A swift kick in the NATs

[Mark Kaine]

22 hours ago, jagdtigger said:

CGN equipment too, guess which one ISPs going to choose.....

They're pushing ipv6 here hard for years, of course many just turn it off, myself included, it's new, it gets heavily pushed by authorities, games lag like hell if you use it, so of course no one trusts it! 

 

Also im missing an ipv5 standard somewhere, I don't know what they did to him, but it's suspicious! 

 

Tldr: ipv6 is dead

[jagdtigger]

Its not dead, cgn is way worse in terms of breaking things.....

[Mark Kaine]

14 minutes ago, jagdtigger said:

Its not dead, cgn is way worse in terms of breaking things.....

No, because they keep trying to push it, but there are huge security / privacy concerns about it as well. 

 

This is a complicated matter and I admit I don't understand everything about it, but I do know that no one likes it and there are other issues too, like the aforementioned lag in games... That's because ipv4 and ipv6 aren't really compatible afaik, they're using some tunneling tech, which has issues? 

 

Edit:

 

Quote

Germany's Unitymedia uses DS-Lite (DS=dual-stack). It uses a variation of CGNAT. The end user gets a standard IPv6 network, and IPv4 traffic (which of course is the vast majority of traffic) runs through an IPv6 tunnel and is fed into the IPv4 Internet 

 

I can confirm this is trash, I had this ds lite thing, absolutely terrible... Canceled after 2 weeks... 

 

IPv6 is outdated (it's from 1998?) we need something better, without all the security and privacy concerns, that 'just works'. 

 

I know it's an issue with IPv4 Adress contingent also, but imo it would be best to just switch everything as fast as possible, to ipv7 or whatever, but not ipv6 (just imo!) 

[WereCatf]

1 hour ago, Mark Kaine said:

That's because ipv4 and ipv6 aren't really compatible afaik, they're using some tunneling tech, which has issues?

Neither IPv4 or IPv6 requires tunneling, it's just some ISPs that choose to use tunneling.

1 hour ago, Mark Kaine said:

but imo it would be best to just switch everything as fast as possible, to ipv7 or whatever

IPv7 doesn't exist, yet you can still magically say that it'd be better? No, you can't. Newer isn't always better; there have been plenty of cases where a newer design, a newer protocol or whatever has actually been worse the older thing it was set out to replace. Whether IPv7 would be better or not can only be answered after it actually exists.

[jagdtigger]

2 hours ago, Mark Kaine said:

security / privacy

IDK how an addressing protocol has anything to do with these.....

[Mark Kaine]

19 minutes ago, WereCatf said:

Neither IPv4 or IPv6 requires tunneling, it's just some ISPs that choose to use tunneling

What are the alternatives then? 

 

The problem I was trying to point out should be pretty clear, ipv4 and IPv6 are *incompatible*, they always need some kind of translator, which is why there are so many issues, and, well, incompatibilities. 

 

Quote

IPv4 and IPv6 are two completely separate protocols, with separate, incompatible packet headers and addressing, and an IPv4-only host cannot directly communicate with an IPv6-only host. The correct way to do this is to dual-stack one or both hosts so that they run both the IPv4 and IPv6 protocols

 

A theoretical ipv7 would ideally be compatible with ipv4, which may seem impossible, but then it should at least be designed so the switch can be done very quickly, I'm talking a year or so max. 

 

I get it, corporations etc don't want to spend the money for new infrastructure, they rather buy up ipv4 addresses, but "dual stack" isn't the solution, it's terrible (experienced it myself) and also doesn't really solve the issue with the limited ipv4 contingent. 

 

No, I don't have a solution either, but I sure hope there is one. (if we even need one, I guess some countries do more than others) 

 

 

[Mark Kaine]

4 minutes ago, jagdtigger said:

IDK how an addressing protocol has anything to do with these.....

? 

 

It's one of the touted advantages of IPv6. 

Quote

Internet Protocol Security (IPsec) was designed to provide network layer security (authentication and encryption). It was included as a mandatory feature in the IPv6 standards. Many believed, and some still believe, that this gives IPv6 an advantage over IPv4

 

(but there are studies, which I'd need to find, which say the opposite, and say that IPv6 is especially a big privacy concern as well) 

 

 

[WereCatf]

1 minute ago, Mark Kaine said:

What are the alternatives then?

Plain old routing.

