Full support for IPv6 Networks

I read several threads about IPv6 and Storj in this forum now and often saw the same conclusion. Because of Googles lack of IPv6 support Storj-Satellites are not capable of handling IPv6 requests.
But in terms of a Node Operators and even Customer point of view this is something that is just not acceptable in the Year 2021. 10 Years since the RIPE has no publicly available IPv4 Addresses anymore and many people have to deal with CG-NAT. NAT is already a pain in a technical perspective but Double NAT and not to have a publicly available IPv4 address is even more annoying.
Therefore I am writing this suggestion as Storj Customer and Node Operator. At home I have a fully featured IPv6-Network and all connections work over the same Internet Protocol. Because I have CG-NAT I have to deal with a VPS with an public IPv4 address to build a VPN to my Home-Network in order to reach it from IPv4 only networks (witch Sucks!) and to get Storj hosting up and running. Every part of my workaround is const intensive and requires a lot of maintenance.
So please give us Customers and Node Operators the chance to simplify our networks and give us IPv6 Support.
This shouldn’t sound like a rant and I love the concept of Storj but I hope it shows the frustration I have. And we have to begin somewhere with the IPv6 expansion. Germany has already 52% adoption according to https://www.google.com/ipv6

IPv6 support for Storj would be perfect for such a lovely project.

I hope you understand my point of view.

Have a nice day everyone!

3 Likes

I am not a node operator but curious. My ISP in the US is Spectrum, my router is kinda old, and while it supposedly does support IP6, it doesn’t work with http://whatismyv6.com when I try to enable it.

If satellites did support IP6 and you only had an IP6 address, Storj customers like me, apparently with only IP4, could not use your node, right? Would it be okay to lose that traffic, or would you probably keep the IP4 thing going to get the extra business?

My storage node has IPv4 and IPv6 support. Customer should pick what he prefers.

1 Like

Probably I would run both first, but I would track the traffic for both Protocols and maybe shut down IPv4 if the traffic is high enough and I don’t need it for other services anymore.

1 Like

Our network protocol itself supports IPv6 fully, in fact my satellite in the past ran with full Dual Stack.
As you correctly mentioned, we are currently relying on Google GCP for our satellites which do not / or just partially support IPv6.

Besides that as mentioned from other answers above it is not “just a switch”. It involves lots more than just adding an IPv6 address to the satellite/storagenode (eg. equal chances for nodes regardless of the protocol, making sure IPv4 only clients can sill upload, not getting just IPv6 only nodes returned for it)

All this said, i can give you a little of an light at the end of the tunnel. I am working on exactly this at the moment, trying to fix more fine grained details such as keeping track and returning both IPs to clients/storagenodes, managing audit/repair problems if any of the two IPs advertised by a node is not reachable properly, etc.

EDIT: I also know, that more and more ISPs stop handing out IPv4 for free, but hoping IPv6 will solve the problem is also a little foolish to believe in. Many, many, many companies are not using/supporting IPv6 in their network thus drastically reducing the amount of traffic you might receive when only serving via IPv6. As mentioned before, it is not “just enable” or “just switch”. :slight_smile:

9 Likes

Thank you for your answer. Yes I know that it is a lot more involved into this than just a switch. Migrating my home network was a lot of work and I don’t want to imagine how much work is involved for a big project like this. But in return my network is now far more easy to manage
I am happy to hear that you are working on this. As you mentioned many Business Networks rely on IPv4 only but this is (for my experience) to change.
And as I see Storj not as one of those old Googles and Amazons out there I thought it would be nice if the new technology (from the 1990s ;D) found its way into a fairly new company/project (Storj).

The main point - both sides (the customers and nodes) should support and use IPv6.
Even if the satellites will fully support IPv6, and your node too, but some big customers still use IPv4 only, you will not see their traffic on your IPv6-only node…

2 Likes

Other than the issues already mentioned for UPv6 support (GCP/ISPs/customers/Satellites) the SNO side can be quite a challenge as well. Firewall and router support for IPv6 is not consistent yet and configuration can be daunting. Host systems often rotate IPv6 addresses as a security measure as the assumption is that most host nodes will be clients and not servers.

I think it would be helpful to have a guide to enable both IPv6 and IPv4 that includes some of the problems running both protocols with Storj as a SNO.

