A few months ago, the awesome provider Init7 has released their
awesome FTTH offering Fiber7 which provides
synchronous 1GBit/s access for a very fair price. Actually, they are by
far the cheapest provider for this kind of bandwith.
Only cablecom comes close at matching them bandwidth wise with their 250Mbits
package, but that’s 4 times less bandwith for nearly double the price. Init7
also is one of the only providers who officially states that
their triple-play strategy is that they don’t do it. Huge-ass kudos for
that.
Also, their technical support is using Claws Mail on GNU/Linux – to give you
some indication of the geek-heaven you get when signing up with them.
But what’s really exciting about Init7 is their support for IPv6. In-fact,
Init7 was one of the first (if not the first) providers to offer IPv6 for
end users. Also, we’re talking about a real, non-tunneled, no strings attached
plain /48.
In case that doesn’t ring a bell, a /48 will allow for 216 networks
consisting of 264 hosts each. Yes. That’s that many hosts.
In eager anticipation of getting this at home natively (of course I ordered
Fiber7 the moment I could at my place), I decided to play with IPv6 as far as
I could with my current provider, which apparently lives in the stone-age and
still doesn’t provide native v6 support.
After getting abysmal pings using 6to4 about a year ago, this time I decided
to go with tunnelbroker which these days also
provides a nice dyndns-alike API for updating the public tunnel endpoint.
Let me tell you: Setting this up is trivial.
Tunnelbroker provides you with all the information you need for your tunnel
and with the prefix of the /64 you get from them and setting up for your own
network is trivial using radvd.
The only thing that’s different from your old v4 config: All your hosts will
immediately be accessible from the public internet, so you might want to
configure a firewall from the get-go – but see later for some thoughts in that
matter.
But this isn’t any different from the NAT solutions we have currently. Instead
of configuring port forwarding, you just open ports on your router, but the
process is more or less the same.
If you need direct connectivity however, you can now have it. No strings attached.
So far, I’ve used devices running iOS 7 and 8, Mac OS X 10.9 and 10.10,
Windows XP, 7 and 8 and none of them had any trouble reaching the v6 internet.
Also, I would argue that configuring radvd is easier than configuring DHCP.
There’s less thought involved for assigning addresses because
autoconfiguration will just deal with that.
For me, I had to adjust how I’m thinking about my network for a bit and I’m
posting here in order to explain what change you’ll get with v6 and how some
paradigms change. Once you’ve accepted these changes, using v6 is trivial and
totally something you can get used to.
- Multi-homing (multiple adresses per interface) was something you’ve rarely
done in v4. Now in v6, you do that all the time. Your OSes go as far as to
grab a new random one every few connections in order to provide a means of
privacy. - The addresses are so long and hex-y – you probably will never remember them.
But that’s ok. In general, there are much fewer cases where you worry about
the address.- Because of multi-homing every machine has a guaranteed static address
(built from the MAC address of the interface) by default, so there’s no
need to statically assign addresses in many cases. - If you want to assign static addresses, just pick any in your /64.
Unless you manually hand out the same address to two machines,
autoconfiguration will make sure no two machines pick the same address.
In order to remember them, feel free to use cute names – finally you got
some letters and leetspeak to play with. - To assign a static address, just do it on the host in question. Again,
autoconfig will make sure no other machine gets the same address.
- Because of multi-homing every machine has a guaranteed static address
- And with Zeroconf (avahi / bonjour), you have fewer and fewer oportunities
to deal with anything that’s not a host-name anyways. - You will need a firewall because suddenly all your machines will be
accessible for the whole internet. You might get away with just the local
personal firewall, but you probably should have one on your gateway. - While that sounds like higher complexity, I would argue that the complexity
is lower because if you were a responsible sysadmin, you were dealing with
both NAT and a firewall whereas with v6, a firewall is all you need. - Tools like nat-pmp or upnp don’t support v6 yet as far as I can see, so
applications in the trusted network can’t yet punch holes in the firewall
(what is the equivalent thing to forwarding ports in the v4 days).
Overall, getting v6 running is really simple and once you adjust your mindset
a bit, while stuff is unusual and taking some getting-used-to, I really don’t
see v6 as being more complicated. Quite to the contrary actually.
As I’m thinking about firewalls and opening ports, actually, as hosts get
wiser about v6, you actually really might get away without a strict firewall
as hosts could grab a new random v6 address for every connection they want to
use and then they would just bind their servers to that address.
Services binding to all addresses would never bind to these temporary addresses.
That way none of the services brought up by default (you know – all those
ports open on your machine when it runs) would be reachable from the outside.
What would be reachable is the temporary addresses grabbed by specific
services running on your machine.
Yes. An attacker could port-scan your /64 and try to find the non-temporary
address, but keep in mind that finding that one address out of 264
addresses would mean that you have to port-scan 4 billion traditional v4
internets per attack target (good luck) or randomly guessing with an average
chance of 1:263 (also good luck).
Even then a personal firewall could block all unsolicited packets from
non-local prefixes to provide even more security.
As such, we really might get away without actually needing a firewall at the
gateway to begin with which will actually go great lengths at providing the
ubiquitous configuration-free p2p connectivity that would be ever-so-cool and
which we have lost over the last few decades.
Me personally, I’m really happy to see how simple v6 actually is to get
implemented and I’m really looking forward to my very own native /48 which I’m
probably going to get somehwere in September/October-ish.
Until then, I’ll gladly play with my tunneled /64 (for now still firewalled,
but I’ll investigate into how OS X and Windows deal with the temporary
addresses they use which might allow me to actually turn the firewall off).
gnegg 