1 minute ago, Mark Kaine said:

A theoretical ipv7 would ideally be compatible with ipv4, which may seem impossible, but then it should at least be designed so the switch can be done very quickly, I'm talking a year or so max

Impossible. It can take enterprises 10 years to replace any hardware that doesn't support new protocols, or possibly even longer. Also, there's literally no way you can replace all the consumers' hardware, either, let alone in a year.

 

As for an IPv4-compatible IPv7: no, that'd require reducing MTU drastically, leading to even worse latency.

6 minutes ago, Mark Kaine said:

but "dual stack" isn't the solution, it's terrible

Dual-stack is a perfectly fine solution, there's nothing wrong with it. What you experienced was dual-stack implemented over tunneling, but that was your ISP's decision. I already said that neither IPv4 or IPv6 requires the use of tunneling. Dual-stack using standard routing without tunneling works just fine.

[Mark Kaine]

7 minutes ago, WereCatf said:

It can take enterprises 10 years to replace any hardware

Well there would of course be a law mandating it, with high fines if not done in time... Suddenly it wouldn't be an issue anymore I suppose! 

 

Of course this needed to be a worldwide decision otherwise these companies would just leave... Probably! 

 

And I don't think it would be an issue with consumer hardware (they changed how TV programs are received also without big issues for example) they'll just get a new router from ISP, no prob! 

 

 

12 minutes ago, WereCatf said:

Dual-stack using standard routing without tunneling works just fine.

Thats not what ISPs are telling though, they say it *needs* tunneling. 

 

So any idea why they do this, is tunneling cheaper? 

 

Also tbh , im not even sure what we're arguing, this is about the limited ipv4 contingent, right? 

 

Because otherwise we can just keep doing what we're doing (which includes buying up ipv4 addresses) I bet this can be working for a long time. 

[WereCatf]

1 minute ago, Mark Kaine said:

Well there would of course be a law mandating it, with high fines if not done in time... Suddenly it wouldn't be an issue anymore I suppose!

That's an absolutely horrible idea. If there e.g. turned out to be a vulnerability with the new protocol, literally everyone would be up the shit creek without a paddle. Also, that's again 100% entirely impossible.

4 minutes ago, Mark Kaine said:

Thats not what ISPs are telling though, they say it *needs* tunneling. 

 

So any idea why they do this, is tunneling cheaper?

Ask them. I'm not an ISP or in a position to make any such decisions. Besides which, not all ISPs use tunneling for dual-stack.

7 minutes ago, Mark Kaine said:

Also tbh , im not even sure what we're arguing

We're not arguing, I was correcting you. You think you know more about networking than you actually do and so you end up making false claims and assumptions. I'm not saying that to be mean, I'm just stating a fact.

[Mark Kaine]

1 minute ago, WereCatf said:

Also, that's again 100% entirely impossible.

 

 

7 minutes ago, WereCatf said:

Ask them. I'm not an ISP or in a position to make any such decisions. Besides which, not all ISPs use tunneling for dual-stack.

But if IPv4 and IPv6 are incompatible, how do they communicate? 

 

Thats exactly what they say is not possible, unless tunneling. Now I'm not saying there aren't other ways but I've never heard of them then. 

 

 

12 minutes ago, WereCatf said:

You think you know more about networking than you actually do

Nah, I already said I don't entirely understand how it works, which however doesn't mean I don't know more about it than the average person... I'm basically the network go to guy around here ...

 

(usually I just reset the router lol, but sometimes it's more difficult obviously) 

 

15 minutes ago, WereCatf said:

We're not arguing, I was correcting you

Ah, ok then, I don't mind this, I know some things I think I know about this are wrong. Still I've never heard ipv4 > ipv6 works without tunneling because that's what ISPs, router manufacturers, etc all say around here.

[WereCatf]

1 minute ago, Mark Kaine said:

Still I've never heard ipv4 > ipv6 works without tunneling because that's what ISPs, router manufacturers, etc all say around here

This is an example of you not understanding the concepts. That's not tunneling; tunneling is encapsulating one protocol inside the other, like e.g. sending IPv4-packets inside IPv6-packets, thereby allowing IPv4 to travel over an IPv6-only network. There'd be a router or other device on the other end of the tunnel unpacking those IPv4-packets from within the IPv6-packets. Tunneling does not allow for IPv4-devices to communicate with IPv6-devices or vice versa, that is not what it does.

