Dual Stack home network pros and cons

[Frank Monroe]

Keep in mind that IPv4 isn't going anywhere, it will be around for a very long time...

IPv6 adoption will be mostly driven by two forces - the carriers, and the content providers... and efforts there are increasing at an accelerating scale.

Most folks are on IPV6 and don't even notice it...

View attachment 38116

Interesting read here...

Why is IPv6 faster?

Why is IPv6 faster than IPv4? Lee Howard, founder of Retevia, explores this question and shares his findings following his recent presentation at NANOG 76. He also provides detailed instructions for how to enable IPv6 on your website based on your web host.

www.arin.net

ARIN.NET is about as an authoritative source as anyone, perhaps even more that IETF/IEEE...

Yes. A lot of people are using IPv6 without even knowing it. For example, Comcast installs their home routers to customers with both IPv4 and IPv6 enabled. So, if you are a Comcast customer and you are using their equipment, you were setup with dual stack.

 

[sfx2000]

It was set to:
IPv4 - 208.67.222.222, 208.67.220.220
IPv4 - 2620:119:35::35, 2620:119:53::53

Fixed now changing to Google DNS servers.

That is odd - OpenDNS should know better on the IPv6 side

 

[sfx2000]

Since most of us can't read source code, all we can do is test what the code does, right?

Yep, yep...

Folks should be testing, if at all possible... that way things can get fixed up, and everyone wins!

 

[Tech9]

Most folks are on IPV6 and don't even notice it...

Are they using IPv6? Looks like CG-NAT to me with IPv4 addresses. Routers in 2021 still come with IPv6 disabled.

See the table below. What's the IPv4 issue in USA in particular?

List of countries by IPv4 address allocation - Wikipedia

en.wikipedia.org

 

[Frank Monroe]

Are they using IPv6? Looks like CG-NAT to me with IPv4 addresses. Routers in 2021 still come with IPv6 disabled.

Comcast isn't using CG-NAT. They have both IPv4 and IPv6 running to houses. At least they do in my region. So, if you use their equipment, you get a dual stack setup with public IP's unless you do something to turn it off. This benefits everyone as many of the streaming services and CDN networks offer IPv6.

 

[sfx2000]

Yes. A lot of people are using IPv6 without even knowing it. For example, Comcast installs their home routers to customers with both IPv4 and IPv6 enabled. So, if you are a Comcast customer and you are using their equipment, you were setup with dual stack.

And at some point in the future - the carriers will start selling off blocks of public IP addresses, as they have very real value, and push everyone into NAT/CG-NAT for IPv4..,

T-Mobile has pretty much telegraphed this already as their entire North American packet core is IPv6 only... as I mentioned previously, they use the 464XLATE transition path for IPv4, which is a bit of a pain for IPv4 only users, as the CLAT/PLAT relationship breaks the end-to-end network relationship - going IPv6 on those applications, it is better in my experience...

 

[Frank Monroe]

And at some point in the future - the carriers will start selling off blocks of public IP addresses, as they have very real value, and push everyone into NAT/CG-NAT for IPv4..,

T-Mobile has pretty much telegraphed this already as their entire North American packet core is IPv6 only... as I mentioned previously, they use the 464XLATE transition path for IPv4, which is a bit of a pain for IPv4 only users, as the CLAT/PLAT relationship breaks the end-to-end network relationship - going IPv6 on those applications, it is better in my experience...

I am a T-Mobile Home Internet customer.

 

[sfx2000]

Comcast isn't using CG-NAT. They have both IPv4 and IPv6 running to houses.

My understanding is that at present, Cox and Spectrum are still dual-stacked with public IPv4 addressing for now.

 

[sfx2000]

I am a T-Mobile Home Internet customer.

Same here - decent product for the price if one is in an area where it is offered..

Too bad they filter everything on IPv6 inbound...

But on a OS that is IPv6 native, it's a wonderful thing

 

[Tech9]

Folks should be testing, if at all possible...

Some folks are forced to become testers. Some others have no time to test. Some don't know what IPv6 is. I have number of employees working for me and I can do this all day long (well, not in work days), but I fail to see the benefits so far. With no real need of IPv6 in my location, I'm actually losing services just to say IPv6 is running on my network. It's not faster and it's not more secure. Just the opposite - two networks mess with the same devices.

 

[sfx2000]

But on a OS that is IPv6 native, it's a wonderful thing

This was on ChromeOS - do note that the IPv4, google is doing their internal network between Android and Crostini (both which are effectively containers running in ChromeOS).

But each one of those 2607:: addresses are public IP's

 

[Frank Monroe]

Mmm... in Asuswrt IPv6 settings you have Manual or Automatic options. If I don't use Manual, it will use ISP's IPv6 DNS. No? DNSFilter won't stop IPv6 lookups, as far as I understand. I would like to test IPv6 everything, if possible.

Unless you change the settings on the DHCP Servers tab, your clients will get both the IPv4 and IPv6 address of the ASUS router as the DNS server. The ASUS router then performs the actual lookups based on the DNS servers that were passed to it by the ISP. What the ISP actually passes to the ASUS router is up to the ISP. You can override what the ASUS router uses by changing the IPv6 DNS setting in the IPv6 tab and the Connect to DNS Sever Automatically setting in the WAN tab. You can also change the behavior by using the DNS Privacy Protocol setting on the WAN tab. This setting overrides the other two settings and is what I use. The DNSfilter setting intercepts any DNS query from a client and forces it to a DNS server of your choice. The server you select has to be reachable by IPv4. That doesn't mean it will only return IPv4 address. Clients can still request AAAA lookups. It will just be intercepted and sent the server you chose.

