I sure wish Starlink supported IPv6. They're a brand new ISP planning for millions of customers and decided from the start they couldn't get enough IPv4 addresses for everyone. Fair enough! But we're stuck with Carrier Grade NAT and it is a drag.
On Starlink it's impossible to host a server socket directly, which makes any peer to peer networking a PITA. Geocoding IP addresses doesn't work so I have to bend over backwards to convince, say, Youtube TV that I'm in the Sacramento metro and not LA where the POP is. Also the shared IP addresses seem to trip a lot of DDOS protection; I fill out 10x as many CAPTCHAs on Starlink as I do on my other ISP. And I sometimes get random network stability problems; a few weeks ago Starlink screwed something up so no one could keep a persistent connection up more than a few minutes. Seems to be fixed now, but I bet it was their CGNAT system.
I realize half the world lives with CGNAT. It's not unusable, at least web browsing works more or less. But IPv6 would solve all these problems. A little surprised that a new ISP created in 2021 wouldn't have IPv6 support as one of their launch features. There are hints they are trying to get it working but it's not an official thing now. Some discussion: https://www.reddit.com/r/Starlink/comments/tjr90n/starlink_i...
This is a feature, not a bug. You can now identify a traffic light on a subconscious level 3x further away than the average driver that has an assigned IPv4.
Where average drivers hesitate upon seeing a yellow light, wondering if they have enough time to go or not, you just know that a slight uptick in speed will get you through the intersection right as that yellow flashes over to red.
That’s a non-sequitur argument. Simply because your parent comment can identify the state of lights faster does not make them any faster at deciding whether to cross them because it doesn’t influence them to make different decisions based on the speed of their vehicle and the distance from the light.
A local ISP told me that they want to get into IPv6 as soon as possible. NATs are getting costly and moving just YouTube traffic to IPv6 would actually help a lot.
The problem is with end user devices that do not use a stable DUID and when the client hits the reset button, it changes. We are probably going to work around this by responding from the closest hop and taking the MAC into account.
The prefix delegated to you does change in many consumer ISP setups, like the upthread poster reported and I've seen in many cases as well. I think repeating your assertion doesn't really advance your argument.
Are you thinking of a scenario where the ISP customers share a single prefix? This would be contrary to all the established best practices and deployment guidance for IPv6 since it wouldn't let you easily subnet. And may get the ISP in trouble with your RIR since it's just extorting customers for access to v6 addresses.
To do NAT, you need to map (external) port numbers to (internal) IP addresses. This is done using connection tracking: tracking the state of the connection and the appropriate mapping.
$470k for a license to do CGNAT at 100gbit/sec. Surely these guys are opening themselves up to be replaced with some cheaper open source based software solution?
> $470k for a license to do CGNAT at 100gbit/sec. Surely these guys are opening themselves up to be replaced with some cheaper open source based software solution?
Good. CGNAT needs to die. Addressing is fundamental and customers deserve not just an address, but their own RANGE, especially now that it's feasible.
i'd love to be able to also ask for the reverse-dns zone to be delegated... if i've got a public subnet, it would be lovely to be able to use it properly.
Software-defined networking is slowly becoming more popular, but it’s always going to be more resource intensive than these enterprise-grade routers that are typically implemented using FPGA / ASICs.
Having said that, I’m often equally baffled at just how expensive modern networking hardware is, but as it’s pretty much all of these carrier grade networking solutions being this expensive, I’m assuming it’s somewhat justified.
That doesn’t take away the fact that NAT just adds an expensive layer of complexity on top of it, and I can imagine that in the long term, IPv6 is starting to become much more attractive.
in a sense, yes.
People claiming software based solutions can match performance of hardware basic ASIC's are simply not thinking about the scale and speeds of modern core routers and switches.
For instance, taken from the blog of Ivan Pepelnjak[0]
> It’s hard to imagine how fast switching ASICs have to work – a modern data center switching ASIC can forward billions of packets per second. For example, the throughput of Broadcom Tomahawk 31 is 12.8 Tbps, and it can switch 8 billion packets per second, or 8 packets every nanosecond.
Another thing which makes routing at large scales with large traffic flows expensive is the separation of the control and data plane. most modern datacenter routers can continue forwarding traffic inside the ASIC while its control plane encounters a failure. (usually for a few 100ms to a second, after that the forwarding table will become stale, and this cannot be refreshed without a control plane).
Having a redundant control plane isn't that expensive, but it becomes harder and harder to keep this failover fast enough if your forwarding plane is pushing more and more individual traffic flows.
Then there are still other items which one can add to a modern router to make it do more but also cost more. (think about accelerated IPsec encryption, MACsec at line rate or DWDM functionality).
I’m not sure the price is justified, however the ISP market is extremely difficult/impossible to break through for startups or any company capable of building their own. It’s a self-fulfilling prophecy, the market is hard to break into (for other reasons besides networking equipment cost) so nobody who can actually do something about it is able to get in.
the cheaper solution is IPv6. if an organization is too resistant to change to implement IPv6, they're going to find themselves subject to exorbitant licencing fees in order to keep using the technology they are stuck on.
That's a laughably low limit. Even the "pro" plan would be marginal for a single person without running into limits from time to time. And nevermind power users that might do something with p2p or have a couple more devices connected to the network.
But that's beside the point. Your home router can easily have millions of connections open (if they didn't skimp on the ram anyway), but if you have CGNAT boxes that do the same for tens of thousands of customers you also have to take into account that they have to move a lot of traffic. This means routing and doing NAT in software won't cut it anymore, but you need dedicated hardware coupled with very fast specialized memory to handle that traffic.
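The connection-tracking mapping described a few comments up (external port to internal address and port), together with the per-subscriber port limits discussed here, as an added Python illustration; this is not code from the thread or from any vendor's CGNAT product. The shared public address, the subscriber addresses from the RFC 6598 shared address space and the quota of two ports per subscriber are constructed sample values:

```python
"""Toy stateful CGNAT: a connection-tracking table that maps each outbound
(proto, subscriber IP, subscriber port, remote IP, remote port) flow to one
port on a shared public IPv4 address, with a per-subscriber port quota.
Added illustration; the quota and all addresses are constructed sample values."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str       # "tcp" or "udp"
    src_ip: str      # subscriber address, e.g. from 100.64.0.0/10 (RFC 6598)
    src_port: int
    dst_ip: str
    dst_port: int


class PortExhausted(Exception):
    """Raised when the subscriber quota or the shared port pool is used up."""


class CGNAT:
    def __init__(self, public_ip, ports_per_subscriber, port_pool=range(1024, 65536)):
        self.public_ip = public_ip
        self.quota = ports_per_subscriber
        # Sorted descending so pop() hands out the lowest free port first.
        self.free_ports = sorted(port_pool, reverse=True)
        self.outbound = {}                       # Flow -> public port
        self.inbound = {}                        # (proto, pub port, remote ip, remote port) -> Flow
        self.per_subscriber = defaultdict(set)   # src_ip -> public ports in use

    def translate_outbound(self, flow):
        """Return the (public_ip, public_port) a subscriber packet is rewritten to."""
        port = self.outbound.get(flow)
        if port is not None:
            return self.public_ip, port          # existing entry: nothing to allocate
        if len(self.per_subscriber[flow.src_ip]) >= self.quota:
            raise PortExhausted(f"{flow.src_ip} already holds {self.quota} ports")
        if not self.free_ports:
            raise PortExhausted("shared public port pool is empty")
        port = self.free_ports.pop()
        self.outbound[flow] = port
        self.inbound[(flow.proto, port, flow.dst_ip, flow.dst_port)] = flow
        self.per_subscriber[flow.src_ip].add(port)
        return self.public_ip, port

    def translate_inbound(self, proto, public_port, remote_ip, remote_port):
        """Look up which subscriber flow a packet arriving at the public address
        belongs to. Entries are keyed on the remote endpoint too, so a packet
        from a remote that was never contacted finds nothing (None)."""
        return self.inbound.get((proto, public_port, remote_ip, remote_port))

    def expire(self, flow):
        """Drop a mapping (idle timeout or TCP close) and return its port to the pool."""
        port = self.outbound.pop(flow, None)
        if port is None:
            return False
        del self.inbound[(flow.proto, port, flow.dst_ip, flow.dst_port)]
        self.per_subscriber[flow.src_ip].discard(port)
        self.free_ports.append(port)  # reused next; a real box would quarantine it briefly
        return True


if __name__ == "__main__":
    nat = CGNAT("203.0.113.5", ports_per_subscriber=2)          # constructed values
    web = Flow("tcp", "100.64.0.10", 40000, "198.51.100.7", 443)
    print(nat.translate_outbound(web))                           # ('203.0.113.5', 1024)
    print(nat.translate_inbound("tcp", 1024, "192.0.2.9", 443))  # unsolicited: None
```

The table is keyed on the full five-tuple, so inbound traffic is admitted only when it matches a flow a subscriber already opened; that is the behaviour behind the "can't host a server socket" and peer-to-peer complaints earlier in the thread. It is also why the box has to hold an entry for every live flow of every subscriber, which is where the memory and hardware cost comes from, and the quota is what a per-subscriber port limit on a plan looks like from the inside.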
You do realise that almost all connections are long-lived, and burst up and down in throughput? So the 10,000 “heaviest” connections right now are not the same as in, say, 3 seconds from now ?
So you propose constantly swapping in and out connections from “hardware NAT” to “software NAT”? What heuristic will you use to decide which connections go where?
Such a heuristic will probably look a lot like QoS, which is even more (much more!) resource hungry than NAT.
At which point will the obvious conclusion be, “maybe the carriers who actually deal with these problems have a point, NAT is indeed a significant amount of complexity, and let’s be happy IPv6 starts to make actual economic sense?”
You’ve basically proposed an absolutely horrible solution, for both the end-user and the ISP. Something tells me you haven’t actually done any actual low level network engineering, and just brush all this off as “how hard can it be”.
how are you going to keep this counter? Do you identify the bytes that are processed in individual flows? Which system will keep track of this? the control plane of the router maybe? great... you just added additional complexity instead of just pushing packets through a forwarding plane.
When an unrecognized flow shows up, punt it to software. Handle the counter there, and if it overflows then you drop the packets. No need to add anything to the control plane.
"punting it to software" from a router with separate control and forwarding planes perspective, is forwarding it to a control plane, instead of relying on the logic programmed inside the ASIC to forward traffic.
because maintaining state for CGNAT tables is far more complex than just forwarding packets. routers doing NAT are thus more expensive than those just doing simple forwarding.
Also, in some countries ISP's need to map the use of a specific ip address to a specific subscriber for law enforcement purposes. CGNAT is no exception to this and creates a large amount of overhead because the public IPV4 prefix space is shared between multiple customers.
compared to rolling out IPv6? definitely, especially in the longer term.
For instance, on most Core/Edge routers (my experience is mainly with juniper MX series, but i assume the model is roughly the same for other vendors), you need specific licenses or interface cards to do stateful services like NAT.
Compared to doing IPv6, which is "just forwarding packets" and doesn't require the hardware to track state in nearly the same manner.
Most serious core/edge hardware vendors also do not put IPv6 behind licenses compared to CGNAT and other NAT-like features, because packet based forwarding is the most basic functionality a router should provide.
Routers which are able to do less state, also are frequently far less expensive.
You’re presenting a false dichotomy. The choice for an ISP today is not “v4 or v6”, it’s either “v4 or v4+v6”. A v6 only connection in the US is unusable.
The v4 fallback can operate on slower equipment if needed. The majority of bandwidth-heavy services support IPv6 (and the slowness will encourage outliers to migrate).
The more traffic you can get onto ipv6 the less stress is on the v4 infrastructure. Each v6 connection is one your CGNAT doesn't have to provide an ipv4 port for.
You don't have to beef up your v4 infra as much though. Think 4 powerful v4 routers instead of 5 or something. If the traffic to the big streaming providers doesn't have to run through these routers, you can save a lot. Same goes for the ipv4 address space you have to rent/buy. The more connections are on ipv6, the less public ipv4 addresses you need to have.
So ipv6 support might be saving you costs already in a dual stack setting.
Take a step back to the wider context of a brand new ISP though. If you’re rushing to market like Starlink appears to be, you either implement just v4 and scale later or implement both v4/v6 up front.
Until there is a bunch of exclusive v6 stuff customers will be up in arms over missing, the answer of which thing to prioritize is obvious.
Yeah I guess it's the same as with the inter satellite communication which is promised for later, but not implemented yet so that they get at least some product out to customers. I don't think dual stack is that hard to do for entirely new networks though.
Also, one of the reasons to do satellite internet is lower latency which is a bit hurt by CGNAT infrastructure.
Last, generally brand new ISPs are in the situation that they have a hard time of getting ipv4 address space. The incumbents, especially the older ones, were around when ipv4 addresses were still plenty so they usually have way less problems with ipv4 address space. Starlink only has 166k ipv4 addresses according to https://ipinfo.io/AS14593 . Compare this to AT&T which has over a hundred million for their AS 7018 https://ipinfo.io/AS7018 alone, and there are other AS numbers they have like AS20057 with 7 million ipv4s. This roughly matches the number of AT&T customers while Starlink has more than double the number of subscribers than its number of public IPs, with growth ahead.
Having your core as v6 only lets you push NAT to limited places (one of the many options for 4x6x4 NAT, including stateless options if you're willing to cut certain corners off v4).
And v6 connections help drop the pressure on NAT resources - and sites that are optimizing for mobile connections are already going to be on IPv6 where possible (due to mobile networks prioritizing v6 traffic for various reasons, including licensing - and NAT resource costs)
CGNAT is just a slightly more fiddly version of DS-Lite (and frankly at this stage your internal network is either v6 or an ad-hoc informally-specified bug-ridden implementation of half of it). You're always going to have to do messy connection tracking stuff with connections going to v4-only sites, the only question is whether you want to do it for connections to v6-enabled sites as well or not.
The same could be said about IPv6. I think the point is that IPv6 scales better with traffic increases, to the point where switching from CGNAT to IPv6 becomes financially attractive.
Unfortunately customers tend to be happier with IPv6 turned off. There are lots of ways to misconfigure IPv6 and have it kinda work but slow and unusable. This is especially the case when you let users bring their own router.
Not really: Like was mentioned upthread, with CGNAT you end up fate sharing the reputation of a single v4 address with other customers, you get CAPTCHAs or just outright lack of service (eg instagram aggressively rate limits per IP). Not to mention worse service with apps that can use end-to-end connectivity when available, like video calls etc.
Many of our customers are on Starlink, and use our service to bypass the CGNAT allowing them to host web servers, SMTP servers, etc. Our service is called Hoppy Network, it provides a unique and publicly accessible IPv4 and IPv6 range over WireGuard.
They recently added a bunch of IPv6 addresses to their GeoIP file, and announced more via BGP, I suspect it's in the works. FWIW, they aren't any more specifically Geo located, so this won't fix your issues.
Starlink was also initially promoted for gaming, where CGNAT is terrible.
Unfortunately Sony doesn't support IPv6 either.
Without the laser links Starlink also never got the latency advantages it was supposed to have for long range gaming (like US to Europe). Instead it goes down to a basestation and then through traditional means, but that may change with the new bigger satellites if the laser part works this time.
Where I live, I can try to use 4G. I get one bar of signal and when it's working I get anywhere from 0.2 to 20Mbps with 700ms (!) latency. It costs $80 for 150Gb a month.
Or I can use Starlink. I get a solid reliable signal, anywhere from 20-250 Mbps with 60ms latency. It costs $110 for unlimited bandwidth.
The real competition where I am is fixed wireless. That's 12 Mbps, 70ms latency, and $100/mo.
All your criticism is valid in the long run but right now, SpaceX's focus is to scale up, focus on usability for majority of its customers and become profitable. Removing any unnecessary feature is a must in order to reduce risk.
IPv6 amounts to a firmware update which the current hardware is and any future hardware will be capable of. The major hurdle in scaling Starlink is fast and cheap deployment of 1000s of satellite hardware. At the moment, the sole focus of SpaceX in relation to Starlink is to get their V2 satellites to orbit in order to keep up with bandwidth demands. V2 requires the Starship system which is yet to make it to orbit.
TL;DR bigger fishes to fry ATM - yes you need IPv6 to scale, no you don't need it right now.
It’s really too bad that ipv6 is only… checks notes… 26 years old now. I realize that may be an unreliable metric, so it’s roughly equivalent to 2.88 react.js lifetimes, or 3.25 vue.js lifetimes.
When the ipv6 spec was released, the latest python release did not yet support list comprehensions.
In other words, there is no reason to not support ipv6 out of the box in 2022.
> there is no reason to not support ipv6 out of the box in 2022
Use the age of a service as the metric, not the absolute year we're in. It's probably reasonable to say that there is little reason not to support IPv6 for an ISP with X years of operation. Starlink is young still.
An analogy is worldwide sales for a new laptop company. You can say that in the age of globalism, there is no reason not to ship to every continent right off the bat. But for a startup with limited cash that has lot of building blocks to lay out, it's a huge risk. They should plan for it, but only branch out when they've got a solid foundation.
A new ISP should implement IPv6 first and then run IPv4 on top of it like T-Mobile. They shouldn't "add" IPv6 because it should have been designed in from the beginning.
They already had IPv6 support while they were still using google cloud for connectivity (not sure why they went with google for their initial phase instead of a more traditional carrier) and when they moved to their own network they disabled IPv6 for some reason.
It's not a function of overlap. If they've determined IPv6 isn't a priority and instead a risk, then it makes no sense to dedicate resources to it right now. It's not as if everything else about the firmware/software is wrapped up and the software team is sitting on their hands doing nothing.
IPv6 isn't a substitution for CGNAT, it's an addition to it. You either have to keep CGNAT or replace it with dedicated IPv4 for each customer. Dedicated IPv4 is most likely too costly given the limited availability. SpaceX is also trying to cut cost aggressively.
Specifically, if a plain router stops working, BGP will route around it, and all you did was drop packets. If NAT stops working, you don’t just drop packets, you drop whole connections. Applications don’t tend to tolerate dropped connections as well as they tolerate dropped packets.
True. As an ISP you are gonna need an IPv4 stack no matter what. Even if that stack is CGNAT'd up the ass. I can't even ping news.ycombinator.com or amazon.com with IPv6.
That is the biggest problem with IPv6. Who is gonna be the first ISP to shut off their IPv4 stack? There is always gonna be some random website that is IPv4.
When all the big services become IPv6, the number of IPv4 megabits will become small.
You might just direct all the v4 traffic via a tunnel to another ISP which specializes in legacy services like IPv4, running SMTP/news servers, etc. Now you've saved all the cost of maintaining all the IPv4 peerings and config.
>When all the big services become IPv6, the number of IPv4 megabits will become small.
Well I have been hearing about the end of IPv4, and IP exhaustion for about 20 years now, and I fully expect people to still be moaning about it 20+ years from now while the majority of the internet still communicates over ipv4
Amen. I dual stacked my home network 10 years ago. 5 years ago I joined an ISP that gave me CGNATv4 and IPv6 and I opted to disable IPv6 at the router.
Why? If you have an IPv4 address, even a dynamic one, then IPv6 may not offer you a lot of practical benefit, but CGNAT-only sucks if you're at all technical.
It sucks if you're non-technical too, it's just harder for non-technical users to figure out the underlying source of any problems they have.
v6 also has better measured performance on webpage load times. Perhaps "pages load slightly slower than they could do" isn't a show-stopping problem, but faster would still be better, right?
CGNAT specifically means you can't have even temporary peer-to-peer connections, e.g. non-server multiplayer games generally won't work. And forget about trying to host anything, dynamic DNS services can't help you here. That to me is a much bigger problem than IPv4 in general being a bit slower.
And adds 20ms+ latency, another complex point of failure, and potential problems depending on the reputation of the IP address block of wherever you're hosting the endpoint. I've used VPNs to smooth over various Starlink problems since I got the service and it helps but it's not a great solution.
Most likely you wouldn't with CGNAT, unfortunately, at least I can't see how. They need to ping your IPv4 address to set up.
As an aside, they also want to ping your IPv6 daily (at least in my logs) to keep the tunnel alive; otherwise quite stable.
I'm fortunate to not have to deal with CGNAT. But still waiting for IPv6. A he.net tunnel works for now for what I need: stable IPv6 for SSH tunneling from my IPv6 mobile.
I can't tell if this is a 'by definition' comment or if you mean that Netflix is the only major service which blocks VPN IPs.
The latter isn't quite true, sometimes a site is having a bad day and sets up Cloudflare rules which make VPN access impractical or impossible, but it's more true than not: I can usually use Netflix off a VPN, just not consistently.
In Germany, where the Google statistics show 64% IPv6 adoption, mobile carriers were actually the last to support IPv6, but even the last mobile carrier enabled it around a year ago.
Now it's mostly businesses that are still not using IPv6.
Over here in America T-Mobile has been IPv6-only with NAT64/464XLAT since the early-mid 2010s.[1] My local cable internet company still doesn't support IPv6 in 2022!
yup, same for my ISP, they just completed a rebrand and finalized a bunch of mergers so maybe they'll finally see this as a cost saving measure and implement it.
Not sure why that's the case for you. I'm on Vodafone/Kabel Deutschland too and got full ipv4/ipv6 dual stack? Is that one of those regional limitations that Vodafone seems to have?
Oftentimes you can just ask the customer service of Vodafone. If you reach a good agent, they will switch you away from CGNAT and you get a proper /56 public routable prefix on your cable line. Also works great for me. Be aware, the Vodafone modem won't forward the prefix for you. Use a Fritzbox or one of the other few cable modems where you get full control.
I think they're extremely scared about their Enterprise github.com customers being unhappy when their IP allowlists or IP address audits are impacted by a switch to allowing v6 addresses, as this will surely lead to tons of headaches for their account managers.
It's mostly impossible to run servers only with IPv6 since for some reason Canonical/Ubuntu decided to require IPv4 for snap, after years of not having any issues with IPv6 only deb mirrors.
Go is also basically bound to IPv4 since it depends on github to pull packages
it's time to make a hall of shame for software that does not allow developers to build IPv6 only going forward.
Neither does DuckDuckGo. Been a feature request for >5 years now.
I'm 99% certain that they turn off IPv6 to avoid complaints. Implementing IPv6 on a frontend load balancer is a trivial networking change. But the only way to ensure an IPv6 connection works is for the user's OS, networking, firewall, router, modem, ISP backend network, ISP DNS resolver, target website DNS, and target website load balancer & firewall, all have IPv6 configured properly. If a single step is misconfigured, or uses IPv6 tunneling/translation, every request might be blocked until the website disables IPv6. So don't support IPv6 at all and you avoid headaches.
Avoiding an unnecessary support headache is the basic reason why IPv6 has existed for 26 years and yet Google can still barely get 40% use for its own website. Everybody loves to design a spaceship, but nobody designs for moving between spaceships mid-launch.
IPv4 servers are reachable by IPv6-only clients. ipv6test.google.com famously has only an A (IPv4) record for a reason.
> God knows what subtle breakages would happen when IPv6 requests come in.
Unless your product deals with the nitty gritty of the networking stack itself, pretty sure everything continues to hum along just fine, if the basics are covered.
Yes, there could be. But in the end, those are just parameters of the specific networks/services that make up the internet.
Considering that routing is not deterministic, you could get vastly different characteristics from point A to point B across the internet at specific times anyways.
No - but I think at some point, you or your customers will see benefits in IPv6, or your clients may require it by policy (some of mine do). No rush, just saying, it takes time, may as well start with bits and pieces now.
As a provider, the main benefit I've seen is that every user has a roughly unique IP. It's easier to audit things. It's really messy when lots of users are behind CGNAT. Another benefit, eventually, is the cost of IPv4 space (but admittedly not a big problem now).
It's less likely that you will do so at a "customer" request, rather it will be ISP/Hosting provider that will start to charge you evermore increasing fees to rent your IP address. As the IPv4 space gets more competitive you will see the fees for routable IPv4 address go up; and conveniently there will be "discounts" to go ipv6. That's when I imagine most businesses will make the switch.
It unfortunately involves CGNATted IPv4, but it's either DS-Lite (https://datatracker.ietf.org/doc/html/rfc6333) where the end-user router emulates a dual-stack network but encapsulates IPv4 traffic on IPv6 from the perimeter to the CGNAT device at the ISP or just plain NAT64/DNS64 (https://datatracker.ietf.org/doc/html/rfc6147) where IPv4 traffic is relayed at dedicated IPv6 addresses operated by the ISP with the help of special DNS (which might be what the GP meant for IPv6-only networks, but it tends to be unreliable for a lot of reasons).
In practice DNS64 is now being removed from a majority of networks because some specialty applications (I say "specialty" but these are work VPNs, conference systems and the like) react badly (because usually they can't understand IPv6 in the first place), replaced by either DS-Lite or plain dual-stack (possibly with CGNAT for IPv4).
I forget this part of IPv6 class (I've literally gone to several IPv6 classes throughout the years but then end up forgetting details because I've yet to use it in production), but since the IPv6 space is so large, it's trivial to put an IPv4 address into it, and so they make NAT 6to4 type gateways that map the IPv4 internet into a block on the IPv6 network.
I'd be surprised if users ever asked you to do that. The driver is usually about your infrastructure reaching the most clients most efficiently, not about users seeing it's 4 instead of 6 and asking for numbers go up.
If your site is largely centrally hosted and doesn't require many IPs then nobody, including you, is going to care if it's v4 or v6 until ISPs stop providing v4 gateway services in the far far future as whether your site supports IPv4 isn't going to change anything for anyone. Well, unless your site is like the HN crowd where hacking for hacking's sake is the point in which case that's actually odd you haven't received an email.
Google is obviously the exact opposite of this use case hence their interest and monitoring of IPv6 support and the latency impact numbers.
Question for the peanut gallery: Suppose I have a legacy ipv4 host which simply cannot do ipv6. Why couldn't I put some black box on my network connection in between my host and my uplink, which translates my host's IPv4 into a 4-over-6 IPv6 address? The black box can accept either v6 traffic and translate it for my host, or v4 and pass it straight through. The host only ever sees v4 traffic. V6-only clients can resolve an AAAA record against my host, and V4 clients can still resolve an A record.
As long as there is sufficient penetration of these black boxes, virtually everything should be able to talk to everything over v6, and the v4 shim can be removed.
I imagine this black box could be a relatively inexpensive ASIC or FPGA that could be a stand-alone widget, baked into hardware network adapters, or just built into routers, middleboxes, etc.
It is easy to make an IPv4 server accept IPv6 connections. It is relatively difficult to make an IPv4 client connect to IPv6 servers, because there aren't enough bits in the 'destination' field.
> I imagine this black box could be a relatively inexpensive ASIC or FPGA that could be a stand-alone widget, baked into hardware network adapters, or just built into routers, middleboxes, etc.
It's not that simple:
- The box has to translate IPv6 address space into IPv4 address space, but it's too big to fit. So the box has to be some kind of stateful reverse NAT, with all the problems that that involves, and the hardware requirements go way up.
- The IPv4-only host might make all sorts of assumptions about IPv4 addresses that are no longer valid. E.g. it might cut off addresses that it detects an attack from - but now as soon as two IPv6 addresses get mapped to the same IPv4 address you're going to block a legitimate user (in fact, since changing IPv6 address is easy, you're probably going to pretty quickly block the whole internet). E.g. it might expect to use an IPv4 geoIP database. E.g. it might be speaking a protocol like FTP where it's supposed to make an outbound connection to the client, so now your middlebox has to not only keep track of TCP streams but also the details of every protocol you want to be able to support.
At waipu.tv (Video streaming) we have 64% of users connected via IPv6. Compared to 2021 adoption has stalled. 2020 was 56%. waipu.tv is Germany-only traffic.
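The two directions of the "black box" idea above, as an added Python illustration that is not code from the thread. The IPv4-into-IPv6 direction uses the RFC 6052 well-known prefix 64:ff9b::/96, which is real and is the kind of mapping the earlier comment about putting the IPv4 internet into a block of the IPv6 network refers to; the ReverseMapper, its two-address pool and the client addresses are a constructed toy to show why the IPv6-to-IPv4 direction needs state and what happens to unrelated clients once the pool is used up:

```python
"""Stateless IPv4 -> IPv6 embedding (RFC 6052) versus the stateful IPv6 -> IPv4
pool mapping a translator in front of an IPv4-only host would need.
Added illustration; the pool and client addresses are constructed sample values."""
from ipaddress import IPv4Address, IPv6Address, IPv6Network
from typing import Optional

# RFC 6052 well-known prefix: the low 32 bits carry the IPv4 address.
NAT64_PREFIX = IPv6Network("64:ff9b::/96")


def embed_ipv4(v4: str) -> IPv6Address:
    """Every IPv4 address has exactly one IPv6 form, so no table is needed."""
    return IPv6Address(int(NAT64_PREFIX.network_address) | int(IPv4Address(v4)))


def extract_ipv4(v6: str) -> Optional[IPv4Address]:
    """Inverse of embed_ipv4; None for addresses outside the prefix."""
    addr = IPv6Address(v6)
    if addr not in NAT64_PREFIX:
        return None
    return IPv4Address(int(addr) & 0xFFFFFFFF)


class ReverseMapper:
    """Hypothetical IPv6 -> IPv4 mapper for a legacy host that only sees IPv4.

    128 bits cannot be squeezed into 32, so each IPv6 client is assigned an
    address from a small IPv4 pool and the assignment must be remembered.
    Once the pool is exhausted, unrelated clients share a pool address."""

    def __init__(self, pool):
        self.pool = [IPv4Address(p) for p in pool]
        self.v6_to_v4 = {}
        self.v4_to_v6 = {v4: set() for v4 in self.pool}

    def map_client(self, v6: str) -> IPv4Address:
        client = IPv6Address(v6)
        if client in self.v6_to_v4:
            return self.v6_to_v4[client]
        # An unused pool address if one is left, else the least-shared one.
        target = min(self.pool, key=lambda v4: len(self.v4_to_v6[v4]))
        self.v6_to_v4[client] = target
        self.v4_to_v6[target].add(client)
        return target

    def clients_behind(self, v4: str) -> set:
        """Everyone the legacy host would cut off if it banned this IPv4 address."""
        return set(self.v4_to_v6[IPv4Address(v4)])


if __name__ == "__main__":
    print(embed_ipv4("198.51.100.7"))                    # 64:ff9b::c633:6407
    mapper = ReverseMapper(["192.0.2.1", "192.0.2.2"])   # constructed two-address pool
    for client in ("2001:db8:1::10", "2001:db8:2::10", "2001:db8:3::10"):
        print(client, "->", mapper.map_client(client))
    print(mapper.clients_behind("192.0.2.1"))
```

If the legacy host blocks 192.0.2.1 after seeing abuse from 2001:db8:1::10, clients_behind shows it has also cut off 2001:db8:3::10, and with privacy addresses rotating inside a /64 the affected set only grows. One common mitigation is to key the mapping, and any reputation decision, on the client's /64 rather than the full 128-bit address, so that one network rather than one ever-changing address is what the pool entry and the ban apply to.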
In the UK at least one of our main providers Virgin Media has still not enabled support for IPv6, to the extent that websites such as https://www.havevirginmediaenabledipv6yet.co.uk/ exist to vent frustration
Just a small anecdote (I’m usually based in Asia); Recently I’ve been building a network analysis tool (like mtr) and I wanted to test it on macOS with IPv6 and struggled to find _anywhere_ where I could (i.e. home broadband, office, Internet cafes, mobile hotspot etc).
Of course, spinning up a cloud VM is an easy solution these days, but I was surprised at how poor the IPv6 adoption was where I live.
I appreciate IPv6 link local. mDNS + ipv6 ll addresses on my home network means I can connect to local devices, by name (mydevice.local) regardless of whether or not the router or DHCP/RA+DNS is working.
I recently disabled it on my router because dns would fail to work after a day or 2. When I did more research, it looked like others were running into the same issue, but there was no known fix, so the easiest solution was to disable ipv6 entirely.
I used to go out of my way to get ipv6 working (back when it was "new" I used a bridge service to get access), but I simply do not have the time to figure out what might be wrong with it anymore.
Firewalls are more complex on IPv6 (you need to pass a bunch of ICMPv6 through, to make it work), and some residential routers have very bad or even zero firewall support for ipv6, so your devices, that would otherwise be "protected" (not really) by NAT are now directly visible to everyone on the internet.
This usually isn't a problem for power users (who know how to set up and (re)configure a firewall) nor for most basic users (windows firewall does that for them), but people "in the middle", who install some service and just fully disable the OS's firewall to be able to connect to it, are now vulnerable.
> Firewall rules work exactly the same in IPv6 land as they do in IPv4 land.
Yes, rules do work exactly the same, but with IPv4, you just let all the connections out through, and let just the established and connected ones back.
> Indeed you shouldn't block ICMPv6, but that is not really making anything "more complex".
But it is... you need a bunch of new rules to pass through, limit or block a bunch of ICMPv6 messages.. there's a whole RFC just for that - https://datatracker.ietf.org/doc/html/rfc4890
> Is there a proven set of routers that go through the trouble of supporting IPv6 routing but not include a firewall?
Yeah, a bunch of ISP CPEs have just a single checkmark "IPv6 firewall" on/off, and some older ones not even that (I'm talking about old sagem and innbox equipment I came in contact with, not sure about other telcos and the shitty cpes they give out to the customers).
> Yes, rules do work exactly the same, but with IPv4, you just let all the connections out through, and let just the established and connected ones back.
The same is typically true of IPv6 for default configurations. You aren’t required to allow IPv6 hosts to accept unsolicited incoming traffic.
> But it is... you need a bunch of new rules to pass through, limit or block a bunch of ICMPv6 messages.. there's a whole RFC just for that - https://datatracker.ietf.org/doc/html/rfc4890
With the exception of home agent, mobility and other IPv6-specific messages, many of these recommendations also hold true for IPv4. It’s just that nobody really bothers to think that deeply about it, block all ICMP and then are shocked_pikachu_face when Path MTU discovery etc don’t work.
> Yes, rules do work exactly the same, but with IPv4, you just let all the connections out through, and let just the established and connected ones back
Yeah and? How do you think IPv6 works, it’s exactly the same.
My router’s firewall’s ipv6 section help: “All outbound traffic coming from IPv6 hosts on your LAN is allowed, as well as related inbound traffic. Any other inbound traffic must be specifically allowed here.”
People keep saying "the sky is falling, with ip6 all the hosts are open to the internet" but not really, it is usually one rule.
on openbsd pf:
# block outside connections from initiating connections to your hosts
block in on $external_if from any to $ip6_network
on ip4, if the world was just, you would have the same rule (in ip4). However the world is not just, and you usually only get one address, so you have to pull some shenanigans to spoof that address across all your hosts:
match out on $external_if from $internal_net to any nat-to $external_if
Really we all have a sort of Stockholm syndrome and think yes, this is normal, this is correct and being able to end to end address a host is weird and wrong.
But it is not, because you have to let ICMP pass through, for IPv6 to work (eg. for path MTU discovery to work (no more "classic" fragmentation in ipv6)).
So it's one rule to block incoming traffic, and a bunch of rules to properly allow ICMPv6 to pass through to the internal network (look at the RFC linked above)
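As an added example (not from the thread, not from any project), here is what the "one rule to block incoming, plus the ICMPv6 passes from RFC 4890" looks like as a complete OpenBSD pf.conf for an IPv6 home router. The interface name and the delegated prefix are placeholders; the default deny is the earlier comment's rule, widened to the whole uplink.

```pf
# Added example, not from the thread: minimal OpenBSD pf.conf for an IPv6 home
# router. It keeps a single default-deny rule and adds only the ICMPv6 passes
# that RFC 4890 says a site border firewall must not drop.
# Interface name and delegated prefix are placeholders.
ext_if   = "em0"                  # uplink to the ISP
lan_net6 = "2001:db8:1234::/48"   # placeholder for the prefix your ISP delegates

set skip on lo

# 1. Default deny on the uplink. This is the thread's "one rule", widened to
#    cover the router's own addresses as well as the LAN behind it.
block in on $ext_if inet6

# 2. Everything outbound is allowed. pf keeps state by default, so replies for
#    tracked flows (TCP, UDP, ICMPv6 echo) come back through rule 1 without
#    any further rules.
pass out on $ext_if inet6

# 3. RFC 4890 section 4.3.1: error messages that must reach the inside host,
#    otherwise Path MTU discovery (Packet Too Big) and TCP error handling
#    silently break. pf is last-match, so these passes override rule 1.
pass in on $ext_if inet6 proto icmp6 icmp6-type { unreach, toobig, timex, paramprob }

# 4. Echo Request is optional; RFC 4890 recommends allowing it.
pass in on $ext_if inet6 proto icmp6 icmp6-type echoreq

# 5. Neighbor Discovery on the uplink itself: Router Advertisements from the
#    ISP and Neighbor Solicitation/Advertisement for address resolution.
#    These are not request/response pairs pf can track as state, so they need
#    an explicit pass. They are link-local by definition (RFC 4861), so the
#    source is restricted accordingly.
pass in on $ext_if inet6 proto icmp6 from fe80::/10 icmp6-type { routeradv, neighbrsol, neighbradv }

# 6. Deliberately not passed, so they fall through to rule 1: Redirect (137),
#    Router Renumbering (138) and Node Information Query/Response (139/140),
#    which RFC 4890 section 4.3.3 says to drop at a site boundary.
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -sr` shows the resulting rule order.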
This is what stops me from turning on IPv6 from my provider. The modem has a reasonable IPv4 firewall but jack for IPv6 and I don’t have the time to figure it out.
Not a residential user, but I ran a small p2p gateway for a few hundred users, and I ended up having to disable ipv6 resolution for remote servers because so many servers would just advertise an AAAA address that didn't work, so we got tons of timeouts. I would say this affected maybe 10% of servers. A lot of them seemed to be hosted on Hetzner, but I never got a good sense of the root cause—mostly seemed to be lack of testing or usage, like users who had typoed an ipv6 address or moved their servers and updated their A record without remembering to update their AAAA.
I've disabled it on my router. My reasoning is that I don't know what kind of firewall rules, if any, the router has for ipv6 traffic. If it's just going to forward any valid incoming ipv6 dst address, that would seem like a new risk. I'm happy to be convinced otherwise by knowledgeable folks.
Yes, there are situations like "The crap VPN (hello AnyConnect) my work makes me use doesn't work if IPV6 is enabled. And I could troubleshoot it, but it's easier to disable IPV6 on my PC".
Default config, last I checked, for AnyConnect is to block all ipv6 even if split tunneling it enabled, the client will block all ipv6 unless it has been specifically configured to allow
There's all sorts of things controlled at the head end. As mentioned, didn't troubleshoot it. But, disabling ipv6 on my PC, and then everything works. Turn it back on, nothing works.
Even worse, to this day, Ubiquity still does not support Android IPv6 clients because their internal-facing RA dnsmasq configuration has a bug. It would take an engineer a few hours to fix it; it's a one-line change. It's been reported and tracked internally in their support queue for more than two years; nothing has come of it.
Stuff breaks. I fought this fight a few years back just to educate myself, and the mere presence of IPv6 on the network, DHCPv6 addresses being handed out, AAAA records being returned from the local caching DNS, etc... made all sorts of software loopy. One I remember in particular was that if you hit a default openssh configuration from the local (!) network, even on a link-local address, it would try to do a RDNS lookup and take 6 seconds or somesuch to time out.
I remember a coworker telling me about a TV that would request and accept a DHCPv6 address and then fail hard getting to the internet. Wifi router firmware likewise messes things up, etc...
It frankly just wasn't worth the hassle. Mobile networks that can control and enforce the full stack have been able to make it work. My guess is home/wifi environments will be IPv4/NAT until the end of time, frankly.
Because its an over-engineered pile of shit. The only thing required was an increase in the address space, but we got IPv6 instead, which everyone sane resists to this day. Defaulting to hex addressing only a sheltered engineer would do.
It's not very over-engineered; most parts of it work the same as v4 does, just with bigger addresses.
Writing the addresses in hex is because doing so is easier. It lines up with the binary better which makes subnetting easier, and do you really want to deal with addresses that look like "32.1.13.184.133.163.0.0.0.0.138.46.3.112.115.52"?
In the past there have been cases where firewall defaults were configured incorrectly for IPV6 and stuff would get inadvertently exposed. I don't think that's as common now but I could see just entirely disabling ipv6 to avoid this if you don't want to specifically test to make sure the configuration is correct.
We're still at a point where at least 60% of users (according to Google) are still IPv4-only. I imagine we're still a little far from the tipping point where IPv4 becomes less valuable.
I recently disabled IPv6 on my home network to make firewall rules more manageable, and I was always under the impression IPv6 adoption was slow. So I was pretty surprised to check and see Google user's adoption has reached 40%. I feel like ISPs are a big push for that.
Yes I turn it off because it's always causing unpredictable problems. I actually tried to switch to all IPv6 and that was worse than ipv4 because you still need to run a full ipv4 stack to visit almost anything on the web without a proxy.
I did it before because I assumed it was causing issues and not configuring things on my network properly.
I was wrong and the issues were elsewhere, but it remained disabled on the router for a long time.
I’m generally a person who resists change and I can’t tangibly see the benefits of ipv6; until I realised that “port-forwarding” is an exclusively NAT problem and it’s much easier with ipv6 to just natively open a port on the firewall if I want.
I do. I don't know why, but when debugging some network issues I discovered just shutting IPv6 down fixed the issue. Could it have been a buggy implementation on a single device on the network messing everything up? Maybe. But since I have no real benefit for IPv6, it was trivial to turn off.
It also lets me wait until other people (hopefully) build better privacy systems.
IPv6 has had privacy built in for years now, on every OS available. Your inbound address will remain static and possibly MAC address derived, but unless you're hosting anything on it (or disabled your firewall) your network traffic will be perfectly private.
I've noticed several websites where IPv6 has lower latency than IPv4. The ease of accessing different VMs on cloud providers that will hand out a single IPv4 address, though alternatives like Betternet/Tailscale/Tor will also work around that problem.
"IPv6 has had privacy built in for years now, on every OS available. Your inbound address will remain static and possible MAC address derived, but unless you're hosting anything on it (or disabled your firewall) your network traffic will be perfectly private."
I've tested with IPv6 on and off on several machines over the course of months. Google's search results become wild and unpredictable on the same machines soon after switching to IPv4.
My theory is that they rely on that IPv6 address to know exactly who they are providing results to and thus selling to.
If that theory didn't hold water, there would be exactly zero difference in search results after switching to all IPv4.
I've switched between IPv4 and IPv6 and Google's search results are practically equally bad after switching between either. Unless you're behind CGNAT, I suppose.
I've noticed that many IPv6 address blocks have more up to date location information from parties like Maxmind.
RFC3041 (Privacy Extensions for Stateless Address Autoconfiguration in IPv6) and its successors have been around for 20 years now and are supported in every major operating system.
In fact, macOS is so aggressive about using temporary addresses that I had to turn off SLAAC in order to be able to ssh back into my desktop.
Yeah, we've disabled it at our SMB at the router-level. No real benefit from using it and it causes DNS issues. We were actually advised to do this by our commercial ISP.
Yep, I do. About once a year I try IPv6, and give up after a couple weeks when I keep having weird transient errors that I can't pin down accessing websites and other remote hosts, all of which go away the moment I turn off IPv6.
Maybe it's me, maybe I have a bad config or bad hardware, but it just doesn't work for me.
I have AT&T fiber. I've been running IPv6 for about 2 years now and haven't had any issues at all. iCloud Private Relay also works via IPv4/IPv6, but I have had to disable it once or twice. Who is your ISP? How do sites like https://ipv6-test.com/ and https://test-ipv6.com/ score your connection when you have IPv6 enabled?
Yes. Actually no, not disable, I use Local-Local, there's a rare application here and there that needs to see an IPv6 stack is available then connects normally over IPv4. Google and anyone touting IPv6 can take IPv6 and have a nice day.
I run a personal tech website containing OSS projects, and have been supporting v6 for more than a decade. Currently seeing a few hundred unique visitors per day.
IPv6 has been steady at ~15% of all inbound requests for the past 5 years, with zero signs of increase.
Both my own fixed adsl service and a different mobile carrier do not offer v6, so I have to jump through hoops to verify my server setup.
I realize there are a million ways to leak addresses, but in theory is a private ipv6 space brute forceable? ie: I have every service listen on a port on some IP, they all discover each other through some specific channel (like dns). Assuming the attacker doesn't have access to that channel, they would have to start scanning every ip to try to discover services, yeah?
On a local link, if you know the ipv6 address of one machine you can guess others by getting their device ID (MAC address) and then modifying the known address. So you can use neighbor discovery to find the other MAC addresses to craft the IP addresses.
I think you can also take advantage of router advertisement or client solicitations somehow but I’m not familiar with the details (i.e. passive listening on multicast vis a vis broadcast)
Whoa. I have no idea. I absolutely, 100% certainly, do though. I have Sonic gigabit fiber, and can use IPv6 to connect to remote hosts (and can connect to my LAN from remote hosts on specific ports I have open).
The peaks are on Saturdays so my guess is residential ISPs/personal traffic peaking on weekends while the mon-fri 9-5 are on older legacy IPv4 systems. But that's just a guess as the reason why.
v6 actually has longer headers on average (40B instead of 20B) but is generally more efficient to process because it's a fixed header length.
On the other hand, theoretically IPv4 header length could vary depending on the presence of IP options, so you'd need to compute the offset to continue processing the packet.
(I say theoretically because conventional wisdom is that IP options are unreliable in the face of middleboxes, so they're mostly unused. But compliant IPv4 processors have to calculate the header size anyways...)
"More addresses" has a handful of knock-on benefits; or, perhaps more accurately, ipv6 would let greenfield systems skip out on some workarounds made necessary by not enough addresses.
I just hope ipv6 doesn't have the privacy nightmare that 1 device will always get 1 IP. Currently, the isp I use provides dynamic ip, so on every router restart my ip gets changed. If they start to provide ipv6, I hope they give options to rotate it frequently, so toxic companies like meta, facebook, microsoft can't connect my device & ip.
It rotates about once a day in most operating systems. Called ipv6 privacy extensions. This is of course defeatable, but it provides a nice black hole for a device. It moves on and you can't connect to it anymore.
On a protocol level, there is nothing in ipv6 preventing you from doing NAT. There are only fewer implementations of that, but it doesn't need buy-in from your ISP, as long as you control the router (and if not, you put a second router behind the first one which has your actual network).
I work for a large online service. We barely need your IP to track you. There are _so_ many other variables sites can use to track you. Even when you switch networks completely.
It's not a privacy nightmare. You could just run a proxy on your gateway and your connections would legitimately end up coming from it, but it wouldn't actually do much for your privacy.
Rotating the IP to get similar privacy to what NAT/PAT gave you is annoying. I know with v6 we need to use DNS, but I hate to say it: I miss NAT. I hope they just give us NAT66.
You are mixing up IPv6 prefix rotation and IPv6 privacy extensions, and you don't seem to take into account that IPv4 from most ISPs is much worse (typically, you get an IPv4 address from your ISP via DHCP and keep it nearly forever, nothing to defeat).
With IPv6 each device getting a unique IP is not a bug but a feature -- what will probably happen is that your ISP will lend out a /64 range to you, which your devices will use to assign a unique IP to themselves. This completely removes the need for NAT (also, keep in mind that a NAT is not a firewall or a security feature). BTW, dynamic IP rotation was never a guarantee and is only used because the pool of IPs were small. Use a VPN to avoid FAANG.
NAT itself doesn't provide any protection at all. You can set up NAT in dozens of different configurations (1:1 NAT comes to mind), but in the way consumer routers generally set up NAT, I can see why you'd say that (despite there being standard ways to forward ports without any user intervention such as uPnP). There's nothing "secure" about NAT.
Not having client devices accessible via unique IPs is a great security feature. Certainly an unintended side effect, but NAT is what is dropping unwelcome incoming traffic on consumer devices.
You mean a firewall? NAT doesn’t have to drop any packets. It can translate unknown flows into broadcast packets, forward them to a set ip (dmz), or drop them. NAT is not a firewall, even if some configurations make it kinda sorta, if you squint, look like one.
I don't think that works. A router should decrement the TTL of the frame, and thus showing that there is a router between the host device. The linux default is 64 and windows is 128 IIRC, so you can easily deduce the OS just from looking at the TTL. This can tell you whether an ipv4 device is directly connected. From there, you just need to look at IP ID in the packet and figure out which ones are increasing independently to determine individual devices behind the NAT.
Every ISP I know has their routers set to block incoming traffic by default. With most consumer router SIP ALG being defeated easily (NAT slipstreaming attacks etc) I'd argue that NAT is actually worse for security than just a simple firewall.
1:many NAT requires an affirmative choice on where to route incoming packets that aren't part of an existing stream.
In adaptation to that, most attacks are malware spread by email, or attack browser vulnerabilities, or attack services running on network devices, especially remote management systems.
It's not even technically correct; it's just wrong.
NAT doesn't make any choices on where a packet gets delivered. For packets that aren't part of an existing stream, NAT will simply not edit the packet. Unless there's a separate firewall that chooses to drop it, the packet will get delivered to whatever IP was already in the destination field, which could be the IP of one of your LAN machines.
> For packets that aren't part of an existing stream, NAT will simply not edit the packet.
A 1:1 NAT should generally just swap IP for IP and not know about streams or ports at all.
> Unless there's a separate firewall that chooses to drop it, the packet will get delivered to whatever IP was already in the destination field, which could be the IP of one of your LAN machines.
I would call that a routing rules error, even in the absence of a firewall.
It's sad how much has changed in the past 10+ years. I remember arguments advocating for ipv6 for exact reason. 1 device per 1 ip. Back then, it was seen as something great.
I agree with what you said. It's just interesting how it illustrates how different things are now.
> I remember arguments advocating for ipv6 for exact reason. 1 device per 1 ip. Back then, it was seen as something great.
I remember a bunch of people being horrified by the idea of 1 device per IP. I think it's more a matter of who you were around then the group changing their mind, but maybe that happened too.
The first link mentions no more NAT as an advantage, but I think it's actually one of the big issues holding up adoption. Rightly or wrongly, since the 00's the perception is that sitting directly on the internet with a public address is a big security no-no.
I assume for mobile operators there are advantages for location roaming. I'm not sure when you change cells if IP stays the same, but must be a routing nightmare.
Ooooh, this is actually fun. Your IP does not change, even when switching from LTE, 3G, 4G and 5G. There's an excellent post in the old Sprint forums where a company network engineer explains how it works. I can't find it though, but it's pretty wild.
In brief, it is because internet connectivity on most cellular networks goes through single gateways and devices are effectively "tunnelling" to those gateways. As long as the tunnel stays up and the mobile device is still identifiable on the RAN then the IP address assigned from the internet gateway doesn't need to change.
What I found especially interesting is how it keeps track of the device, especially when transferring from say a LTE capable station to a station that only supports 3G.
What happens to games and in general applications, which are old and only have an IPv4 input field? How is it bridged to IPv6? If a friend only has an IPv6 address, how can I connect to them?
I guess I will have to set up a VPN, which internally uses IPv4 addressing?
I am surprised by such a low number. ISPs and mobile carriers have been supporting ipv6 for years already.
Is it because a large portion of the traffic is done through corporate enterprise networks and proxies? Enterprises are the ones slowing down the adoption of ipv6.
Around 2008, my university (utwente.nl) supported IPv6. Google contacted us, asking if they could wishlist our network for IPv6 Google services. We agreed.
iCloud Private Relay is helping here. The network I’m on right now doesn’t have IPv6 but with iCloud Private Relay enabled visiting the IPv6 testing sites shows IPv6 in use.
Edit: my mind might have been blurred by too many 4s and 6es, whoops. I thought it said "6 IPv6 addresses".
This still doesn't explain why it's six though, although I can think of four simultaneous IPv6 addresses - transient and persistent GUAs (which are accessible to the internet) a ULA (equivalent to IPv4 private address but which is rare in practice) and a link-local address (for communication to the router).
Why can't we paste an ipv6 address into the browser address bar and have it go to that address? I'm forced to open [long brackets ] and then it works. Why!????
Because of colons. Colons separate the different sections of an ipv6 address but HTTP URLs also use colons for the port, so the ipv6 IP must be encompassed in brackets to differentiate between IP and port.
If IPv6 had used dots instead, then addresses like "2001.db8.1.2.3.4.beef.de" would be ambiguous between an IP address and a hostname.
Perhaps they could've required every IPv6 address to use ".." exactly once for zero compression. Then you'd have "..2001.db8.1.2.3.4.beef.de", "2001.db8..beef.de", etc.
I guess the nullary ".." could go in the middle, but that would enshrine the /64 boundary into the addressing scheme, which seems like a leaky abstraction.
Is "2001::0:8080" 2001::0 port 8080, or 2001::0:8080 port 80? There you go. Of course you can argue for automatic conversion when there's no ambiguity.
It's 2001::0:8080 port 80. Require the brackets for specifying a port number with a v6 address, and don't accept a port without the brackets. That way there's no ambiguity.
For added fun, Firefox on Android doesn't even accept the bracketed form. They use a regex to determine if what you entered is a URL and they haven't bothered to add IPv6 support to it. There was an attempt, that got rejected because the regex became too slow, and then the issue was left open.
The “breakage” is happening. It’s just in the form of crappy solutions like CGNAT and DS-lite to work around the shortage rather than the internet just not working at all.
also, ipv4 address space is becoming entrenched by large players because address pricing is becoming very expensive.
Want to start a new service and require global connectivity? Good luck winning IPv4 auctions, because AWS is buying up all address space, even if they are not using it.
They buy it up because they expect it will be needed by their customers, among whom is the US federal government. However, the world did not end, addresses can still be had, and things are still functional. I would say that the doom saying press was alarmist.
What fearmongering? There were a bunch of articles about how we were going to run out of IPv4 addresses, and we have now essentially run out of IPv4 addresses. There's a reason everyone is being a dynamic IP address and hosting servers is hard these days.
Any given resource, as it becomes more scarce, goes up in price thus preventing there ever being zero of the given resource. The “world ending” result that fear mongering press outlets pushed is therefore not possible.
The world isn't going to end just because v4 addresses are scarce (...and I don't think anybody was arguing that it would...), but that doesn't make the problems any less real, expensive or damaging.
The whole removal of nat and directly connecting to the destination with the source address seems like a privacy and security nightmare.. imo..
The security extension thing seems a bit wack. I'd still like all my traffic to originate from a single source and be tagged with that address only. This possible?
Nothing stops you using site- or link-local addresses and NATing to a single (or several) public IPv6 addresses, just as you do with IPv4. There was no "removal of NAT", it's just not necessary any more.
A proper firewall without NAT is generally fine, especially in combination with privacy extensions (which likely overall give better privacy than IPv4+NAT), but if you want to completely conceal the network layout behind your router, go nuts with NAT, no problem.
You can use NAT6 if you insist but there's no reason to. The aforementioned privacy extensions keep you from being tracked long-term based on address alone and your firewall is still blocking incoming traffic.
None of the computers I own personally use IPv6. IPv6 is a bad idea. IPv6 is a straight connection from the Internet through everything in the network, right to the individual machine.
I know it's been repeated a million times by now, but NAT is not a replacement for a firewall. Most residential routers are deny in by default so you get zero incoming connections from the internet unless you open the relevant ports, exactly as with NAT.
NAT is id10t proof though. It takes a concerted effort to set a static internal IP then NAT traffic to it and then allow that traffic through the firewall. The other advantage is that it obfuscates the internal addresses. IPV6 is unnecessarily complex for what it solves. How hard would it have been to just add an additional octet? Pretty sure a large number of those that embrace it just love the opportunity to change something for the sake of change or their boss said do it. I’ll be sticking with IP4 as long as I can or until there is an actual benefit to IP6.
Quite hard, actually, since that's mostly what v6 already does and you can see how many things need to change to accommodate it. Most other parts of v6's design are the same as v4, so it's not really very complicated compared to what we've already got.
(Of course v6 adds more than just one octet, since one additional octet wouldn't be enough even for the current size of the Internet, let alone for future growth. It would be really stupid to go through all this effort, only to have to turn around and do it all again immediately afterwards because you forgot to add enough the first time around.)
Yeah I don’t buy the argument that we would have to do it again immediately. Unless I’m wrong - which I may be - adding an octet would increase the number of IP addresses x 255 give or take. Using the excuse of running out of addresses to do an unnecessary wholesale change is my definition of really stupid.
>IPv6 is a straight connection from the Internet through everything in the network, right to the individual machine.
It's not though. It goes through a router which has a firewall, which is the exact feature you're presumably wanting from a NAT but without any of the annoying downsides.
It's not as simple as that. There's no just "extending" the IPv4 stack unless you're going to "extend" every device that supports IPv4 with it. By that point you might as well just have IPv6.
IPv6 is perfectly backwards compatible with IPv4 with the IPv4-in-IPv6-address embedding and other technologies.
The problem is that IPv4 is not forward-compatible with anything that has a larger address space. Thus an IPv4-only host will never ever be able to communicate with a non-IPv4 host, since there is no way to encode more than 32 bits of information in the IPv4 header.
So you will always end up in this situation where people just won't bother implementing the IPv4-replacement and you cannot simply switch to it.
But why couldn't we just put a middlebox in front of the host which translates a 4-over-6 address to a plain ipv4? The host box still sees only v4 but v6-only devices can still connect to it.
Like I could envision a simple router-like device doing this.
That's not the direction that's the problem - like I mentioned (IPv6 is backwards compatible), NAT64 and so forth boxes exist (but still not great since you have to hold state).
But the problem is that the inverse is not possible. How would an IPv4-only box connect to a non-IPv4 box? How do you encode more than 32 bits of information into the 32-bit destination address field of the IPv4 packet?
> What we needed was an internet protocol with the benefits of IPv6 that runs as an extension to the IPv4 stack.
My understanding is that the reason it's a new version is so existing IPv4 infrastructure would not need to be changed. This "ships in the night" approach has pros and cons, of course, but I'm personally happy to give folks who thought about this problem for many years the benefit of the doubt.
> The current approach to duplicate everything into IPv6 is wasteful and time consuming, proven by the extremely slow adoption rate.
The beauty of the IPv6 approach is that it doesn’t matter how long it takes.
I don't understand how it's "wasteful". Is it wasteful to support 3 versions of HTTP?
Would you care to elaborate what "an internet protocol with the benefits of IPv6 that runs as an extension to the IPv4 stack" actually looks like at the technical level that would give the "backward compatibility" that IPv6 you claim is lacking ?
I read all of the IPv6-ish proposals at the time, and they all had major problems of one kind or another. The chosen proposal "really harmed adoption" when compared to a pie in the sky, not to the other proposals.