[Mark Kaine]

4 minutes ago, WereCatf said:

This is an example of you not understanding the concepts. That's not tunneling; tunneling is encapsulating one protocol inside the other, like e.g. sending IPv4-packets inside IPv6-packets, thereby allowing IPv4 to travel over an IPv6-only network. There'd be a router or other device on the other end of the tunnel unpacking those IPv4-packets from within the IPv6-packets. Tunneling does not allow for IPv4-devices to communicate with IPv6-devices or vice versa, that is not what it does.

No, I knew that, and it let's them communicate, just not directly, there's a translation happening, that's the whole point of tunneling.

I was asking how it would work *without* tunneling? 

[Kisai]

1 hour ago, Mark Kaine said:

 

But if IPv4 and IPv6 are incompatible, how do they communicate? 

 

They don't. All hardware and software since 2012 is IPv6 capable. Between 2008 and 2012 there was a mixture of dual-stack and 6-to-4 bridges, where the equipment is ipv6 capable but has to traverse ipv4 space. Prior to 2008 DNS didn't deal with ipv6.

 

Basically what happened prior to 2012, if you had an ipv6 capable system, you needed an ISP or a Teredo relay to access ipv6 services. Post 2012, ISP's are sitting on ip4 addresses and pushing them towards the edge of their network, while the internal networks just rely on ip4 private ranges (10.x.x.x, 172.16.x.x, 192.168.x.x)

 

It's a question of the device "needs" ipv6 so much as wants it. My ISP offers ipv6, my ISP's equipment is ipv6, and the entire route to my servers in California are ipv6. Ipv6 is preferred when both points are ipv6.

 

Failure conditions:

1) Websites running php forums like PHPBB2.x 3.x, Simple Machines, vBulletten, etc, and other user-generated-content sites the ip6 address causes failures on their internal address tracking, so it's impossible to ban an ipv6 user, or users on ipv6 can't post comments or login as it generates a failure in the SQL query.

 

2) IPv6 AAAA records returned for unreachable ipv6 addresses. Prior to 2012 this was an issue, post 2012 this is not an issue except for ipv4 users. Work-around, have users who do not have ipv6 access to the internet, turn ipv6 off. This is caused by the ISP having ipv6 enabled on the CPE but not routing it.

 

3) IPv4 is not part of ipv6 space. ::ffff:192.0.1.1 is not a routed ipv4 address. If you have a mixture of ipv4-only and ipv6-only devices, the ipv6 equipment can not talk to the ipv4 equipment and vice versa, even if they're connected to the same switch.

 

Dual-stack is the only path forward, and ultimately what is going to happen is ipv6 will be used inside and outside so each piece of hardware that needs public internet access has a unique ipv6 address, while every device that is not (eg WAN servers, your home IoT devices) will be auto-configured into ipv6 address space and private ipv4 address, so that if they need internet access, they can only communicate via ipv6.

 

There is no 6-to-4 translation involved in routing.

 

There will also not be any kind of "IP7" or IP8" or whatever. There is literately 340,282,366,920,938,463,463,374,607,431,768,211,456 ip's. Compared to the 4,294,967,296 in ipv4. Until we start needing to assign ip addresses to extraterrestrial planets, this is enough to give every living person 34,000,000,000,000,000,000,000,000,000 IP addresses.

 

IPv6's only failing problem is that a lot of that 12+ year old hardware... is still in service. You can upgrade the OS, but licensing may prevent a practical upgrade, especially things like core routers which may take months to rewire.

[jagdtigger]

4 hours ago, Mark Kaine said:

(but there are studies, which I'd need to find, which say the opposite, and say that IPv6 is especially a big privacy concern as well) 

AFAIK it has privacy extensions, as for security never read anything about ipv6 being worse than 4.....

[jagdtigger]

3 hours ago, Mark Kaine said:

I was asking how it would work *without* tunneling? 

4 and 6 would coexist on the same medium. Like your local network (even if your router doesnt support it some devices use it anyway with link-local addresses, they can do it because L2 switches dont care about the ip).

[WereCatf]

5 hours ago, Mark Kaine said:

No, I knew that, and it let's them communicate, just not directly, there's a translation happening, that's the whole point of tunneling.

No, it's not. Tunneling does not let them communicate, period. I already told you, tunneling simply means that one protocol travels inside the other. It does NOT let the two protocols communicate.

