do DHCPv6 on WAN to receive an address + a prefix, then break apart the prefix automatically for LAN interfaces (but this depends on your router). At least in OPNsense, you set the LAN as 'Track Interface' to configure this. The router advertises the subnet like in v4, but the addresses in the subnet are part of the public address space. This eventually means all clients have a v6 out of the /64 subnet they are connected to, all out of the /48 or /56 subnet your router got from your ISP. The client itself can use its address directly to connect out to the internet, as long as the router firewall allows it. Public addresses are in the 2xxx block in IPv6 (so if they start with fe80 or fdxx they are not public). Then, it's just a question of configuring the firewall to allow traffic to come in to the address+port you are hosting on, forwarding from the WAN IP to an internal IP. Since the internal IPs are in the public range, the firewall just has to allow it.
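Added example (written for this page, not code from the video or from anyone in the thread) that models the three things the reply above and the earlier ULA reply describe: carving LAN /64s out of a delegated /56, telling global (2xxx), link-local (fe80) and ULA (fc00::/7) addresses apart, the destination preference stated in the thread (global IPv6, then IPv4, then ULA), and the edge firewall's only inbound decision once there is no NAT, namely whether a destination address+port is a published service inside the delegated prefix. The delegated prefix and the published services are constructed documentation values; the preference function is a deliberate simplification of RFC 6724 to the ordering given in the thread.

```python
import ipaddress

# Constructed values: a /56 delegated by the ISP and the services we choose to
# expose on hosts inside it (documentation addresses, not a real network).
DELEGATED_PREFIX = ipaddress.IPv6Network("2001:db8:abcd:100::/56")
PUBLISHED = {
    ("2001:db8:abcd:101::10", 443),   # web server on the first LAN /64
    ("2001:db8:abcd:102::20", 8096),  # media server on the second LAN /64
}

GUA = ipaddress.IPv6Network("2000::/3")   # globally routable unicast ("2xxx"/"3xxx")
ULA = ipaddress.IPv6Network("fc00::/7")   # unique local ("fdxx"), not routed on the internet

# Destination preference as stated in the thread: global v6, then v4, then ULA.
PREFERENCE = {"global": 0, "ipv4": 1, "ula": 2}


def lan_subnets(prefix: ipaddress.IPv6Network, count: int) -> list:
    """First `count` /64s carved out of the delegated prefix, one per LAN/VLAN."""
    return [s for s, _ in zip(prefix.subnets(new_prefix=64), range(count))]


def address_scope(addr: str) -> str:
    """Classify an address the way the reply does: 2xxx global, fe80 link-local, fdxx ULA."""
    a = ipaddress.ip_address(addr)
    if a.version == 4:
        return "ipv4"
    if a in GUA:
        return "global"
    if a.is_link_local:
        return "link-local"
    if a in ULA:
        return "ula"
    return "other"   # loopback, unspecified, multicast, ...


def preferred_destination(candidates: list):
    """Which of a host's candidate destinations a dual-stack client tries first.

    Simplified to the ordering stated in the thread; the full RFC 6724 rules
    also weigh the source addresses the client actually has.
    """
    usable = [c for c in candidates if address_scope(c) in PREFERENCE]
    if not usable:
        return None
    return min(usable, key=lambda c: PREFERENCE[address_scope(c)])


def inbound_allowed(dst: str, dport: int, published=PUBLISHED,
                    delegated: ipaddress.IPv6Network = DELEGATED_PREFIX) -> bool:
    """Edge-firewall decision for an unsolicited inbound packet.

    With no NAT there is nothing to rewrite: the packet already carries the
    real internal address, so the rule is just an allow-list of address+port
    pairs, and anything outside our own delegated prefix is dropped outright.
    """
    a = ipaddress.ip_address(dst)
    if a.version != 6 or a not in delegated:
        return False
    return any(ipaddress.IPv6Address(h) == a and p == dport for h, p in published)


if __name__ == "__main__":
    print([str(s) for s in lan_subnets(DELEGATED_PREFIX, 3)])
    for addr in ("2001:db8:abcd:101::10", "fe80::1", "fd00::1", "192.0.2.1"):
        print(addr, address_scope(addr))
    print(preferred_destination(["fd00::10", "192.0.2.10", "2001:db8::10"]))
    print(inbound_allowed("2001:db8:abcd:101::10", 443), inbound_allowed("2001:db8:abcd:101::10", 22))
```

The allow-list is keyed on the real host address, which is exactly why a changing delegated prefix means touching firewall rules as well as DNS, as a later part of the thread discusses.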
@leonlazic · a year ago
Like most have said, this was a really great and useful explanation. Thank you.
@stuartmallett6334 · a year ago
Thank you for this video, you explained that very well.
@apalrdsadventures · a year ago
Glad it was helpful!
@therealb888 · a year ago
3:06 What's the app with all the text on your laptop? Is it a notes app? With the Evernote death, I'm looking for any help possible.
@apalrdsadventures · a year ago
Visual Studio Code. My website is written in Markdown, so I write out all of my scripts in the same git repository that I use for the website.
@therealb888 · a year ago
@apalrdsadventures Oh cool, I had a hunch it was VS Code. It's a very efficient workflow. On a side note, what if someone wants the privacy of IPv4 CGNAT, or is on a public Wi-Fi network where they don't have control over the network and don't want their devices accessible from the public internet? Won't NAT be useful in that scenario? Or is it a case of the firewall's responsibility? I'm new to these, so excuse me if I've asked anything dumb. I'd really like you to cover the privacy implications of IPv6: will it make your IP address a permanent unique identifier for tracking you? Thanks to IPv4, ad companies like Google rely on cookies and browser fingerprinting more than IP addresses to uniquely identify and track you. It's easy to deal with such tracking by using free countermeasures like tracker blockers, CookieAutoDelete, user agent changers / script blockers like NoScript etc. How does IPv6 play into this context? I imagine only paid VPNs may be the solution?
@apalrdsadventures · a year ago
So in IPv6 by convention, of the 128-bit address, the first 64 bits identify the network and the last 64 bits identify the host. By convention also, /48 is the longest suffix that is routed on the global internet. This means that the /64 subnet can usually identify your location about as well as your single public IPv4 would have (without CGNAT) for fixed ISPs. A business connection should get a whole /48 and a residential might get a /56 or /60, with nearby houses ('nearby' as within the same headend, not necessarily physically) being within the same /48 or /40 block. For mobile ISPs they assign a /64 when the phone attaches to the network, so it's similar to CGNAT in trackability; you can certainly identify the carrier and the point of presence location as well as you would have in CGNAT IPv4. For the last 64 bits, you can assign them manually, sequentially, or based on the MAC address of the interface (all of which would be easily trackable), but most devices now will assign two random host addresses. The first is the 'permanent' or 'secured' address and is randomly generated and never changed for a given network; the second is a 'temporary' host address which is randomly generated and changed every ~24 hours. Outgoing connections will use the most recent temporary address, previous temporary addresses may be kept if existing connections are still using them, and incoming connections can be addressed to the permanent address, i.e. via DNS. Some OSes will go as far as keeping a list of the permanent address they use for each Wi-Fi network, similar to how they keep unique privacy MAC addresses for each network, so you can't be tracked across multiple networks. So for most purposes on a modern computer the IPv6 host suffix is not trackable across the internet for a long period of time.
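Added example (written for this page, not code from the video or from anyone in the thread) of the 64/64 split the reply above describes and of the two ways the host half can be filled in: the modified EUI-64 mapping from a MAC address (the trackable one, and the one the author says he relies on for servers so the suffix stays put when the prefix changes), shown together with its inverse to make the point that the MAC is recoverable from the address, and an RFC 4941-style random temporary identifier. The /64 prefix and the MAC are constructed documentation values; the temporary-identifier routine is a simplification (the real algorithm also screens reserved identifiers and remembers earlier ones).

```python
import ipaddress
import secrets

# Constructed values: a LAN /64 and a made-up MAC address.
LAN_PREFIX = ipaddress.IPv6Network("2001:db8:abcd:100::/64")
MAC = "00:11:22:33:44:55"


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface identifier (RFC 4291 appendix A) from a 48-bit MAC:
    split the MAC in the middle, insert ff:fe, and flip the universal/local bit
    (0x02 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def mac_from_interface_id(iid: bytes):
    """Undo the EUI-64 mapping; None if the ff:fe marker is absent.

    That this inverse exists is why a MAC-derived host half follows the device
    from network to network, whatever prefix sits in front of it.
    """
    if len(iid) != 8 or iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


def temporary_interface_id() -> bytes:
    """RFC 4941-style temporary identifier: 64 random bits with the u/l bit cleared
    so it can never look like a universally-administered EUI-64 (simplified)."""
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= 0xFD   # clear bit 0x02
    return bytes(iid)


def slaac_address(prefix: ipaddress.IPv6Network, iid: bytes) -> ipaddress.IPv6Address:
    """Append a 64-bit interface identifier to an advertised /64, as SLAAC does."""
    if prefix.prefixlen != 64 or len(iid) != 8:
        raise ValueError("SLAAC needs a /64 prefix and a 64-bit interface id")
    return ipaddress.IPv6Address(int(prefix.network_address) | int.from_bytes(iid, "big"))


def split_address(addr: str):
    """Split a 128-bit address into its /64 network part and its 64-bit interface id."""
    n = int(ipaddress.IPv6Address(addr))
    network = ipaddress.IPv6Network(((n >> 64) << 64, 64))
    return network, (n & ((1 << 64) - 1)).to_bytes(8, "big")


if __name__ == "__main__":
    stable = eui64_interface_id(MAC)
    print("stable:   ", slaac_address(LAN_PREFIX, stable), "->", mac_from_interface_id(stable))
    print("new prefix:", slaac_address(ipaddress.IPv6Network("2001:db8:ffff:1::/64"), stable))
    temp = temporary_interface_id()
    print("temporary:", slaac_address(LAN_PREFIX, temp), "->", mac_from_interface_id(temp))
```

Feeding the same stable identifier to a different /64 yields an address whose last four hextets are unchanged, which is the property that makes a prefix change a find-and-replace job in DNS; the temporary identifier has no such inverse and changes on its own schedule.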
@roopey · a year ago
Well, that's nice and all. Yet I would rather see my stuff behind a correctly configured reverse proxy / application firewall than having to trust Jellyfin or any other service. Emby just recently messed up their implementation, where quite a few users were vulnerable because they put their machines out there without proper protection...
@apalrdsadventures · a year ago
In general a lot of vulnerable web applications are still vulnerable behind a proxy, and unless the proxy is doing mTLS or user auth on its own, it's not going to do much to solve them. Emby had a recent issue with proxy-specific headers which a proxy might have overwritten, but Emby has also had issues like file read vulnerabilities which a proxy won't do anything about. That said, Emby and friends do have more than just HTTP(S) ports, and I know that historically it was a big problem with Plex where people were opening all of the internal ports as well because the documentation listed the ports the app uses. So make sure you know which ports actually should be opened before opening every single port the app binds to.
@James_Knott · a year ago
I've been running IPv6 on my home network for over 13 years. Initially, it was via a 6in4 tunnel, but for the last 7.5 years my ISP has provided native IPv6. I get really annoyed at those who claim IPv4 is good enough, especially when they should know better. I just wish people would get their heads out of the sand and move to IPv6. I know a few people whose ISP provides IPv6, but they won't configure their routers to use it. Stupid!!!
@BroughamBaker · a year ago
I started looking at doing your final design at home about 5 years ago but using Docker, and found out it's not good for IPv6. Came back here from your Frigate video, unhappy to see it is still no better.
@basetwojesus · 4 months ago
Great video! How do you handle assigning fixed IPv6 addresses to your Proxmox nodes, for example? Assuming your ISP does prefix delegation, what happens if your prefix changes? Manually reconfiguring a bunch of devices before they can work again sounds wrong. Am I missing something?
@apalrdsadventures · 4 months ago
I use SLAAC with MAC-based addresses (privacy extensions disabled), so the suffix is consistent. Then I put everything in DNS, where I can find-replace the prefix in one go.
@basetwojesus · 4 months ago
@apalrdsadventures Ah yeah, DNS could definitely help, thanks. Now I've got to figure out updating a bunch of firewall rules too lol
@apalrdsadventures · 4 months ago
Firewall rules can pull from DNS as well.
@ivlis32 · a year ago
If your ISP assigns you a dynamic IPv6 prefix, everything breaks, because when your prefix rotates you need to change every single DNS record and every single firewall rule.
@apalrdsadventures · a year ago
If your (fixed, not mobile) ISP is following recommended practices for v6 deployment you should get a prefix delegation tied to your DHCP lease which shouldn't change as long as you continue to renew the lease. I've only had it change once, when Comcast changed the router on their end. Mobile ISPs are a bit different since prefix allocation is done by the 3GPP side and not DHCP, so it will change more frequently as sessions are allocated/de-allocated.
@cassanvo · a year ago
@apalrdsadventures Too bad if that happens, a lot of issues for businesses. I'd rather have a NATed environment until they come up with a more reliable solution, and that's just a small part of the problem.
@fanshaw, a year ago
You may want to think about IPv6 NAT if you have more than one routed link. Typically for home users, this might be for a 4G/5G backup provided by the ISP for a landline.
@apalrdsadventures, a year ago
It's possible to do 4g/5g backup via manipulating router advertisement priorities, and with this architecture you don't even need the two ISPs to come into the same router (you can feed two separate routers into a switch, as long as they are v6-only). Only get one /64 from a mobile ISP, but for home users that's probably fine.
@zekicay, a year ago
@@apalrdsadventures you can even do NDP proxying and still have separate local networks (IoT, guest) sharing the same /64, and theoretically even mix normal separate /64 from your ISP and share the /64 from 4g/5g backup. It is a hack but IMO less so than NAT as it doesn't break end-to-end.
@jeremiahbullfrog9288, a year ago
NAT was a blessing and a curse: it hobbled the internet along for another couple decades; however they would have had to implement ipv6 much sooner without it. Verizon FIOS still refuses to provide IPv6 in most areas. Very annoying.
@jeremiahbullfrog9288, a year ago
Great presentation. I should have watched the whole video before commenting and I would have seen you address this. The diagrams were very helpful.
@apalrdsadventures, a year ago
In the early days of NAT, some standards authors wanted to just wait for IPng to be finished (later named IPv6), but of course the internet was an absolute mess of numbering already (everyone had just chosen random numbers for private networks and now they were colliding when they joined the public internet) and they couldn't wait for the real solution so we got stuck with NAT.
@autohmae, a year ago
@@apalrdsadventures The YouTube channel "The Serial Port" did a video on the history of NAT and the PIX firewall. In short, NAT was needed because, as you said, people were just choosing random numbers for internal networks and they needed NAT to fix those situations, and then NAT got used for the public Internet later.
@vladislavkaras491, a year ago
Really great video! Thanks for it!
@MarcelodeSouzaSilva, 11 months ago
Could you make an IPv6 "tutorial" in the Omada ecosystem? I searched here on YouTube, but there's nothing specifically about IPv6... just generic configurations.
@apalrdsadventures, 11 months ago
I don't have an Omada router, just APs which are just acting as APs (not the whole SDN setup).
@Technically_Bad, 2 months ago
Really appreciate your videos. I've got a question for you though: how does this end-to-end connectivity work when your IPv6 public IP address is dynamic? You'd need to use DDNS, correct? Then you'd need to set up port forwarding to access whatever service is running locally? I'm looking to start self-hosting using IPv6 to get around CGNAT, but I also want to use my domain name with subdomains. Thanks!
@apalrdsadventures, 2 months ago
Depends on how dynamic it is. Fixed ISPs are *supposed* to treat them as assigned to a subscriber, but not all do. DDNS is the easiest option if it's dynamic. As to port forwarding, there is no port forwarding in v6 since there is no NAT. It's just a firewall rule. I use firewall rules which are based on DNS, so when DNS updates, the firewall will update a few minutes later, and that's good enough for me.
@Technically_Bad, 2 months ago
Interesting, thanks for the reply. Perhaps you can do a video on your setup?
@MaeveFirstborn, a year ago
Gonna watch this whole thing and I'm sure it's incredibly helpful and elucidating but first just out of curiosity, what keyboard is that? I dig it
@apalrdsadventures, a year ago
It’s made by Unicomp - www.pckeyboard.com/page/product/NEW_M
@ByTheRiverHelge, a year ago
The distinctive sound it makes comes from its buckling spring switches. Probably the best mechanical key switches you can get.
@jonesdh63, a year ago
What happens when your ISP changes your /48 subnet?
@apalrdsadventures, a year ago
ISPs are not recommended to change the subnet ever, but occasionally it will change due to network changes on their end (i.e. replacing routers). Usually it will persist for at least a year. But in general, since everything is self-assigned and derived from the delegated prefix, hosts will reconfigure using the new subnet and continue working just fine. DNS will need to be updated. If the hosts are using privacy extensions their suffix will change as well, if not then the suffix will stay the same so DNS changes are easy.
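The two replies above (a stable MAC-derived suffix, then a find-and-replace of the prefix in DNS) as an added Python example, not code from the video or its author. It assumes hosts use EUI-64 interface identifiers, that the ISP delegates a /56 carved into /64 subnets, and uses a constructed dict in place of real AAAA records.

```python
import ipaddress


def eui64_suffix(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, appendix A) from a 48-bit MAC.

    SLAAC without privacy extensions uses this, which is why the host half of the
    address survives a prefix change.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Split the MAC in half, insert ff:fe, and flip the universal/local bit
    # (0x02 of the first octet) as the RFC requires.
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> str:
    """Address a host autoconfigures on the given /64 on-link prefix."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 on-link prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | eui64_suffix(mac)))


def subnet(delegated: str, index: int) -> str:
    """The index-th /64 carved out of a delegated prefix (a /56 holds 256 of them)."""
    net = ipaddress.IPv6Network(delegated)
    if net.prefixlen > 64:
        raise ValueError("delegation is smaller than a /64")
    if not 0 <= index < 1 << (64 - net.prefixlen):
        raise ValueError("subnet index out of range for this delegation")
    base = int(net.network_address) + (index << 64)
    return str(ipaddress.IPv6Network((base, 64)))


def renumber(records: dict, old: str, new: str) -> dict:
    """Rewrite every AAAA record inside the old delegation to the same host bits
    under the new delegation. Records outside the old prefix (ULAs, other sites)
    are returned unchanged.
    """
    old_net = ipaddress.IPv6Network(old)
    new_net = ipaddress.IPv6Network(new)
    if old_net.prefixlen != new_net.prefixlen:
        raise ValueError("delegation size changed; the /64 plan must be redone by hand")
    # Everything below the delegation boundary (subnet id + interface id) is kept.
    host_mask = (1 << (128 - old_net.prefixlen)) - 1
    updated = {}
    for name, addr in records.items():
        a = ipaddress.IPv6Address(addr)
        if a in old_net:
            a = ipaddress.IPv6Address(int(new_net.network_address) | (int(a) & host_mask))
        updated[name] = str(a)
    return updated


if __name__ == "__main__":
    # Constructed sample data: documentation prefixes and a made-up MAC, not real hosts.
    old_pd = "2001:db8:1234:100::/56"
    new_pd = "2001:db8:abcd:2300::/56"
    lan = subnet(old_pd, 5)
    zone = {
        "pve1.lab.example": slaac_address(lan, "00:11:22:33:44:55"),
        "nas.lab.example": "fd12:3456:789a:1::1",  # ULA, untouched by the ISP prefix
    }
    for host, addr in renumber(zone, old_pd, new_pd).items():
        print(host, addr)
```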
@PavelMezentsev, 10 months ago
In case of hosting multiple services reverse proxy makes managing the certificates easier, plus on the firewall one only needs to allow access to reverse proxy instead of a longer list of hosts (there are some exceptions that need more ports but not too many). So the main advantage would be that locally it would skip the router hop. For high bandwidth services it could make sense to manage certificates directly by the services if reverse proxy becomes a bottleneck. Or am I missing something? Overall does not mean IPv6 is not worth it, just that it's not a silver bullet to solve all the problems.
@apalrdsadventures, 10 months ago
It depends, of course.
- In my case I use a layer 4 (TCP) proxy instead of layer 7 (TLS/HTTP), so the proxy doesn't have to decrypt / encrypt the traffic and doesn't hold the certs. The origins can do their own LE challenges to get certs, and TLS-ALPN-01 challenges will pass through layer 4 proxies even if port 80 is not open.
- If you are using a layer 7 proxy, then the traffic from the proxy to the backend is either unencrypted (not good), encrypted using a self-signed cert from the origin (better but not great, unless you use cert pinning), or signed using an internal CA. Alternatively you can use a secure backend network like Nebula instead of TLS to secure backend traffic.
- You're also decrypting/encrypting all of the traffic, which adds load to the proxy (even with AES-NI). For higher bandwidth traffic this means the traffic goes through AES 3 times (on the origin, decrypt on the proxy, encrypt on the proxy).
- As you scale beyond a few users, all of these become significant, but on a home network with only a few users the bandwidth and CPU usage is not huge and it's not that big of a deal.
@therealb888, a year ago
4:00 what application are you using for the diagrams? Looks super helpful!
@apalrdsadventures, a year ago
draw.io for diagrams. It's web based but they also have a client version.
@therealb888, a year ago
@@apalrdsadventures Thank you so much for answering!
@AndersJackson, a year ago
I subscribe to this channel, for IPv6 alone as primary reason. 🙂
@Rockovissi, 8 months ago
IPv6 makes my smart home devices randomly lose connectivity. I disabled IPv6 and never had an issue. The problem is I believe you need it enabled for Thread devices.
@red_ben3487, a year ago
Problem solved with a VPN hosted on my router. All clients use local IPv4 addresses, and clients outside the LAN automatically connect to the VPN.
@TVJAY, a year ago
I have tried to set up IPv6 on my network, but I couldn't get pfSense to work with it.
@rbartsch, a year ago
Great video! 😀 Dynamic IP addresses and NAT broke the internet and created a data privacy nightmare, as the lack of end-to-end connectivity forces us to entrust our private data in plaintext to online services like Facebook, Google, Microsoft, Twitter, etc. If dynamic IP addresses and NAT had not happened, end-to-end encryption would be standard and online services would just be directory services. In my opinion it's very important to show people how to get rid of the IPv4 zombie instead of wasting money and resources to develop life-prolonging techniques like NAT or Port Control Protocol.
@incandescentwithrage, 5 months ago
What a stupid comment. NAT doesn't infer that any leg of the route between you and the service provider will be unencrypted. I'd actually argue the contrary. Reverse proxies allow the use of free, publicly trusted TLS certs from the likes of LetsEncrypt to be used, for services that don't lend themselves to ACME / Certbot. The backend service likely uses a self signed TLS cert. Plaintext to backend just isn't a thing... it's not computationally expensive with AES-NI built into every CPU. Free Dynamic DNS exists, so no idea what you're rattling on about there either.
@WoodenPlankGames, a year ago
My entire ISP does not provide IPv6 in or out. I can't even use it for LAN-only routing due to modem restrictions.
@JohnSmith-yz7uh, a year ago
I guess the reason why IT admins hate IPv6 is because software legacy or not has trouble with IPv4 to IPv6 translation. If everything is IPv6 no problem. I haven't used it internally but using an IPv4 to ping a device is just so simple, but I guess you should use your local DNS for that
@LampJustin, a year ago
If you use DHCPv6, pinging an address without DNS is equally simple. You just need your prefix, and the suffix can be your choice. My prefix is 2001:ea:970f:4f00::/56; IMHO that's pretty reasonable. It's not like you can just do an `ip a sh dev ethX` to remember it anyway.
@mrlazda, 4 months ago
I can imagine how someone can be surprised that for port forwarding the source port and destination port do not need to be the same. When you discover that, all the mess you made magically disappears and you just need to connect to one of your two servers on a non-standard port from outside.
@apalrdsadventures, 4 months ago
That means you are using a nonstandard port though, which makes it harder to put the record in DNS and have it followed by browsers. It also means you're going to a different port inside and outside, and a different IP, and again this makes it much harder to put in DNS.
@mrlazda, 4 months ago
@@apalrdsadventures Port in DNS? Can you explain to me how that works?
@apalrdsadventures, 4 months ago
Usually it doesn't, which means you have to manually type it in the web browser, which makes it a lot more work to connect for the user. HTTPS/SVCB/SRV records all allow you to put in a port number, but the usage of these records client side is not common. Some services do rely on SRV records (especially DNS-SD / mDNS), but HTTPS traffic generally does not do SRV lookups, and HTTPS records are also very uncommon currently and not supported in most DNS servers let alone clients.
@mrlazda, 4 months ago
@@apalrdsadventures Typing the port in the browser is not a problem, and if you use it often you can always bookmark it. And I prefer using non-standard ports for services that don't need to be accessible by the general public (in your example, Home Assistant) for one (stupid) reason: it reduces log size (much less brute-force password attacking; it is not a security measure, it just reduces clutter).
@shokre1984, 6 months ago
So with one firewall I can secure my whole network. Yet when I attach every single device in my home to IPv6, I have to have a firewall on every single device, otherwise I would be a target for attackers. Or do you have some other idea?
@apalrdsadventures, 6 months ago
You still have one firewall on the edge of your network, this doesn't change
@InfinitismYT, 11 months ago
Yo bro, great explanation. Love your video. What application are you using to create the diagram?
@nekieven8597, a year ago
What is this green lock in the topology and what is its purpose?
@apalrdsadventures, a year ago
that's the logo of Caddy, a reverse proxy server. HAProxy is another alternative that I use as well.
@Henfredemars, 11 months ago
I face three main problems with IPv6:
- Crap routers can't handle it. I've seen TP-Links that crumble with more than 100 connections on IPv6 due to really bad firewall code.
- A dynamic prefix from the ISP makes firewall pinholes impossible to write in a portable way with some providers.
- Games that just won't use v6.
@jdratlif, a year ago
There's one point I'm not clear about here. You got your IPv6 addresses from your ISP, right? If not, I don't understand how traffic is routed to you from an external IPv6 network (e.g. Verizon mobile)
@apalrdsadventures, a year ago
Yes, you get a prefix delegation (at least a /64, usually larger) from the ISP. For mobile providers usually you get a /64 assigned via the 3GPP PDU, for everyone else usually you get a /48, /56, or /60 via DHCPv6-PD.
@jdratlif, a year ago
@@apalrdsadventures Awesome, thanks. Unfortunately, I don't think my ISP does IPv6, so it looks like I won't be able to do this right now. ☹️
@therealb888, a year ago
But what if you don't want a static unique public IP?
@JAG_UAR, a year ago
Websites are working but I am unable to download files from the websites. Is there any solution for that?
@max-is-loud, a year ago
What tool are you using in these videos to draw your diagrams?
@apalrdsadventures, a year ago
draw.io
@pingyofdoom, 6 months ago
So, I feel like using a reverse proxy increases my security. Is IPv6 port forwarding bad?
@apalrdsadventures, 6 months ago
Reverse proxying still has security benefits, but there's no need to centralize a single proxy for all services in v6 as there was in v4 (to share the v4 address). Some apps don't natively support TLS or don't support authentication, so reverse proxying those is still good, but you can run the proxy along with the application instead of centrally.
@craigleemehan, a year ago
By using IPv6, does that make all my LAN-connected addresses internet routable? This seems bad for security? Thanks for the content.
@apalrdsadventures, a year ago
Yes, all v6 networks which are connected to the internet are part of the global address space. This means a packet can route directly to any other host, without doing NAT traversal. It doesn't mean the firewall will allow the packet through, just that the packet can be directly addressed all the way to the destination.
@jeremiahbullfrog9288, a year ago
One important side effect is that you will have to pay more attention to your firewall configurations, in fact if you haven't disabled IPv6 in your router, you may have silently been exposed already. A lot of home users have no idea.
@craigleemehan, a year ago
@apalrd's adventures So for neophytes like me, that sounds scary. It would be helpful to have some content on how to properly set up one's security when using IPv6.
@RobinCernyMitSuffix, a year ago
@@craigleemehan very simple, use the default firewall rule to block all traffic, and then you just allow the traffic you want to allow. The idea behind it is the same, no matter if it's legacy IP or IPv6.
@apalrdsadventures, a year ago
Most (all?) of the popular firewall distributions I've seen (Unifi, OPNsense/pfSense, OpenWRT, ...) block all by default on WAN, so there's no change to security if you are using one of those.
@GameP0rt, 9 months ago
How do I host services, like a DNS server or a web server, when my prefix changes every day?
@apalrdsadventures, 9 months ago
Are you in Germany? Apparently German ISPs love changing the prefix every day. ISPs are supposed to keep them stable without making them static, but some ISPs just ... don't. Other than that, you can use link-local addresses (fe80) within the same subnet and unique local addresses (fdxx with a randomly-generated /48) for communication within your network. Link-local addresses are usually used with mDNS, and ULAs are used by some new home automation protocols that rely on IPv6 if they don't have an existing IPv6 network.
@GameP0rt, 9 months ago
@@apalrdsadventures Yes 😄 you are right. I'm from Germany. I asked the ISP to make it static, but they said it's not possible because of privacy reasons. It is only possible for business customers. Your idea is great, but if I want, for example, to host a reverse proxy or something like that, I would need to do 6to6 NAT I guess. That would ruin all the benefits of IPv6.
@apalrdsadventures, 9 months ago
If your DNS side can deal with prefix updates, you can use a static suffix instead of a nat66 setup and let the prefix change. Another option is to continue relying on v4 for hard addresses and give clients v6 to get out to the internet only, so the addresses don't matter.
@GameP0rt, 9 months ago
@@apalrdsadventures Yes, that's what I do for now. Thanks for your replies :)
@immortalmyth5685, a year ago
Pls make a video "How you set up your IPv6 homelab": how services change to IPv6, how to config WireGuard, etc... Thanks
@apalrdsadventures, a year ago
I'm working on an OPNsense basic setup video that fully covers both v4 and v6, then I'll go from there
@immortalmyth5685, a year ago
@@apalrdsadventures Hope the video will come soon. I wanna learn how to manage my services under IPv6 and much more. Thanks again
@bjarnenilsson80, 7 months ago
Not to mention protocols embedding IP addresses in higher level headers (see SIP et al.); not having to deal with ALGs and TURN/STUN on IPv6 will be nice once IPv4 turns into a small minority. On the subject of IPv6 and containers (Docker in my case), is it possible to set things up so that the containers get IPv6 addresses via autoconfiguration (router solicitation + router advertisement)? This can be rather handy in a home lab scenario when your ISP decides to give you a different PD (which for home internet can, depending on ISP, be rather frequent). It would be nice not to have to change IPv6 addresses for numerous containers manually, and not everyone has orchestration rolled out. It might just be me being an idiot but I can't seem to get it to work.
@pawelk1337, a year ago
What are you using for the "explaining" program?
@apalrdsadventures, a year ago
draw.io
@pawelk1337, a year ago
Thanks for the fast reply! @@apalrdsadventures
@daniel29263, a year ago
IPv6 was not designed to bring e2e connections back, it was designed to preserve them; IPv6 was released before NAT (and obviously CGNAT too). Good video though.
@apalrdsadventures, a year ago
Definitely a fun history trip to the early internet. Laughably, RFC 1631 (the original Network Address Translation, what we now call 1:1 NAT) notes that it's just a short-term solution, and the long-term solution is a new protocol with longer addressing. The IPng working group was already active at that time, but wouldn't publish for a few years. RFC 3022 for network address and port translation (NAPT, what we now know as NAT / Masquerade) did come out in 2001, after v6 published in 1998. Maddeningly, they already knew back then that NAPT would break IPsec and FTP and we still struggle with those things today.
@Superturisto, a year ago
Would be a great video: how to build an IPv6 network in a home lab, with Caddy :)
@apalrdsadventures, a year ago
I'm using more than just Caddy, but I definitely like it for dealing with TLS especially
@Superturisto, a year ago
@@apalrdsadventures I have many services in my home lab and I am not sure yet all of them will work with IPv6
@-felt, 7 months ago
I'm in Australia, and neither my mobile ISP nor my home ISP assigns me an IPv6 address, with the exception of my ISP when I was opted in to their bullshit CGNAT. Is it just better in that case for me to continue using IPv4, since I have absolutely no exposure to IPv6 regardless of where I am and what device I'm using?
@isithardtobevegan53, 7 months ago
If you want to have IPv6 you can use a VPN that offers IPv6
@-felt, 7 months ago
@@isithardtobevegan53 I think you're entirely missing the point. The devices have an IPv6 assigned by the router and can be addressed or spoken to directly from the internet using just the IPv6. Using a VPN just adds unnecessary tunneling just as CGNAT does, and requires all other users to be using that VPN. You then run into the trouble of having to separate local and internet traffic, and even further, what parts of the local network a device should still have access to, which yes can still be done with a VPN, but is extremely limited and not as flexible. All that's to say, the VPN would just be doing IPv6>IPv4 conversion for absolutely all traffic, so at that stage you're just IPv4 with a Gucci belt anyway.
@isithardtobevegan53, 7 months ago
@@-felt I did not say that this method of obtaining a global IPv6 address is better than as if your ISP gave you IPv6. Of course it would be better if your ISP gave it to you but, getting it from a VPN is at least better than nothing.
@rong9554, 4 months ago
If everything can route directly through IPv6, great; however, huge loss of privacy and much more security exposure. IPv4 NATs still have their place and will continue for a long time. I'm not excited about a DDoS attack on any private device on my network. If history has taught us anything, it's that if you give the bad guys a foothold or a target to hit, they will.
@arnoldsmit3289, 2 months ago
IPv6 has the same protection out of the box as NAT. Your devices aren't reachable from the outside unless you make a rule on your firewall to allow it, similar exposure as a port forward. Same for DDoS: if my public IPv4 address is getting flooded, I experience a slow or unusable connection; if an IPv6 address is getting flooded, I experience a slow or an unusable connection.
@elalemanpaisa, 5 months ago
I use only v6 internally. Unfortunately I have to do NAT64 and DNS64 because my ISP doesn't provide v6 to us, although the next peer is set up with v6. Ah yes... for v4 we have CGNAT. So a tunnel broker is not an option, and there are no hyperscalers in the country like Oracle, Microsoft or AWS.
@StephenBuergler, a year ago
Do all IPv6 routers block incoming traffic by default?
@legendaryzfps, 7 months ago
Yeah, your firewall will block anything unless whitelisted or an outgoing request.
@StephenBuergler, 7 months ago
@@legendaryzfps Are all routers firewalls?
@legendaryzfps, 7 months ago
@@StephenBuergler Router and firewall are different things BUT: your "router" is most likely an IAD (integrated access device), which combines router, firewall, access point, switch and in some cases VoIP gateway in one device. So the devices known as routers in public are IADs in 99% of the cases, which have a firewall included, and so has yours I think.
@StephenBuergler, 7 months ago
@@legendaryzfps Back in the old IPv4 NAT days I feel like you could more easily rely on there being a firewall because there isn't really another way that could work. Traffic comes into the router/switch/DHCP/wifi thing and there wouldn't be an obvious place to send it. Now it's a matter of configuration. Incoming traffic could be forwarded to the computer, it's just that it should be configured to block it. Another thing that I thought was true was that you couldn't really trust the software on these things. They would have these vulnerable WPS buttons, default passwords everyone knew, telnet ports on the LAN side with a known default password, a UPnP action to disable routing to the internet, WEP, previous owners could have configured them poorly, DNS rebinding attacks, foreign actors messing with them, never updated firmware... Is being configured to not forward incoming IPv6 traffic not in this set of things to worry about? Edit: I just find it hard to trust these things very much, if at all.
@legendaryzfps, 7 months ago
@@StephenBuergler NAT is NOT a security feature. If you don't trust IPv6, which is the only protocol being run by the ISP I've worked for and a Swiss ISP I know of (there is no IPv4; you're able to access the IPv4 Internet via a 6to4 gateway at the ISP)... If you wanna tell me that millions of customers have insecure internet connections by default, I don't know what else to say. I as a network engineer know that IPv6 is secure, and turning on the firewall if it isn't on by default for some reason takes 5 minutes, just as with IPv4.
@Kilraeus, a year ago
One thing I will say: a lot of the new hotness in enterprise WAN and security has little, poor or no IPv6 support, which is going to be a roadblock. E.g. Zscaler, VMware SD-WAN, Cato Networks, Netskope. Also, unfortunately IPv6 NPT seems like the best approach for multiple internet links at a site.
@apalrdsadventures, a year ago
As to multi-WAN, if you're at any sort of business scale you get a (currently free from ARIN) provider-independent prefix and do BGP multihoming. You can get a prefix big enough for the whole operation and split it into /48s for each site. At the very small scale but still multi-WAN, you can advertise both prefixes to clients in RAs and manipulate the lifetime / router priority fields to force clients to choose a prefix for outgoing connections. Moving to a more end-to-end model (relying on TLS all the time and not trusting the 'internal' network blindly) can also reduce the need for large scale overlays.
@Kilraeus, a year ago
@apalrd's adventures Multi-WAN at the DC or large offices, sure; I deal with a lot of redundant connection sites. Most cellular and satellite services will not allow BGP advertisements, and most number registries have fairly stringent requirements for organisations to use multiple ASNs, as would be suggested with retailer sites and the like.
@ThaOriginalGangsta77, a year ago
So what does "IPv6 native" mean on my router?
@wcoile, a year ago
Native IPv6 just means not tunneled.
@OzyMandias359, 8 months ago
Excellent, thank you
@ukyoize, a year ago
At my work they just force people working remotely to use a VPN.
@LampJustin, a year ago
7:53 I just hate these people. Why don't they see the chances of v6, instead of being annoyed by its "length"? As if anyone types their public v4 addresses manually... It's beyond me...
@Blueaankh, a year ago
Guys, I need help. I want to convert my IPv4 to IPv4/IPv6. I have 0 clue on how these work; can someone just please help me out? It's been days I've been trying to figure this out, and my Wi-Fi customer care doesn't even seem to care.
@mindshelfpro, a year ago
Neither my home ISP nor my cell phone internet service offers IPv6 😢
@thewhitefalcon8539, a year ago
Most cellphone devices use IPv6. Your provider is incompetent.
@VileStorms, 9 months ago
I don't have the time to change the IPv6 every 3-6 months when my ISP decides to change it. Thus I disabled it completely. If there's enough IPv6 addresses for trillions of devices, why do ISPs insist on changing them so frequently? One would think static IPs would be default with IPv6...
@jordan70949, a year ago
The reason why IPv6 has grown over the last 10 years is smartphones and cell networks using it. I reckon growth will start to slow down soon.
@thewhitefalcon8539, a year ago
Nope. IPv4 is on the decline. Addresses are getting more expensive and more clients don't need it.
@genovo, a year ago
Very nice!
@crc-error-7968, a year ago
Ciao, a very useful and clear video, but I am still skeptical about IPv6. Maybe because of the tons of videos and articles: "Hacker paradise", "less secure than..." etc. To simplify, are you sure that my laptop is still secure with a global address that exposes it to any site and service on the internet? Also, if I change the ISP I have to reconfigure all the internal network (static addresses, their matches on the unbound, etc). Don't you think that using the ULA and a virtual IP to match the prefix given by the ISP is better? Saluti dall'Italia ;)
@mirror1766, a year ago
As much as I am a fan of moving forward with IPv6, and even have things on the internet not accessible to me that I try to get to without it, I've been dragging my feet in that I didn't want to solve the issue of making sure my devices stay good when no longer behind NAT (=stupid firewall). Just using an old consumer router that needs replacement, and I haven't directed traffic through another computer with better firewall capabilities. Botnets try to abuse everything I let them touch; it seems fun to let them try logging in with disabled login names on services, but then they pull BS like spamming login attempts that will fail with forged packets to have the service participate in a DDoS.
@deepspacecow2644, 7 months ago
Literally just set to deny/deny, like most routers come as default.
@mirror1766, 7 months ago
@@deepspacecow2644 That's the start of my firewall rules. Need to take the time to 'unbreak' IPv6 with it as I try to learn and permit as I go.
@jabadoo5307, a year ago
Are you Italian? It looks like every word you say has a paired hand motion to go along with it. Is there a matrix that shows you get more clicks or does this translate to more views? Really just curious, I don’t believe you do that in everyday conversation.
@apalrdsadventures, a year ago
I do have a lot of hand movements, it probably comes from demonstrating physical things so much
@jabadoo5307, a year ago
@@apalrdsadventures Thanks for the response. While it looks a little over the top, I get it that if you are showcasing or demonstrating items, using hands is pretty effective.
@No1x3N, a year ago
I don't understand what the utility is in supporting IPv6 for home usage if, in the end, you want to preserve the ability to access services in your home network via a proxy and IPv4 from the outside, you'll have to set up all the port forwarding rules anyway. At that point, why bother with IPv6 if IPv4 is still supported everywhere?
@apalrdsadventures, a year ago
Within my network, I don't have to do split-horizon DNS and avoid hairpin routing. While it's not a big deal for all services, tunneling a bunch of stuff up to the router and back can really load the router and the Ethernet link to the router, and similarly it can *really* load the proxy if the proxy is terminating TLS. So now, the only traffic taking that extra step is the minority of traffic that's both outside of my network and on a legacy network.
@thewhitefalcon8539, a year ago
If you only have IPv4 on the outside you could connect to a tunneling service or your own VPN.
@isithardtobevegan53, 11 months ago
Intentionally disabling IPv6 or not using it in 2024 is a crime against humanity
@linearburn8838, 7 months ago
It's kinda funny, I used to use Untangle; they still to this day don't support IPv6 properly, hence why I am on OPNsense now. Although I do miss their easy interface and analytics.
@NazishRais-oj8sk, 3 months ago
Really good
@cassanvo, a year ago
Great presentation, but that brings up some serious security concerns. I guess we will have to rely a lot more on VLANs for network segmentation... I'm very curious about what it's gonna look like in the future...
@apalrdsadventures, a year ago
Why would you need to rely on network segmentation for security any more than you already do? This doesn't change firewall rules or anything, just straightens out packet routing.
@orthodoxNPC, 9 months ago
Allowing all devices to go directly to any other device without any gateways sounds a lot like an unsegmented network. One compromise you lose everything.
@apalrdsadventures · 9 months ago
Any segmentation you are using doesn't change the fact that you have less hops for traffic when you avoid proxies.
@orthodoxNPC · 9 months ago
@apalrdsadventures Yes, I think you are correct that a direct connection will have the best performance in most metrics. But the problem is on the WAN side, where the limitation of the propagation of signals through copper/optical media is much greater than all of the hops combined. Typical store-and-forward processing time of a hop is 100-600 nanoseconds, and that's on hardware from three generations (2016) ago.
@PabloPaiva · 9 months ago
If the problem was IPv4 exhaustion, you just needed to add more octets. IPv6 introduces many features that no one asked for, which simply makes IPv6 not backward compatible, as well as having a terrible addressing design for comfortable human reading. IPv6 is a necessity because there is nothing else for dealing with the exhaustion of IPs; that is why we have to integrate all the services that we can. Unfortunately, after about 20 years, with the inertia that it has, it seems that it is too late for "someone" to recognize "OK, I think we went too far, let's make it simpler" and then propose a smoother transition alternative, perhaps even backward compatible, whose adoption could have been driven by conviction and not by imposition.
@no0ne. · 1 year ago
Tell this to the other channels like NetworkChuck or Crosstalk Solutions 😂
@a24fcsahu6-dv9cy · 16 days ago
Thank you, sir.