Full disclosure: I was hired as a network engineer in 1994 to convert businesses to IPv6 as the IPv4 address space was almost out of addresses. We had no customers and 27 years later there is little appetite in the enterprise world to convert given that NAT solves any pressing problems and the process of rewriting applications is untenable.

3 Likes

Also, some equipment (like some home routers) misbehave (actually harming the service for other clients) if IPv6 is not blocked in the switches.

If i get this right, you are talking about software that ist written for the use of IPv4 only. Reading this drives me crazy because the IP-Adress is on a different Layer of the TCP/IP or OSI Model. The Idea was to create those layers to swap protocols without a big hassle.
Beside that my main point is that we have no IPv4 Addresses left. The Internet was built with peer to peer communication, after IPv4 was not capable of handling addresses for every single device NAT was introduced and we had now around 3 Billion public addresses. Since we have way more Networks connected to the Internet CG-NAT was the idea for all non-commercial Internet-connection. Now we have multiple NATs before we actually addressing our devices which introduces Latency and we accept that our Network Packets are manipulated multiple times before they get delivered.
Instead of building new workarounds for legacy protocols we could focus on implementing a solution: IPv6.
I know it sounds a little bit naive but I know that we have no other chance in future other than retire IPv4 to have a Internet which is actually “free” fore everyone. Because it gets harder to host something if we have to think about how to get a ipv4 address, instead of just using one of a few quadrillion IPv6 addresses.
Don’t get me wrong. I don’t want storj to stop using ipv4 form tomorrow on. I just want to have full ipv6 support so the the journey to a free internet for everyone can continue.

I can live with that. My transition is also not fully over but I am on a good way.
Storj is not the only one I criticize for their IP behaviour (and some reasons are out of your hand Google).

PS: I know that probably all network-admis hate me, but this is all right ;D

And thank you for actually replying to this thread because I know this is a very annoying topic. Everyone of you: Have a nice day!

2 Likes

There are problems with that. Implementing IPv6 suffers from “it’s better to be the last”. Let everyone else work out all the problems and then do it easier. There is pretty much zero reason to be the first.

Also, some of the people were too concerned about principles. For example, for a while there was no way to do NAT with IPv6, because “nobody should need it”, even though NAT has other uses beyond just making many deices share the same public IP address. Linux can do NAT with IPv6 now.

Also, there is little demand from subscribers - most people are happy as long as they can access Facebook, Twitter and Youtube.

IPv6 has significant security concerns and relies on everyone else also using IPv6…

There’s another solution which may sound a little weird - using IPFS connections to overlay a network on top of any IP layer v4 or v6…

The Storj network could have a built in private IPFS node which would store no data, just provide a connection point. Any protocol or service can be piped through an IPFS connection. And IPFS utilizes NAT traversal techniques similar to a STUN service which will ensure that traffic reaches the Internet backbone whether or not the node is behind a CG-NAT, regular NAT, or direct connection.

IPFS uses E2E packet encryption, so all user data would still be encrypted on the wire. The Storj algorithm for splitting and encrypting files would remain unchanged.

Could you please explain what security concerns you actually mean. IPv6 has no additional security concerns compared to IPv4. As for IPv6 and IPv4 knowledge about the Protocol is the key to improve security.

And instead of providing another workaround we could just directly address our nodes and satellites. pragmatically speaking, how hard can it be to add a AAAA record to your domain and address the server?

1 Like

IPv6 has no additional security concerns compared to IPv4.

IPv6 networks have a much larger attack surface since there are no NATs. Every host is accessible from every other host. This is not the case in IPv4. This is one of the main reasons given for ISPs not supplying general consumer level Internet accounts with IPv6 access. With an IPv4 network, the LAN can be a bit sloppy and still provide decent security from the WAN. In IPv6, if the host can access the WAN… the WAN can access the host.

As for IPv6 and IPv4 knowledge about the Protocol is the key to improve security.

I agree… but this statement is directly in opposition to the previous statement. IPv6 and IPv4 are vastly different beasts. The security of each is a separate topic and IPv6 does indeed have additional and different security concerns than IPv4.

For more information see here:

2 Likes

I am discussing real world applications. Most developers have little knowledge about networking and far fewer understand the OSI model (the IP model is usually considered a 4 layer model whereas OSI has 7 layers). Developers generally use a language that abstracts the network details and although the OS handles this, the determinations are always made by developers such as the choice of (routing layer) ports and whether to allow users to determine ports. This is a fundamental difference with IPv4 and IPv6 application design. Developers in an IPv4 world had little to worry about, it takes far more effort to include IPv6 compatibility when writing an application particularly a server based application.

