You have IPv6. Turn it on.

By on 4 May 2016

Category: Tech matters

Tags: , ,

16 Comments

Blog home

Thanks to a massive amount of time and effort, there are now a large number of ISPs, data centres, cloud services, and software that now support IPv6 in the United States and around the world. Actual adoption of IPv6 in production is slowly increasing globally, but is still lower than it could be.

With this post, I not only want to convince you to start looking into beginning to use IPv6 on your own computer, but show that in many cases, enabling IPv6 can be as simple as clicking a button on your WiFi router.

You might already know the reasons why IPv6 is so important: we’ve now run out of available IPv4 addresses, and it’s now very expensive to acquire new IPv4 addresses (in the ARIN region, you likely have to buy them from others), hampering the ability for network operators to provide infrastructure services at reasonable costs.

There are also significant security benefits to IPv6. One of the ways exploits are propagated is they scan the entirety of the IPv4 address range looking for vulnerabilities. As the IPv6 address range is so large (128 bits), it becomes impossible to scan the entire range. There was a great recent blog post on The Internet of Stupid Things that highlights the serious security problems we’ll have with IoT if we don’t deal with the address scanning problem, to say nothing about the problem of not even remotely having enough IPv4 addresses to support that many devices.

Considering the many benefits of IPv6, you may be wondering when you’ll be able to start using it. The answer is, probably now. And it might be easier than you realise.

Getting my feet wet with IPv6

I wanted to see if I could get IPv6 support for Neocities, which started my investigation into the current state of IPv6. At that point, I didn’t really know a lot about actually using IPv6. Before I enabled it on my servers, I wanted to get it working on my laptop and home network. I didn’t just want to ping the server from another server, I wanted to test the complete end-user experience myself.

The first thing I did was contact my ISP to see if they supported IPv6, and it turns out they did. Surprisingly to me, this is already true for many (if not the majority) of ISPs in the USA. Comcast, Time Warner Cable, Verizon, Cox, AT&T, Charter, and CenturyLink all have active support for IPv6, and that’s just the largest ISPs in the United States, representing approximately 78 million subscribers.

The way these ISPs provide IPv6 today is with a “Dual Stack” configuration, essentially providing both an IPv4 and IPv6 address at the same time. This allows you to start getting your feet wet with IPv6 while still supporting sites and software that haven’t switched over yet.

After confirming support from my ISP, my next goal was to figure out how to actually turn it on.

Configuring your WiFi router

If your ISP supports IPv6 and you have a modern WiFi router, this may be the only thing you need to actually configure to get IPv6 working on your home network.

My personal computer only had an IPv4 address being assigned to it from my WiFi router (which I confirmed by visiting an IPv6 test site), so something clearly needed to get configured on it to enable IPv6.

I started by logging into my WiFi router (a D-Link DIR-868L) and quickly realised that it not only supported IPv6 but that I was one click away from enabling it. The router informed me that it would go into an automatic setup mode which would take a few minutes, then it would reboot with IPv6 support. I clicked the button and went for a cup of tea. Before I came back, the WiFi router had rebooted, and my local network now magically had a dual stack IPv4 and IPv6 address assignment and had bound seamlessly to the modem’s IPv6 address assigned by my ISP.

D-Link’s firmware was the easiest I saw for IPv6 configuration, but I also upgraded a network running a CenturyLink router that was fairly easy (though a few steps were somewhat obtuse), and another router running OpenWRT, which has excellent IPv6 support.

Most routers provide pretty good IPv6 support at this point but unfortunately, there are exceptions. Notably, I was surprised to learn that DD-WRT IPv6 configuration was ridiculously complex, and I didn’t feel bold enough to try to enable it. I’m hoping that DD-WRT can work to improve this in the future.

Trying it out

Now that my home network was set up, I focused my attention on enabling IPv6 for my laptop. At this point I braced myself for a headache, assuming the process would be a harrowing effort of digging through complicated config file muck, fixing broken, incomplete or badly configured software.

