The question above for the most part, been reading up on it. Also want to it for learning purposes.
Definitely dual stack if you do. The real benefit of IPv6 is that, supposedly, each of your internal devices can have its own address and be directly accessible, but I don’t think anyone actually wants all of their internal network exposed to the internet. My ISP provides IPv6, but only a single /128 address, so everything still goes through NAT.
Setting it up was definitely a learning process - SLAAC vs DHCP; isc’s dhcpd uses all different keywords for 6 vs 4, you have to run 6 and 4 in separate processes. It’s definitely doable, but I think the main benefit is the knowledge you gain.
Your ISP is doing it wrong, which I guess you already know. I get a /64 net via DHCPv6 for my LAN which is pretty standard.
+1 to dual stack. Too much of the internet is v4 only, missing AAAA, or various other issues. I’ve also had weird issues where a Google/Nest speaker device would fail 50% of the time and other streaming devices act slow/funky. Now I know that means the V6 net is busted and usually I have to manually release/renew. Happens once every few months, but not in a predictable interval.
Security is different, but not worse IMO. It’s just a firewall and router instead of a NAT being added in. A misconfigured firewall or enabling UPnP is still a bad idea with potentially worse consequences.
Privacy OTOH is worse. It used to be that each device included a hardware MAC as part of a statelessly generated address. They fixed that on most devices. Still, each device in your house may end up with a long lived (at least as long as your WAN lease time) unique IP that is exposed to whatever sites you visit. So instead of a unique IP per household with IPv4 and NAT, it’s per network device. Tracking sites can differentiate multiple devices in the house across sites.
This has me thinking I need to investigate more on how often my device IPv6 (or WAN lease subnet) addresses change.
I get a fat /48 network, just in case I need one septillion, two hundred and eight sextillion, nine hundred and twenty-five quintillion, eight hundred and nineteen quadrillion, six hundred and fourteen trillion, six hundred and twenty-nine billion, one hundred and seventy-four million, seven hundred and six thousand and one hundred and seventy-six individual IPs.
IPV6 is pretty wild, we could effectively give every service connecting to every client, in every direction, for every single individual bit its own dedicated address without getting anywhere near using that address space.
Just wait until IoT takes off and every key on your keyboard has a unique address
There’s a bunch of advantages. IPv6 can be useful since your devices can have the same IP both internally and externally. No dealing with port forwarding. No split horizon DNS (where you have different DNS entries for internal vs external). No NAT. No DHCP required for client systems (can just use SLAAC to auto-generate addresses). Much simpler routing. It’s a bit faster. Proper QoS.
I used to use Comcast, who actually have very good IPv6 support. They were the first major US ISP to roll out IPv6 to everyone, around 10 years ago. Unfortunately my current ISP doesn’t have IPv6, but they’re aiming to roll it out this year.
How does that work, having the same IP internally and externally?
A good ISP that supports IPv6 will give you a /64 range. That’s a huge number of IPs, 2^64. Easily enough for every device on your network to have a lot of public IPs. If you use Docker or VMs, you could give each one a public IPv6 address.
When every device on your network can have a public IP, there’s no longer a reason to have private IPs. Instead, you’d use firewall rules for internal-only stuff (ie allow access only if the source IP is in your IPv6 range).
This is how the internet used to work in the old days - universities would have a large IP range, and every computer on campus would have a public IP.
Of course, you’d still have a firewall on your router (and probably on your computers too) that blocks incoming connections for things you don’t want to expose publicly.
A good isp would give you something bigger than a /64 - /56 or /48. something that you can subnet.
old post, but I so wonder why you got downwoted for saying it like it is. a good isp will give you a /56, the minimum best practice. a great isp will give you a /48 you’r router will also participate in the wan /64, but that is just the uplink, and not something that will be used on the lan. https://www.ripe.net/publications/docs/ripe-690/#4--size-of-end-user-prefix-assignment---48---56-or-something-else-
wouldn’t /64 still leave you with 64 bits for you to do whatever? Ipv6 has a 128 bit address. If you can do subnets with a small usable portion of 32 bits, then you certainly can with a full 64 bits
Because devices in your LAN will all be accessible from the internet with IPv6, you need to firewall every device.
It becomes more of a problem for IoT devices which you can’t really control. If you can, disable ipv6 for those.
It’s not necessary to firewall every device. Just like how your router can handle NAT, it should be able to handle stateful firewall too.
Mine blocks all incoming connections by default. I can add (IP, port range) entries to the whitelist if I need to host a service, it’s not really different to NAT port forwarding rules.
The argument for IPv6 that there could be a unique address for 200 devices for every person living on the planet was much more compelling when network security was a more simple space.
Nothing has changed about why that is compelling: NAT sucks and creates nothing but problems.
Network security is almost the same with IPv6.
If you rely on NAT as a security measure you are just very bad at networking.
I mean that, when IPv6 started filtering out to non-specialists, network security wasn’t nearly as complex, and nor was the frequency of escalation what it is today. Back when IPv6 was new(ish), there weren’t widespread botnets exploiting newly discovered vulnerabilities every week. The idea of maintaining a personal network of internet-accessible devices was reasonable. Now maintaining the security of a dozen different devices with different OSes is a full time job.
Firewalling off subnets and limitting the access to apps through a secured gateway of reverse proxies is bot bad networking. That’s all a NAT is, and reducing your attack surface is good strategy.