2d ago

IPv6 for self hosters

So what is IPv6 and why should you care? IPv6 is intended to be the successor of IPv4 and most people know it for the very large address space. However, it has many other benefits as well and is worth learning for self hosting purposes.

IPv6 features

Huge address space

With IPv6, you no long need to be concerned with the limited address space of IPv4. In IPv6 land devices can have many different IPv6 addresses. You can have a different IPv6 address for each service and with the privacy extensions you can have a different IPv6 addresses for each outgoing connection on your computer.

Simplified subnetting

In IPv6 land everything is done via prefixes. An IPv6 prefix is simply the first half of the address which is used in routing to send traffic where it needs to go. A prefix is typically assigned to a vlan and the prefix is then delegated to all devices in that vlan. Because each device can have multiple addresses you can have each device get a public address and also a private address. A prefix is a /64 and if you want multiple prefixes you can get something like a /56, /48 or /32. (CIDR notation) To get a prefix from an ISP you use something called DHCPv6-PD. This is a lot like normal DHCP but it requests one or more prefixes from your ISP.

SLAAC (Stateless address autoconfig)

With SLAAC, devices pick an address and then verify it isn't duplicated. From there a router will send out a RA (router advertisement) which tells the device what prefix to use. The device then drops the link local prefix and replaces it will a public prefix. The major benefit of this is that you no longer need to keep track of DHCP leases. SLAAC allows networks to self assemble without much setup.

IPv6 security and privacy

IPv6 still needs a firewall to be secure. You should not expose things to the internet without properly securing them and anything that is publicly accessible can be compromised. IPv6 also can create major privacy issues since each device has a public IP. SLAAC and the privacy extensions help a lot as they randomize IPs which makes tracking harder. However, devices still share a public prefix so there still could be privacy issues.

NAT64 to eliminate IPv4

One of the technologies to help eliminate the need for IPv4 is NAT64. NAT64 works by mapping IPv4 address to IPv6 ones by setting a prefix that fills in the upper space of the address. To delicate this prefix to devices you can either use Pref64 or DHCPv6 opt 108. On the device applications see a working IPv4 address since the operating system translates IPv4 to IPv6 before it goes onto the network. You can absolutely keep using IPv4 and NAT64 is only for those who want to be IPv6 exclusive networks.

52 comments

Thanks for posting this. The idea of individual services having their own IP address had never occurred to me and would solve so many issues.
- I always thought it's kind of odd how frivolous we are with IPv6 addresses given the problems that gave us with IPv4. US DoD has like 200 million IPv4 addresses and they probably only use a tiny fraction of that. There's also a bunch of old companies like HP, IBM, and Apple, that have entire /8s, so that's 16 million IPs each. I know IPv6 is ridiculously bigger but we're talking about giving IP addresses to our lightbulbs now at a time we're also looking to inhabit other planets.
  
  You may know IPv6 is ridiculously bigger, but you don't know it.
  There are enough IPv6 addresses that you could give 10^{17 addresses to every square millimeter of Earth's surface. Or 5×10}28 addresses for every living human being. On a more cosmic scale, you could issue 4×10^15 addresses to every star in the observable universe.
  We're not going to run out by giving them to lightbulbs.
  
  But it's 2⁵² addresses for each star in the observable universe. Or in other words, if every star in the observable universe has a planet in the habitable zone, each of them got 2²⁰ more IPs than there are IPv4 addresses.
  
  Going to other planets would require a total re-architecting of our communications infrastructure anyway. There's such distance too it's not really viable to have a shared internet. Even Mars would have up to 22 minute latency at peak. So I don't think it makes sense to plan our current internet around potential future space colonization.
  Even so, IPv6 is truly massive. We could give a /64 to every square centimeter of the Earth's surface and still have IPs to spare. Frankly, I think the protocol itself will be obsolete before we run out.
- Wha??

I reject the notion that a shared prefix raises privacy concerns because the alternative is they all share a single IP address as they do in v4.
Anyway, been v6 for years. Love it. It's just easier to work with, to be honest. It took me a while to get it, but once I rotated my brain a little and stopped thinking in v4 logic then it all clicked. My ISP is insane and gave me a /48, so I have a lot of addresses.
I know my prefix by head, something everyone is still telling me is too hard for them (skill issue). You also don't have to remember 8 hextets, just your prefix. In my case that's only 3, but for you it won't be more than 4. It's not that hard. I zero out all the hextets between my prefix and the last so my v4 and v6 addresses just look like this 192.168.78.160 and 2a05:f6c7:8321::160 respectively. Don't have to remember two addresses when dualstacking.
- Giving a /48 is spec, but a lot of ISPs are too stingy :/
  
  It is spec, but so is /56 and even /64. It's kind of crazy to give me, a residential costumer, a /48
  I appreciate it, though. I like my 3 hextet prefix!
- My ISP only used 6rd ಥ_ಥ

I think I'll die using IPv4 behind NAT along with VPN. 😂
- Why?
  
  What is the impetus for change?
  The things you listed are nice but not game changing for most people.
  
