Why dynamic IPv6 subnet allocations for home users are evil

23 June 2009

Currently, a typical home Internet user will be assigned one IP address from their ISP, and then use NAT (Network Address Translation) to share the Internet connection among all their computers. The IP address assigned by your ISP is dynamic, and that is not a problem for the average home user, or even your typical power user.

Setting static IPs on computers is not all that uncommon, even among home users, excluding only the very most technically-illiterate ones. For example, your home router might be 10.0.0.1, and the other desktops in your house might be 10.0.0.10, 10.0.0.11, and so on. Then, if somebody drops by and wants to use your WiFi, they might be assigned an address via DHCP, such as 10.0.0.121.

This won’t work in IPv6 if, and only if, ISPs choose to make your subnet allocation dynamic. I urge ISPs to assign static IPv6 subnets to all their customers.

Why? Well, let me give my reasons. In IPv4, all the home machines in the above example are behind a NAT. This means the private IP address (10.0.0.121) gets dynamically translated to your public IP address (123.12.134.78).

Because of the absence of NAT in IPv6, this can’t happen! Your machine’s IPv6 address is tied to the subnet allocated to you by the ISP. And if your ISP changes your subnet every time you connect to the Internet as they currently do with IPv4, your static IPs will break horrendously.

I am aware of site-local and unique local addresses. These addresses are designed to be used only in a local situation, and not routed to the Internet. In theory, this could solve the problem, by allowing you to have a static local address, and a dynamic global address. In practice, this will not work because:

  • Site-local addresses have been deprecated by RFC 3879.
  • Unique local addresses are considered to be global addresses by current OSes. Wikipedia says that “despite the restricted, local usage of these addresses, they have a global address scope”, which means that your computer will assume either one can get to the Internet.
  • Thus, your source IP may be wrong, and your packet may be filtered and rejected by your ISP, or you may never get a reply, as the message won’t be able to get back to you.
  • Having both unique local and global addresses is confusing to the end-user, unlike link-local addresses, which are clearly marked as such, and are generally non-routable.

Finally, we must look at the reason why dynamic IPv4 addresses are assigned in the first place. I believe the main reason for this is to conserve space. With most of their address space used up, ISPs would have to count on all of their customers not using their Internet connections at the same time. Dynamic IP addresses mean they can effectively over-subscribe their puny IP allocations.

In IPv6, this is not necessary. ISPs typically get a /32 allocation, which if you’re not familiar with CIDR notation, is bleeping huge! With a /32 allocation, an ISP could carve out more than 4 billion /64 subnets (a /64 is suitable for a typical household), one for each of their customers. I don’t think any ISP in the world has 4 billion customers, and if they did, they could get a /31 allocation, which would give them about 8 billion /64 subnets. Plenty of space for static allocations for everyone!
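To make the two points above concrete (a hand-configured address breaks the moment the delegated prefix changes, and a /32 holds far more /64s than any ISP has customers), here is an added Python example using the standard ipaddress module. It is not code from the original post; every prefix in it is constructed from the 2001:db8::/32 documentation range, and the scope classifier is a plain prefix check, not a claim about how any particular OS treats unique local addresses.

```python
import ipaddress

# Added example (not from the original post): IPv6 prefix delegation arithmetic.
# All prefixes below are constructed from the 2001:db8::/32 documentation range.

def subnets_in_allocation(allocation: str, subnet_prefix_len: int = 64) -> int:
    """Number of /subnet_prefix_len subnets that fit inside an ISP allocation."""
    net = ipaddress.IPv6Network(allocation)
    if subnet_prefix_len < net.prefixlen:
        raise ValueError("subnet must be no larger than the allocation")
    return 2 ** (subnet_prefix_len - net.prefixlen)

def static_host(delegated_prefix: str, interface_id: int) -> str:
    """The address a user would configure by hand: delegated prefix + fixed interface ID."""
    return str(ipaddress.IPv6Network(delegated_prefix)[interface_id])

def still_valid(static_address: str, current_prefix: str) -> bool:
    """Does a hand-configured address still belong to the prefix the ISP is now routing?"""
    return ipaddress.IPv6Address(static_address) in ipaddress.IPv6Network(current_prefix)

def scope_of(address: str) -> str:
    """Classify by well-known prefix: fe80::/10 link-local, fc00::/7 unique local, else global."""
    addr = ipaddress.IPv6Address(address)
    if addr in ipaddress.IPv6Network("fe80::/10"):
        return "link-local"
    if addr in ipaddress.IPv6Network("fc00::/7"):
        return "unique-local"
    return "global"

if __name__ == "__main__":
    print(subnets_in_allocation("2001:db8::/32"))   # 4294967296 /64s in a /32
    print(subnets_in_allocation("2001:db8::/31"))   # 8589934592 /64s in a /31
    home = static_host("2001:db8:1234:5678::/64", 0x10)   # user's "static" desktop
    # Same prefix next time you connect: the address still works.
    print(home, still_valid(home, "2001:db8:1234:5678::/64"))   # True
    # ISP hands out a different /64 on reconnect: the static address is now unroutable.
    print(home, still_valid(home, "2001:db8:abcd:1::/64"))      # False
    for a in ("fe80::1", "fd12:3456::1", home):
        print(a, scope_of(a))
```

The `still_valid` check is exactly what silently fails on every machine with a hand-entered address when the delegated prefix moves; the subnet counts are the post's "more than 4 billion" and "about 8 billion" computed rather than estimated.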

In conclusion, I’d like to summarise what I’ve been trying to bring out:

  • People that like to set static IPs on their machines will have them break if their subnet changes.
  • Site-local and unique local addresses only add to the problem, not solve it.
  • There is enough IPv6 address space in a /32 for everybody to have a static subnet.
  • There is no business advantage in giving out dynamic subnets. Do the best thing by your customers and go static.

So, dear ISPs of the world, please make static IPv6 subnets a part of your standard offering — not a “paid upgrade” or anything silly like that. It might work in the NAT’ed world of IPv4, but you will do your IPv6 customers a disservice.

Thanks for reading. :)

IPv6-only OpenArena/ioquake3 server — anyone interested?

21 January 2009

I’m interested in running a test IPv6-only Australian OpenArena or ioquake3 (with Quake 3 data files) server as a showcase for the (relatively) new IPv6 support in the ioquake3 engine, and as a demonstration of a serious game being run over IPv6.

I imagine this being a single event — I cannot imagine that a continuously-run server will garner much traffic over the weeks, so a single weekend could be organised for people to connect up on.

I have 256K (32kB) of bandwidth available here, which can support up to 6 or so players. It’s connected via a tunnel broker from Sydney to Adelaide, so the minimum ping time will be 50ms — though ping times of 100ms would be more typical. For international players, it would be virtually unplayable, unfortunately.

If anyone else has spare server space with good IPv6 connectivity, perhaps they could offer to host a server instead.

With the current status quo of IPv6 connectivity, there’s no way anybody would get a good ping time. That’s not the point. The point is to connect over IPv6 — i.e. do something geeky cool.

So…any interest? Let me know in the comments if you’d be willing to have a frag.

IPv6 certification

20 January 2009

I’ve just become an “IPv6 Sage” according to Hurricane Electric’s free IPv6 certification program.

The program is a series of tests that encourages you to learn about IPv6, and put your skills into practice by setting up tunnels, web servers, mail servers, and DNS configuration that is all IPv6-enabled.

Signing up is easy and free. Just register on the site, and you can begin right away through a series of automated tests. It begins easy, with setting up a tunnel, having your computer pinged, and gets progressively harder with tasks such as setting up an IPv6-enabled web server and mail server. When you have set up each task (e.g. web server), the certification website will connect to your server to verify that it’s all working, and award you the relevant level.

Doing the tests gives you loads of fun (if you are that way inclined), and I highly recommend it to anybody who is remotely interested in system or network administration.

Internode provides 6to4 (but doesn’t announce it)

9 January 2009

I’ve used 6to4 in the past, which impressed me because of the simplicity of its configuration. It uses the specially assigned anycast IP address 192.88.99.1 to magically find the nearest 6to4 router.
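The "magic" is simpler than it looks: a 6to4 prefix is just your public IPv4 address embedded in bits 16–47 of 2002::/16 (RFC 3056), and the anycast relay address from the paragraph above is where the encapsulated packets go. The following added Python example (not code from the post or from Internode) derives the prefix both ways and shows the one sanity check a relay should make; the IPv4 address 192.0.2.4 is a constructed documentation address.

```python
import ipaddress

# Added example (not from the original post): 6to4 prefix derivation per RFC 3056.
# Each public IPv4 address maps to one /48: 2002:<hi16>:<lo16>::/48.
SIXTO4_RELAY_ANYCAST = "192.88.99.1"   # anycast relay address quoted in the post

# Ranges that can never carry a 6to4 prefix (not reachable from the public Internet).
_NON_PUBLIC = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]

def sixto4_prefix(public_ipv4: str) -> str:
    """Return the /48 that a public IPv4 address owns under 6to4."""
    v4 = ipaddress.IPv4Address(public_ipv4)
    if any(v4 in net for net in _NON_PUBLIC):
        raise ValueError("6to4 needs a publicly routable IPv4 address")
    n = int(v4)
    return str(ipaddress.IPv6Network(f"2002:{n >> 16:04x}:{n & 0xFFFF:04x}::/48"))

def embedded_ipv4(sixto4_address: str) -> str:
    """Recover the IPv4 address embedded in any address inside 2002::/16."""
    v6 = ipaddress.IPv6Address(sixto4_address)
    if v6 not in ipaddress.IPv6Network("2002::/16"):
        raise ValueError("not a 6to4 address")
    return str(ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF))

def relay_source_consistent(inner_ipv6_src: str, outer_ipv4_src: str) -> bool:
    """Anti-spoofing check for a relay: the IPv4 address embedded in the inner
    IPv6 source must match the outer IPv4 source of the encapsulating packet."""
    return embedded_ipv4(inner_ipv6_src) == str(ipaddress.IPv4Address(outer_ipv4_src))

if __name__ == "__main__":
    prefix = sixto4_prefix("192.0.2.4")
    print(prefix)                                 # 2002:c000:204::/48
    print(embedded_ipv4("2002:c000:204::1"))      # 192.0.2.4
    print(relay_source_consistent("2002:c000:204::1", "192.0.2.4"))   # True
    print(relay_source_consistent("2002:c000:204::1", "192.0.2.9"))   # False
```

Because the prefix is derived from the IPv4 address, a relay can (and should) refuse encapsulated packets whose outer IPv4 source does not match the embedded one; that mismatch check is also the first thing to look at when 6to4 traffic is being dropped somewhere between you and a relay like the one the traceroute below found.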

Well, most of the time (like when we were signed up with iiNet), if you do a traceroute to 192.88.99.1, you’ll find that the nearest 6to4 router is somewhere in Antarctica, or some lunar base on the Moon — and latency is terrible.

If you’re an Internode customer, you’ll know that they already provide IPv6 access to their customers, but the only documented way for non-Ethernet customers to get on IPv6 is via a Gateway6 tunnel broker that they provide, which is a bit painful to configure.

Well, just out of curiosity, I thought I’d do a traceroute to 192.88.99.1, and lookie what I found:

traceroute to 192.88.99.1 (192.88.99.1), 30 hops max, 40 byte packets
 1  192.168.0.1 (192.168.0.1)  1.026 ms  3.103 ms  3.774 ms
 2  lns10.syd7.internode.on.net (150.101.197.27)  30.188 ms  34.723 ms  39.424 ms
 3  vl114.cor2.syd7.internode.on.net (150.101.120.166)  44.651 ms  49.756 ms  54.390 ms
 4  gi6-0-0-102.bdr1.syd7.internode.on.net (150.101.120.169)  82.688 ms  87.482 ms  92.403 ms
 5  pos2-3.bdr1.adl6.internode.on.net (203.16.212.22)  98.641 ms  111.468 ms  111.975 ms
 6  gi1-22.cor1.adl6.internode.on.net (150.101.225.94)  120.101 ms  50.369 ms  52.897 ms
 7  fa0-0.sixtofour.adl6.internode.on.net (150.101.1.165)  53.626 ms * *

Looks like Internode provide their own 6to4 router, with a ping time of around 50 ms. Awesome!

How to access Gmail and Google Reader over IPv6

25 November 2008

This post is outdated! You probably shouldn’t use this method to access Gmail over IPv6. Instead, find a DNS resolver that is part of the Google over IPv6 program, such as SixXS, Internode, or Hurricane Electric.

I just figured out a really simple and obvious way to access Gmail and Google Reader over IPv6 that doesn’t require the use of hacky portals such as IPv6Gate.

Google already offers their search engine service via IPv6 at ipv6.google.com. This works fine, although it doesn’t work with Gmail or Google Reader, as for some reason, they have not added those services to the ipv6.google.com domain — they only work if you are on the www.google.com domain.

However, there is a way to access Google’s IPv6 server and still retain the www.google.com domain: edit your /etc/hosts file.

To access Gmail and Google Reader via IPv6, add the following line to your /etc/hosts file (if you are on Windows, add it to your C:\Windows\System32\drivers\etc\hosts file):

2001:4860:c003::68 www.google.com mail.google.com

If you are using Firefox, you will need to restart your browser before it picks up the changes (as it uses an internal DNS cache).

You can add support for other services such as Google Images by adding the respective domain names to the end of that line. However, adding Google Maps gets a little tricky, as the map images are served off several different servers. In the comments below, Jari K gives us an /etc/hosts line that adds the map image servers, which apparently works.

Please note that the above IPv6 address may have changed since I wrote this post. To find out the most current IPv6 address that Google uses, use the following command:

dig +short aaaa ipv6.google.com

If the IPv6 address that you get from that command is different from the one I posted above, please let me know in the comments!
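Since a hosts entry overrides DNS for as long as it sits in the file, it is worth being able to see exactly which names a hosts file pins, both to maintain the entry from this post and because the same mechanism is what hostile software uses to redirect well-known names. The following added Python example (not code from the post) parses hosts-file text, lists the IPv6 pins, and builds a line of the form used above; the file contents are constructed, with the Google line taken from the post.

```python
import ipaddress

# Added example (not from the original post): audit and build hosts-file entries.
# The contents below are constructed; the Google line is the one quoted in the post.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1   localhost
::1         localhost ip6-localhost
2001:4860:c003::68 www.google.com mail.google.com   # Google over IPv6 (from the post)
192.0.2.10  printer.lan
not-an-address broken.example
"""

def parse_hosts(text: str) -> dict:
    """Map each hostname (lower-cased) to the list of addresses the file assigns it."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # malformed address: skip, don't crash
        for name in fields[1:]:
            mapping.setdefault(name.lower(), []).append(addr)
    return mapping

def ipv6_pins(mapping: dict) -> dict:
    """Only the names hard-wired to an IPv6 address, as this post sets up for Google."""
    return {name: [str(a) for a in addrs if a.version == 6]
            for name, addrs in mapping.items()
            if any(a.version == 6 for a in addrs)}

def hosts_line(ipv6_address: str, *names: str) -> str:
    """Build a line like the one in the post, refusing anything that is not IPv6."""
    addr = ipaddress.ip_address(ipv6_address)
    if addr.version != 6:
        raise ValueError("expected an IPv6 address")
    if not names:
        raise ValueError("at least one hostname required")
    return f"{addr} {' '.join(names)}"

if __name__ == "__main__":
    pins = ipv6_pins(parse_hosts(SAMPLE_HOSTS))
    for name, addrs in sorted(pins.items()):
        print(f"{name:20} -> {', '.join(addrs)}")
    print(hosts_line("2001:4860:c003::68", "www.google.com", "mail.google.com"))
```

Run it against your real file (`open("/etc/hosts").read()` on Unix-like systems, or the Windows path given above) whenever Google's address from the dig command changes; any IPv6 pin for a name you did not add yourself is worth investigating, because the browser will trust it over DNS without complaint.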

I wonder what the likelihood of Google adding AAAA records to the main www.google.com domain is.