Context:
People have been asking for IPv6 Support on GitHub since years (probably a decade by now)
… and someone even got so annoyed that they decided to setup a dedicated website for checking this: https://isgithubipv6.live/
Context:
People have been asking for IPv6 Support on GitHub since years (probably a decade by now)
… and someone even got so annoyed that they decided to setup a dedicated website for checking this: https://isgithubipv6.live/
2 months ago I thought I’d start learning IPv6 and started watch some intro videos on YouTube.
Holy crap… It’s a beast and it just felt like if you don’t know what you’re doing you might lose all control over your network. Ok. So a device didn’t get a dhcp address? No problem… It creates it’s open IP address and starts talking and try to get out on internet on its own…
Normally that’s not a problem since your normal home router wouldn’t route 169.254.x.x… But it just seems like there’s A LOT to think about before activating IPv6 at home. I’ve got a Creality K1 Max… Fun thing: factory reset also creates a new MAC Address… So there’s no way in hell thay I just let her lose by activating IPv6.
Ps. Yes, I most likely panic because I haven’t figured out IPv6… But until I understand IPv6 there’s just going to be IPv4.
Generally, a device cannot get an internet facing IP address unless something else on your network is advertising the prefix. In fact, I’d argue there’s little point using DHCPv6 now. Some devices are only interested in SLAAC. But, if you have a router that gets an IPv6 prefix from your ISP (usually /48 or /64, but you can get other sizes) it will usually then advertise that onto your local network.
As for the IP addresses. I would say that you should definitely still have a firewall in place. But the setup is the same as IPv4 just without NAT. e.g. you set a blanket rule for your prefix to allow outbound and block unrelated inbound. Then poke holes through for specific devices and services.
By default, IPv6 implementations make an assumption that they’re not going to be a server (if you want a device to be a server, you can just set a static IP) and their “main” IP will be a random looking one (and the configuration will depend on whether it uses an interface identifier to create the address, or if it is random) within your (usually huge) allocation. But more than that, they will usually be configured to use the IPv6 privacy extensions (RFC4941). This generates extra temporary addresses per device, which are used for outbound connections and do not accept incoming connections. That is, people cannot see your IP address on their host from your connection and then port scan you, since no ports will respond. You could still have ports open on your “real” IP address. But, that one isn’t ordinarily used for outgoing connections, so no-one will know it exists. To discover it they would need to scan your whole prefix (remember that the /64 allocation you will generally get is the internet * the internet in terms of address space, that is much harder to brute force scan).
I think the differences between IPv4 and IPv6 might seem scary, but most of them are actually improvements on what we had before, making use of the larger pools we have available. Once you work it out, it’s really not so bad.
I would like to see routers setup to firewall ipv6 by default to give the same protection as NAT though, meaning users need to poke holes into the firewall for incoming connections. Maybe some do. I know mine did not and it was one of the first things I did.