[olug] I seem to have an Omaha Cox Residential IPV6 address

Eric W. Biederman ebiederm at xmission.com
Mon Mar 21 04:16:59 CDT 2016


Lou Duchez <lou at paprikash.com> writes:

> Also a n00b; I was looking into IPv6 the other day to not get caught out in the cold
> when it finally descends on us.
>
> From what I could tell, of that 128 bit address, the first half (roughly) would
> be permanently assigned to you by your ISP, with no practical risk of them
> running out of IP addresses.  The second half would be the part that would come
> from a DHCP pool, and if it's a well-managed pool, it would re-issue the same
> addresses to the same devices unless a conflict arose ... and in IPv6 that
> shouldn't happen.  So in theory, IPv6 addresses issued by DHCP should be
> functionally permanent, unless something happens to the DHCP server and it gets
> amnesia.

A couple months to a year is what I was seeing when I was looking.
People keep reorganizing their networks.

> I still think it's a bad idea that IPv6 doesn't support NAT, though.  It's good
> that IPv6 isn't built to require NAT -- VoIP is a case where NAT causes endless
> problems -- but NAT is darn handy a lot of the time too.  When I'm configuring
> my internal network (servers, printers, etc) it's good to keep that independent
> of the carrier I'm using.  And I don't have statistics on it, but I would bet
> one of the leading reasons malware hasn't fried every (non-Linux) computer out
> there is the inherent firewall that you get with NAT.  It's not a complete
> firewall of course, and in some quarters you'd be flayed alive for saying that
> NAT does any firewalling whatsoever; but if there's a thing between my computer
> and the Internet that keeps unsolicited traffic from getting at my computer, I'm
> going to call it a firewall.

With respect to NAT.
A) Devices may have multiple IPv6 addresses so that you can have two
   upstreams giving you two different prefixes (residential should be a
   /48 or a /56) and your devices can work with either of them
   simultaneously.

B) Additionally there are unique local addresses which are roughly the
   equivalent of private IPv4 addresses.  Anyone can use a random number
   generator to get a /48 prefix that is almost guaranteed that no one
   else will use.  These addresses are good for your internal machines.

C) There is also IPv6 Prefix Translation that as it passes through your
   router converts your internal IPv6 prefix to the prefix your upstream
   has provisioned you with IPv6.  This is ideal for the dual upstream
   scenario.  On a good day IPv6 prefix translation is clever and
   performs an ip checksum agnostic translation so that only the IPv6
   prefix needs to be changed.  So your router does not need to crack
   anything beyond the IPv6 header.

Port translation as is common in IPv4 NATs is truly nasty, and can be
said to be what keeps us from having nice things.  The change in port
number as you go through a machine that performs NAT translation keeps
many protocols like SIP (AKA telephone calls) from working on public
internet.  There are techniques that get through NAT but their
effectiveness through port translation is only perhaps 80% so today you
need a server in the middle introducing latency and bandwidth issues,
when you have a voice or video conversation.

At the same time simply having a firewall that implements the same
policy as IPv4 NAT open on outgoing traffic can be communicated through
100% reliably for end-to-end protocols with an introduction server.

Eric

p.s. Centurylink also has a native IPv6 path.
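
Items B and C above, as an added example that is not part of the original message: a Python sketch that draws a random unique local /48 (RFC 4193 layout) and performs the checksum-neutral /48 prefix swap used by IPv6 prefix translation (RFC 6296). The function names and the sample addresses are assumptions made for illustration.

```python
import ipaddress
import secrets

def random_ula_prefix():
    """Item B: fd00::/8 plus 40 random bits gives a unique local /48."""
    global_id = secrets.randbits(40)
    return ipaddress.IPv6Network(((0xFD << 120) | (global_id << 80), 48))

def words(value):
    """Split a 128-bit integer into eight 16-bit words, high word first."""
    return [(value >> shift) & 0xFFFF for shift in range(112, -1, -16)]

def csum(value):
    """One's-complement sum of the words; 0xFFFF and 0 both mean zero."""
    return sum(words(value)) % 0xFFFF

def translate(addr, src_net, dst_net):
    """Item C: swap a /48 prefix, fixing up the subnet word so csum() is unchanged."""
    addr = ipaddress.IPv6Address(addr)
    if src_net.prefixlen != 48 or dst_net.prefixlen != 48:
        raise ValueError("this example handles /48 prefixes only")
    if addr not in src_net:
        raise ValueError(f"{addr} is not inside {src_net}")
    w = words(int(addr))
    if w[3] == 0xFFFF:
        raise ValueError("subnet ffff has no checksum-neutral mapping")
    src, dst = int(src_net.network_address), int(dst_net.network_address)
    # Difference between the two prefixes' sums, folded into the subnet word,
    # so TCP/UDP pseudo-header checksums stay valid without touching payloads.
    adjustment = (csum(src) - csum(dst)) % 0xFFFF
    w[:3] = words(dst)[:3]
    w[3] = (w[3] + adjustment) % 0xFFFF
    out = 0
    for word in w:
        out = (out << 16) | word
    return ipaddress.IPv6Address(out)

if __name__ == "__main__":
    inside = ipaddress.IPv6Network("fd01:203:405::/48")    # constructed ULA prefix
    upstream = ipaddress.IPv6Network("2001:db8:1::/48")    # documentation prefix
    host = ipaddress.IPv6Address("fd01:203:405:1::1234")   # constructed host
    outside = translate(host, inside, upstream)
    print(random_ula_prefix(), host, "->", outside)
    print(hex(csum(int(host))), hex(csum(int(outside))))
```

Calling translate() with the two networks reversed maps the outside address back to the inside one. The translation is stateless, so the unsolicited-inbound policy discussed in the thread still has to come from a separate firewall rule.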

