Freed from the office, home workers roam sunlit uplands of IPv6... 2 metres apart The long-awaited IPv6 train may finally be pulling into the station as Google reported a spike in usage. The Chocolate Factory has long published statistics on the adoption of IPv6 by users accessing its services and, from the ad giant's perspective at least, a heck of a lot seem to be staying at home. The percentage of users …
I've noticed that when I use my phone as a hotspot and connect to it with my linux laptop, the connection to the outside world tries to go over IPv6 first. Given the chart's spikes on the weekends, that suggests to me it's mobile users. Add SARS-CoV-2 keeping people at home and I suspect mobile usage is much, much higher, which would account for the increase at the right edge.
It's not so much mobile as it is non-corporate traffic.
Many domestic ISPs now hand out IPv6 addresses (even without most end users knowing) whereas statistically probably fewer corporate networks do. That means that home traffic is more likely to visit Google.com, YouTube.com, Gmail.com etc. over IPv6. We've been seeing this on evening and weekend traffic for at least a decade.
Exactly. Many ISP provided CPE also now come with IPv6 enabled, again without knowledge of the home users. Mobile providers have been doing IPv6 native connections for quite some time. My Mom has had an IPv6 enabled connection for over 5 years, she just has no idea.
It is really the Corporate users that never bother to setup IPv6 (due to fear, ignorance, etc) in their corporate firewall that prevents greater adoption of IPv6.
Everything seems to come with IPv6 enabled by default these days (as it should) but security compliance is way behind. Not one of the 3 PCI-DSS scanners I have to deal with can cope with IPv6. If you scan doesn't include a report on IPv6, it is NOT complaint even if you thought you turned it off.
"It is really the Corporate users that never bother to setup IPv6 (due to fear, ignorance, etc) in their corporate firewall that prevents greater adoption of IPv6."
it's not as simple as just turning ipv6 on in a corporate environment.
most places with an eye towards good practice and security will be carved up like pulled pork in their data centres, HO and key sites & entities they've borged or been borged into.
Someone needs to understand the mess & rewrite for ipv6 and make sure it all still works. Those ACL's on WAN sites need rewriting for the new ipv6 zones, fw rules need rewriting, load balancer policies need rewriting. If the business is at least 10 years old then chances are that the original people who put the network in are long gone & the outsourcers have further mangled things to justify their charges.
IPv6 in a fresh environment makes sense, so does SDN. changing your home to IPv6 when you've no customisation makes sense, changing old network where the original architects are long gone and no one fully understands all the quirks requires much bravery and deep pockets.
Not just carved up, but done so with a heaping side of static configurations. My employer has well over 20,000 servers (physicals and VMs) in five data centers, all of which have static IPv4 addresses. Those addresses are hard-coded in DNS, firewall rules, load-balancer pools, monitoring groups, and so on.
We now have IPv6 configured on the vast majority of network devices, so the current plan is to run hybrid IPv4 & IPv6 from clients to our forward facing load-balancer devices, which will then deal with all of the translating. They don't care if a server pool is all IPv4, IPv6, or a mix, so we can slowly migrate the back-end during the next scheduled tech refresh. We can also kick the can down the road if problems arise. But since tech refreshes are about 4 years apart, that may be a while.
>>It is really the Corporate users that never bother to setup IPv6 (due to fear, ignorance, etc) in their corporate firewall that prevents greater adoption of IPv6.
You are surely unaware that the IPv6 standard did not include network-level resiliency for end users, unlike IPv4. It was never too difficult for corporations, until lately, to obtain a PI (Provider Independent) block of public IPv4 addresses and "advertise" it to multiple telcos (known as multihoming). It means, telcos could be added, dropped or changed easily without the need to change public IP addresses (re-addressing is painful).
The original IPv6 standard did not explicitly allow Provider Independent IPv6 address blocks and early deployments were effectively locked to a single telco and its IPv6 address space. When corporate network engineers and IT managers realized that, IPv6 became extremely unpopular among corporate networking pros for many years due to a telco lock-in.
It is now possible to obtain a Provider Independent IPv6 address block, and with IPv4 PI space exhausted, corporate networking is slowly moving to IPv6. This is a slow process because many self-hosted resources are being moved to the cloud in parallel and many companies are quite happy with their existing IPv4 PI space.
