This Blog Is Now Available via IPv6
By Christopher Burg
Faster speeds aren't the only benefit I received from my recent Internet upgrade. One of my biggest gripes with having to use CenturyLink when I bought this house was the complete lack of IPv6 support. Brightspeed, not surprisingly considering their incompetency, didn't add IPv6 support when they took over for CenturyLink. Lakeland Communications, however, has full IPv6 support, which means this blog is now available via IPv6.
I consider this a major milestone. It's something I've wanted for many years now. I always envied people who had an IPv6 enabled Internet connection. I also hate network administrators who have an IPv6 enabled Internet connection and refuse to utilize it. Therefore, I'm going to use this occasion to rant about those network administrators and explain why their refusal is laziness at best and idiocy at worst.
Even though IPv6 has been formalized by the IETF since 1998, there remain many misconceptions about the protocol. The biggest misconception is that the only major difference between IPv6 and IPv4 is that the former has a significantly larger address space. This misconception leads to some stupid objections to implementing it. The first is that IPv6 addresses can't be memorized like IPv4 addresses. Anybody who has worked with large networks knows that IPv4 addresses can't typically be memorized for very long either. This is why DNS exists. You shouldn't refer to your systems by their IP addresses regardless of the version you're using. You should have a DNS server that provides memorable names to your systems.
Another objection to implementing IPv6 is that it's complicated to set up. It's actually much easier to set up an IPv6 network than an IPv4 network. My home network is a good example. IPv4 interfaces don't generate their own addresses (technically they can, but those addresses aren't useful in most cases), so you need to either statically assign an address to each device or use a DHCP server. I use DHCP to assign addresses to my devices. I operate two Kea DHCP servers configured in high availability mode for redundancy. Meanwhile, IPv6 interfaces can use protocols like SLAAC to generate their own addresses. My ISP provides me an IPv6 prefix, which my router automatically receives and advertises. Every IPv6 client can then generate an IPv6 address for itself based on that prefix. The addresses they generate are also globally routable.
The last part is important. There are no more unclaimed IPv4 addresses, which makes them a scarce commodity. Not every ISP is willing to provide a static IPv4 address. Those that do typically charge a monthly fee per static IPv4 address. I rent my single static IPv4 address and have no interest in paying for more. I need to play tricks to provide all of my services via that single IPv4 address. When you connect to this blog via IPv4, several things happen. First, my router uses port forwarding to connect your browser to my reverse proxy server. My reverse proxy server then uses Server Name Indication (SNI) to determine where to route the connection. The connection is then proxied to the server that actually hosts this blog. This tower of redirection is necessary to host multiple websites and other servers via a single IPv4 address.
There are effectively (obviously not literally) unlimited IPv6 addresses. My ISP provides me a /48 prefix. This gives me more IPv6 addresses than I could ever use. I could dole out 10 IPv6 addresses to every network enabled device in my house and still not make a dent in the number of addresses available to me. And all of those addresses are globally routable. This means when you connect to this blog via IPv6, you're connecting directly to the server hosting it.
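To make the two paragraphs above concrete, here is an added example (not code from this blog) that does the arithmetic of a delegated /48, derives the address a client would form from an advertised /64 using the modified EUI-64 method, generates the random interface identifier that privacy extensions use instead, and classifies an address by scope. The prefix `2001:db8:1234::/48` and the MAC address are constructed sample values from the documentation range, which is why the classifier reports them as "documentation" rather than "global unicast".

```python
"""SLAAC address derivation and IPv6 prefix arithmetic with the standard library."""
import ipaddress
import secrets

SCOPES = [
    ("link-local", ipaddress.IPv6Network("fe80::/10")),
    ("unique-local", ipaddress.IPv6Network("fc00::/7")),
    ("documentation", ipaddress.IPv6Network("2001:db8::/32")),
    ("global unicast", ipaddress.IPv6Network("2000::/3")),
]


def subnets_in(delegated: str, new_prefix: int = 64) -> int:
    """How many /64 networks fit in a delegated prefix (a /48 yields 65536)."""
    net = ipaddress.IPv6Network(delegated, strict=True)
    return 2 ** (new_prefix - net.prefixlen)


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64: insert ff:fe in the middle and flip the universal/local bit."""
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = octets[:3] + b"\xff\xfe" + octets[3:]
    eui = bytes([eui[0] ^ 0x02]) + eui[1:]
    return int.from_bytes(eui, "big")


def slaac_address(advertised_prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host forms from a Router Advertisement prefix plus its EUI-64 IID."""
    net = ipaddress.IPv6Network(advertised_prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def privacy_address(advertised_prefix: str) -> ipaddress.IPv6Address:
    """Temporary address per RFC 4941 style privacy extensions: random 64-bit IID,
    so the MAC address is not embedded in every connection the host makes."""
    net = ipaddress.IPv6Network(advertised_prefix, strict=True)
    return ipaddress.IPv6Address(int(net.network_address) | secrets.randbits(64))


def classify(address: str) -> str:
    """Scope of an address; only 'global unicast' is reachable from the Internet."""
    addr = ipaddress.IPv6Address(address)
    for name, net in SCOPES:
        if addr in net:
            return name
    return "other"


if __name__ == "__main__":
    delegated = "2001:db8:1234::/48"          # constructed sample, documentation range
    print(subnets_in(delegated), "/64 subnets available")
    lan = "2001:db8:1234:1::/64"              # one /64 the router advertises on the LAN
    mac = "00:11:22:33:44:55"                 # constructed sample MAC
    print("EUI-64 SLAAC address:", slaac_address(lan, mac))
    print("privacy address:", privacy_address(lan))
    print("scope:", classify(str(slaac_address(lan, mac))))
```

The EUI-64 form is deterministic and exposes the MAC address to every peer, which is why most client operating systems default to the random temporary addresses for outbound connections and keep the stable one only for inbound services.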
This fact frightens a lot of network administrators because they have this false concept that their local network is trustworthy whereas the Internet isn't. They like all of the redirection and games IPv4 requires because they believe it establishes a strong barrier between their trustworthy network and the untrustworthy Internet. Anybody who has read the news about network exploits knows this is false. Local networks aren't trustworthy. Every system you set up should be set up as if it were connected directly to the Internet. This is how I design my network.
Even though my router has a firewall, every system I set up also has a firewall. Those firewalls are configured with the minimum number of open ports necessary. I also ensure SELinux is enabled on all of my systems (many network administrators disable SELinux rather than learn how to use it). I minimize the amount of unencrypted traffic on my local network. For example, my reverse proxy has a dedicated WireGuard connection to each of the servers it proxies. All traffic between it and the proxied servers goes through those WireGuard connections. The main sources of unencrypted traffic are my DHCP servers, and that's because DHCP can't be secured. My networking equipment does use DHCP Guard to ensure only my DHCP servers can provide leases. IPv6 eliminates the need for those WireGuard connections by eliminating the need for the reverse proxy. It also eliminates the need for DHCP since devices can configure their own IPv6 addresses.
I've heard a few network administrators complain that providing websites via IPv4 and IPv6 complicates setting up TLS. This might have been the case when getting signed certificates was largely a manual task, but it's no longer the case now that getting signed certificates is largely automated. I've automated the task of getting signed certificates ever since Let's Encrypt's signing certificate was added to every major browser. Originally I did this via certbot, but now that I use Caddy, my HTTPS servers do it automatically (a few of my servers like my e-mail server still use certbot). Certbot and Caddy both operate perfectly well via IPv6. In fact, this blog is secured by separate TLS certificates depending on whether you connect via IPv4 or IPv6. If you connect via IPv4, you use the certificate obtained by Caddy on my reverse proxy. If you connect via IPv6, you use the certificate obtained by Caddy on the server hosting my blog.
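Because the IPv4 and IPv6 paths terminate TLS on different machines, each path needs its own valid certificate, and a common failure is a AAAA record that points at a host whose certificate does not cover the name. The following is an added example, not code from this blog, of a check that connects over each address family separately with full chain and hostname verification and reports the leaf certificate fingerprint seen on each. The hostname in the `__main__` block is a placeholder; `summarize` is the pure part that interprets the result.

```python
"""Verify that a dual-stack site presents a valid certificate over both IPv4 and IPv6."""
import hashlib
import socket
import ssl
from typing import Dict, Tuple


def resolve(host: str, port: int = 443) -> Dict[str, Tuple]:
    """Return {"IPv4": sockaddr, "IPv6": sockaddr} for the first A and AAAA answers."""
    out: Dict[str, Tuple] = {}
    for family, _, _, _, sockaddr in socket.getaddrinfo(host, port, type=socket.SOCK_STREAM):
        name = "IPv4" if family == socket.AF_INET else "IPv6"
        out.setdefault(name, sockaddr)
    return out


def leaf_fingerprint(host: str, sockaddr: Tuple, family: int, timeout: float = 5.0) -> str:
    """SHA-256 of the leaf certificate presented on this address; raises on verification failure."""
    ctx = ssl.create_default_context()          # verifies chain and hostname, like a browser
    with socket.socket(family, socket.SOCK_STREAM) as raw:
        raw.settimeout(timeout)
        raw.connect(sockaddr)
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()


def check_dual_stack(host: str) -> Dict[str, str]:
    """Fingerprint (or error text) per address family."""
    result: Dict[str, str] = {}
    for name, sockaddr in resolve(host).items():
        family = socket.AF_INET if name == "IPv4" else socket.AF_INET6
        try:
            result[name] = leaf_fingerprint(host, sockaddr, family)
        except (OSError, ssl.SSLError) as exc:
            result[name] = f"error: {exc}"
    return result


def summarize(result: Dict[str, str]) -> str:
    """Turn the per-family result into a one-line verdict."""
    if "IPv6" not in result:
        return "no AAAA record: IPv4-only"
    if "IPv4" not in result:
        return "no A record: IPv6-only"
    failed = [name for name, value in result.items() if value.startswith("error")]
    if failed:
        return "TLS failure over " + ", ".join(sorted(failed))
    if result["IPv4"] == result["IPv6"]:
        return "same certificate on both"
    return "different certificates per family (both valid)"


if __name__ == "__main__":
    target = "blog.example.com"                 # placeholder hostname
    outcome = check_dual_stack(target)
    for name, value in outcome.items():
        print(f"{name}: {value}")
    print(summarize(outcome))
```

"Different certificates per family (both valid)" is the expected verdict for a setup like the one described above, where the reverse proxy and the origin server each obtain their own certificate; the verdict to act on is a TLS failure over exactly one family, which usually means one of the two hosts is not renewing.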
I'll end my rant here since this post is getting longer than I anticipated. In summary, IPv6 is better than IPv4 in every way. Every objection to implementing IPv6 is dumb. Network administrators who have the option to implement IPv6 but don't are wrong.