Here again, I was pleasantly surprised at how easy this process was. I simply rebooted my computer and had IPv4 and IPv6 support running on my machine. Great! But now how do I actually use it with my web browser?

It turns out that was seamless, too. In fact, it’s so seamless that it took me a while to figure out if it was even working. This is possible because most web browsers (I tested Firefox and Chrome) automatically determine whether they should use IPv6 or IPv4. When you type in a domain name, they automatically look for an AAAA record (the DNS A record for IPv6). If it exists, it tries using IPv6, falling back to the A record and IPv4 if necessary. I noticed no performance reduction in this process, though there could be a minor, unnoticeable difference.

The new “problem” was that I couldn’t visually tell when a site was loading with IPv4 or IPv6. To give me better insight into this, I installed the IPvFox add-on, which put a small icon in my address bar that would tell me if the site was loading with 4, 6, or with a combination of the two (Chrome also has a similar plugin called IPvFoo). I strongly recommend installing these plugins to assist you with testing IPv6 support. In addition, it also provides an interesting insight into which websites currently support IPv6 (a surprisingly large number), and which currently don’t.

Many websites have IPv6 support and don’t even realise it. For example, cloud proxy services such as Cloudflare provide IPv6 support transparently to the site they are proxying, whether the upstream web server supports it or not. Their aggressiveness in adopting cutting-edge technology for their infrastructure is notably helping to improve IPv6 adoption, and in fact, could even be responsible for the majority of web servers that currently support it.

Enabling IPv6 for the servers

Now it was time to see if we could enable IPv6 for the Neocities servers. I first went to the server that powered our web application (the front site), and saw that an IPv6 address had already been provided by our data centre operator, and automatically configured on our server.

If your data centre or cloud provider doesn’t automatically provide an IPv6 address, they usually provide an option to get one through a web interface or by contacting support. Once the server has been assigned an IPv6 address, you need to configure your server to use it. Each operating system has a unique way of configuring networking, so follow the relevant documentation to see how to enable IPv6 for your specific OS.

Once the server has been assigned an IPv6 address, I needed to configure the web server software to use it. Like many (if not most) online providers, we use Nginx for both serving sites we host on Neocities, and for proxying our backend web application. So I needed to configure nginx to start listening on the IPv6 address, in addition to the IPv4 one.

We use a custom compile of nginx that’s tuned for our needs, so I had to enable IPv6 by adding –with-ipv6 to the ./configure before compiling, but if you use the prebuilt nginx that comes from software packages, you likely won’t need this step. Once it was compiled and installed, I only needed to add a line to nginx.conf to tell it to also listen on IPv6:

server {
listen 80;
listen [::]:80;
server_name neocities.org;
# … the rest of your server config
}

I then reloaded nginx, and voila, IPv6 support! When I was ready, the last step was to add an AAAA record for that server to my nameservers. Within minutes, users with IPv6 support started automatically using that address, perhaps without even realizing it.

Minor tooling differences

In the process of testing IPv6, I did notice some mild software differences that initially made it difficult for me to test things, and I wanted to mention them briefly. The first notable difference was that I had to wrap the IPv6 address in square brackets for my web browser.

For example, if I wanted to access http://234::3334::44, I had to type it in as http://[234::3334::44]. I also had to use ping6 instead of ping, and use -6 with curl in order to force IPv6. And SSH would fail with square brackets, so I had to leave them out.

Having to deal with these quirks was honestly a little annoying. The one thing I particularly don’t like about IPv6 is weirdness of the colon delimitation. It’s a bit annoying to have to work with it, and I agree with some other writers that think we could do better in this category. It would be nice to see some improvements here in the future, but it’s not a deal breaker for me for the IPv6 adoption we need.

