this post was submitted on 10 Nov 2024
32 points (92.1% liked)
Explain Like I'm Five
IPv6 has several changes to the specification, but since this is ELI5:
When you were a child, your friends would call your house and a parent would answer the phone. They'd ask to talk to you, and your parents would hand the phone off to you. That might have been because you were too young to have a phone, but IPv4 with NAT works the same way because there are so many "houses" and only enough phone numbers for the houses, not all the people that live in them.
For IPv6 it's like your friends can call you directly on your cell phone. And they can call your brothers and sisters, your cat, your dog, your TV, your refrigerator, and the backyard squirrels. There are so many phone numbers that everyone can have their own.
How do I handle whether I want my phone number to be known to the world?
Does my phone number ever change on its own or can I freely change it?
Who has the phone book?
Feel free to turn this into an ELI5years in general IT after a career change where I started from scratch.
Mostly dropping the analogy as it falls apart quickly once you try to talk about more specific details.
If you don't want people to be able to call you then you can block incoming calls. This is sort of the like IPv4 NAT case, people can't connect in (unless you forward ports). Or if you want to you can allow incoming calls. The choice is up to you now rather than being forced by a technical limitation.
Generally you will be provided a "prefix" by your ISP. In v4 this would typically be a full address. In v6 there are a huge number of addresses inside this prefix. In both cases how often the prefix changes is up to your ISP, but for v6 you can change the suffix you use inside of the prefix as often as you want.
There are two main parts of "the phone book". There is "Who owns this address?" and "How do I get to this address?" Both of these are basically identical between IPv4 and IPv6.
For "Who owns this address?" there is a global directory of assignments. This is typically done in multiple layers.
For "How do I get to this address?" a protocol called BGP is used to advertise where an address is available from. So I may say "If you want to get to addresses 32 to 64 come talk to me". This is sort of like in a hotel how there are signs saying which room numbers are in which direction. When two networks are connected they share this information between them to establish a "routing table", so they know how to get to everywhere else on the internet.
This may look something like this:
Overall no single place knows how to get to every other address. But they know the best next step. So you don't know where 17 is, but you know to send it to your ISP, your ISP doesn't know where 17 is but knows that their partner tier 1 ISP knows how to get there, the tier 1 ISP doesn't know where 17 is, but knows that it belongs to your friend's ISP, your friend's ISP doesn't know what device 17 is, but knows that it is in your friend's house, then finally your friend's home router actually knows that 17 is your friend's desktop.
You can sort of imagine this like delivering mail. If I send mail in Canada that is addressed to England, Canada Post doesn't really care where exactly I am sending the letter. It just knows that it needs to forward it to Royal Mail and they will handle it from there.
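The hop-by-hop lookup described in the answer above, as an added example that is not part of the original thread: each router holds only a few prefixes plus, for everyone except the tier-1, a default route, and the most specific matching prefix wins. All router names and prefixes are made up (2001:db8::/32 is the IPv6 documentation range). The last two functions illustrate the earlier point about the ISP-assigned prefix: the router carves /64 subnets out of the delegated /56, and a host picks its own random suffix inside one of them.

```python
"""Hop-by-hop forwarding with longest-prefix match, plus prefix delegation.

Added example, not part of the original thread. Every router name and prefix
below is made up (2001:db8::/32 is the IPv6 documentation range); the topology
follows the chain described above: you -> your ISP -> a tier-1 -> your friend's
ISP -> your friend's home router -> the desktop.
"""
import ipaddress
import random

LOCAL = "deliver"  # next hop meaning "this prefix is on one of my own links"

# Constructed routing tables: list of (prefix, next_hop) per router. "::/0" is
# the default route ("I don't know, send it upstream"); the tier-1 has none.
ROUTERS = {
    "home":         [("2001:db8:1:100::/64", LOCAL), ("::/0", "isp_a")],
    "isp_a":        [("2001:db8:1::/48", "isp_a_access"),      # all of isp_a's customers
                     ("2001:db8:1:100::/56", "home"),           # the /56 delegated to you
                     ("::/0", "tier1")],
    "isp_a_access": [("2001:db8:1::/48", LOCAL)],
    "tier1":        [("2001:db8:1::/48", "isp_a"), ("2001:db8:2::/48", "isp_b")],
    "isp_b":        [("2001:db8:2:200::/56", "friend_home"), ("::/0", "tier1")],
    "friend_home":  [("2001:db8:2:200::/64", LOCAL), ("::/0", "isp_b")],
}


def lookup(table, dst):
    """Return the next hop for dst, or None if no prefix in the table matches.

    Longest-prefix match: when several prefixes contain dst, the most specific
    one wins, which is why isp_a sends 2001:db8:1:100::5 to "home" rather than
    to its generic customer pool.
    """
    dst = ipaddress.IPv6Address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.IPv6Network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return None if best is None else best[1]


def trace(routers, start, dst, max_hops=16):
    """Walk the forwarding decision router by router and return the hop list.

    Ends with LOCAL when a router owns the destination's on-link prefix,
    "unreachable" when a router has no matching route (e.g. a tier-1 that was
    never told about the prefix via BGP), or "loop" as a safety stop.
    """
    path = [start]
    current = start
    for _ in range(max_hops):
        next_hop = lookup(routers[current], dst)
        if next_hop is None:
            path.append("unreachable")
            return path
        path.append(next_hop)
        if next_hop == LOCAL:
            return path
        current = next_hop
    path.append("loop")
    return path


def subnet_of(delegated_prefix, index):
    """Carve the index-th /64 out of the prefix the ISP delegated (a /56 holds 256)."""
    nets = ipaddress.IPv6Network(delegated_prefix).subnets(new_prefix=64)
    return str(list(nets)[index])


def temporary_address(subnet, seed):
    """Pick a random 64-bit interface identifier inside a /64.

    This is the "suffix you can change as often as you want": the prefix is
    fixed by the ISP, the host chooses the rest (what privacy extensions do).
    seed only makes the example reproducible; a real host uses a CSPRNG.
    """
    net = ipaddress.IPv6Network(subnet)
    assert net.prefixlen == 64, "host addresses are formed inside a /64"
    return str(net.network_address + random.Random(seed).getrandbits(64))


if __name__ == "__main__":
    print(" -> ".join(trace(ROUTERS, "home", "2001:db8:2:200::17")))
    lan = subnet_of("2001:db8:1:100::/56", 0)
    print(lan, temporary_address(lan, 1))
```

Running the script prints the chain home -> isp_a -> tier1 -> isp_b -> friend_home -> deliver. A destination outside every prefix the tier-1 has learned ends in "unreachable" at the tier-1, because routers in the default-free zone have no upstream to hand unknown traffic to.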
Thank you so much, this really cleared things up for me!
I didn't know about that part, doesn't that make it necessary for everyone to have a firewall? What's stopping someone from port scanning my Chinese smart microwave and attacking it?
This is getting out of ELI5 territory, but the way it works with IPv4 is when something on the internet needs to access your devices, it sends a request to your IP address (your house) along with a port number. Your router (that runs your firewall) decides if it should forward the request to the device inside your network. By default, it usually says "no" unless you tell it otherwise.
With IPv6, you'd still have a router, most likely, but it would be "watching" all of the IP addresses for your devices, not just a single one for your entire home.
This does add a fair bit of complexity, but my guess is that if we ever do start getting blocks of IPv6 addresses as home users, most routers will probably come with default firewall blocking rules pre-configured.
I'm already on a connection where I don't get an ipv4 address, just a block of ipv6 addresses.
My ISP-supplied router comes with a firewall that I can't configure or disable.
Really? Just out of curiosity, what kind of connection are you on? I have two ISPs, one of which provides a single IPv4 address only, and the other provides one IPv4 and one IPv6 address.
It's a coaxial cable connection from Vodafone in Germany, using Dual Stack Lite.
Based on this reply, I get the distinct impression that you know a LOT more about networking than your original ELI5 post lets on, and almost certainly more about the subject than I. I work in tech, but not with networking specifically; most of my knowledge is from way too many years and dollars spent on homelabbing.
One of my internet connections is a DSL connection; by default, they provide a single IPv4 address. My DSL modem has an option to enable IPv6 tunneling through IPv4, but I was never able to get it to work, and customer support was completely clueless. I suspect this isn't something their network supports and they're just counting on their users not caring. My other connection is over satellite (Starlink), and as far as I am aware, they're only providing a single IPv6 connection, not a block of addresses.
To make things easy, I've just blocked IPv6 at my firewall, and I use policy-based routing on my pfSense box to send traffic to either connection depending on latency/bandwidth requirements (Streaming goes to satellite, VoIP goes to DSL, etc). I know that IPv6 has improvements beyond just "more addresses," but at this point I can't really justify enabling it on my network. It would only be used internally, and I just don't see any tangible benefit.
I’m on FiOS and I just had to turn on IPv6 on my router (it’s disabled by default on older Quantum Gateways). It works and they are assigning /56 blocks, I think it’s DHCPv6 but I haven’t looked in a while.
NAT sort of accidentally includes what is called a "stateful firewall". It blocks inbound connections because it doesn't know where they should go. IPv6 eliminates the need for NAT but doesn't prevent stateful firewalls. It is just as easy to implement stateful firewalls (actually a bit easier) for IPv6 without NAT. The difference is that the choice is yours, rather than being a technical limitation.
For example if I had a smart microwave I would want to ensure that there is some sort of firewall (or more likely for me not connect it to the internet at all, but I digress). However I may want my gaming computer to be directly accessible so that my friends can connect to my game without going through some third-party relay, or maybe my voice chat can be direct between me and my friends for extra privacy and better latency.
Also relying on network-level protection like this is a good idea in general. Eventually a friend is going to come over with an infected network and connect to your WiFi. With just NAT this will allow the malware on their computer to access your microwave as they are "inside the NAT". If you were applying a proper stateful firewall you would likely apply it to all traffic, not just internet traffic.
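The stateful filtering that the two replies above describe (the router deciding per request whether to forward it inside, and doing so without NAT on IPv6), as an added example that is not part of the original thread. The zones, hosts and the game port are made up (2001:db8::/32 is the documentation range). The model tracks flows by 5-tuple: the trusted LAN may open connections anywhere, guest Wi-Fi may open connections only to the internet, unsolicited traffic from outside is dropped unless a single explicit allow entry exists for it (the gaming PC's port), and replies to any tracked flow pass.

```python
"""A minimal stateful-firewall model for an IPv6 router without NAT.

Added example, not part of the original thread. The addresses, zones and the
game port are made up (2001:db8::/32 is the documentation range). It shows the
point made above: what blocks unsolicited inbound traffic is connection
tracking, not NAT; the same rule can be applied between the guest Wi-Fi and
the LAN so a visitor's infected laptop cannot reach the smart microwave, and
a single explicit allow rule exposes the gaming PC's port to friends.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


# Constructed zones: one /64 per segment of the delegated prefix; anything else is "wan".
ZONES = {
    "lan":   ipaddress.IPv6Network("2001:db8:1:100::/64"),
    "guest": ipaddress.IPv6Network("2001:db8:1:101::/64"),
}

GAMING_PC = "2001:db8:1:100::1337"   # hypothetical host
MICROWAVE = "2001:db8:1:100::42"     # hypothetical host

# Explicit exceptions for unsolicited inbound: (dst, proto, dport). This is the
# IPv6 equivalent of a port forward, minus the address rewriting.
INBOUND_ALLOW = {(GAMING_PC, "udp", 27015)}   # hypothetical game port


def zone_of(addr):
    """Map an address to the interface zone it sits behind."""
    a = ipaddress.IPv6Address(addr)
    for name, net in ZONES.items():
        if a in net:
            return name
    return "wan"


class StatefulFirewall:
    """Policy: lan may open flows anywhere; guest may open flows to wan only;
    wan may open flows only to INBOUND_ALLOW; replies to tracked flows pass."""

    def __init__(self):
        self.flows = set()   # connection-tracking table keyed by 5-tuple

    def filter(self, pkt):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reply = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.flows or reply in self.flows:
            return "accept"            # ESTABLISHED: part of a flow we already allowed
        src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
        allowed_new = (
            src_zone == "lan"
            or (src_zone == "guest" and dst_zone == "wan")
            or (pkt.dst, pkt.proto, pkt.dport) in INBOUND_ALLOW
        )
        if allowed_new:
            self.flows.add(key)        # NEW flow permitted: remember it so replies pass
            return "accept"
        return "drop"                  # NEW flow not permitted: silently dropped


def run_scenario():
    """Push a constructed sequence of packets through the firewall in order and
    return the verdict for each (order matters: a reply passes only after the
    packet that created the flow)."""
    fw = StatefulFirewall()
    lan_pc, guest_laptop = "2001:db8:1:100::10", "2001:db8:1:101::50"
    web, friend, scanner = "2001:db8:ffff::80", "2001:db8:2:200::17", "2001:db8:bad::1"
    packets = {
        "lan_to_web":         Packet("tcp", lan_pc, 51000, web, 443),
        "web_reply":          Packet("tcp", web, 443, lan_pc, 51000),
        "scan_microwave":     Packet("tcp", scanner, 40000, MICROWAVE, 80),
        "friend_to_game":     Packet("udp", friend, 27015, GAMING_PC, 27015),
        "game_reply":         Packet("udp", GAMING_PC, 27015, friend, 27015),
        "guest_to_microwave": Packet("tcp", guest_laptop, 42000, MICROWAVE, 80),
        "guest_to_web":       Packet("tcp", guest_laptop, 42001, web, 443),
        "web_reply_to_guest": Packet("tcp", web, 443, guest_laptop, 42001),
    }
    return {name: fw.filter(p) for name, p in packets.items()}


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:20s} {verdict}")
```

The difference from a NAT-only router is where the rule applies: NAT drops the scanner's packet only because it has no translation entry on the WAN side, so a guest laptop on the same inside network would reach the microwave unhindered, whereas this model evaluates the guest-to-LAN flow with the same NEW/ESTABLISHED logic and drops it.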