  Likely because they’re old and resist change like me?
  Seriously though it’s such a shift from what I understand I’m very reticent to even start the process. I have a lab at work though that I should really start playing with it at no real risk to anything production. You know what, I’m going to do that next week! Yeah, progress.
  First docker and now IPv6. I’m so cutting edge 🤣
  
  Because I have to learn, understand what you wrote, probably more, and especially internalize its security implications. I currently understand all that for IPv4 and I'm confident I'm not leaving holes open when I self-host services. But of course it's probably a good idea to learn and use IPv6. It's just not free and when you have existing infrastructure and muscle memory on IPv4, there's that much more work. If I was starting anew, I'd probably do it. It's similar with SaltStack. If I was starting anew I'd use Ansible instead.

I was excited for IPv6 in the 90s.
- I took the networking TCP/IP fundamentals class for my first MCSE in 99, and the instructor wouldn’t shut up about how IPv4 would be replaced within 5 years.
- It took a lot of time to mature
  We made progress after the engineers excepted NAT and firewalls

Cool, thx!
For me to switch, I'd need a simple tutorial on how to do it. Something that I could learn and solve first problems within a day or weekend. I hope it's not grub level difficult
- Its really not that hard. Sadly, my ISP doesn't offer IPv6 yet, but for my vServer, enabling IPv6 was just a checkbox during creation. Then, you need to make sure that the service (e.g. webserver) also listens on the IPv6 address and maybe tweak the configuration of the webserver to actually serve websites via IPv6. Also, check your firewall settings. Lastly, you need to set the DNS AAAA records and you're done.
  
  If you need IPv6, you can get a free tunnel from Hurricane Electric. They will give you a /48 if you request it. I used it for years since my old ISP didn't have IPv6. I am close to one of their servers, so the latency was very low.
- What network hardware do you have?
  
  I have no idea. Speedport from vodafone, ipv6 is enabled but I don't use it 😅 I'm not behind some NAT

I still haven’t figured out how to make a firewall rule with slaac on pfsense, with an ISP that hands out addresses at random. It’s my understanding’s slaac is the “right” way to do things, not dhcp and reservations.
Granted, it’s been a minute since I tried so I don’t remember the issues, but as I recall, when ipv6 prefix changes, device gets new IP (and it seems not just the prefix part. I can get the firewall to register IPs into DNS and use a dns based firewall rule, but unbound restarts and blows out its cache when a device joins the network. And there another part to it but it’s all gone fuzzy.
- This is my biggest bugbear about a lot of UK isps. They are dynamically allocating ipv6 prefixes for absolutely no good reason.
  I've only ever done ipv6 using Linux directly as a firewall or a mikrotik router. So cannot help with pfsense I'm afraid.
- Actually how is your ISP giving out IPs to you? Mine uses IPv6 PD to give me a /48. And I then use SLAAC locally on the first /64 prefix on my LAN. Plus another /64 for VPN connections.
  If you mean receiving RA/ND packets from your ISP (which are used to announce IPv6 prefixes) then you need to allow icmpv6 packets (if you don't want to be able to be pinged, just block echo requests, ICMP in v4 and v6 carry important messages otherwise).
  If your ISP uses DHCPv6 Prefix delegation you will need to allow packets to UDP port 546 and run a DHCPv6 client capable of handling PD messages.
  If you have a fixed prefix, then you probably don't need to use your ISPs SLAAC at all. You could just put your router on a fixed IP as
  <yourprefix>
  ::1 and then have your router create RA/ND packets (radvd package in linux, not sure what it would be on pfsense) and assign IPs within your network that way.
  If you have a dynamic prefix.. It's a problem I guess. But probably someone has done it and a google search will turn up how they handled it.
  EDIT: Just clarified that the RA/ND packets advertise prefixes, not assign addresses.
- You probably need private addressing
  SLAAC shouldn't be used with static IPs
  
  The "correct" way to handle "static" addresses with dynamic prefix is using tokenized network interfaces (which is pretty much just the lower 64 bits of the IPv6 address). That will then be used for SLAAC in addition to the randomly generated address. The support for dynamic prefixes in firewalls on Linux and Mikrotik is however still pretty dire (obviously, as it's not an enterprise feature). No clue about BSDs/pfSense

Isn’t sharing a prefix the same as sharing a v4 /32, privacy wise?

I believe the privacy concerns are made moot if all consumer level routers by default blocked incoming untracked connections and you need to poke holes in the firewall for the ports you need.
Having said that, even knowing the prefix it's a huge address space to port scan through. So it's pretty secure too with privacy extensions enabled.
But for sure the onus is on the router makers for now.

I’ve considered using v6 as I host a lot of services from my homelab and it would be great if each had its own address. The question I have is, is v6 prevalent enough that all the clients out there are ready to go and I can just switch my lab servers to v6 and swap my A records with AAAA records, or will I still need to serve up v4 (and therefore, may as well just stick with the topology, reverse proxies, etc. I’ve already got.)
- You start by adding ipv6 and serving both. One side needs to move first. Content providers or isps.
  The big tech companies are using ipv6. In the UK the isps are mostly offering it too.
  Host both and help us move towards dropping Ipv4 some day. It's not going to happen in a day.
- You just need a network that is capable of IPv6

@possiblylinux127
: (
- That is because of the child safety act
  Nothing I can do
- https://lemmy.world/post/30459224

All of this is great but the human brain can only accurately remember a sequence of 8 digit numbers so I think that’s why IPv4 is gonna stick around for a bit. I’ve memorized too many CIDR ranges 🫠

This looks like some kind of weird AI slop, sorry.
- I'm a chat bot and I'm here to serve

No need to put some AI slop in here.
- None of this is AI generated

52 comments