The crazy things IPv6 can do

Lastly, I wanted to mention some pretty interesting experimental projects people are already using IPv6 for. Specifically, I wanted to mention Cjdns, an experimental project that uses private keys to derive IPv6 addresses, enabling trustless distributed routing networks. This works because IPv6 addresses are so large (128 bits), that it’s safe to simply derive them randomly from keypair cryptography. In the future, this could help to address problems like route poisoning and related problems with the present Internet’s trust-oriented routing infrastructure. It’s experimental at this stage, but still a very interesting example of what IPv6 could hold for the future.

IPv6 doesn’t just allow us to add more devices to the Internet; it also enables the possibility of re-architecting the Internet to improve performance, upgrade security, and increase privacy. I’m excited to see what comes next.

Conclusion

All of my ISPs, data centre operators, and cloud service providers supported IPv6. But in many cases, I had to click an extra button to enable it, or explicitly request it. I understand the motive for doing this, as they perhaps wanted to avoid creating any issues with bugs or opening up any unknown security holes. I come from a similar school of thought (don’t turn anything on unless you really need it), but I’m now going to make a rare exception for IPv6.

Router manufacturers, data centres, cloud services: I love how easy you’ve made it to enable IPv6, and I appreciate the hard work you did to enable it, but now’s the time to go one step further. No more “one extra click” or “on request” support: it’s time to enable dual stack IPv6 support by default. When WiFi routers and servers start automatically configuring IPv6 alongside IPv4, we’re going to start seeing a lot more adoption of IPv6. And the farther along we get, the closer we get to being able to finally deprecate IPv4.

This particular technology is working best when its functionality is invisible to the end user. Thanks to the amazing work everyone has put into making IPv6 seamless, most users won’t even notice they’re using it, as everything they do today will continue to work with no noticeable difference.

There’s only one thing left for you to do: Turn it on!

Kyle Drake is the founder of Neocities.

Rate this article

The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.

16 Comments

  1. Gwyneth Llewelyn

    Ok, please bear with me, since I have done just minimalistic testing on this, so I might be completely wrong…

    I’m actually using CloudFlare as a front-end proxy/cache/CDN/security tool for almost all of my sites — this is also where I set up the DNS configuration for them. So, after doing the necessary configurations on the nginx side, I added, as suggested, both an A and AAAA record for, say, mydomain.com. So far, so good!

    CloudFlare’s DNS propagates blindingly fast, which is great for testing purposes. By sheer luck, I started doing my tests on a connection that does not have IPv6 activated yet. What I saw happening was that about half the time the IP address returned for mydomain.com was IPv4, the other half of the time it was IPv6. So, on an IPv4 connection, this meant connection failures about half of the time; actually, it’s a bit worse than that, since modern browsers tend to stick to a cached IP address and hold it for far too long than it’s reasonable, so that meant that once I got the IPv6 address, it was hard to get rid of those error pages — and, needless to say, everyone out there would suffer from the same problem.

    On a double-stack connection, of course this is not visible: sometimes the connection would go through IPv6, sometimes IPv4, but it would work in either case. But this is clearly not what I wanted. I wanted that IPv6/double-stacked users would connect only through IPv6 (falling back to IPv4, of course, if something went wrong), while ‘legacy users’ on IPv4 would just get the IPv4 address and continue to connect as usual.

    This seems to be tricky to achieve. Elsewhere, I saw a suggestion of using the priority field on DNS to put IPv6 as a higher priority, with IPv4 a lower. What happens in that case is that IPv6/double-stacked users will, indeed, get only the IPv6 address as intended — but this will cut out the IPv4 users. These will only get the IPv6 address and be obviously unable to connect. Priorities in DNS are trickier than they look, and I have only managed to get them working for mail servers…

    I guess this could be an exceptional case and not the way DNS ‘usually’ works. After all, I was using CloudFlare’s DNS — maybe other implementations respond differently. And the IPv4 connection I used for testing purposes used Google’s 8.8.8.8 and 8.8.4.4 DNS servers for name resolution — which might be configured to reply round-robin to any request, no matter if they came from an IPv4 or an IPv6 connection — other DNS nameservers might work differently.

