IPv6 discussions

[hwzlite]

FYI for those wanna self-host: "DNS64 is already supported by dnsproxy which AdGuardHome uses under the hood"

 

[Mach3.2]

FYI for those wanna self-host: "DNS64 is already supported by dnsproxy which AdGuardHome uses under the hood"

Still need to setup Tayga/Jool as your NAT64 gateway.

I mean either way you'll still need IPv4 access so kinda unnecessary in a home setting unless you're setting it up to learn.

Dual stack less headache and you'll keep a full head of black hair.

 

[xiaofan]

Still need to setup Tayga/Jool as your NAT64 gateway.
I mean either way you'll still need IPv4 access so kinda unnecessary in a home setting unless you're setting it up to learn.
Dual stack less headache and you'll keep a full head of black hair.

Already full head of grey hair, so no problem for me. Ha-ha.

 

[bert64]

Then adding nat64.xyz DNS64 server and then legacy IPv4 seems to work fine. But the latency is very bad and ping can even fail. For example, I can open IPv4 only websites like this forum (I am typing the reply under Linux) and I can open up ipv4.google.com website as well. But ping will fail for both cases.

So I guess this experiment can be considered a success (at least for Linux) but those nat64.xyz listed DNS64 servers will not work well in the end.

mcuee@UbuntuSwift3 ~ $ ping ipv4.google.com -c 4
PING ipv4.google.com(lhr25s34-in-f14.1e100.net (2a01:4f8:c2c:123f:64:5:8efa:bbee)) 56 data bytes

--- ipv4.google.com ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3064ms

mcuee@UbuntuSwift3 ~ $ ping forums.hardwarezone.com.sg -c 4
PING forums.hardwarezone.com.sg(2a01:4f8:c2c:123f:64:5:98c7:1175 (2a01:4f8:c2c:123f:64:5:98c7:1175)) 56 data bytes

--- forums.hardwarezone.com.sg ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3053ms

Yeah the public NAT64 servers are all located in europe or usa, the latency from asia will be high, i'm not aware of anyone providing a public NAT64 anywhere closer. Also being public services they are heavily loaded.

IPv6-only server hosting is very common as it's cheaper, so there's a lot of people using these public gateways to access things like github and wordpress updates. I have several v6-only servers at hetzner (germany), and one of the public NAT64 gateways is there too so it's pretty fast locally.
AWS charge for legacy IP, and they also charge for NAT processing so it's a good way to reduce your bills.

The M1 implementation on the other hand is very good, since it's local you're just replacing NAT by your router with NAT64 by the device M1 have (which is likely to be a lot more powerful than a typical home router) so it doesn't add any noticeable latency.

I believe some of the NAT64 gateways explicitly dont allow ping.

Weird that it doesn't work for you on macos, i've got no problems on several macbooks and been running with DNS64 for years now. Are you pushing only legacy DNS resolvers and no v6 resolvers as that would break it..
If you run a v6-only network with DHCP108 or PREF64 it actually checks the resolvers and wont switch to v6-only unless the resolvers check out.

 

[bert64]

You'll need to use M1's DNS server too. i'm not sure if you can hit their NAT64 gateway from outside their network.

M1's DNS servers:
- 2401:7400:8888:41::37
- 2401:7400:8888:42::5
DNS64 prefix:
- 2401:7400:8000:0:3:0::/96

https://forums.hardwarezone.com.sg/...band-discussion-part-2.5658375/post-133693958

Edit: in the DNS resolver's advanced setting, you can specify the DNS64 prefix and see if it works. I didn't have to use M1's DNS servers in this instance.

Edit2: M1's DNS server and NAT64 gateway doesn't seem to accept request from outside M1's network.

They have at least two NAT64 gateways:

2401:7400:8000:0:3:0::/96
2401:7400:8000:0:4:0::/96

You get DNS64 automatically if you're on mobile (including tethering), on fibre you don't so you'd need to manually set the prefix (eg the way @Mach3.2 showed above with pfsense). I'm not sure if mobile is using different resolvers - it may be possible to just change to the same ones used on mobile?
You can also return both prefixes so you have load balancing/failover.

And yes you need to be on the M1 network, it's not open from outside.

