this post was submitted on 10 Nov 2024

Explain Like I'm Five


Seriously, my knowledge ends with:

  • It offers a shitload of IP addresses
  • They look really complicated
  • Something about every device in your local network being visible from everywhere?
  • Some claim it obsoletes NAT?

I get that it's probably too complicated a subject for an ELI5, so if there are good videos or resources explaining it in less than half an hour, feel free to share.

top 31 comments
[–] [email protected] 29 points 1 week ago (1 children)

I'll give it a shot. Not quite ELI5 but "Explain like I know what a phone number is". For the most important answer, see the last paragraph.

IP addresses are a bit like phone numbers. To send data to some computer, your computer attaches that number and sends the data packet on its way. With IPv4, an address is four bytes long, usually represented as four numbers from 0-255 separated with dots. That gives us a bit under 4.3 billion possible addresses, which seemed enough when the system was invented; larger organizations could even reserve entire address ranges, and some ranges got reserved for special purposes (for example, all 127.x.x.x addresses mean "send this to myself" while 192.168.x.x and 10.x.x.x are meant for local, non-public networks). Reserving these ranges is convenient when you need multiple machines connected to the internet but is very inefficient as these ranges need to be a power of two in size (256 is common), so you may get more addresses than you need and the rest stays unused.

The first solution was "Network Address Translation" (NAT). Basically, every household or organization gets a single public IPv4 address and every device on your network has a private address. On outgoing connections, your router replaces the (private) sender address with its public address and remembers which private address belongs to that connection so it can correctly forward any replies. For incoming connections, the router needs a list of rules to tell it what to do. For example something like "Everything on port 80 goes to 192.168.0.42". This worked for a while as most people make only outgoing connections and even many organizations can simply decide locally what to do with an incoming connection based on the received data so they wouldn't need multiple addresses.

After a while, it was clear that even with this workaround we would run out of addresses sooner or later. Providers tried giving their customers a different address every time they connected to the internet so they could reuse the address for someone else when the customer disconnected. This worked well when people only connected when they needed it but these days we're usually online 24/7.

So in the end, the only solution was to add more addresses. For our current needs, doubling the length would be more than enough but to be on the safe side, it was decided to quadruple the address length to a total of 16 bytes. This gives us about 340 undecillion unique addresses. Still not enough to give a unique address to every atom in the universe, not even enough for every atom on earth but still a lot. We can give every human an address range many times larger than the total address space of IPv4.

Does this mean that NAT is dead or that all your devices are visible from outside your network? Absolutely not. It means you can do that if you want. If your provider gives you a large address range, you can give each of your devices a different one and tell your router to forward everything. But you can also still use a single public address and/or tell your router to apply certain rules for what to do with incoming connections. There are also still address ranges that are meant purely for local use, equivalent to what 192.168.x.x and 10.x.x.x were in IPv4.

[–] [email protected] 1 points 1 week ago (1 children)

Honestly, the biggest concern I have with IPv6 is how do I get to my router? Because I know if I purchase a new router to go to 192.168.1.1 or 0.1 or 2.1 etc. to get to it to configure it. With IPv6, this seems like it would be much harder.

[–] [email protected] 6 points 1 week ago* (last edited 1 week ago) (1 children)

Just because you have IPv6 enabled doesn't mean you don't have IPv4. Both can coexist on the same network and the same device so your router can be 192.168.0.1 and some IPv6 address at the same time.

On top of that, many routers can be reached by a well-known hostname or domain, depending on their manufacturer. For example, AVM Fritz!Box routers (extremely popular in Germany) automatically resolve http://fritz.box to their own IP address no matter what that IP address is.

In the end, read the manual or the sticker on the device, same as you would have to do with IPv4 to figure out which subnet it is configured with.

[–] [email protected] 4 points 1 week ago (1 children)

Fair enough, I guess I'm thinking quite far into the future when IPv6 is just the absolute dominant form of connection and most people are turning off IPv4 or operating systems aren't really shipping with IPv4 support.

[–] [email protected] 3 points 1 week ago* (last edited 1 week ago) (1 children)

Assuming you only have one router you'd probably be fine with ff02::2 (that's the well-known-multicast for every IPv6 router on the link).
Otherwise your ISP or vendor should have the default value in some kind of setup instructions I'd guess.

Edit: Oh, and then there is the Neighbour Discovery Protocol: a router advertises itself on the link. It can even give you a valid configuration through it. If not, you can at least look up the advertised address via a simple command line command.

[–] [email protected] 2 points 1 week ago* (last edited 1 week ago) (1 children)

I wonder if default gateway might work. Because at least in an IPv4 network, if you go to like your settings and look at the network information, the default gateway is your router's IP address. I'm thinking like the Wi-Fi settings in the Android system, for example.

Edit: Also, thanks for the multicast address. I'm at least somewhat new to IPv6 networking myself, and so I was not aware of that address. About the most I've been able to do with IPv6 so far is set my own DNS server and configure a static IP address for one of my systems to act as a server by doing like ISPPrefix::1

[–] [email protected] 1 points 1 week ago

Yes, if you get a standard gateway defined, either through a DHCP server (pretty much all consumer routers should have one running by default too) or SLAAC, you should be able to look it up through the settings in the GUI, too.

You're welcome. I'm no big expert myself, but I'd say that most things aren't so different from v4, once you understand how v6 addresses work and are configured (and that there is no broadcast address anymore).

[–] corroded 14 points 1 week ago* (last edited 1 week ago) (2 children)

IPv6 has several changes to the specification, but since this is ELI5:

When you were a child, your friends would call your house and a parent would answer the phone. They'd ask to talk to you, and your parents would hand the phone off to you. That might have been because you were too young to have a phone, but IPv4 with NAT works the same way because there are so many "houses" and only enough phone numbers for the houses, not all the people that live in them.

For IPv6 it's like your friends can call you directly on your cell phone. And they can call your brothers and sisters, your cat, your dog, your TV, your refrigerator, and the backyard squirrels. There are so many phone numbers that everyone can have their own.

[–] [email protected] 7 points 1 week ago (1 children)

How do I handle whether I want my phone number to be known to the world?
Does my phone number ever change on its own or can I freely change it?
Who has the phone book?
Feel free to turn this into an ELI5years in general IT after a career change where I started from scratch.

[–] [email protected] 3 points 1 week ago (1 children)

Mostly dropping the analogy as it falls apart quickly once you try to talk about more specific details.

How do I handle whether I want my phone number to be known to the world?

If you don't want people to be able to call you then you can block incoming calls. This is sort of like the IPv4 NAT case, people can't connect in (unless you forward ports). Or if you want to you can allow incoming calls. The choice is up to you now rather than being forced by a technical limitation.

Does my phone number ever change on its own or can I freely change it?

Generally you will be provided a "prefix" by your ISP. In v4 this would typically be a full address. In v6 there are a huge number of addresses inside this prefix. In both cases how often the prefix changes is up to your ISP, but for v6 you can change the suffix you use inside of the prefix as often as you want.

Who has the phone book?

There are two main parts of "the phone book". There is "Who owns this address?" and "How do I get to this address?" Both of these are basically identical between IPv4 and IPv6.

For "Who owns this address?" there is a global directory of assignments. This is typically done in multiple layers.

  1. The whole address space is split among reserved addresses and continental registries.
  2. The continental registries distribute addresses to organizations or individuals.
  3. The organizations and individuals distribute addresses to customers/devices.
  4. This may continue, for example if your home internet connection is assigned multiple addresses (rare on v4, expected on v6) then you can assign addresses to devices in your house.

For "How do I get to this address?" a protocol called BGP is used to advertise where an address is available from. So I may say "If you want to get to addresses 32 to 64 come talk to me". This is sort of like in a hotel how there are signs saying which room numbers are in which direction. When two networks are connected they share this information between them to establish a "routing table", so they know how to get to everywhere else on the internet.

This may look something like this:

  1. Your laptop wants to talk to address 17. It has learned that addresses 1-8 are "local", everything else goes out your home internet connection.
  2. Your residential ISP is connected to 4 different other networks (likely a Tier 1 ISP), two of these have access to address 17, but one is "closer" so your ISP sends it there.
  3. This tier 1 ISP knows that a network it is connected to serves addresses 16-32. (Maybe this is your friend's residential ISP.) So it sends the traffic there.
  4. Your friend's residential ISP knows that addresses 16-20 are assigned to your friend's house, so it sends the traffic there.
  5. Your friend's router knows that address 17 is their desktop, so it sends the traffic there.

Overall no single place knows how to get to every other address. But they know the best next step. So you don't know where 17 is, but you know to send it to your ISP; your ISP doesn't know where 17 is but knows that their partner tier 1 ISP knows how to get there; the tier 1 ISP doesn't know where 17 is, but knows that it belongs to your friend's ISP; your friend's ISP doesn't know what device 17 is, but knows that it is in your friend's house; then finally your friend's home router actually knows that 17 is your friend's desktop.

You can sort of imagine this like delivering mail. If I send mail in Canada that is addressed to England, Canada Post doesn't really care where exactly I am sending the letter. It just knows that it needs to forward it to Royal Mail and they will handle it from there.
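The hop-by-hop lookup chain described in this answer, as an added example that is not part of the original post: each node holds only its own routing table, picks the longest matching prefix (lowest metric on a tie, standing in for the "closer" transit network), and hands the packet to the next hop. Node names and the 2001:db8::/32 documentation prefixes are constructed for the example.

```python
import ipaddress

# Constructed topology. Each entry is (prefix, next_hop, metric); "link" means
# the destination is directly attached and is resolved via the neighbour table.
ROUTING_TABLES = {
    "laptop":        [("2001:db8:1:1::/64", "link", 0), ("::/0", "home-router", 0)],
    "home-router":   [("2001:db8:1:1::/64", "link", 0), ("::/0", "my-isp", 0)],
    # my-isp peers with two transit networks that both reach the friend's ISP
    # ("two of these have access to address 17"); the lower metric is "closer".
    "my-isp":        [("2001:db8:1::/48", "home-router", 0),
                      ("2001:db8:2::/48", "tier1-a", 10),
                      ("2001:db8:2::/48", "tier1-b", 20)],
    "tier1-a":       [("2001:db8:2::/48", "friend-isp", 0)],
    "tier1-b":       [("2001:db8:2::/48", "friend-isp", 0)],
    "friend-isp":    [("2001:db8:2:1100::/56", "friend-router", 0)],
    "friend-router": [("2001:db8:2:1100::/64", "link", 0)],
}

# Neighbour tables: which device answers for an address on a directly attached link.
NEIGHBOURS = {
    "2001:db8:1:1::/64":    {"2001:db8:1:1::a": "laptop"},
    "2001:db8:2:1100::/64": {"2001:db8:2:1100::17": "friend-desktop"},
}


def lookup(node, dst):
    """Longest-prefix match in node's table, lowest metric on a tie.
    Returns (matched_prefix, next_hop) or None if nothing matches."""
    addr = ipaddress.IPv6Address(dst)
    best = None
    for prefix, next_hop, metric in ROUTING_TABLES[node]:
        net = ipaddress.IPv6Network(prefix)
        if addr in net:
            rank = (net.prefixlen, -metric)
            if best is None or rank > best[0]:
                best = (rank, prefix, next_hop)
    return None if best is None else (best[1], best[2])


def trace(src, dst, max_hops=16):
    """Follow the packet from src, one routing decision per hop, and return the
    list of nodes it visits. No node knows the whole path; each knows only its
    own best next step."""
    dst = str(ipaddress.IPv6Address(dst))  # normalise so neighbour keys match
    hops = [src]
    node = src
    for _ in range(max_hops):
        match = lookup(node, dst)
        if match is None:
            hops.append("unreachable")  # no route: the packet is dropped here
            return hops
        prefix, next_hop = match
        if next_hop == "link":
            device = NEIGHBOURS.get(prefix, {}).get(dst)
            hops.append(device if device else "no-neighbour")
            return hops
        hops.append(next_hop)
        node = next_hop
    hops.append("loop")  # hop limit exhausted, as the IPv6 hop limit would do
    return hops


if __name__ == "__main__":
    print(" -> ".join(trace("laptop", "2001:db8:2:1100::17")))
    print(" -> ".join(trace("laptop", "2001:db8:3::1")))
```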

[–] [email protected] 1 points 1 week ago

Thank you so much, this really cleared things up for me!

[–] TheEighthDoctor 2 points 1 week ago* (last edited 1 week ago) (2 children)

I didn't know about that part, doesn't that make it necessary for everyone to have a firewall? What's stopping someone from port scanning my Chinese smart microwave and attacking it?

[–] corroded 2 points 1 week ago (2 children)

This is getting out of ELI5 territory, but the way it works with IPv4 is when something on the internet needs to access your devices, it sends a request to your IP address (your house) along with a port number. Your router (that runs your firewall) decides if it should forward the request to the device inside your network. By default, it usually says "no" unless you tell it otherwise.

With IPv6, you'd still have a router, most likely, but it would be "watching" all of the IP addresses for your devices, not just a single one for your entire home.

This does add a fair bit of complexity, but my guess is that if we ever do start getting blocks of IPv6 addresses as home users, most routers will probably come with default firewall blocking rules pre-configured.

[–] [email protected] 2 points 1 week ago (1 children)

I'm already on a connection where I don't get an ipv4 address, just a block of ipv6 addresses.
My ISP-supplied router comes with a firewall that I can't configure or disable.

[–] corroded 1 points 1 week ago (1 children)

Really? Just out of curiosity, what kind of connection are you on? I have two ISPs, one of which provides a single IPv4 address only, and the other provides one IPv4 and one IPv6 address.

[–] [email protected] 2 points 1 week ago (1 children)

It's a coaxial cable connection from Vodafone in Germany, using Dual Stack Lite.

It uses IPv6-only links between the provider and the customer, but does not use NAT64 translation. When a device in the customer network sends an IPv4 packet to an external destination, the IPv4 packet is encapsulated in an IPv6 packet for transport into the provider network. At the LSN, the packet is decapsulated and NAT44 is performed.

[–] corroded 2 points 1 week ago

Based on this reply, I get the distinct impression that you know a LOT more about networking than your original ELI5 post lets on, and almost certainly more about the subject than I. I work in tech, but not with networking specifically; most of my knowledge is from way too many years and dollars spent on homelabbing.

One of my internet connections is a DSL connection; by default, they provide a single IPv4 address. My DSL modem has an option to enable IPv6 tunneling through IPv4, but I was never able to get it to work, and customer support was completely clueless. I suspect this isn't something their network supports and they're just counting on their users not caring. My other connection is over satellite (Starlink), and as far as I am aware, they're only providing a single IPv6 connection, not a block of addresses.

To make things easy, I've just blocked IPv6 at my firewall, and I use policy-based routing on my PFsense box to send traffic to either connection depending on latency/bandwidth requirements (Streaming goes to satellite, VoIP goes to DSL, etc). I know that IPv6 has improvements beyond just "more addresses," but at this point I can't really justify enabling it on my network. It would only be used internally, and I just don't see any tangible benefit.

[–] [email protected] 1 points 1 week ago

I’m on FiOS and I just had to turn on IPv6 on my router (it’s disabled by default on older Quantum Gateways). It works and they are assigning /56 blocks, I think it’s DHCPv6 but I haven’t looked in a while.

[–] [email protected] 1 points 1 week ago

NAT sort of accidentally includes what is called a "stateful firewall". It blocks inbound connections because it doesn't know where they should go. IPv6 eliminates the need for NAT but doesn't prevent stateful firewalls. It is just as easy to implement stateful firewalls (actually a bit easier) for IPv6 without NAT. The difference is that the choice is yours, rather than being a technical limitation.

For example if I had a smart microwave I would want to ensure that there is some sort of firewall (or more likely for me not connect it to the internet at all, but I digress). However I may want my gaming computer to be directly accessible so that my friends can connect to my game without going through some third-party relay, or maybe my voice chat can be direct between me and my friends for extra privacy and better latency.

Also relying on network-level protection like this is a good idea in general. Eventually a friend is going to come over with an infected network and connect to your WiFi. With just NAT this will allow the malware on their computer to access your microwave as they are "inside the NAT". If you were applying a proper stateful firewall you would likely apply it to all traffic, not just internet traffic.
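The stateful-firewall behaviour this comment describes, as an added example that is not the commenter's code: new flows are admitted only from a trusted zone or toward a deliberately opened port, replies to known flows pass in both directions, and everything else is dropped. The last scenario shows the guest-on-WiFi case: a firewall that trusts the whole LAN lets the guest reach the microwave, while one that only trusts named devices does not. Addresses, device roles and the game port 27015 are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


class StatefulFirewall:
    """Minimal connection-tracking filter: a flow may be *started* only from a
    trusted zone or toward an explicitly opened (address, port); packets that
    belong to an already-seen flow are allowed in either direction."""

    def __init__(self, trusted_prefixes, open_ports=()):
        self.trusted = [ipaddress.IPv6Network(p) for p in trusted_prefixes]
        self.open_ports = set(open_ports)   # {(address, port)} deliberately exposed
        self.flows = set()                  # established 5-tuples, like a conntrack table

    def _trusted(self, addr):
        a = ipaddress.IPv6Address(addr)
        return any(a in net for net in self.trusted)

    def decide(self, pkt):
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.flows or rev in self.flows:
            return "ALLOW established"
        if self._trusted(pkt.src):
            self.flows.add(fwd)
            return "ALLOW new (from trusted zone)"
        if (pkt.dst, pkt.dport) in self.open_ports:
            self.flows.add(fwd)
            return "ALLOW new (opened port)"
        return "DROP unsolicited"


def run_scenarios():
    """Constructed traffic: a laptop browsing, an outside scanner probing the
    microwave, a friend joining the game, and an infected guest on the LAN."""
    internet = "2001:db8:ffff::5"
    laptop, microwave = "2001:db8:1:1::10", "2001:db8:1:1::77"
    gaming, guest = "2001:db8:1:1::42", "2001:db8:1:1::99"

    # Internet-edge firewall that trusts the whole home /64 (the NAT-equivalent view).
    edge = StatefulFirewall(["2001:db8:1:1::/64"], open_ports={(gaming, 27015)})
    edge_results = [
        edge.decide(Packet(laptop, internet, 51000, 443)),    # outbound web request
        edge.decide(Packet(internet, laptop, 443, 51000)),    # its reply
        edge.decide(Packet(internet, microwave, 40000, 80)),  # unsolicited scan
        edge.decide(Packet(internet, gaming, 40001, 27015)),  # friend joins the game
        edge.decide(Packet(guest, microwave, 52000, 80)),     # guest probes microwave
    ]

    # Same rules applied to all traffic, trusting only named devices, not the LAN.
    zoned = StatefulFirewall([laptop + "/128", gaming + "/128"],
                             open_ports={(gaming, 27015)})
    zoned_results = [zoned.decide(Packet(guest, microwave, 52000, 80))]
    return edge_results, zoned_results


if __name__ == "__main__":
    for line in run_scenarios():
        print(line)
```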

[–] [email protected] 5 points 1 week ago

I'm going to just answer each point in turn. Maybe it's useful. I don't know.

It offers a shitload of IP addresses

It does. Generally most ISPs assign each user the equivalent of the IPv4 address space multiplied by itself. There's a lot of address space to go around.

They look really complicated

This is true. But you rarely need to remember a full IP address. Most resources you access via DNS. If you have servers on your own network you will probably need to remember your own prefix (first 3 or 4 blocks of 4 hex numbers) and your servers you want to access would likely be ::1 and ::2 etc in that allocation. So you'd learn them. Also most routers allow for local DNS entries and there's other things that will help here.

Something about every device in your local network being visible from everywhere?

This is a concern, but that's mostly because router makers now are often badly configuring their routers. The correct way to configure a router is to allow outgoing/established connections by default and block all incoming (until you specifically open a port). Once this is done the security is very similar to NAT.

Some claim it obsoletes NAT?

Yes, NAT was created to make a small address space work in an era of multiple internet consumers behind a single connection. But when each device can get a routable IPv6 address, NAT is not needed. However the security I talk about above IS essential to apply to consumer routers.

Now, I'll elaborate on some of the features of IPv6 (a lot of which are just not being used when they could have been).

IPv6 privacy extensions (RFC4951)

This allows normal client machines (the kind that would usually be behind NAT entirely) to have a similar level of security and privacy provided by NAT. One concern with just plain IPv6 with a fixed IPv6 allocation is that people could ID a specific machine from web logs etc and could be used against you in privacy terms. This extension ensures that you have multiple active IPv6 addresses. One could be the one you perhaps have some ports open on. That address will not be used for outgoing connections. A random IP will be used for outgoing connections and this IP will not have any ports open and will change frequently. I think on windows this is enabled by default (when you look in ipconfig you will often see multiple "temporary addresses").

Harder to portscan

Currently it doesn't take THAT long to portscan the whole IPv4 address space. And because almost every public address is hosting multiple hosts behind it, there's a good chance ports will be open on a lot of the IPs scanned.

With IPv6 the public address space is huge. With normal machines having their allocations made randomly within a huge allocation per user, every IP would still need every port scanned. This makes active port scanning much harder. The above privacy extensions also mean that passive port scanning (port scanning IPs found in web logs for example) is harder too.

User experience

Provided consumer routers are configured well from the factory and ISPs are making sensible decisions regarding allocation of address space, the user will benefit from the advantages and not even know they're using IPv6 in many cases. When you go to google/facebook/youtube etc you will be on IPv6 and not even know it.
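The "fixed allocation identifies a specific machine" point from the privacy-extensions section above, as an added example that is not the commenter's code: a SLAAC address built from the MAC (modified EUI-64) carries that MAC verbatim and can be decoded back from any log line, while a temporary identifier in the style of RFC 4941 is 64 random bits with the universal/local bit cleared. The MAC and the 2001:db8::/64 prefix are constructed for the example.

```python
import ipaddress
import secrets

# Constructed example: the MAC address and prefix are illustrative, not real hosts.


def eui64_iid(mac):
    """Modified EUI-64 interface identifier: flip the universal/local bit of the
    first octet and insert ff:fe between the OUI and the device half of the MAC."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC must be 48 bits")
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:6]


def random_iid(rng=secrets.token_bytes):
    """Temporary interface identifier in the style of RFC 4941: 64 random bits with
    bit 6 (the 'u' bit) cleared so it is never mistaken for a globally unique id.
    A real stack uses its own CSPRNG; secrets stands in for it here."""
    iid = bytearray(rng(8))
    iid[0] &= 0xFD
    return bytes(iid)


def with_iid(prefix, iid):
    """Combine a /64 prefix with an 8-byte interface identifier into an address."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64 or len(iid) != 8:
        raise ValueError("SLAAC needs a /64 prefix and a 64-bit identifier")
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + iid))


def iid_bytes(addr):
    """The low 64 bits of an address, i.e. the interface identifier."""
    return ipaddress.IPv6Address(addr).packed[8:]


def mac_from_address(addr):
    """Recover the MAC from a modified-EUI-64 address, or None if the identifier
    is not MAC-shaped. This is exactly why a fixed SLAAC address in a web log
    pins down one physical machine, whatever prefix it is used under."""
    iid = iid_bytes(addr)
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{octet:02x}" for octet in mac)


if __name__ == "__main__":
    stable = with_iid("2001:db8::/64", eui64_iid("00:1a:2b:3c:4d:5e"))
    temp = with_iid("2001:db8::/64", random_iid())
    print("stable   ", stable, "->", mac_from_address(stable))
    print("temporary", temp, "->", mac_from_address(temp))
```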

[–] pelya 4 points 1 week ago

You can set up your own IPv6 server, and it will be accessible from every other IPv6 device. Do you want to create a Lemmy server using only your phone and Verizon mobile data? Yes you can! *

* Instructions for installing Linux environment on Android phone and setting up free DNS and HTTPS certificates are not included.

That's the main point. IPv4 fails because half of all existing IPv4 devices cannot access the other half of IPv4 devices directly, they have to go around using some kind of relay server, which inevitably complicates communications and costs extra money.

[–] [email protected] 2 points 1 week ago (1 children)

I guess the thing I mostly don't get is:

If it's just an extension of the address space, then why is it still such a big deal?
Why didn't they add some sort of ipv4 compatibility layer into the new protocol and flip the switch everywhere 15 years ago?

[–] [email protected] 2 points 1 week ago (1 children)

Specifically answering this question. It works transparently with IPv4. Organisations running servers can run both IPv4 and IPv6 operations with very little effort on their part. ISPs can deploy this and router makers include support with only a reasonable amount of effort.

As users AND servers get IPv6 addresses, in the background they will just be used. At some point there would be so much IPv6 adoption they could turn off IPv4. There is a thing called "6to4" but dual stack has (I think rightly) become the main way people run both.

In the UK I think at least half the ISPs provide IPv6 now. I think also in Europe it's the same or better. But still we're far from replacing IPv4 and I wonder when it might ever happen.

[–] [email protected] 2 points 1 week ago

Last time I checked the Cloudflare radar about a month ago, it seems like about 38% of Cloudflare traffic was occurring over IPv6 and Google commonly shows about 50% of their traffic over IPv6. So it is definitely growing, which is a good thing.

[–] Evotech 1 points 1 week ago* (last edited 1 week ago) (1 children)

It's just a larger address space, nothing particularly special. Just more numbers

If you use IPv6, you don't need to have concepts like rfc1918 / "private IP spaces", so if every IP is unique, they can be used publicly and you don't need NAT.

[–] [email protected] 1 points 1 week ago (2 children)

I'm guessing you don't need DHCP anymore either?
What's the difference between an ipv6 address and a MAC address then?

[–] [email protected] 2 points 1 week ago

Different network layer. MAC addresses are layer 2 iirc, whereas IPv6 is layer 3.

[–] [email protected] 2 points 1 week ago

MAC addresses are link-local device identifiers, used by the switches and routers and WiFi access points that talk directly to the devices in question. Switches and routers maintain a table of which MAC to send a packet to based on the IP address, i.e. which actual port to send the data frames down.

There is DHCP for IPv6, but the IPv6 stack is supposed to be able to detect which subnet its router is in and then just pick addresses on its own (it does look for conflicts before committing to an address). This is called SLAAC (stateless address auto configuration).

NAT is unnecessary because there are so many addresses, as others have mentioned; but I did want to point out that NAT is not used for security. Just because it obscures your devices does not make them any safer. All ISP routers have a firewall to one degree or another (could be as simple as "no incoming connections"; which is bad and lazy but it happens). Firewalling (examining incoming traffic against a set of rules for allowing or denying) is the correct way to secure any network, IPv4 or IPv6.