    What I do know is that other tutorials use a different address for the site (e.g. ipv6.mydomain.com). That way, there is no conflict in the name resolution. It’s reasonably easy to get a WordPress installation to reply to two different addresses (there might be some issues with older plugins, though), but what is not so obvious, in this case, is how exactly traffic gets directed to the ‘correct’ server address — I guess you can do those kinds of tricks easily with a Cisco router/load-balancer, but doing it with nginx… is a bit trickier.

    Reply
  2. Steve

    My ISP (Frontier Communications) does not support IPv6 yet for FiOS. Am I doomed?
    I was thinking of implementing it on my home network without the ISP’s settings, but I fear I’d need to configure IPv6 for all hosts that joined the network. This would make it difficult if guests wanted to join the network though 🙁

    Reply
  3. Vl

    >And SSH would fail with square brackets, so I had to leave them out

    why fails? it works fine for me, for example I enter smth like this
    scp -6 -P 6622 goo user@[2a00:1fa0:42b0:571:0:1:2:3]:/sdcard/tmp
    and it copies ‘goo’ to my phone immediately

    Reply
  4. nope

    Ipv6 is the worst. I wish it would go away. Like a virus infecting my network, keeps popping up everywhere ruining browser experience for users. poisoning my DNS records and generally mucking up and slowing everything down.

    Does it really have to be this way?

    Reply
  5. dave

    Waste of time. I had it enabled, did nothing useful, disabled it.

    Port scanning? Pleeeze don’t even talk about that if you can’t lock your ports down with a firewall/router/banana/whutevar.

    No, I am not running out of IP4 addy. My ISP has a contractual obligation to provide one so I have service. Not my problem, don’t try to pretend that it is, cuz….. it ain’t, lol.

    Reply
  6. glnz

    Error in article above:
    Verizon is NOT supporting IPv6 on its FIOS network for home users.
    I am now on 1Gbps Vz FIOS, If I try go to an IPv6 test web site, I don’t get there – my Firefox gives me an error page.
    Pretty outrageous.
    Now that the FCC has ruined net neutrality, could it at least require IPv6 connectivity? MUST we be behind South Korea and other countries?

    Reply
  7. ikomrad

    Is there a guide to turn on ipv6 on a home network? I have about 30 devices / servers on my home network. They currently have statically assigned private ipv4 addresses , using NAT to share a public IPv4 address.

    It would be nice to have a guide for switching from my current NAT’d setup to an ipv6 un-NAT’d setup. However, I haven’t any guidance on how to do this.

    Reply
  8. Zeke

    No one here even know’s what they are doing. Again showing me proof that all forums are bull!!!!!!!!!!!!!!!!!!!

    Reply
  9. Oldman

    One thing that this article doesn’t mention is that you don’t have private and public addresses in ipv6, so you lose the automatic “security” you got with ipv4 home networks. When an attacker tries your public IP, your router does not know which computer to forward the request to (unless you explicitly set up port forwarding). Since all ipv6 addresses are directly reachable, you need to BLOCK unsolicited incoming connections to your network using a firewall. A firewall is a necessity in the ipv6 world even for home use.

    Reply
  10. Blair Sadewitz

    No, I do not have it. I’ve wanted to “turn it on” for years, but I have Cablevision/Optimum Online. Not only do they not support it, but they refuse to even talk about whether they plan to implement it or not. Only “lighhpath” business fiber customers can get ipv6.

    I pay too much for my internet to slow it down by using a tunnel. If you guys can convince Cablevision to provision ipv6 to residential serfs like me, I’d be delighted.

    Regards,

    –Blair

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

Please answer the math question * Time limit is exhausted. Please reload CAPTCHA.

Top