 

[bert64]

Thanks. So in the end I can not use M1's NAT64 resolvers.

Even if it accepts request from Singtel, that does not help due to the poor latency from Singtel IPv6 to M1 IPv6 which we already discovered before.

mcuee@UbuntuSwift3 ~ $ ping -c 4 2401:7400:8888:41::37
PING 2401:7400:8888:41::37(2401:7400:8888:41::37) 56 data bytes
64 bytes from 2401:7400:8888:41::37: icmp_seq=1 ttl=48 time=280 ms
64 bytes from 2401:7400:8888:41::37: icmp_seq=2 ttl=48 time=303 ms
64 bytes from 2401:7400:8888:41::37: icmp_seq=3 ttl=48 time=223 ms
64 bytes from 2401:7400:8888:41::37: icmp_seq=4 ttl=48 time=247 ms

--- 2401:7400:8888:41::37 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 223.041/263.251/302.661/30.425 ms
mcuee@UbuntuSwift3 ~ $ ping -c 4 2401:7400:8888:42::5
PING 2401:7400:8888:42::5(2401:7400:8888:42::5) 56 data bytes
64 bytes from 2401:7400:8888:42::5: icmp_seq=1 ttl=47 time=260 ms
64 bytes from 2401:7400:8888:42::5: icmp_seq=2 ttl=47 time=281 ms
64 bytes from 2401:7400:8888:42::5: icmp_seq=3 ttl=47 time=303 ms
64 bytes from 2401:7400:8888:42::5: icmp_seq=4 ttl=47 time=541 ms

--- 2401:7400:8888:42::5 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 259.640/346.194/541.260/113.670 ms

That latency is absolutely horrific especially for something so close by, the public servers in europe should have less latency than that.

It's down to a difference in business models. With singtel they want to sell peering, so the users are the product sold to content providers.
For any ISP which isn't trying to sell peering, they want as much local peering as possible because it reduces their transit costs and improves the customer experience.

 

[joeltng]

Wanted to ask cause I haven't really seen this really (if at all) being anwsered, what actualy tangible benefits does ipv6 actually give the layman now? I've seen some reports that no more NAT so less overheads, but from my own (somewhat limited exp on this with Singtel) The experience ranges from mostly the same at best, to slower/less repsonsive at worse.

Moving to SH soon and wondering if worth setting up my router to do both ipv6 and ipv4 at the same time or wait for the future to final-final.psd arrive and just stick to ipv4 for now

 

[xiaofan]

That latency is absolutely horrific especially for something so close by, the public servers in europe should have less latency than that.

It's down to a difference in business models. With singtel they want to sell peering, so the users are the product sold to content providers.
For any ISP which isn't trying to sell peering, they want as much local peering as possible because it reduces their transit costs and improves the customer experience.

In this particular case, both Singtel (main culprit) and M1 are to be blamed. As per @Mach3.2, somehow M1 buys IPv6 transit from Singtel. No issues with IPv4 between Singtel and M1. The issue is only with IPv6.

Reference:
https://forums.hardwarezone.com.sg/threads/singtel-1-gbps-fibre.5930834/page-223#post-151772651

 

[Mach3.2]

Wanted to ask cause I haven't really seen this really (if at all) being anwsered, what actualy tangible benefits does ipv6 actually give the layman now? I've seen some reports that no more NAT so less overheads, but from my own (somewhat limited exp on this with Singtel) The experience ranges from mostly the same at best, to slower/less repsonsive at worse.

Moving to SH soon and wondering if worth setting up my router to do both ipv6 and ipv4 at the same time or wait for the future to final-final.psd arrive and just stick to ipv4 for now

Each device get a globally addressable address so none of the port forwarding ******** that you have to deal with like on IPv4, just allow the traffic through your firewall and Bob's your uncle.

But IPv6 adoption still isn't as widespread esp on M1 and Singtel when we check APNIC IPv6 adoption stats.

Then you have some ISPs like MyRepublic and Viewqwest that doesn't support IPv6 on their consumer service, which really works against IPv6 adoption.

 

[joeltng]

Each device get a globally addressable address so none of the port forwarding ******** that you have to deal with like on IPv4, just allow the traffic through your firewall and Bob's your uncle.