The issue I was pointing out is that there are millions of legacy applications that were designed to work on IPv4 and rewriting them for IPv6 compatibility is a significant undertaking (including the security aspects that @beast mentions). In most cases it is simply not tenable (most importantly because the people needed to make such a change are in short supply and not attracted to such unglamorous work. It is far easier for service providers to just add a gateway to convert IPv6 traffic to IPv4 if the application can support it.

1 Like

From a security perspective, IPv6 is also a bit of a nightmare in client-server architectures. Most of the modern infrastructure uses layer 7 awareness and are rather immature relative to IPv6 applications. Many modern firewalls offer support for both IPv4 and IPv6 but the feature sets for IPv6 are very thin compared to the IPv4 feature sets.

Yes, devices are theoretically directly available on the Internet, but this is only true if you have no Firewall. Every Firewall I have worked with had not just passed every connection request from the internet to my devices, except my Firewall Rule specified so. And now I am at a point where I have to say it is much much easier to work with Firewall Rules than with NAT. NAT should never been seen as a Security Feature because it is just the translation of addresses to connect 2 separate networks. It was never designed to increase Security. And Internet-capable devices are than (with IPv6) not protected by NAT but by Firewall Rules. Easy as that.
In addition IPv6 means a little bit of Freedom for me because IPv4 is nowadays a privilege where as IPv6 could and is (speaking for Europe) accessible to everyone (and I am sorry this is Fact and not an opinion). The Internet was build in mind with direct peer to peer connections without NAT and NAT was the answer to the question: “How to get more IPv4 Addresses” - (Oversimplified, I know). Now we could bring this back if we transition to IPv6.
I see we have different opinions.

AND

Maybe this is true for your ISP but speaking for Germany I am not aware of a ISP that is not providing a /56 IPv6 Network for consumers. And even preconfigured Routers from the ISP has IPv6 Enabled by default with common security features enabled. See here how IPv6 is adopted in Germany: IPv6 – Google. And as you can see we have an Latency Impact of -10ms so IPv6 connections are faster than the IPv4 Counterpart maybe because Routing is not needed anymore.

To conclude: IPv4 has no adresses left. We developt many workarounds like NAT and CG-NAT. Those have their own problems. In 1998 we definded the next generation of adressing: IPv6. It has many new features, takes a bit to learn but is actully not difficult to handle. Instead of build workaround after workaround we could just use what we have standardised over 20 years ago.

PS: As I am writing this @stuberman replied so: If your 6to4 tunneling works for your application I am fine with that, but I hate excuses like “My Application was not written for this Internet Protocol” because this speaks not for the quality of an application and like you said can be worked around with the tunnel technique you mentioned.


To conclude (now for Real):
I don’t now directly now your relation to IPv6 but as you see I really like this Technology. It was absolutely interesting to hear your opinion and you gave me new inputs like IPFS, the developers perspective and other thinks. Personally I see IPv6 not as a security concern because now I know to handle it but this applies to everything. AND above of all I see it as the solution for the IPv4 Address Exhaustion.

I wish everyone of you a nice day.

1 Like

I am talking about commercial firewalls such as Fortinet FortiGate and PaloAlto Network as well as Web Application Firewalls which are used to protect enterprise scale applications.

IPv6 is a direct end to end connection and we do not use NAT for IPv6. The application proxies built into modern high end firewalls are not mature. Your ISP does little, if anything, to firewall your traffic.

1 Like

You can have NAT with IPv6 - the purists hate it and it was a while until Linux supported it, but it does now and, in theory, it should work.

When I have to use IPv6 for my network, I will be using NAT for it, just like with IPv4. I have some devices that do not support IPv6 and I am in no rush to use it anyway. As I said, IPv6 suffers from “it’s best to be last”.

3 Likes

If you will use NAT there is no need for IPv6 in most cases. Sure the cellphone networks (LTE/5G) need it and other specialty networks. It means more headache with almost no gain.

Personally I have enabled both IPv6 and IPv4 in my home and devices use the protocol that works with the Internet based application. Despite some statements to the contrary, IPv6 is widely available to users in the US; ISPs such as Comcast and ATT fully support it.

2 Likes