Beyond the NAT: CGNAT, Bandwidth, and Practical Tunneling

(blog.rastrian.dev)

39 points | by rastrian 6 days ago

21 comments

  • idatum a day ago

    If you are already running a VPS, the SSH -J option is useful if you don't want to expose your SSH to your home public address.

    You create an SSH reverse tunnel (-R option) from a server in your home network to your remote VPS. This gives you a localhost port on your VPS to your server SSH port. Something like:

        ssh -NT -R 2222:localhost:22 vpsuser@yourvps.com
    
    From your laptop, use your VPS address and localhost port in the -J option. Something like:

        ssh -J vpsuser@yourvps.com:2222 homeuser@yourhome.com
    
    I only allow ssh key auth and only my laptop is trusted by my home server. The home server doesn't need to trust the VPS "jump server".
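The layout in the comment above, written out as the OpenSSH configuration a practitioner would actually deploy on each of the three machines. This is an added example, not the commenter's own setup: the host names yourvps.com, the users vpsuser and homeuser, the port 2222 and the key file names are placeholders carried over from the comment. Note that the laptop reaches the home server by jumping through the VPS and then connecting to the VPS's own localhost:2222, which is where a plain `-R 2222:localhost:22` listener lives when the VPS keeps the default `GatewayPorts no`; the home server's key on the VPS is restricted so that account can do nothing but hold that one forward.

```shell
#!/bin/sh
# Added example (not the commenter's code): render the reverse-tunnel + jump-host
# layout as OpenSSH config. Host names, users and port 2222 are placeholders
# from the comment; nothing here contacts a real host.
set -eu

# Laptop side. "home" is reached via ProxyJump through "vps", and its HostName is
# localhost *as seen from the VPS*, i.e. the loopback listener the -R tunnel
# created. The home server only ever sees the laptop's key, never a VPS key.
laptop_ssh_config() {
    cat <<'EOF'
Host vps
    HostName yourvps.com
    User vpsuser
    IdentityFile ~/.ssh/id_ed25519_laptop
    IdentitiesOnly yes

Host home
    HostName localhost
    Port 2222
    User homeuser
    ProxyJump vps
    IdentityFile ~/.ssh/id_ed25519_laptop
    IdentitiesOnly yes
EOF
}

# Home-server side: the persistent outbound tunnel, as the command a supervisor
# (systemd unit, autossh, cron loop) would keep running. ExitOnForwardFailure
# makes a stale listener on the VPS a hard failure instead of a silent "connected
# but forwards nothing" session; the keepalives let the supervisor notice drops.
tunnel_command() {
    printf '%s\n' "ssh -NT -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R 2222:localhost:22 vpsuser@yourvps.com"
}

# VPS side: authorized_keys entry for the home server's tunnel key. 'restrict'
# drops pty/agent/X11/forwarding, 'port-forwarding' re-enables only forwarding,
# and 'permitlisten' (OpenSSH 7.8+) pins which remote port that key may bind.
vps_authorized_key_line() {
    key="$1"   # the home server's public key line, supplied by the caller
    printf 'restrict,port-forwarding,permitlisten="2222" %s\n' "$key"
}

# Home-server sshd drop-in (e.g. /etc/ssh/sshd_config.d/tunnel.conf): key-only
# auth, one permitted account, and no forwarding of its own.
home_sshd_dropin() {
    cat <<'EOF'
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AllowUsers homeuser
AllowTcpForwarding no
PermitRootLogin no
EOF
}

# Sanity check: every ProxyJump target must itself be a defined Host stanza,
# otherwise ssh quietly resolves the jump name via DNS with no per-host settings.
check_laptop_config() {
    laptop_ssh_config | awk '
        /^Host /       { hosts[$2] = 1 }
        /^ *ProxyJump/ { jumps[$2] = 1 }
        END { for (j in jumps) if (!(j in hosts)) { print "undefined jump host: " j; exit 1 } }'
}

# Write all rendered pieces into a directory for review before deploying.
write_all() {
    dir="$1"; mkdir -p "$dir"
    laptop_ssh_config > "$dir/laptop.ssh_config"
    tunnel_command    > "$dir/home.tunnel.sh"
    home_sshd_dropin  > "$dir/home.sshd_config.d.conf"
    echo "wrote configs to $dir"
}

# Usage (offline): check_laptop_config && write_all ./tunnel-configs
```

The `restrict`/`permitlisten` line is the piece most often skipped: without it the tunnel account on the VPS is an ordinary shell account that can open any forward it likes, which is exactly what the commenter's "the home server doesn't need to trust the VPS" posture is meant to avoid.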
  • teeray a day ago

    > Home internet in the 90s felt simple. You plugged into Ethernet, got an IPv4 address, and you could expose a service directly.

    Maybe the 2000s, yes. This experience in the 90s was reserved for businesses and schools that could afford a T-carrier connection. The rest of us had dialup.

    • reincarnate0x14 a day ago

      Even on dialup it was common to get a public IPv4 address, depending on what service. The service I had in like 95-98 didn't promise static IPs but I effectively got the same address for weeks at a time, I'm assuming due to whatever logic was mapping accounts to addresses. They also gave you access to a FreeBSD shell if you wanted to read email via elm or pine or the like, one of the first places I saw SSH!

    • kstrauser a day ago

      I had dialup with a static IP and inbound access to listening ports.

  • apitman 20 hours ago

    This looks like an excellent overview of the current state of things, and some nice practical instructions on getting end to end connectivity working.

    Personally I don't think IPv6 will ever supplant IPv4. As far as big tech is concerned, NAT solves the problem well enough for clients and SNI routing solves it well enough for servers.

    What incentive do they have to make things better for small orgs and p2p use cases? Better from their perspective to retain control over IPv4 real estate and extract rent.

    • immibis 20 hours ago

      For one, most major governments have told them to do it or else. I'm not sure which year it will be but there's already a mandate that US federal client systems can't have IPv4, and contractors must support IPv6, and a later deadline is for servers and websites to not have IPv4, at which point if your ISP doesn't provide access to federal government websites then all your customers can sue you into oblivion for failure to provide contracted services, including damages for any missed federal government interactions, which your liability waiver will not limit since your lack of IPv6 support by that time is intentional gross negligence. Google and Apple both require apps to work on IPv6-only networks or they get removed from app stores, and the majority of mobile networks are IPv6-native (with a slow translation layer for IPv4). Over 50% of internet traffic is IPv6 right now.

      I'm not sure why you guys keep saying IPv6 won't happen, when it's already happened. Just ostriching, or incentivized to keep IPv4 address prices high, or what gives?

      • apitman 18 hours ago

        I wish I had an IPv4 block to hoard.

        Far more important than current adoption is rate of adoption, which is slowing.

        US mandates will certainly help and may be enough, but the US can't force other countries to follow. Many countries have far lower adoption rates.

        • immibis 16 hours ago

          Major internet centers are US (V6 mandate), Europe (V6 mandate, I think - and if not already, they will), China (V6 mandate) and to a lesser extent the west Pacific rim (Japan, Korea, Singapore, Australia). Other countries will do whatever they have to do to remain connected to these, unless they want to make their own isolated BR(not I)(not C)S internet with blackjack and hookers.

          • apitman 13 hours ago

            I hope you're right

            • immibis 39 minutes ago

              What else do you foresee? A country like Chile just decides it doesn't want to be in the global internet any more, and separates? No, I think that's completely unrealistic.

              If it can't upgrade in time, it might remain connected using some kind of translator or proxy. Even if not official, someone would surely run one - it's too useful and we're not talking about a censorship scenario where it would be illegal. Experience shows this is very annoying and will quickly be upgraded to native level. Note that tunneling is native.

              Most end-user ISPs today use some kind of tunneling to separate the architecture of their network from the architecture of the services they deliver to customers. If you use DSL, your connection is (usually) a PPPoAoE tunnel with one endpoint at your house and another endpoint at one of your ISP's POPs - the entire access network feels transparent to you. If you use a cellular network, it does something similar with GTP.

              And considering that fact, it's not as hard to upgrade a network to IPv6 as you might think. Some core routers and edge routers must be upgraded, but the majority of the network is tunneled over. Perhaps during a transitionary period, your CPE (home router) will encapsulate your IPv6 packets in IPv4. This doesn't require a new router because most of them do routing in software and can just get a firmware update.

    • unethical_ban 19 hours ago

        Accusation of malice is a little far. I think the IPv6 transition isn't obvious to people because it has mostly been on mobile networks and the big datacenters. There are a lot of large organizations yet to implement it internally.

  • yuvadam 21 hours ago

    Call me a tailscale simp, but since it was launched I honestly stopped caring about any of such issues.

    They've built such an incredible product I actually feel guilty I pay absolutely nothing for it.

    • beautyReloaded 18 hours ago

      public ip abundance of the internet should not depend on mappings in the tailscale servers owned by tailscale or self hosted by other people

  • kmbfjr a day ago

    New fiber provider across town does CGNAT and no IPv6.

    I guess that works for most people except gamers and people who get rate limited because of the actions of others.

    Article is correct, IPv4 didn’t die hard.

    • reincarnate0x14 a day ago

      It's bizarre to me that there is still so much effort spent on resisting IPv6 implementations, we were converting some industrial control networks to it almost 10 years ago and those organizations are basically defined by ancient equipment. Rather than byzantine v4 NAT coordination we mapped entire plants and substations to V6 addresses and put in 6to4 for the PLCs that were old enough to vote, so that multiple sites that all used the same 10.x.y.z blocks because of course they did could be routed together. Had V6 available from my house to pretty much anywhere I cared about in 2017.

      • esseph 21 hours ago

        As a business, especially a small business, there is no financial reason to do so in the United States for the vast majority of businesses. This gets talked about on NANOG all the time.

        It doubles the workload and knowledge required, doubles the security attack surface, and because of the 2nd part, doubles the security risk.

        Right or wrong that's the calculation for most spots.

        • reincarnate0x14 16 hours ago

          re: the attack surface, I will say that I see such a tiny fraction of probe attempts and common exploit scripts hitting V6 spaces that I open some services on V6 only.

          At my house I've had SSH open to the V6 internet for 8 years and have the logger set up to email me for any connections, and I have never once seen an attempt that wasn't me. For popular sites with well known DNS names that's obviously different, but I keep DNS current and can SSH by name to that V6 listener from anywhere so it's not my ISP trying to save me from myself either. And that's not even a host with the normal automatic temporary addresses, it's been a fixed interface id portion with an effectively static V6 prefix for years.

          For a while I had several other services open as well, at one point we even played around with using NFS and iSCSI over IPv6 on the internet just for giggles, no actual important data. I can imagine some sysadmin's face twisting in horror just reading that knowing the carnage that would have ensued doing that with V4, where we commonly drop entire geo-blocks just to curtail the log spam of all the various automatic admin portal and VPN login scans.

          There are of course techniques to gather live V6 addresses but between the vast space and temporary addresses on most end-user devices it really has been a night and day difference.
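The "email me on any connection" check the commenter describes for a v6-only SSH listener, done as a filter over sshd log lines. This is an added example and not the commenter's actual logger: the log excerpt is constructed, the trusted prefix 2001:db8:1:2::/64 is a documentation-range placeholder standing in for the effectively static home prefix, and the mail step is left as a hook. It flags every connection event whose source is outside the trusted prefix, successful or not, because on a listener that normally sees nobody, any unexpected peer is the signal.

```shell
#!/bin/sh
# Added example (not the commenter's setup): alert on sshd connection events
# from outside a trusted IPv6 prefix. Log lines below are constructed.
set -eu

# Constructed sshd lines in syslog form. "Connection from ..." lines only
# appear with LogLevel VERBOSE; "Accepted"/"Invalid user" appear at INFO.
SAMPLE_LOG='Jan 10 08:00:01 home sshd[1201]: Accepted publickey for me from 2001:db8:1:2::10 port 51234 ssh2: ED25519 SHA256:placeholder
Jan 10 08:05:42 home sshd[1230]: Accepted publickey for me from 2001:db8:1:2::10 port 51240 ssh2: ED25519 SHA256:placeholder
Jan 10 09:12:07 home sshd[1302]: Connection from 2001:db8:ffff::9 port 40000 on 2001:db8:1:2::1 port 22 rdomain ""
Jan 10 09:12:09 home sshd[1302]: Invalid user admin from 2001:db8:ffff::9 port 40000
Jan 10 10:00:00 home sshd[1400]: Accepted publickey for me from 2001:db8:1:2::44 port 51300 ssh2: ED25519 SHA256:placeholder'

# Hypothetical trusted /64 (the commenter's fixed home prefix). Compared as a
# string prefix on the textual address; adequate for a single /64, not a CIDR
# matcher. Note the trailing ':' so 2001:db8:1:20:: does not match.
TRUSTED_PREFIX='2001:db8:1:2:'

# One line per sshd connection event whose source is outside TRUSTED_PREFIX:
# "<date> <time> <source-address>". The source is the token after "from".
unexpected_peers() {
    printf '%s\n' "$SAMPLE_LOG" | awk -v pfx="$TRUSTED_PREFIX" '
        /sshd\[[0-9]+\]: (Accepted|Connection from|Invalid user|Failed)/ {
            src = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { src = $(i + 1); break }
            if (src != "" && index(src, pfx) != 1) print $1, $2, $3, src
        }'
}

# Number of unexpected events (what a daily digest would report).
count_unexpected() {
    unexpected_peers | wc -l | tr -d ' '
}

# Distinct unexpected source addresses, one per line.
unexpected_sources() {
    unexpected_peers | awk '{ print $4 }' | sort -u
}

# Hook for the notification step. Prints the report here; in a real deployment
# pipe it to mail(1) or a webhook. Returns 1 when there was something to report
# so a cron wrapper can distinguish "quiet" from "alerted".
alert_if_any() {
    n=$(count_unexpected)
    [ "$n" -eq 0 ] && return 0
    printf 'sshd: %s connection event(s) from outside %s\n' "$n" "$TRUSTED_PREFIX"
    unexpected_peers
    return 1
}

# Usage: feed real lines instead of SAMPLE_LOG, e.g.
#   SAMPLE_LOG=$(journalctl -u ssh --since -1d -o short) ; alert_if_any
```

The two "Accepted" logins from inside the prefix are dropped, the pre-auth probe from 2001:db8:ffff::9 is reported twice (the connection and the invalid-user attempt), and the distinct-source list collapses that to one address, which is the view worth mailing.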

          • esseph 16 hours ago

            It's more likely when you have public DNS pointing to ipv6 enabled hosts, not so likely with a random scan because of the sheer number.

        • immibis 20 hours ago

          You're banned from being a federal contractor if you don't. Isn't that pretty important since that's where all the money is?

          • esseph 16 hours ago

            All the money is in federal contracting?

            Did it for a decade, and that's news to me.

    • irusensei 18 hours ago

      It's the same bullshit everywhere it seems. There goes the CGNAT with their router where the "advanced" options are basically defining DHCP settings - through a shitty phone app. There is also the stupid TV that no one asked for but it's part of the package.

      And when they do give you v6, it's a /64.

      I wish there might be a category of prosumer friendly ISP of sorts. Those exist but they are hard to find.