 

[Tech9]

Unless you change the settings on the DHCP Servers tab

Left blank.

You can override what the ASUS router uses by changing the IPv6 DNS setting

In use to Custom IPv6 servers.

Connect to DNS Sever Automatically setting in the WAN tab.

Set to the same DNS provider IPv4 servers.

The DNSfilter setting overrides any local setting for DNS server on the client.

Even IPv6 lookups by Google devices, for example? Some have hardcoded DNS servers.

 

[Frank Monroe]

Even IPv6 lookups by Google devices, for example? Some have hardcoded DNS servers.

Yes. Thats the whole point.

 

[Tech9]

There is a small issue - no DNSFilter in stock Asuswrt. I have to load Asuswrt-Merlin to test this. How is the request interception done? @RMerlin

Switching to dual stack is like painting a black wall with very thin white paint. Even after 5 coats applied you still don't have good enough coverage.

 

[Frank Monroe]

Some folks are forced to become testers. Some others have no time to test. Some don't know what IPv6 is. I have number of employees working for me and I can do this all day long (well, not in work days), but I fail to see the benefits so far. With no real need of IPv6 in my location, I'm actually losing services just to say IPv6 is running on my network. It's not faster and it's not more secure. Just the opposite - two networks mess with the same devices.

I didn't realize this thread is to try to convince you to enable IPv6 on your network. If you have no need or benefit for IPv6, why enable it? The reason why I started replying to posts in this thread was to disagree with the view that enabling IPv6 itself is a security issue, other than in the context of having unnecessary components running on your router. The other reason was to disagree with the view that there is no benefit or need for anyone to run with IPv6 enabled.

 

[Tech9]

I didn't realize this thread is to try to convince you to enable IPv6 on your network.

No. This thread was started because some folks claimed questionable IPv6 benefits in Asuswrt-Merlin beta testing thread.

The only benefits found after 9 pages discussion are:

- access to devices behind CG-NAT
- gaming on multiple consoles
- getting connected with IPv6 only ISP
- testing and sharing experience

Everything else is drawbacks - including security. My advice from what I've seen so far - if IPv4 is working for you, don't enable IPv6.

I'm open to test other benefits, before I wipe the routers clean and put them back on the shelf.

 

[Frank Monroe]

No. This thread was started because some claimed questionable IPv6 benefits in Asuswrt-Merlin beta testing thread.

The only found benefits after 9 pages discussion are:

- access to devices behind CG-NAT
- gaming on multiple consoles
- getting connected with IPv6 only ISP
- testing and sharing experience

Everything else is drawbacks - including security. My advice from what I've seen so far - if IPv4 is working for you, don't enable IPv6.

I'm open to test other benefits, before I wipe the routers clean and put them back on the shelf.

Well, like I said from the start, I agree you should not turn it on unless you have a need or a benefit from it. But, I don't agree that enabling it when you have a need is a greater security risk. And, I don't see where the security issue has even been demonstrated in this thread. I have only seen speculation or instances where security could be considered better under IPv6. Also, any "drawbacks" that were demonstrated were not due to IPv6.

 

[Tech9]

Also, any "drawbacks" that were demonstrated were not due to IPv6.

Here is what I found, including Asuswrt-Merlin specifics:

- more complicated setup
- unclear differences between Native, Passthrough and Tunnel
- harder to read and understand IPv6 addresses
- untested IPv6 firmware options, use at your own risk
- increased attack surface, IPv4 + IPv6
- ICMPv6 Inbound to hosts must be Allowed (as per ISP)
- potential DNS/VPN IPv6 leaks
- Diversion with double size blocklists
- Skynet on IPv4 only
- DNSFilter on IPv4 only
- potential DNS related location issues
- potential slower DNS resolution
- no custom categories filtering to popular free OpenDNS
- not enough information to make proper security assessment
- NAT acceleration issues on AC86U (perhaps, model specific)

I didn't have to deal with any of the above before enabling IPv6.

 

[Frank Monroe]

- unclear differences between Native, Passthrough and Tunnel

The differences are pretty clear in the documentation. This is no different than the 3-4 different configurations possible for IPv4 setups with various ISP.s and ASUS and other routers.

- increased attack surface, IPv4 + IPv6

This is true for anything you enable on your router. Like I said, if you don't need it, don't turn it on. The same argument could be made for turning off IPv4 if you have IPv6 enabled or, any other feature you enable on your router.

- ICMPv6 Inbound to hosts must be Allowed (as per ISP)

Not true. While router ICMP may be required, ICMP replies from internal devices are not and in fact, on an ASUS router, aren't allowed by default.

- potential DNS related location issues

This has nothing to do with IPv6. In addition, like I said, you don't have to use their IPv6 DNS servers because IPv6 is enabled.

- potential slower DNS resolution

I have never expired this nor have I seen it demonstrated. In addition, like I said, you don't have to use their IPv6 DNS servers because IPv6 is enabled.

- no custom categories filtering to popular free OpenDNS

Thats an issue with OpenDNS. IPv6 is not the issue here. In addition, like I said, you don't have to use their IPv6 DNS servers because IPv6 is enabled.

- not enough information to make proper security assessment

I"m not even sure what this means? Are you question the security of IPv6 in general, I guess that means a big part of the internet is in trouble.

- NAT acceleration issues on AC86U

IPv6 doesn't use NAT.