[leadeater]

1 hour ago, WereCatf said:

No, it's not. Tunneling does not let them communicate, period. I already told you, tunneling simply means that one protocol travels inside the other. It does NOT let the two protocols communicate.

Well I think if we circle back to one of the original complaints, I'm pretty lost at this point, pure/native ipv6 communication will not make online game slow or laggy  and there is actually no functional difference when talking about that sort of thing between ipv6 and ipv4.

 

You can have an ipv4 address and an ipv6 address and the game server could also have an ipv4 address and an ipv6 address then you could preference increase each protocol to test them and there will be no difference, if the same route path and layer 2 paths are used going through the same equipment. It's the internet, you can never count on your traffic following the same path from one day to the next using the same protocol. If either ipv6 or ipv4 happens to go on a slightly worse path for what ever reason that isn't a protocol problem.

 

Tunneling on the other hand is entirely different thing, this is only applicable if one end of the communication (or a hop somewhere in the path) does not support either one of the protocols and thus has to be tunneled. However you should never encounter a in path tunnel if both the destination and source support the same protocol. Basically you will only have problems if you only have ipv6, if you have both then you likely won't as anything you want to talk to that does not have an ipv6 address will use ipv4, ipv6 and tunneling will not be used in that situation.

[Mark Kaine]

2 hours ago, jagdtigger said:

AFAIK it has privacy extensions, as for security never read anything about ipv6 being worse than 4.....

 

I really think partly this is a misunderstanding of terminologies, and implementations, like I still don't understand how 4 and 6 connect when they're incompatible, for example in my router it says something like "without tunneling you can't connect to ipv4 if you're only using ipv6" 

 

And that's what I call communication, which might be the wrong way to say it but the thing in my router isn't lying I suppose and is pretty clear "you cannot connect" 

 

As for security, I randomly found this. So they're not saying ipv6 is s security issue, they say tunneling is one. 

 

And that's where I say, without ipv6 there's no reason for *me* to use that tech and it could probably be completely blocked from my firewall. Which it now can't because then I can't connect to ipv6 addresses (if the info in my router is correct) 

 

https://tools.ietf.org/html/rfc6169

 

Also interesting 

 

Quote

The most popular dynamic tunneling technique is 6to4. It has the advantage of not requiring an explicit tunnel set-up. Instead, it uses dedicated relay routers to forward encapsulated IPv6 packets over IPv4 links. A significant advantage of 6to4, is that it lets you set up Ipv6/V4 tunnels without requiring a lot of manual effort. 6To4 uses IPv4 unicast to create point-to-point links over the IPv4 backbone for transmission.

To be used safely, your vendor and network engineers must be sure to set its security up carefully. It's all too easy to hide bad traffic inside the encapsulated packets and to spoof addresses within the IPv4 and IPv6 headers, which can lead to DDOS attacks 

Source: https://www.zdnet.com/article/five-ways-for-ipv6-and-ipv4-to-peacefully-co-exist/

 

So again it's not really ipv6 that's dangerous, it's the "most popular" way of connecting the two protocols. 

 

The question is really is what I said really wrong, or maybe just a misunderstanding of terminologies when I say ipv6 is a security risk. (to me it obviously is because of the ways it's *defacto* implemented ...) 

 

 

1 hour ago, WereCatf said:

No, it's not. Tunneling does not let them communicate, period. I already told you, tunneling simply means that one protocol travels inside the other. It does NOT let the two protocols communicate.

 

So again, I'm not saying this is wrong, I'm simply asking how does a ipv4 only adress connect to a ipv6 only adress...? 

 

You aren't addressing the question, you just say I'm wrong. How is asking questions wrong... 

 

 

For example this is pretty much what I've been saying 

 

Quote

Finally, there's Network Address Translation-Protocol Translation (NAT-PT) aka RFC-2766. This works just like the name says, software or a device translates IPv6 packets into IPv4 packets.

I said things get *translated* then you could have simply said, yes, but not when tunneling... 

 

I'm not even sure there doesn't exist a combination of all those techniques, since somehow they all have to work on the same "network", you know... 

 

[Mark Kaine]

19 minutes ago, leadeater said:

Well I think if we circle back to one of the original complaints, I'm pretty lost at this point, pure/native ipv6 communication will not make online game slow or laggy  and there is actually no functional difference when talking about that sort of thing between ipv6 and ipv4

Thats a good example where I think there's a misunderstanding, and not necessarily my fault, I said this from the beginning I don't use ipv6, so the "question" has always been "how does only ipv4 connect to (only) ipv6? " 

 

 

Maybe that doesn't even work and you need at least one of the two have both? (just guessing) 

 

 

Basically what I think a router does if you choose ipv6, it'll always somehow piggyback ipv4 with the data, could be wrong tho! 

