
A very popular Scala optics library is also called Monocle. I’ve been a happy user for a few years:

https://github.com/optics-dev/Monocle


This[0] change is interesting for home deployments of IPv6: If your ISP changes advertised prefixes occasionally (which mine does), it was until now not practical to assign/use addresses with fixed host suffixes, e.g. for internal services, because you couldn't write firewall rules using those addresses (part of the address could just change and there's no automatic update of the rules).

The change now enables you to write firewall rules that use a placeholder for the ISP-assigned prefix. The rules should update automatically after a prefix change.

(What has always worked is using the fc00 or fd00 address spaces for local fixed assignments, but pfSense has had problems with that setup as well in my experience)

[0]: https://redmine.pfsense.org/issues/6626


> If your ISP changes advertised prefixes occasionally (which mine does), it was until now not practical to assign/use addresses with fixed host suffixes, e.g. for internal services

This is actually one of the use cases where 'private addresses' make sense: when you don't have a static assignment but need static addressing.

In IPv4 it's very unlikely that you'll get a static address unless from ARIN/RIPE/etc (or pay US$ 25+/IP on the open market), so we have everyone using 10/8 with NAT. It's quite easy for someone to get a statically assigned IPv6… unless you're a home user. So if you want a static address, use the IPv6 equivalent of 10/8, ULA:

* https://en.wikipedia.org/wiki/Unique_local_address

Then you NPTv6:

* https://en.wikipedia.org/wiki/IPv6-to-IPv6_Network_Prefix_Tr...

* https://datatracker.ietf.org/doc/html/rfc6296

* https://docs.netgate.com/pfsense/en/latest/nat/npt.html

The interface portion of the IPv6 address (right-most 64b) stays the same, and only the prefix (left-most 64b) gets shuffled as they pass through the gateway.


That's good, but it's so frustrating that ISPs can't just give out a permanent address range for the lifetime of a subscription. Imagine if your telephone number changed occasionally. It's ridiculous. Some are continuing to charge for a "static IP address" under IPv6 as if they are scarce or cost them anything to implement.


I believe it's more of a) some carrier-grade routers basically not supporting static IPv6 unless IPv4 is also static (don't ask why it's like that, some NOCs also deal with buggy CG and CPE firmware in general) b) deliberately done, because in those countries privacy concern in residential connections is paramount.


While the phone number analogy does make sense on the surface, I have to agree, I don’t want my IP to be static for privacy reasons.

It’s not a great barrier, but I don’t want the bare minimum skills advertiser, hacker, MPAA consultant, web store, or whoever being able to easily rely on this IP being me.

Yes. There are tracking cookies, and fingerprinting, and whatever, but the bar being set this higher is better than lower.

The phone analogy makes sense until you realize you’re actively calling everyone all the time, and the callerid shouldn’t be easily readable. It’s not like phones at all really.


You'll get a /64 so you'll have more than enough addresses (2^64) to play with if privacy is a concern.


facepalm

In residential connections, every marketer will just figure out that particular AS gives /64 (or /56 or /48) and bundle them up, like how they use IPv4 address to track families.


Indeed, stuff like IP blacklists, tracking, etc should never consider anything smaller than a /64, because it's trivial for the target to change its IP within that space just with SLAAC.


About damn time. Now if only they would fix their completely broken Dynamic DNS update implementation so I wouldn't need to write a cron job to make it work properly...


Lower dosage paracetamol is OTC in pharmacies here in Germany (I think the limit is 10g per pack).


All the passport categories you quoted (BOTC, BOC, BPP, BS) relate to former colonies (think the status given to inhabitants of Hong Kong after it was turned over to China).

UK citizens could move around the EU freely.


Sadly, depending on the ISP, the prefix is not necessarily static and may change on reconnect (for example, Deutsche Telekom will only keep the prefix static for business accounts). This is completely arbitrary and makes relying on GUAs for internal addresses problematic.

It’s too bad that we are inheriting the static IP policies from IPv4, because ISPs want to upsell.


My ISP in Japan (NTT Flets) is even weirder. They have sort-of static IPv6 (due to MAP-E[1] requiring a static prefix) and assign customers a /64, but don't do Prefix Delegation unless a customer also pays for a fiber landline (Hikari Denwa), in which case they will assign a /56 and do proper PD. This has been a huge hindrance for anyone wanting to run their own home router: their router must bridge IPv6 to the ISP router (and thus is not able to do its own firewall/DHCPv6/SLAAC).

The only workaround is to use ndppd[2] set to proxy to the upstream router. However, ndppd is undergoing a rewrite right now and the latest stable release (0.2.5) has a few bugs causing ndppd to stop working after a while. So far, the only way to get everything to work for me was to build ndppd from master (which was deprecated in favor of a new 1.0, which is still in development).

OpenWRT seems to include a working version of ndppd out of the box, but its MAP-E support is somewhat broken.

[1]: https://tools.ietf.org/html/draft-mdt-softwire-map-encapsula...

[2]: https://github.com/DanielAdolfsson/ndppd


>because ISPs want to upsell

I wish it were even an option to buy a static IPv6 block from my ISP, but they don't even offer it at all.

This is with Bell Canada with 1.5Gbps down/1Gbps up fibre-to-the-home. You'd think if they can support cutting edge last mile connectivity they'd support a 90s IP standard... Instead we're stuck with ephemeral IPv4 addresses that geo-resolve to cities hundreds of kilometres away. I guess they ran out of addresses that are registered to my actual city. Just last week an online purchase I made was flagged for fraud because my IP didn't resolve close enough to my listed address. The support team then asked me to try tethering to my mobile phone, which of course was assigned an IPv4 address that resolved to a different city hundreds of kilometres in the opposite direction.

Why-o-why wasn't IPv4 64 bits long to begin with?


> Instead we're stuck with ephemeral IPv4 addresses that geo-resolve to cities hundreds of kilometres away.

Yay! This reduces the amount of information mega-corps can glean from me with minimal effort. Given that I'm in Canada, I often get French-language ads served to me because somebody thinks I'm in Quebec (I'm not).

> Why-o-why wasn't IPv4 64 bits long to begin with?

Because it was a research project whose designers didn't expect it to escape the academia and take over the world; Vint Cerf:

> As we were thinking about the Internet (thinking well, this is going to be some arbitrary number of networks all interconnected — we don't know how many and we don't know how they'll be connected), but national scale networks we thought "well, maybe there'll be two per country" (because it was expensive: at this point Ethernet had been invented but it wasn't proliferating everywhere, as it did do a few years later).

> Then we said "how many countries are there?" (two networks per country, how many networks?) and we didn't have Google to ask, so we guessed at 128 and that would be 2 times 128 is 256 networks (that's 8 bits) and then we said "how many computers will there be on each network?" and we said "how about 16 million?" (that's another 24 bits) so we had a 32-bit address which allowed 4.3 billion terminations — which I thought in 1974/3 was enough to do the experiment!

* https://www.youtube.com/watch?v=17GtmwyvmWE&t=26m18s

IPv4 with its 32-bit addresses was the "test" system which, if it worked, would then be turned into a production system later. "Later" turned out to be 2012 when World IPv6 Day was announced.

So per Vint Cerf, if you want to run the "production Internet", use IPv6.


And yet, despite far-from-optimal allocation, no one is worried about running out of 48-bit MAC addresses, which need to be globally unique. That's because 64K times the size of the Internet is more than adequate.


The original (experimental) Ethernet paper published in 1976 only had 8-bit addresses. They then went into 'production' with the DIX Ethernet II standard in 1980 with the now well-known 48-bit MAC, however the standard states that at the Physical Layer the maximum number of stations was 1024 (§1):

* https://ethernethistory.typepad.com/papers/EthernetSpec.pdf

So while yes, the address space was bigger, the scope over which Ethernet had to work was much smaller and less ambitious (IMHO). No routing involved for example.


4.3 billion computers seemed like it was enough when the world population was 3.6 billion.

But then they started assigning /8 (16.8 million addresses) to companies like Ford Motors. Another 16.8 million addresses to represent loopback.

IPv6 is assigned similarly like that, for example /64 (18,446,744,073,709,551,616 addresses) is the smallest allocation unit for SLAAC. I'm wondering when we will need IPv7.



IP was developed before the PC revolution.

At that time computers/servers were immobile installations in large institutions like schools, companies, and other similar facilities.

No one could imagine that this technology basically would shrink and be available to everyone in their pocket connected by widespread and comparatively cheaper cellular technology.


Not to mention that nobody really thought their second attempt at a packet-switched network would be the one every person on earth was going to use.

ARPANET / NCP was only a few years before. If IP wasn't big enough, we'd just make another one in a few years!


There's also a privacy argument here. Changing prefixes makes user tracking harder. That's about the only win for the user.

I for one would have preferred to have a choice. I would accept the privacy issues for a static prefix in return. Supporting a dynamic prefix in a not so typical home setup is a PITA.


Honest question: What is the practical problem with having an IP address from one's ISP that changes from day to day? Dynamic seems to be a privacy win with little to no downside.

If I expect incoming connections and need to tell others how to connect to my machine, that's solved by DNS. I have a script that edits my DNS record any time it detects that my public IP changes, so it's automatic.


If you have any IoT devices that you would like to connect to, like security cameras, then a dynamic IP means that you need an intermediary like a cloud service of some kind to be able to reach those.

That's a serious down side. DNS can serve as that intermediary (I use it that way for my cameras) but there will be some time between an IP adjust and the DNS update, so it's a bit flaky.


I am on IPv6 and access IPv4 through bridges. For anonymity purposes I vastly prefer to have dynamic IPs to be honest.

Imagine all the tracking nightmare if we all had static IPs. All those shitty websites having you on log isn't really something I would want. I don't see advantages, getting a host with a static IP is extremely cheap today.


That's nothing compared to my experience when I got allocated static IP (IPv4) at university. I didn't even request it, the university has /16 allocated, and doesn't do any NAT, instead a stateful firewall blocks all incoming connections by default.

Anyway, the RevDNS resolved to a host containing my full name. I suppose that would discourage any abusive behavior, but even if you didn't have intention of doing that it was still a weird experience.


That's how IP was supposed to work in the first place. Creation of things like private IP ranges was quite controversial.


Yeah, I agree with how IP works, and prefer static IP over dynamic, but having my name in the DNS name is a bit too much. The only step further from that would be including my SSN there as well.

Even when walking down the street I'm not required to wear a name tag.


Web-based tracking is done via browser fingerprinting and cookies. IP addresses aren't reliable due to NAT and organizational proxies.


Right, IP addresses aren't reliable for tracking because static IPs aren't commonplace. But if they were, then they would be.


I'm not an expert in this area really. I've heard the argument made that even if static IP's were commonplace you would still need other fingerprinting methods as there are entire houses/apartment complexes/businesses running multiple users through NAT behind their static IP.

Also, I'm not sure what your experience has been but my IP only changes very rarely. Seems to happen about once every 6 months. My understanding is that this was somewhat common, at least in the land of cable/coax-ISPs. Is 6 months not long enough to glean anything useful?


IPv6 does away with NAT since there are so many IPs that everyone gets one without needing NAT.

But proxies will still group the users on the same IP.


Also mobile devices that connect to different networks would get different IPs. Your cell phone would get a different IP address at home, cell, work, friend's house etc... Thus there would still need to be some tracking/fingerprint to follow across networks.


> Web-based tracking is done via browser fingerprinting and cookies.

Which is why I personally surf with cookies disabled/blocked by default. So with dynamic IPv4/IPv6, that leaves only browser fingerprinting.


Do u use a browser extension to re-enable cookies quickly for login?


At home I primarily use Safari and it's quite quick/easy to toggle.


I think it's possible to have the best of both worlds. Assign your dynamic prefixes to your wifi devices etc, and receive also a static allocation for any servers.


> All those shitty websites having you on log isn't really something I would want.

Isn't it about the same now for your home network except for a couple of extra family users?


> Sadly, depending on the ISP, the prefix is not necessarily static and may change on reconnect

I'm happy that my ISP does this, as I have my router reboot every night so that I can get a new IPv4 address every day to reduce tracking. I already surf with cookies disabled by default, and only enable them to log into web sites.

I like the fact that I get a new IPv6 prefix every night as it ties into the above tracking avoidance nicely.

I'm sure there are further browser-based fingerprinting techniques being done, but it's nice to take out some low-hanging fruit.


Ideally one would be able to request a new static IP depending on their needs.


I've had my IPv4 address from my cable ISP for years. They give me a new IPv6 prefix every time my cable modem loses connection.

For privacy I think it would be nice if the IP/prefix isn't fixed per household for long periods of time, but there seems to be a lot of IPv6 software out there designed with the assumption that the prefix is static.


Mostly the same here. My cable modem IPv4 address would stay the same for about a year. It only changed when we had an extended power outage of more than 6 hours about once a year during a bad storm.


Hurricane Electric provides free static /64 and /48 tunnels: https://tunnelbroker.net/ I've been using one for years, it's great, albeit with the occasional hiccup connecting to picky CDNs.


There are a few ISPs that provide proper, static, end-to-end IPv6 networking, with decent documentation, but they are unfortunately few and far between and are usually relatively expensive (bargain-basement ISPs don't tend to support IPv6, at least for their customers, at all).

Here in the UK AAISP (Andrews & Arnold) are the usual example that springs to mind for doing dual-stack IPv4 & IPv6 right. There are others that support it to varying degrees.


There is also Zen Internet who are cheaper than AAISP. They provide a static /48 subnet allocation that you can divide up into 2^16 /64 subnets.

Unfortunately IPv6 is opt in so after getting your connection you will have to contact them, they will then assign you a /48 and enable IPv6 on your connection.


I had the unfortunate issue where a change at Zen disabled my IPv6 connectivity. I spent ages debugging, then emailed, and they had to reactivate it.


I chose my ISP for much the same reason (idnet), well the combination of IPv6, static IPv4, and not being one of the big four.

(And it's always entertaining to ask the folk trying to sell BT/Talktalk/Sky/Virgin broadband deals on the street about IPv6 for the utterly blank looks that you get).


The fixed IPv4 was a key matter when I signed up. Particularly that they offered /29s, though that is less important now that SNI is almost universally supported and due to physical line issues over the last year or few (and wanting >17Mbps upstream) I've moved most of the public bits I hosted (literally) in-house to external locations.

The question of IPv6 and fixed IPv4 is fun to raise when sales robots talk about matching other ISP's offerings. The irritating one is when they say "I'm sure we can..." and persist when I say "I know for a fact your consumer product range does not offer that".


I once asked a Virgin Media sales-droid about IPv6 on a leased line, and was told they could give us IPv6 if we handed back our IPv4 addressing... somewhat special.


If the prefix is dynamic there is an (undocumented?) feature[1] in iptables that allows matching only an EUI-64 or custom static suffix, which should be enough for home networks. I'm mentioning this here because I looked for hours for a solution the first time I had to deal with this. Basically you specify the destination address as:

  ::[suffix]/::ffff:ffff:ffff:ffff

or, if you are lucky enough to get a /56 prefix and want to control a single /64 subnet at a time:

  ::[subnet]:[suffix]/::00ff:ffff:ffff:ffff:ffff

[1]: http://blog.dupondje.be/?p=17
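
How the two masks in the comment above behave when the delegated prefix changes, as an added example that is not part of the original comment. It reproduces the address/mask comparison in Python; the 2001:db8:: prefixes, the subnet id 0x34 and the host suffix are constructed sample values, and the function names are hypothetical.

```python
import ipaddress


def parse_rule(spec: str):
    """Split an 'address/mask' spec, as written in the comment, into ints."""
    pattern, _, mask = spec.partition("/")
    return int(ipaddress.IPv6Address(pattern)), int(ipaddress.IPv6Address(mask))


def masked_match(addr: str, spec: str) -> bool:
    """True if addr equals the rule address on every bit set in the mask.

    This is the comparison an address/mask match performs:
    (addr XOR pattern) AND mask == 0. The mask does not have to be a
    contiguous prefix, which is what makes suffix-only matching possible.
    """
    pattern, mask = parse_rule(spec)
    return (int(ipaddress.IPv6Address(addr)) ^ pattern) & mask == 0


# Rules in the two forms given in the comment (suffix/subnet values constructed).
RULE_HOST = "::211:22ff:fe33:4455/::ffff:ffff:ffff:ffff"
RULE_SUBNET_HOST = "::34:211:22ff:fe33:4455/::00ff:ffff:ffff:ffff:ffff"

# Constructed addresses: same host before and after the ISP hands out a new /56,
# the same suffix on a different /64 of the new /56, and a different host.
SAMPLES = {
    "before_change": "2001:db8:aa00:1234:211:22ff:fe33:4455",
    "after_change": "2001:db8:bb00:5634:211:22ff:fe33:4455",
    "other_subnet": "2001:db8:bb00:5635:211:22ff:fe33:4455",
    "other_host": "2001:db8:bb00:5634:211:22ff:fe33:9999",
}


def demo():
    """Return {sample name: (host-rule match, subnet+host-rule match)}."""
    return {
        name: (masked_match(addr, RULE_HOST), masked_match(addr, RULE_SUBNET_HOST))
        for name, addr in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (host, subnet_host) in demo().items():
        print(f"{name:14} host-rule={host!s:5} subnet+host-rule={subnet_host}")
```

Because the upper bits are ignored, either rule matches that suffix under any prefix at all, so the match says nothing about which network the address belongs to.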


Same thing is happening with Jio in India. Is it possible that this is happening because Jio is a mobile network? I think I read somewhere that mobile phones are not provided static IPs.


Would make sense for routing if the first n bits are common to the cell tower. Static IPs for phones would result in slower and more expensive routing, as we can't use prefixes for routing anymore.


As bad as our ISP situation is in Canada, there are a few smaller ones like teksavvy which will make your ipv6 assignment static if you call in and request it.


> like teksavvy

Which, by design, means that Rogers and Bell must support this capability. Yet, they likely won't offer it unless it's monetized (i.e. monthly service charge).


I’ve gotten pretty lucky with my past and current ISPs (Spectrum and AT&T fiber in the USA). The only times I’ve had my public IPv4 address or IPv6 prefix change was when the router’s MAC address or DUID (dhcpv6) changed.

For my use case, I kind of like this system since everything is (mostly) static and I can change it if I need to.


Comcast is the same way, even though their IPv4 is mostly static! Drives me batty so I went with Hurricane Electric connected to my pfSense router.


You can configure a ULA prefix in your router instead and use those internally.


I do exactly that and it works reasonably (I'm routing with pfSense, which does not support multiple IPs per interface very well, though).


VMS isn’t an IBM mainframe OS, though. I think typical native VMS machines are much closer to normal enterprise servers than mainframes, so virtualization would make sense.


They have added the option to switch back to 4:3 recently.


The standard defines the paper sizes rounded to the nearest mm, so a certain deviation from the sqrt(2) ratio is in the standard.


Right, it’s a great system! Concerning envelopes, here in Germany most mail I get is in DL envelopes, which also require the double fold. C5 is mostly used if double folding doesn’t work due to thickness.


I find the energy and time mechanics of Stardew Valley to be pretty stressful, to be honest.

