Why are Cloudflare still sharing IPv6 addresses, when there should easily be enough for one per website? (And then with correct reverse DNS.)
The linked site [1] has a download of 134k hostnames. Filtering for the Cloudflare prefix, 2400:cb00:2048, there are still plenty of sites sharing an IP. For example, www.monolith.agency (a design agency) is on the same IP as www.bobshouseofporn.com (porn).
Maybe the same company hosts both websites, and it's not Cloudflare's issue, but that seems unlikely for a US porn site, Quebec design agency, Brazilian health site and Spanish programming site.
Google have 13,000 sites on the same IP, 2607:f8b0:4005:808::2013, looks like Blogger.
monolith.agency has address 104.28.8.19
monolith.agency has IPv6 address 2400:cb00:2048:1::681c:813
Notice that the IPv4 address is embedded in the last 32 bits of the IPv6 address. I would assume that this allows both addresses to be generated from the same configuration, rather than trying to keep two copies in sync.
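As an added illustration (not part of the thread or of Cloudflare's own tooling): the two checks above, pulling the IPv4 out of the low 32 bits of the AAAA record and grouping the hostnames in a dump that share one address inside a prefix, done in Python. The hostname list is a constructed sample shaped like the linked download, only the www.monolith.agency pair comes from the thread, and the /48 length for the Cloudflare prefix is an assumption.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the shape of the AAAA dump discussed above.
# Only the monolith.agency entry is from the thread; the rest are made up.
SAMPLE_AAAA = [
    ("www.monolith.agency", "2400:cb00:2048:1::681c:813"),
    ("www.example-health.br", "2400:cb00:2048:1::681c:813"),
    ("www.example-code.es", "2400:cb00:2048:1::681c:913"),
    ("blog.example.org", "2607:f8b0:4005:808::2013"),
    ("www.example-other.net", "2001:db8::1"),
]

# Prefix length is an assumption; the thread only quotes 2400:cb00:2048.
CLOUDFLARE_PREFIX = ipaddress.IPv6Network("2400:cb00:2048::/48")


def embedded_ipv4(addr: str) -> str:
    """Return the IPv4 address carried in the low 32 bits of an IPv6 address."""
    low32 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(low32))


def a_matches_aaaa(a_record: str, aaaa_record: str) -> bool:
    """True when the AAAA record encodes exactly the host's A record."""
    return embedded_ipv4(aaaa_record) == a_record


def shared_hosts(records, prefix: ipaddress.IPv6Network) -> dict:
    """Group hostnames by IPv6 address inside `prefix`.

    Returns only addresses that serve more than one hostname, keyed by the
    normalised (compressed, lowercase) address string.
    """
    by_ip = defaultdict(list)
    for host, ip in records:
        addr = ipaddress.IPv6Address(ip)
        if addr in prefix:
            by_ip[str(addr)].append(host)
    return {ip: hosts for ip, hosts in by_ip.items() if len(hosts) > 1}


if __name__ == "__main__":
    print(embedded_ipv4("2400:cb00:2048:1::681c:813"))
    for ip, hosts in shared_hosts(SAMPLE_AAAA, CLOUDFLARE_PREFIX).items():
        print(ip, "->", ", ".join(hosts))
```

Normalising through `ipaddress.IPv6Address` before grouping matters: the same address written as `2400:cb00:2048:1:0:0:681c:813` or with uppercase hex would otherwise land in a separate bucket and hide the sharing.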
I can imagine a government that would enforce that ISPs block adult sites by default (a specific government comes to mind), and as those sites would both use HTTPS (as websites do), the design agency's website would be blocked by default as collateral damage.
"Sorry, your website is blocked by default on all ISPs. It's to protect the children."
Cloudflare, you have my login token cookie but you are still asking me to prove I'm not a robot. Please make using a VPN not to be a punishment since all the sites that use your SSL show me the "I'm not a robot", no matter how often I verify it. I am most times under an insecure WIFI so no VPN is not an option for security. Possible steps:
1. Make me solve it only once every X minutes/hours.
2. Make the defaults to be one step down in security, probably most webmasters don't want to block legitimate people using VPN.
3. Make it dynamic, so only those under suspicion have to do it. And consider being using a VPN NOT to be enough suspicion for it.
Right now I have to choose either to:
- Compromise my security: don't like it now, cannot do it when I start working with the new company I'm going to work
That was exactly my point 2: Make the defaults to be one step down in security, probably most webmasters don't want to block legitimate people using VPN.
It is great to see IPv6 finally taking off. I remember being excited about IPv6 back in 2003. I was fortunate to be on a university network with great admins and made sure to enable IPv6 on my Linux computer. Then nothing much happened for years and years and years. Not until around 2011 did the numbers start ticking up much above 0%, and now we are in the early part of the steep slope.
Interesting that Google doesn't seem to use ipv6 for their crawlers. They seemed to be big supporters for ipv6, but they don't appear anywhere on the list. I'd expect them to cause much more traffic than Facebook.
Because their crawler is so monolithic that it would be expensive and annoying overhauling it for IPV6.
There is a great use-case for IPV6 for IOT where each device gets its own IPV6 address. IPV6 addresses are appearing more like MAC addresses at this rate as IPV6 is not exhausted yet.
But seriously, there's an astronomical # of addresses in IPv6. You're probably right that if we ever exhaust that space, we'll probably be communicating between planets by then.
There is an astronomical number of individual IPv6 addresses, but in most cases that is not really the meaningful number to look at, at least right now. IPv6 is not really supposed to be subnetted beyond /64, so that already slashes the network space quite significantly. ISPs are supposed to hand out full /48s to customers (probably does not apply to consumers though), so there goes another 16 bits. The basic unit that RIRs give to ISPs is a /32 (afaik). Which leaves far less astronomical number of individual networks left. 2^32 - 2^48 is no doubt still a pretty big number, but not really as mindbogglingly humongous as 2^128.
> There is a great use-case for IPV6 for IOT where each device gets its own IPV6 address.
Do you really want your IOT devices to be directly addressable on the internet? It's my understanding that having devices behind a router is safer. I go a step further and disable UPnP on my routers and everything still 'just works' including network printing.
NAT is not a security feature; it wasn't meant as one and it doesn't by itself add anything, except complicating communication.
You're supposed to control access with a firewall, and controlling security is much easier when a computer/device has a routable address.
Though, IoT devices should probably be restricted from any Internet access based on their security track record (but again, this is orthogonal to being directly addressable).
While NAT does not provide perfect security, it is a component of security in networks where most people have no idea how to harden their systems or devices. It somehow gives me comfort to know that no one can just scan the net to find my phone, as I'm not sure if it would be vulnerable.
I still don't see a reason for the average consumer to have a static, reachable IP for their devices. I see privacy concerns but no advantages.
Why does 'directly addressable' mean 'not behind a router'? Unless you've got a weird ISP that's delivering you Ethernet, you're going to need a router.
I have a gigabit fiber (to the home) connection which terminates at a device with 4 Ethernet jacks. They all work, I've tested connecting directly to them with a laptop, but I plug a router into it and all devices connect through that router instead. It's the 'stateful firewall' aspect of using a router that I want for improved security. https://en.wikipedia.org/wiki/Stateful_firewall
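As an added illustration (not from the thread, and not a real firewall): the "stateful firewall" behaviour the two comments above rely on, reduced to a small Python model. Hosts keep globally routable addresses (the 2001:db8::/32 documentation range is used for the constructed sample), outbound flows are remembered, inbound packets are accepted only when they belong to a remembered flow or hit an explicitly published service, and everything else is dropped. The `Packet` fields and the `StatefulFilter` API are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal TCP/UDP 5-tuple view of a packet (constructed for the model)."""
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFilter:
    """Toy connection-tracking filter sitting between a LAN and the Internet.

    inside_prefix:   the LAN prefix; only packets sourced from it may create flows
    allowed_inbound: (address, port) pairs deliberately exposed, e.g. a home server
    """

    def __init__(self, inside_prefix: str, allowed_inbound=()):
        self.inside = ipaddress.ip_network(inside_prefix)
        self.allowed_inbound = set(allowed_inbound)
        # Remembered flows as (inside_addr, inside_port, outside_addr, outside_port).
        self.flows = set()

    def outbound(self, pkt: Packet) -> bool:
        """LAN -> Internet: accept and remember the flow; drop spoofed sources."""
        if ipaddress.ip_address(pkt.src) not in self.inside:
            return False  # anti-spoofing: source is not one of our hosts
        self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True

    def inbound(self, pkt: Packet) -> bool:
        """Internet -> LAN: accept only replies to remembered flows or published services."""
        if ipaddress.ip_address(pkt.dst) not in self.inside:
            return False  # not for us; a real router would forward or drop elsewhere
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return True   # ESTABLISHED: reply to something a LAN host started
        if (pkt.dst, pkt.dport) in self.allowed_inbound:
            # Explicitly exposed service: accept and track so its replies flow back.
            self.flows.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return True
        return False      # unsolicited: the "nobody can scan the net for my phone" case


def demo() -> dict:
    """Run the scenarios from the discussion and return each decision."""
    fw = StatefulFilter("2001:db8:1::/64", allowed_inbound=[("2001:db8:1::80", 443)])
    phone, printer, web = "2001:db8:1::10", "2001:db8:1::20", "2001:db8:1::80"
    scanner, site = "2001:db8:ffff::9", "2001:db8:2::53"
    return {
        "scan_printer": fw.inbound(Packet(scanner, 40000, printer, 9100)),
        "phone_to_site": fw.outbound(Packet(phone, 51000, site, 443)),
        "site_reply": fw.inbound(Packet(site, 443, phone, 51000)),
        "site_other_port": fw.inbound(Packet(site, 443, phone, 51001)),
        "public_https": fw.inbound(Packet(scanner, 40001, web, 443)),
        "public_ssh": fw.inbound(Packet(scanner, 40002, web, 22)),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:16s} {'ACCEPT' if allowed else 'DROP'}")
```

The point the model makes concrete: the LAN hosts never lose their routable addresses, yet the scanner's probe of the printer is dropped exactly as it would be behind NAT, while the one service you chose to publish is reachable without any port-forwarding rule.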
My ISP delivers me Ethernet... I doubt it's that uncommon in midrise/highrise buildings. But they will only route to a single IP address (incl for 64-bit) so then again I still need a router.
But why do they do that? That's what I don't understand. Google was one of the companies advertising ipv6 as the future, why don't they use it for their crawler?
Because web sites won't be moving to ipv6 (only) any time soon, and the limiting factor here is residential connections, not Google?
Are you proposing that Google should crawl ipv6-only web sites? And then serve those results to whom, exactly? (I don't think there is any reliable way of knowing whether an HTTP client that's connecting to you via ipv4 is also capable of ipv6?)
> Another effect of the default policy table is to prefer communication using IPv6 addresses to communication using IPv4 addresses, if matching source addresses are available.
If only v6 is available there is no point for them to include the site in their general index.
If both v4 and v6 access is available, what is the extra value of doing the indexing using v6 rather than v4? (The indexing process itself would add very little to the global usage of v6, comparatively speaking.)
Because otherwise we don't need ipv6. Google advertised the use of ipv6 heavily. If everything still works fine with ipv4 and NATs, why should we ever switch? It's a serious question, I know that the ipv4 space is somehow exhausted, but I can still get very cheap ip addresses (one is included in every $5 vps at major providers).
If even Google with its huge network of crawlers doesn't see the need to communicate via ipv6, why should there be any demand?
I guess they could also move this checking to the user agent (because they control Chrome) to have the check performed before the user is actually waiting for results and milliseconds matter. Introduce some ugly but pragmatic HTTP header, like "Accept-IP: v6". :)
So, this way they could serve v6-only results reliably to clients that can access either both v4 and v6. (People who can only access v6.. that must be a very special kind of people.)
Interesting to see that Greece is the third (possibly second?) largest IPv6 deployment per-capita in the world. One of the ~3 large providers here still hasn't added IPv6 (although I might just have an old router).
I'm still trying to figure out how to set up static IPv6 so I can access my computers at home without a NAT, but it's very convenient otherwise!
Do you? I have Cosmote as well but I'm on IPv4, I guess the router is old. I don't think Cyta has IPv6 yet either (they didn't when I switched away to Forthnet last year, exactly for this reason).
All Compute Engine networks use the IPv4 protocol. Compute Engine currently does not support IPv6. However, Google is a major advocate of IPv6 and it is an important future direction.
Not anytime soon. Asked them about it just the other week. We would love to get the IPv6 support as Google is not very eager to allocate IPv4 to us in any larger quantities.
Yeah, same issue. I'm a bit surprised that they didn't bake this in from the start with GCP. Can't even terminate IPv6 on a Google Cloud load balancer and then do v4 internally. At least GCS does IPv6.
> IPv6 is faster for two reasons. The first is that many major operating systems and browsers like iOS, MacOS, Chrome and Firefox impose anywhere from a 25ms to 300ms artificial delay on connections made over IPv4.
He forgot to add that this only applies to dual-stack hosts...
[1] http://www.employees.org/~dwing/aaaa-stats/
Something like: