
> Not all IPv6 routers support DHCP-PD

In my experience, they all did. I'm not even sure how you could possibly deploy IPv6 without it, manually handing out prefixes?

> you could have 2-3-4 levels of routers/firewalls at a business.

It seems just a bad design, but I still don't see how IPv6 would not allow it.

> Why? Not all ISPs give static IPv6 prefixes, not all PCs/servers/devices support DHCP6 for static leases, and then there’s IPv6 privacy addresses

1. you don't need a static prefix to write a firewall rule: you can simply remove the dynamic prefix with a mask and match the EUI-64 suffix. For example with ip6tables it's something like this `::e2ab:8fff:fe12:3b6b/-64`.

2. All IPv6 devices do support SLAAC with a stable address mechanism, either EUI-64 or stable privacy address and you can use that in the firewall rule.

3. IPv6 privacy extensions, when enabled, don't preclude listening and accepting connections on the EUI-64 address. So, an inbound traffic firewall rule will just use the stable address: you shouldn't listen on a privacy address, they are for outbound connections.

> Each has different IPv6 addresses. How do you ensure the right ISP is used at any given point? IPv6 shifts this decision to the client.

I honestly don't understand the difference with IPv4. You can have multiple addresses and do load balancing on the router with both.

> IPv6 shifts this decision to the client. This makes load balancing and policy based traffic routing

I can't comment on this because I never tried it, either on IPv4 or IPv6. Off the top of my head, I'd say it would be possible by updating the route priorities with an RA, if you don't want or can't do a NAT66 with a ULA prefix.

> At the cost of not having dedicated unique public IPs but these places simply don’t need them.

Wrong! Everyone needs routable addresses, even if they don't know it because they need VoIP, video calls on WebRTC, FTP, p2p file sharing, online games, etc. All of these barely manage to work in a NAT by using workarounds like ALGs, UPnP, NAT-PMP, relay servers and other atrocities that greatly complicate the network design and are a security nightmare.
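The suffix-mask firewall match described in point 1 of the comment above, as an added example that is not part of the thread: it derives the modified EUI-64 interface identifier from a MAC and tests addresses against the low 64 bits only. The MAC, the 2001:db8:: documentation prefixes and the temporary address are constructed sample values.

```python
import ipaddress

# Low 64 bits set: keep the interface identifier, ignore the (dynamic) prefix.
IID_MASK = (1 << 64) - 1

def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) for a MAC."""
    b = bytearray(int(x, 16) for x in mac.split(":"))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    b[0] ^= 0x02  # flip the universal/local bit
    return int.from_bytes(bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:]), "big")

def suffix_match(addr: str, rule_suffix: str, mask: int = IID_MASK) -> bool:
    """True if addr equals rule_suffix on the bits selected by mask."""
    a = int(ipaddress.IPv6Address(addr))
    s = int(ipaddress.IPv6Address(rule_suffix))
    return (a & mask) == (s & mask)

def explicit_mask() -> str:
    """The same low-64-bit mask written as an address-style mask."""
    return str(ipaddress.IPv6Address(IID_MASK))

def evaluate(rule_suffix: str, addresses: list[str]) -> dict[str, bool]:
    """Apply the suffix rule to each address."""
    return {a: suffix_match(a, rule_suffix) for a in addresses}

# Constructed sample data (not taken from the thread, except the suffix itself).
RULE = "::e2ab:8fff:fe12:3b6b"
SAMPLES = [
    "2001:db8:1111:1:e2ab:8fff:fe12:3b6b",  # host under the old delegated prefix
    "2001:db8:2222:7:e2ab:8fff:fe12:3b6b",  # same host after the prefix changed
    "2001:db8:2222:7:5c1d:9a3e:77b0:41f2",  # temporary (privacy) address
    "2001:db8:2222:7:e2ab:8fff:fe12:3b6c",  # a different host
]

if __name__ == "__main__":
    print("mask:", explicit_mask())
    for addr, hit in evaluate(RULE, SAMPLES).items():
        print(f"{addr:40} {'ACCEPT' if hit else 'no match'}")
```

The rule keeps matching after the delegated prefix changes only because an EUI-64 identifier is the same under every prefix; since it ignores the prefix entirely, it should be paired with an interface or zone constraint so it applies only to traffic forwarded to the intended LAN.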



Sorry I could have stated the DHCP-PD issue more clearly. Comcast doesn’t support it. [1]

> I honestly don't understand the difference with IPv4. You can have multiple addresses and do load balancing on the router with both.

A PC cannot easily have 2 different IPv4 subnets in the same NIC, which is what IPv6 permits with RA. Even if a PC did have 2 networks, how does the router tell the PC to use fibre for everything except backups, and cable for backups, and cellular only if the others fail? These decisions are best made by the router, not an arbitrary client device connected behind it. With IPv6 and no NAT, how does the client PC know what IP to use as its source at any given time? Yes, NAT66 works, and for a very very long time the IPv6 community has resisted any NAT, which has resulted in poor NAT support in IPv6 stacks across many vendors.

> Wrong! Everyone needs routable addresses, even if they don't know it because they need VoIP, video calls on webRTC, FTP, p2p file sharing, online games, etc. All of these barely manage to work in a NAT by using workarounds like ALGs, UpnP, NAT-PMP, relay servers and other atrocities that greatly complicate the network design and are a security nightmare.

I didn’t say a routable IP isn’t required. I said a dedicated unique public IP is not required.

A gas station or fast food business doesn’t need online games or p2p file sharing. Their VoIP is done over VPN or uses NAT ALG in the firewall. Their web browser and payment systems are happy with a NAT’d IP on a LAN behind their router (which may or may not have a public static IPv4).

1. https://forums.businesshelp.comcast.com/conversations/ipv6/i...


> A PC cannot easily have 2 different IPv4 subnets in the same NIC

I know this to be false, but I don't want to dismiss your comment because of poor wording.

So: what do you mean?



