Intention to enable IPv6 by default in 2017

Because, among other things, the pool artificially restricts the addresses of IPv6 servers, favoring IPv4 by a factor of four.

3 Likes

These are my tests from last night on separate VPS servers at Linode in Texas, US. They're the same as what others have seen.

[Chart: Queries per second after 1 hour]


I was planning to spend some time doing data analysis to see if anything can be learned by analysing the ASNs that are querying using IPv4 vs IPv6. After thinking for a bit, I decided that would not likely add anything to the discussion. The core issue has been known for a long time. Years have gone by with no action. With few exceptions, the volunteers in this community who run the service have been repeatedly highlighting the urgency of this issue.

Not only has nothing been done, there's zero acknowledgement that an issue even exists. Adding IPv6 to a website is a simple task, but this website has no AAAA records and is IPv4 only. Packet (now Equinix Metal) hosts the pool's core infrastructure, but instead of using the pool, they offer their own alternative dual-stack time service.

Bugs filed by Ubuntu devs at Canonical call out the problems they've had with the lack of IPv6 time servers as far back as development of Ubuntu 13.10, which went end-of-life 8 years ago. This one [Bug #715141 "Default NTP servers do not have AAAA records" : Bugs : ntp package : Ubuntu] was opened in 2011 and also raises the urgency of adding IPv6 to their time servers. It shows their concerns with having only a single hostname in the pool that supports IPv6. It ends in 2018 with a link to this thread right here.

Adoption of IPv6 was slow for years, with non-tech companies choosing to delay upgrades. Now, with IPv4 addresses so rare they cost $50 each at auction, they're feeling the pain in their budget, and moving fast. The price of IPv4 is expected to double next year.

Big datacenters, such as Hetzner, no longer provide even one free IPv4 address with dedicated servers. A /29 IP block (6 IPv4 addresses) used to be standard and included at no charge with dedicated servers at most hosts. Now Hetzner charges €13.60 monthly with a €152.00 setup charge for the same 6 IPv4 addresses. Other providers either do the same or simply don't offer additional IPv4 addresses, as there's no other choice. How many volunteers here will be able to keep participating in the pool when their VPS provider starts charging an extra €5 per month just to keep one IPv4 address?

IPv4 is a legacy protocol. It's been many years since any company or service has built their network with IPv4 at the core. I can't find even one instance of any important internet service that isn't already dual-stack and expecting to end legacy support as soon as possible. They've all upgraded their networks or they were replaced. Sadly, I've never seen any more appropriate use of the meme with the dog sipping coffee in a burning building and saying "This is fine" while he melts.

As I've gotten older, I've become more direct about topics such as this, and apologize if I have offended anyone. This needs to be fixed if the pool is going to survive. I hope it's not too late.

6 Likes

If you refer to https://community.ntppool.org/, then I am happy to correct you.

Other than that, I couldn't agree more.

You're absolutely correct, Marco, I should have looked further. I checked only the bare domain ntppool.org without looking any further. The bare domain is on (or at least routed through) the ks3.nyc1.develooper.com server, hosted by Packet/Equinix, and is just a redirect to www.ntppool.org. It has one IPv4 and no IPv6.

The core www version of the site is behind a Fastly CDN, and they have setup 4 IPv4 and 4 IPv6 anycast addresses. Discourse hosts the community website, and they also have both IPv4 and IPv6.

1 Like

Not true.
The ISP I use for my own internet connection offers IPv4, even static.
And my VPS servers all have static IPv4 included at no cost at all; it's included.

It's far from a legacy protocol and it probably never will be.

IPv6 has one major problem and that is NAT; it will not allow you to do NAT.
I do not want my systems to have a public IP for the internet when I go somewhere; I want them to see my router's address and nothing else unless I decide otherwise.

Also, when people abuse something on your website, it's almost impossible to block them by IP as they can change it all the time, and you do not know their block range.

For that reason I have stopped using IPv6 for my websites; they are IPv4 only until IPv6 gives me tools to block abusive people and ranges. So far they don't, or I'm not aware of them.
I know iptables and how it works, but how do I block an abusive user that has a /48 or /64 or whatever IP range? How do you know their range?

On this part, IPv4 is better to manage and kick nasty people out. Sorry it is.

The core issue in this thread is this: is there any reason not to add AAAA records to the pool's DNS to support users on IPv6, while also keeping the IPv4 A records in place? That has been the configuration on 2.pool for years, and there have been no issues. That's also the configuration for nearly all large Internet services, and Google still works. To maintain compatibility, many systems use only 2.pool, such as Debian, which dropped the other IPv4-only pool DNS records in recent versions.

By definition, it is a legacy protocol, and has been for some time. It became legacy when the IPv4 runout occurred a number of years ago and IPv4 addresses can no longer be obtained through official channels. The only way to build or expand an IPv4 network now is to win IPv4 addresses at auction. Thatā€™s not to suggest that IPv4 is going away in the near future. It coexists with IPv6 without issue.

Your experience may be different from that of many of us in the US. I can get a static IPv4 address, but only if I spend an extra $40/month to upgrade to business service, plus an additional $19/month for a static IP. Otherwise, my connection to the IPv4 world is through NAT, then again through Carrier Grade NAT. I share the same IPv4 address with thousands of other homes, which is very common in the US. My broadband speed has gone down, and latency has gone up. Capabilities we used to take for granted (like port forwarding) are no longer available to us except with IPv6.

IPv6 does support NAT if you want it to work that way. It's rarely deployed that way because NAT is no longer needed.

All of that said, your preference for IPv4 is perfectly fine, and you can continue to use it as long as you'd like. Others need to use IPv6, that number is growing, and IPv6 is not properly supported by the pool. Your concerns for how it may or may not fit your use case would probably be better discussed in a separate thread. Or, are you saying the pool should not further implement IPv6?

3 Likes

Technically, it is:

Legacy (in computing):

Denoting or relating to software or hardware that has been superseded but is difficult to replace because of its wide use.

Of course you can do NAT with IPv6. There is not much demand for it, but it can be done.

Then block the entire /64, /56 or even /48.

UPDATE:
Sorry @John, I only saw your (similar) post later. It makes my response redundant.

3 Likes

I have to disagree with you; it's not technically superseded. Just because it does different routing and has more addresses, that does not make it better than the previous.

Legacy means that it's still working but will be faded out because the new is better.
However, IPv6 isn't better, it's different. It lacks a lot of the previous protocol.

Another example, it has no MX record in the DNS, so I can not tell itā€™s a mailserver.

Don't get me wrong, the protocol works when you get it working, but it has many shortcomings that IPv4 doesn't have. On the other hand, IPv4 has a few problems too, but most can be solved.

DNS-wise, you do not have many options to direct traffic instantly to the right server?

You may want to read this: Should mail servers publish IPv6 MX records? Could this harm your spam filtering?

Like I said, IPv6 has more flaws than IPv4, so it doesn't supersede it, as it makes matters more complicated than needed. Also, it's not ready for general use when it comes to these matters.

Try banning abuse; it's almost impossible. Therefore it should have gateways: if they are blocked, the entire subnet should be out. But that's not the way it works; you have to figure out the subnet.
If they start using VPNs it will be impossible to do. It's very hard under IPv4 but doable… let alone that you can do it with IPv6.

Spammers are going to love this, no more filtering on networks.

IPv4 is not legacy; at the moment it's actually better to manage. Until they solve those problems it will not supersede IPv4. As such it's not legacy at all, far from it.

Please, remain on topic. Feel free to bring up your grievances in another thread and refrain from hijacking this thread in the future.

1 Like

Yes!

As I mentioned, my time on the project mostly goes to basic care and feeding of the system (as an example, other than the big server migration this summer/fall, over the last years all the DNS servers got a bunch of upgrades so they use mTLS for more of the communication with the central systems and they send logs centrally). The various systems to manage logs (system logs, DNS logs and monitoring data) have gotten a bunch of upgrades. A lot of this was a prerequisite to improve the monitoring system (the current project).

The new monitoring system is really close to done. I'm still watching and adjusting things, but it already overwhelmingly seems to work better than the production system. There's a bit more testing and work to do before I'm comfortable putting it in production (where it needs to operate reliably while unsupervised), but it's definitely winding down.

The next thing is to add some features for managing the "vendor zones" so vendors can choose if/when they want to upgrade to "full IPv6". I also want to change it so the zones can be configured to fit the needs (a single zone for SNTP clients; a single zone for NTP clients with "pool" functionality or the traditional ~4 zones). This will help the servers in that if a vendor only needs a single zone we can add all the servers safely to that zone instead of having them rotate every so many minutes.

There are also some related features for expediting how the vendor zones are managed to make sure I'm not a bottleneck in that process, so vendors who need IPv4 only can get that setup.

When this is done my plan is to get back to the original plan of making IPv6 the default in all country zones where it makes sense. There are some choices to be made around backfilling zones from the region versus not providing AAAA records vs giving out (too) few IPs. The same issues exist for IPv4/A records, but in many countries it's worse for IPv6 if it's not addressed.

15 Likes

Please let us know when you are about to enable this. I would like to monitor the effect on my servers (30 instances globally anycasted, plus a couple of unicast servers).

Thank you.

4 Likes

"my plan is to get back to the original plan of making IPv6 the default in all country zones where it makes sense."

Bump…

2 Likes

Any news to report @ask ?

2 Likes

One year later.

Just keeping the thread alive - because itā€™s important.

5 Likes

Why? Time won't suffer if it keeps being IPv4.

IPv6 is one of those protocols that was never designed properly, still isnā€™t.

It's not backwards compatible, as such it keeps being second and people keep avoiding it if they can.

I do believe they will come up with something better as IPv6 isn't widely accepted/used.

Time to fix the problems with it. Else it will never take over.

IPv6 ain't broken. IPv6 ain't IPv4. What you learned about the latter may or may not apply to the former. IPv6 is its own thing. Deal with it, as any IT professional would.

"A good craftsman never blames his tools."

5 Likes

It should have never been designed this way.

And sorry, it is broken in many ways.

Try to ban a troll on a forum: you can't, he/she can take any IP they like and you have to figure out how many they have, without hurting others.

It should have an option to show the gateway so you can block from there.
It doesn't have this, not that I have seen an option for it.

When is an IPv6 IP from a different gate? How to determine the range they have assigned?

With IPv4 it's simple as all passes the same gate.

How do you do this on IPv6?

How do you block a troll behind IPv4 CGNAT without hurting others? IPv6 was designed with the same principles as IPv4 before its addresses became scarce.

1 Like

Agree, but IPv6 also opens the gates for hackers and criminals.

Tools like fail2ban are practically useless because they can switch IPs in a second and use millions at the same time.
It's impossible for fail2ban to keep up.

One of the complaints from server hosters trying to keep hackers out.

They should have left a gateway in place, but they didn't.
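
The question of how to ban an abusive IPv6 client that can rotate through a whole subnet comes up twice in this thread: the earlier reply that says to "block the entire /64, /56 or even /48", and the comment above that per-address fail2ban bans cannot keep up. The following is an added example, not code from any poster or from the NTP Pool project, showing the usual practitioner's answer: aggregate abuse hits by prefix rather than by address, then widen the block when several /64s inside the same site allocation misbehave. The log format, the sample lines, the "auth-fail" marker and the /64-per-host and /48-per-site boundaries are all constructed assumptions for the example (RFC 6177 allows site allocations anywhere from /48 to /56, so the real site size should come from whois/RIR data when it is known).

```python
"""Aggregate failed-auth log hits by IPv6 prefix and emit firewall rules.

Illustrative only: constructed log lines, a hypothetical log format, and an
assumed /64-per-host, /48-per-site allocation model.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample log (not from any real server): "<timestamp> <client> auth-fail".
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 2001:db8:1234:5678::1 auth-fail
2024-05-01T10:00:02Z 2001:db8:1234:5678:abcd::2 auth-fail
2024-05-01T10:00:03Z 2001:db8:1234:5678:ffff::9 auth-fail
2024-05-01T10:00:04Z 2001:db8:1234:9999::1 auth-fail
2024-05-01T10:00:05Z 2001:db8:1234:9999::2 auth-fail
2024-05-01T10:00:06Z 2001:db8:abcd::1 auth-fail
2024-05-01T10:00:07Z 198.51.100.7 auth-fail
2024-05-01T10:00:08Z 198.51.100.7 auth-fail
2024-05-01T10:00:09Z not-an-address auth-fail
"""

LINE_RE = re.compile(r"^\S+\s+(\S+)\s+auth-fail\b")


def aggregate(log_text, host_prefixlen=64):
    """Count hits per client prefix.

    IPv6 clients are keyed by their /64 (assumed: the smallest assignment a
    single host can rotate addresses within, which is exactly what defeats
    per-address bans); IPv4 clients are keyed per address (/32).
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # malformed client field: skip rather than crash
        prefixlen = host_prefixlen if addr.version == 6 else 32
        counts[ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)] += 1
    return counts


def _net_key(net):
    # IPv4 and IPv6 networks are not mutually comparable; order by version first.
    return (net.version, int(net.network_address), net.prefixlen)


def offenders(counts, threshold):
    """Prefixes with at least `threshold` hits, in a deterministic order."""
    return sorted((n for n, c in counts.items() if c >= threshold), key=_net_key)


def escalate(nets, site_prefixlen=48, min_subnets=2):
    """Widen to the site prefix when several offending /64s share one site.

    The site boundary is an assumption (/48 here); use the provider's real
    allocation size from whois/RIR data when it is known.
    """
    by_site = defaultdict(set)
    keep = []
    for net in nets:
        if net.version == 6 and net.prefixlen > site_prefixlen:
            by_site[net.supernet(new_prefix=site_prefixlen)].add(net)
        else:
            keep.append(net)
    for site, subnets in by_site.items():
        keep.extend([site] if len(subnets) >= min_subnets else subnets)
    return sorted(keep, key=_net_key)


def firewall_rules(nets):
    """Render iptables/ip6tables DROP rules for the given prefixes."""
    return [
        f"{'ip6tables' if n.version == 6 else 'iptables'} -I INPUT -s {n} -j DROP"
        for n in nets
    ]


if __name__ == "__main__":
    blocked = escalate(offenders(aggregate(SAMPLE_LOG), threshold=2))
    print("\n".join(firewall_rules(blocked)))
```

With the constructed log and a threshold of two hits, the three addresses in 2001:db8:1234:5678::/64 and the two in 2001:db8:1234:9999::/64 collapse into a single 2001:db8:1234::/48 DROP rule, the lone hit from 2001:db8:abcd::/64 is left alone, and the repeated IPv4 client gets an ordinary /32 rule. Note the caveat the thread itself raises: a wide prefix block will also catch innocent hosts inside a shared allocation, which is the same trade-off a CGNAT /32 block makes on IPv4.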

The proper way to propose changes to IPv6 or a new protocol is by filing an RFC with the IETF. The IETF does not monitor this forum.

2 Likes