But IPv6 adoption still isn't as widespread esp on M1 and Singtel when we check APNIC IPv6 adoption stats.

Then you have some ISPs like MyRepublic and Viewqwest that doesn't support IPv6 on their consumer service, which really works against IPv6 adoption.

ah yea, I get that, but lay man (like older folks or less tachy folks really won;t see the benefit much outside of a few fringe cases (maybe they get a scurity system, now don;t need forward port etc) really hard to see the benefit or heck even "selling point"for the normal people

Just like our gov now push into 10Gbps i sincerely hope they have ipv6 as a requirement not just pure speed.

IPV6 gonan be like HL3 liao coming soon for how long liao xD

 

[bert64]

Wanted to ask cause I haven't really seen this really (if at all) being anwsered, what actualy tangible benefits does ipv6 actually give the layman now? I've seen some reports that no more NAT so less overheads, but from my own (somewhat limited exp on this with Singtel) The experience ranges from mostly the same at best, to slower/less repsonsive at worse.

Moving to SH soon and wondering if worth setting up my router to do both ipv6 and ipv4 at the same time or wait for the future to final-final.psd arrive and just stick to ipv4 for now

The singtel implementation of ipv6 is not very good, starhub's is fine on fibre assuming you only want a single network (ie no separate guest network, separate wfh network etc), same with m1 and they also have very good mobile ipv6 support.

1. Lower cost (IPv4 is expensive, NAT is expensive) - in singapore the market is largely stagnant, and ipv4 was much cheaper when it was expanding in the past. in countries like india the market is growing fast and its not cost effective to buy ipv4 for every customer so you see much higher ipv6 deployment
2. The use of CGNAT (all mobile providers, some fixed line providers) carries a performance hit as well as other potential problems (eg you can get the shared ip of the nat gateway banned from sites and then other customers lose access too, or have to complete captchas)
3. Every user that doesn't have ipv6 is forcing content providers to shoulder the cost and security burden of ipv4
4. The costs borne by the isps and hosting providers are passed on to users one way or another, some hosting providers now offer cheaper ipv6-only services, including major ones like aws.
5. Faster routing assuming it takes the same path (no need to compute the checksum for each packet, no need to worry about fragmentation etc)
   1. this makes the routing equipment cheaper and more energy efficient
6. Every device has its own address(s), no nat so p2p can work much more effectively, although most p2p apps these days have a failover mode which will work with nat so users are likely to see reduced performance rather than complete failure
   1. The usual failover mode is to route the traffic via a central server, if the central server is close to you then the added latency is not very high, for big services like whatsapp or telegram the central servers for asia are in singapore so the added latency is small for local users, but much higher for users in thailand, myanmar, india, malaysia etc.
   2. The service provider has to pay for these servers and the traffic they carry, this costs them a lot and incentivises them to limit bandwidth (eg reduced video quality etc)
7. every device has its own address, but only you know which address is which device... if someone reports malicious activity from one of your devices (ie one of your devices is infected with malware and is sending spam) you get the device address with ipv4 and the router address with legacy ip, with v6 you can quickly track down the infected device
8. some governments have mandates to move to ipv6-only - china, usa, czechia and possibly others, there are sound technical reasons behind these mandates
9. There are some ipv6-only websites already, and new ones come online regularly, if you try to access an ipv6 only site from a legacy connection you will just get a generic failure so it won't be obvious why the site has failed to load
10. modern devices are designed to use ipv6, if you force them to use ipv4 then you're forcing them into a backwards compatibility code path.. there are potential security risks with this setup
11. if you have a public ipv4 you will be subjected to constant scans/junk traffic, not so with ipv6
12. No address conflicts - every ipv6 address is globally unique, if you try to connect to a vpn that uses the same address range as your local network problems ensue
    1. this becomes a major problem in larger organisations, and all kinds of workarounds are used with associated (financial, security, stability) costs
13. Many isps are ipv6-only these days as it makes for a cheaper, faster and more secure network.. backwards compatibility is generally achieved by having a NAT gateway or some other transition mechanism which tunnels legacy traffic over the ipv6 core, as such legacy traffic is slower... M1 has such a mechanism on their mobile network, t-mobile usa, ee uk, jio india, ntt japan, sky uk, sky italy, starlink and many more do this.
14. Major tech companies like microsoft, google and facebook are running ipv6-only internal networks, they don't do this for fun but because there are real tangible benefits to be had, and such companies generally have a sufficiently strong understanding of the technology to realise this

Basically for a non technical user, look at what major tech companies and government are doing. They understand the benefits of ipv6, they are actively using it, actively promoting it and actively working to get rid of ipv4. If you don't understand the benefits, defer to those who do.