 

 

21 minutes ago, leadeater said:

You can have an ipv4 address and an ipv6 address and the game server could also have an ipv4 address and an ipv6 address

Tho I was thinking of peer to peer, I don't usually play games that use game servers, they do however somehow need to make the matchmaking, think fighting games for example. 

Edited November 5, 2020 by Mark Kaine

[leadeater]

14 minutes ago, Mark Kaine said:

Basically what I think a router does if you choose ipv6, it'll always somehow piggyback ipv4 with the data, could be wrong tho! 

Your router won't make a choice unless it needs to and an example of that is if the destination is on a different protocol. However that's not really a situation you were encountering because if you only have an ipv6 address the router cannot do any translation as it has nothing to translate to, there is no ipv4 address that is has. So in that situation traffic is getting routed as normal over ipv6 and your router will have no understanding that the traffic is going to be tunneled or translated at some point along the way, and it doesn't need to know.

 

Where the performance problems come in is these tunnels are not widely deployed, there are only a limited amount of them, so they are going to be many hop away from the destination you are wanting to talk to which will add latency and the equipment doing the translation is likely very busy so that will also add latency.

 

If you are able to do the translation locally on your network at your router you will actually find the performance will be very good, NAT-PT won't be any slower practically than the NAT that is already being used on your private ipv4 address to your routers public ipv4 address. You can only do this however if your router has an address for both protocols.

[WereCatf]

9 minutes ago, Mark Kaine said:

So again, I'm not saying this is wrong, I'm simply asking how does a ipv4 only adress connect to a ipv6 only adress...?

There exists hybrid dual-stack ( https://en.wikipedia.org/wiki/IPv6#IPv4-mapped_IPv6_addresses ), but almost no one actually uses that, they just use dual-stack proper. Dual-stack means that the devices have both IPv4- and IPv6-addresses and can communicate with other devices using either protocol. NAT-PT is really only suitable for very specific, limited situations and is not widely used, either.

[Mark Kaine]

2 minutes ago, leadeater said:

Where the performance problems come in is these tunnels are not widely deployed, there are only a limited amount of them, so they are going to be many hop away from the destination you are wanting to talk to which will add latency and the equipment doing the translation is likely very busy so that will also add latency.

That makes sense I guess. 

 

I mean for this discussion I do care obviously but when I had "DS-Lite" I didn't really care why, I only understood that every game was laggy as hell and I couldn't do anything about it ...! You know, it was really terrible lol. 

[WereCatf]

4 minutes ago, leadeater said:

Where the performance problems come in is these tunnels are not widely deployed, there are only a limited amount of them, so they are going to be many hop away from the destination you are wanting to talk to which will add latency and the equipment doing the translation is likely very busy so that will also add latency

It's not just the number of extra hops the traffic has to take, but also the reduced MTU and the packing and unpacking of one protocol in another that adds latency. If you have a full IPv4 packet that's going to be sent over an IPv6 - tunnel, that packet has to be split into two, then put inside two IPv6 - packets (assuming typical MTU) and then those two packets have to travel over the tunnel, be unpacked and only then the IPv4 - packets can continue their merry way to their destination -- that's a lot of extra steps.

[leadeater]

16 minutes ago, WereCatf said:

It's not just the number of extra hops the traffic has to take, but also the reduced MTU and the packing and unpacking of one protocol in another that adds latency.

Speaking of I'm not sure why we also don't transition to internet infrastructure allowing jumbo frames, pretty well everything supports that now. For the most part it won't cause problems for clients either as we run all our servers with 9000 and clients with 1500. I think network techs just don't want to add to their workloads for having to calculate new/more MTU when configuring things.  It can already be a bit of a head bender when you are using a backhaul wireless bridge while also using PPPoE clients at each end. So many ways things can clip that MTU ticket and you end up with a rather small effective usable size for actual data/communication.

 

Edit:

My internet connection is on VLAN10 so my firewall has a sub interface for that and then the connection is PPPoE authenticated so that sub interface has a PPPoE sub interface then I have a Site-to-Site IPSec VPN to another house I have servers at, the usable MTU across that VPN is a bit LOL.