As for the internal network, RFC1918 "grey" IP addresses are more than sufficient for the internal network addressing in most corporate networks. Separation between the internal network and the Internet is most often desired and mandatory.
Anybody know which mobile networks are/aren't IPv6 enabled (or is it geographical)? I'm with Smarty, a Hutchinson cheap and cheerful MVNO(*), running over Three's network and have never seen anything other than a 10/8 address.
(*) It has the great advantage that if you don't use your data allowance you get a refund. My mobile use is very bursty(**).
(**) Not that I'm going to be anywhere away from the home WiFi for the foreseeable future(***).
(***) Well, I hope not. The local hospital WiFi is as crap as my chances of survival if I get infected.
it must be their ISP. Though for some odd reason, in the past, I've had problems with IPv6 connectivity via their cloud content provider, something about not honoring MTUs during https/SSL key exchange (or something like that). Well, maybe that's fixed now, haven't seen that pop up its ugly head in a while (ALSO not El Reg's fault).
It might actually explain the entire problem, depending on how you look at things.
It's more stupid than that...
They use cloudflare, and cloudflare fully support IPv6 by default, for some reason they've got it turned off or just not bothered to create the AAAA record.
From here the latency to cloudflare over ipv4 is usually over 3x higher than over ipv6, because of the overloaded nat gateway imposed on me by the isp.
It's disabled because of the forums and logging / posting IP etc.
You can access the main site over www if you add the IP manually. See my post about it, and the official response here:
https://forums.theregister.co.uk/forum/all/2019/11/25/ipv4_addresses_gone/#c_3923843
"It's disabled because of the forums and logging / posting IP etc."
4 months ago they said "(which is part of what we have yet to finish updating for full IPv6 support)." I realise that bringing a software fix into production takes time and won't happen during lockdown, but this is a fairly poor excuse when IPv6 has been production-ready for so many years.
Many ISPs now provide IPv6 by default, and many providers are now using NAT for IPv4 connections - especially for mobile users...
As a consequence of this, connections going over IPv6 are generally faster and more reliable.
The more traffic goes over IPv6 the better for the ISP and the customers, as NAT gateways are considerably more expensive to operate than routers.
The lack of a NAT gateway can also reduce battery usage on mobile devices, as they can use longer sleep times for protocols like activesync without the gateway terminating the connection for being idle.
A lot of the users still stuck with IPv4 have explicitly turned it off, or are using antiquated equipment.
Yup. A couple of years ago they rebuilt their core network but the only impact it had on their IPv6 offering was to kill off the beta program because it wasn't compatible with the new network. That was when I finally left. I went back to an ISP that had been running dual-stack for over ten years.
Hmmm, I've got IPv6 with Plusnet (via John Lewis Superfast Fibre). The Zyxel router actually wouldn't let me disable it either which turned into a lot of messing around last year with pre-configured VPN apps to try and stop them leaking. Fortunately the apps have improved greatly since then.
Plusnet have failed to provide me with just about everything it should have in the way of service, not even half of the advertised speed which is an ongoing issue, but I definitely have IPv6.
You know that actual firewalls work as a firewall too, it's not just NAT. My shiny new IPv6-capable router from the NBN update had the obvious firewall installed (no incoming connections), just like the NAT default. I'd be very surprised if any ISP's specified or supplied router came with no firewall. That would be mad.
it's not as simple as just turning ipv6 on in a corporate environment.
most places with an eye towards good practice and security will be carved up like pulled pork in their data centres, HO and key sites & entities they've borged or been borged into.
Someone needs to understand the mess & rewrite for ipv6 and make sure it all still works. Those ACL's on WAN sites need rewriting for the new ipv6 zones, fw rules need rewriting, load balancer policies need rewriting. If the business is at least 10 years old then chances are that the original people who put the network in are long gone & the outsourcers have further mangled things to justify their charges.
IPv6 in a fresh environment makes sense, so does SDN. changing your home to IPv6 when you've no customisation makes sense, changing old network where the original architects are long gone and no one fully understands all the quirks requires much bravery and deep pockets
It's usually easy enough to build out an IPv6 DMZ and run some proxy servers to pip data in and out of the core IPv4 stuff. Esp for web traffic. You can even buy/rent this as a upstream service.
Convincing manglement that they need to budget some time & money is a whole different kettle of fish.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