The benefits only increase the more widespread ipv6 becomes, the sooner everyone gets on board the better.

Note the singtel ipv6 implementation is a tunnel over ipv4, unless you are lucky enough to be able to use the native implementation which they recently deployed in a few select areas. It's slower precisely because its a tunnel, but ipv6 over 4 tunnels are super rare these days, and a lot of isps now use ipv4 over v6 tunnels (ie the opposite). A tunnel is always going to be slower than the native transport which carries the tunnel. Hosting providers like azure and gcp also tunnel v4 over v6.

 

[xiaofan]

The singtel implementation of ipv6 is not very good,

That has changed. Actually SIngtel is one of the best right now -- native IPv6 and /56.

I am not so sure if that has been deployed to all the users or not though. But I tend to believe that is the case since the deployment started towards the end of last year. Reports show that people with Singtel ONR also got IPv6.

 

[bert64]

That has changed. Actually SIngtel is one of the best right now -- native IPv6 and /56.

I am not so sure if that has been deployed to all the users or not though. But I tend to believe that is the case since the deployment started towards the end of last year. Reports show that people with Singtel ONR also got IPv6.

As far as i'm aware it's still opt-in on the ONR, and only deployed in certain areas/nodes. Outside of those areas if you explicitly request IPv6 you get the 6rd tunnel (and switched to a huawei ONR if you don't already have one because the nokia models don't support 6rd).

If you look at the apnic stats there is a sharp climb this year from <0.2% to about 1.6%, which is probably a handful of users trialing the service plus anyone who happens to be in a trial area and has their own router setup for it.

I'm not aware of anyone other than you who's got the native service.

They also seem to have a spike (just over 3%) on their mobile service. That's got to be opt-in too because almost all modern phones will default to ipv6 when its available so if a provider has a separate AS# for their mobile service and enables v6 by default you typically see >90%.

Thailand is a good example:
https://stats.labs.apnic.net/ipv6/TH
AIS have v6 by default on both their fibre and mobile services.
Mobile uses AS131445 and is at 95% because the vast majority of handsets will use it by default, and handsets are connected directly to the network.
Their fibre service is AS133481 and sits at 66%, v6 is enabled by default if you use the ais-supplied router with current devices, but some users still have older routers, customer supplied routers where they didnt enable v6, daisy chained routers or all manner of other random setups.

Starhub you can see 60% on fibre (similar to AIS) and <1% on mobile.
M1 use the same AS# for both mobile and fibre so you can't separate them, i would expect their mobile to be in the 90% range on its own.
Although one thing to note with M1 is that you only get v6 if your on a 4g/5g connection, if your on 3g you don't.

If singtel enable v6 by default on mobile and their supplied ONR, expect those stats to climb massively overnight - 90+ for mobile and probably a bit lower for fibre depending on how many customers have current ONR models compared to custom devices or old equipment.

Interestingly M1 have another AS# which is v6-only:
https://bgp.he.net/AS132915
It doesn't show up in apnic stats, and probably isn't used for end users - perhaps some kind of internal test?

 

[Mach3.2]

If singtel enable v6 by default on mobile and their supplied ONR, expect those stats to climb massively overnight - 90+ for mobile and probably a bit lower for fibre depending on how many customers have current ONR models compared to custom devices or old equipment.

Singtel's cellular bundle for my iPhone 13 enables IPv6 by default and I do get IPv6 without making a service request on my new sim only plan, although I have to say it's a little buggy because sometimes I don't get an IPv6 address unless I toggle airplane mode.

