That's because people don't realize how useful it is in network ops because they re not used to it. This thread is an example were a glaring advantage of ipv6 wasn't immediately obvious.
Anybody who ever tried the VPC+ElasticIP+VPN braindeadness once should immediately file a feature request for ipv6; it's just that they don't probably think of it
Right, but if everyone used IPv6 there would be no need to use non-routeable private IPs for anything, you could just use non-conflicting IPv6 addresses and not route them.
That's basically what a ULA is for though - see RFC 4193. If I'm not big enough to acquire my own allocations from ARIN, I'd prefer not to have to renumber every piece of equipment (even those not externally accessible) when changing ISPs.
Even if you did use non-routeable private IPs, IPv6 provides enough different private address ranges - more than there are individual addresses in IPv4 - that it's unlikely they'd conflict.
I kind of like having standard private subnets. My router is always 192.168.1.1, or sometimes 10.0.1.1, and so is my friend's, my parent's, and my grandparent's.
After spending some time as a contractor doing systems work for a few companies I've stopped ever assigning an internal network to 192.168.0.0, 192.168.1.0, or 10.0.0.0.
The number of times I found myself attempting to VPN into a clients network, only to find it conflicted either with my home network, or whatever coffee shop I was sitting in, was ridiculous. Depending how many hosts you need to run on your network there are huge numbers of possible subnets you could use for an internal network - do yourself a favour and keep off the ones set up be default on every router sold.
This is also important advice if you're thinking about setting up VPN access to your home network: Do not pick the most common/default subnets, i.e. 192.168.0.0/24, 192.168.0.1/24, etc. Picking a somewhat-random subnet as suggested would mitigate the problem and it's what I did for my home network.
It creates a lot of pain when you need to connect these networks to each other, though. Admittedly, that's probably not a problem for parents, friends, etc.
At my Old Job I demanded we keep a "registry" of the RFC1918 address space we allocated to Customers. We never allocated Customers in overlapping address spaces. It made VPN connectivity to Customer A while on-site with Customer B much easier. It also helped out in one case where one Customer acquired another.
You can have that in IPv6 too, with link-local addresses (fe80::/64). In fact, it's becoming quite common to assign fe80::1 to a subnet's default gateway.
The range of non-conflicting IPv4 private addresses is not really small. Everyone just happens to use the same two or three blocks, the easiest to remember.
Actually, when you're working at Facebook scale, the range is quite small. One of the reasons Facebook started moving to IPv6 was that they were running out of RFC1918 addresses.
Service-net (https://github.com/mesosphere/service-net/) is a proof-of-concept
for service routing and discovery with IPv6 and DNS. The underlying mechanism
is similar -- IP tables is used for routing and load-balancing -- but DNS and
IPv6 tunneling are integrated as well.
One downside of IPv6 on AWS is that the IPv6 tunneling protocol -- protocol
number 41 -- is only available in VPCs. The EC2 classic network allows only 3
IP protocols -- TCP, UDP and ICMP -- to pass through it.
But I can recall ip4 addresses en mass in my head. I can't memorize ip6 addresses easily. Plus, I'd like to keep pockets of private IPs that are never accessible as routable targets.
Can you explain why I wouldn't to do this or why I should evolve my understanding of ip6 better?
IPv6 address don't have to be long or publicly routable. ULA addresses (fd00::/8) are the IPv6 analogue to RFC1918 and you could theoretically use ULA addresses as short as fd00::1, fd00::2, fd00::3, and so on. Of course if you do this you run the risk of colliding with other people, so you're encouraged to randomly generate the next 40 bits after fd, which leaves you with addresses like fd32:5e26:381d::1. That's longer than IPv4 addresses, but it's a pretty fair tradeoff to get a globally unique address.
Even non-ULA IPv6 addresses need not be long. 2600:3c00:e000:6c::1 is the address of my server over at Linode, and I don't find that bad at all.
There's no real need to memorise IP addresses, that's what DNS was made for. If your servers are on the internet at large then they probably have DNS already, and if its a local network then most operating systems will now automatically work out where machines on the .local domain are (I'll be honest, I don't fully understand how that works).
I've had only a very limited exposure to IPv6, but it seemed to me that the slogan "DNS solves it for you!" doesn't really pan out. It solves it if you're on a well-set-up network and have your DNS up and running happily, but with the ad-hoc networks my [limited] experience has seen, it hasn't been trivial. Essentially, it means you have to run an interpreter service (the DNS) to understand the network - one more bit of software to configure and troubleshoot... though to be fair, IPv4 was also quite confusing when I first started playing with it.
The word you probably wanted to use was “Zeroconf”.
“Zeroconf”¹ is a name for the sum of two interacting standards, namely mDNS”² and “DNS-SD”³. Avahi⁴ is a free software implementation (for Linux and BSD) for a service where programs can register Zeroconf services (name & port number) and have Avahi announce them on the network. The other major implementation of a daemon of this kind is from Apple, and it is called “Bonjour”⁵.
This often gets confused, so, again: Zeroconf = standard. mDNS and DNS-SD = component standards. Avahi = A specific free software implementation. Bonjour = A specific proprietary implementation.
Why does it matter if an address is public or not? Whether the address is publicly routable has nothing to do with whether the host is accessible... Or don't you have firewalls?
You can always create multiple routing instances (namespaces) for overlapping IPv4 blocks with a VRF-based strategy. This would create separate FIBs and IMHO is a cleaner approach than mangling packets with iptables.
Facebook supports ipv6, but maybe it is external only? I know Google is ipv6 internally too. Although as EC2 has no ipv6 maybe that was the blocking issue.
Interestingly enough, last week when they had their 45 minute outage worldwide with some kind of routing problem, it was still up and running on that address
Agree in principle, but it's unlikely for Amazon to ever force customers to allocate addresses from their own IPv6 block to begin with. Like many other startups, Instagram started with the bare-minimum setup outside of VPC, and scaled from there, not even knowing the benefits of VPC before it was too late for a simple cutover.
Amazon doesn't have to force customers to use their own IPv6 blocks. EC2 instances, whether inside or outside VPC, would be assigned unique IPv6 addresses from Amazon's address space (which would be extensive). If this were the norm when Instagram started out, it would have been just as easy to use, and there would have been no clash of addresses when migrating to Facebook.
Are you saying that Amazon would divide up it's own IPv6 address space and provide a subnet for each customer? That's really the only way it would work for our situation. I'm not sold that Amazon would actually have any motivation to go through the trouble to provide this as it would probably only impact 1% of their customers at best. The most rational path for them is to just assign addresses from a big pool and not bother with the all the fancy subnetting unless the customer asks for it (VPC).
Yes, Amazon should allocate a static /64 to each customer, possibly even more on (free) request. That would also make for very easy firewalling rules where you can whitelist connections from your own instances with just one simple firewall rule.
>The most rational path for them is to just assign addresses from a big pool and not bother with the all the fancy subnetting.
That's what he's suggesting, though (I think). Except because it's IPv6, Amazon's big pool of addresses would never conflict with Facebook's big pool of addresses.
One thing that may not have come across in the post is that one of the reasons we moved into VPC first is that Direct Connect is basically just a big dump pipe to AWS without VPC in place. Without VPC, there's no way to advertise routes for just your instances or to ensure that only traffic to/from your instances goes across the Direct Connect.
IPv6 adoption could not happen soon enough.