 

[xiaofan]

Singtel's cellular bundle for my iPhone 13 enables IPv6 by default and I do get IPv6 without making a service request on my new sim only plan, although I have to say it's a little buggy because sometimes I don't get an IPv6 address unless I toggle airplane mode.

This is new to me. Maybe the new 5G enabled Singtel SIM Only Plus plans have IPv6.

I just checked our two Singtel SIM Only Plus phones without 5G (only first three months with free 5G) and both phones have no IPv6. One is my Poco X4GT and the other is my wife's iPhone 14.

 

[Mach3.2]

Maybe the new 5G enabled Singtel SIM Only Plus plans have IPv6.

Yeah, could very well be something they added for new subscribers only, seeing how Singtel Mobile's IPv6 preferred stats went up only in the recent months.

 

[xiaofan]

I'm not aware of anyone other than you who's got the native service.

There is a Singtel ONR user who reported that he had IPv6 in this forum (DHCPv6)
https://forums.hardwarezone.com.sg/threads/singtel-onr-settings.6531734/page-2#post-150672657

I also checked with another new Singtel ONR user and he also has IPv6.

But I guess the existing ONR users may need to configure the IPv6 feature and it may not be default. And for ONT users they also need to manually turn on IPv6 as well since most of the consumer routers do not enable IPv6 by default.

Anyway, I will check in the Singtel 1Gbps thread to see if people have got native IPv6 working or not. By right the deployment should have been finished since I got it last year.

 

[bert64]

Singtel's cellular bundle for my iPhone 13 enables IPv6 by default and I do get IPv6 without making a service request on my new sim only plan, although I have to say it's a little buggy because sometimes I don't get an IPv6 address unless I toggle airplane mode.

Oh that's certainly new, but makes sense considering the level of load that 5G users would put on the CGNAT gateways. Is it only enabled on 5G? Or does it still work if you force it down to 4/3 etc?
When are the apn settings? do they differ from older plans?

It's not uncommon for operators to enable v6 only on the newer bands due to the use of older equipment, M1 don't provide v6 on 3g for instance.

The problem you're seeing is because in dual stack mode the iphone won't keep retrying to connect once it has any (legacy *or* v6 connection), so if you go to a location with marginal signal you might find that the legacy negotiation succeeded and the v6 did not. It's likely that you're using dual stack, or dual stack is still offered as a fallback. V6-only negotiation can also happen, but only if the network has NAT64/DNS64.

The same thing occasionally happens on M1, it prefers dual stack but can sometimes end up with one or the other, the v6-only works fine because of the NAT64.

On v6-only networks the carrier settings only try a v6 connection, so if it doesn't get one it will keep trying until it does.

You can force the phone to v6-only with a mobileconfig settings profile and then it will work consistently.

One other thing to notice, VoLTE on singtel is v6-only and has been for several years, but the address you get assigned doesn't route traffic publicly. You will find that you have multiple pdp contexts on your phone (eg try the he.net network tools app to see interface information).

 

[bert64]

There is a Singtel ONR user who reported that he had IPv6 in this forum.

I also checked with another new Singtel ONR user and he also has IPv6.

But I guess the existing ONR users may need to configure the IPv6 feature and it may not be default. And for ONT users they also need to manually turn on IPv6 as well since most of the consumer routers do not enable IPv6 by default.

Anyway, I will check in the Singtel 1Gbps thread to see if people have got native IPv6 working or not. By right the deployment should have been finished since I got it last year.

Possible that it's only enabled for new users, and they haven't pushed an updated configuration to existing users. The actual ONR hardware is more than capable of handling native v6 and has been for many years.

You might also want to check the address they have, the 6rd uses a different /32 than the native deployment so it's quite easy to tell them apart. The only user i'm aware of is still on the 6rd range, and has poor performance as a result.

 

[joeltng]

**Truncated**

First off thanks for the long detailed reply. Many points are what i've already read aand known about and agree with. My exp trying out singtel on ipv6 probabyl left much to be desired (slower overall speed, latancy and responsiveness) but hearing the postiive feedback gonna give it another go when my home switches over to SH. Overall honestly i expected it to have been picked up much faster tbh, but i guess i underestimated how willing msot of our ISPs are in the move to IPv6 many years back.