Adventures with Verizon FiOS IPv6 (hardenedbsd.org)
63 points by todsacerdoti on July 2, 2022 | 63 comments



It's unfortunate, but expected that ISPs want you to continue paying for static address space, regardless of the scarcity of said space. So if you want to take advantage of the global IPv6 addressing scheme and avoid NAT, you have to script your config to tear down your routes and rebuild them with the new prefix when it changes. I do this with CenturyLink and its terrible 6rd implementation, but I would not expect to have to do this with DHCPv6 as a lease should not expire within milliseconds.


For some (many?) ISPs, the reason is that their equipment calculates end-user v6 leases from v4 leases. So a change in the latter automatically results in a change to the former.


That’s pretty unfortunate, seems to defeat the purpose a bit


If you’re on OpenWRT, you can mitigate this by having the DHCP client not send a RELEASE when it is stopped or restarted (network.wan.norelease=1).

You can probably do the same on other platforms.


For OPNSense, it's Interfaces -> Settings -> IPv6 DHCP -> Prevent release


Spectrum also has a bad habit of changing your prefix on you. Happy Eyeballs usually hides this failure as most use cases fall back to IPv4.

But all existing leases on your network are invalid until they refresh and won't route traffic.

When you catch it in the act, it is very annoying.


>Spectrum also has a bad habit of changing your prefix on you.

I wish I had that problem. Spectrum doesn't even offer IPv6 in my area. :(


Interesting. In my area, Spectrum would give out the same IPv4 address and IPv6 prefix seemingly indefinitely as long as I kept the MAC address and DHCPv6 client DUID the same. It'd persist across DHCP releases and renewals too. Managed to keep my "dynamic" address and prefix for half a decade.

So far, AT&T Fiber is behaving the same here too. I might somehow just be lucky with ISPs :)


The reassignment of IPv6 networks is annoying. My provider gives me a new /64 network on each reconnection, so I have to use the equivalent of the private addresses in my home network.


Why do you need private addresses?


So that they will be stable.


Isn’t the whole idea to just use DNS?


It is, and for a lot of things that works. But if your DNS server is not your router, it needs to be at a stable address so other hosts on the network can find it.

As I understand it, we (admins of ipv6 networks) are expected to run both public and private sets of addresses internally. The public ones may change if your ISP makes you, but your ULAs never do.


"ULA is functionally useless in any IPv6 deployment that has dual-stack operating anywhere."

"ULA per RFC 6724 is less preferred (the Precedence value is lower) than all IPv4 (represented by ::ffff:0:0/96 in the table). Because of the lower Precedence value, if you have IPv4 enabled on a host, it will use IPv4 before using ULA."

https://blogs.infoblox.com/ipv6-coe/ula-is-broken-in-dual-st...


Certain Firewall rules don't work without stable IPs, DNS won't help with that.


But a relatively normal firewall daemon supports variables and aliases and lookups etc. I suppose if you don't use address lists or address tags and no DNS and no DDNS then it would indeed be a problem.


I have played with multiple routers even commercial ones that do not support aliases or anything but static addresses. You are not wrong but what you suggest is far from the norm.


I was curious to see what the solutions are for some of these - Ruckus for example has Ansible modules [0] but they just SSH in and change the config.

[0] - https://github.com/commscope-ruckus/RUCKUS_ICX_Ansible


DNS is generally looked up once, on ruleset initialization; there is no way a firewall is going to look up DNS every single time a rule is referenced. Since DNS here is changing constantly, this is unhelpful.


My guess is for address stability


Yes. The internet connection is unreliable and sometimes I get 5 reconnections in less than half an hour.


But why do you need them to be stable?

edit: well for some reason I can't reply to you anymore, but for firewall rules I have had good luck using aliases instead of static addresses


If you are hosting internal services you want stable addresses.


I'm hosting some internal services like monitoring with Icinga, Grafana, my own recursive DNS server, a Kea DHCP server and some more. The web interface of my router is currently only available in the local DNS with its IPv4 address.


I also ran into this with Comcast ipv6. It seemed to get better over the last couple years so maybe they change your PD less frequently now.

One solution I was considering, but never implemented, was to use a ULA address range internally and do 1:1 NAT mapping from the external delegation to the internal ULA range.


I use Comcast IPv6. I've had the same IP address IPv6/60 for about six years now.

One gotcha is that when I replace the firewall, I gotta make sure I keep the same ethernet MAC address to avoid re-IPing on the IPv4 side (the line in my FreeBSD firewall's config is ifconfig_ix0="DHCP ether 00:0d:b9:48:92:48").

The other gotcha, for IPv6, is I have to migrate my client DHCP Unique Identifier (DUID) (`/var/db/dhcp6c_duid`) to my new firewall to retain my existing IPv6 subnets.


With IPv6, multiple addresses on a host are the norm. Just add a ULA network in addition to the public IPs you’re getting. No need to do NAT; your public stuff routes just fine using the public IPs and you can still contact internal resources on their ULA addresses as needed.


Why not have a ULA and an internal DNS server that rewrites the DNS to the ULA address, and have the external DNS dynamically updated?

One great thing about IPv6 is you're not limited to 1 IP address per interface.


Doesn’t that have the same issues as IPv4 split horizon DNS? Cached DNS resolutions on a client would persist if you disconnected from the LAN - I guess you can set the TTL to be very low but I’m not sure what the right balance is there.


You aren't limited with IPv4, either (assuming you're using a capable OS)


True but it's much easier in IPv6 as it's the standard way of doing things


I was annoyed by the PD churn on Comcast Business in principle, but it didn't affect me too much in practice.

The internal lan issues didn't bother me because I still prefer a local fd##::/64.

For a few firewall rules that used the prefix, I noticed that the /56s I'd get weren't completely unbound so it was easy to keep a list in an nftables var.

For inbound access, I have DNS rfc2136 with frequent updates for IPv4 so adding v6 was trivial.


On a related topic, I've been scratching my head over an ipv6 config issue using Openwrt on my router and Fedora Linux as the client. If I configure my client to use SLAAC all works well - it gets an address and default gateway. If I configure the client to use DHCP it gets an address but no default gateway. I can see via packet dump that the client doesn't send a router solicitation when configured for DHCP ... Is this working as designed? How is a DHCP client supposed to get a default gateway if not via RA?


Can anyone recommend a good IPv6 book?



My IPv4 address with FiOS changes frequently. I use an outside dynamic DNS provider that the FiOS router supports natively so I can always get back to my home network.

I think that would work for IPv6 as well but not with the use case where you’re using the public IP address as your hosts’ DNS server.

Could you assign an internal IPv6 address to your DNS server that is static and have it also get a second address from FiOS? Then all your clients could be configured to go to the static internal address.


Because I'm irritated by paying for dynamic DNS that actually works, I run the following script once an hour via cron(1):

   ip=`curl --silent ipinfo.io/ip`
   ssh -i <CREDENTIALS> <MY-CLOUD-HOST> "echo $ip > lastlog"
Then anytime I need to know where home is:

   ssh MY-CLOUD-HOST -C cat lastlog
[ EDIT: having posted this, I realized you could do the same thing just using whoami(1) on MY-CLOUD-HOST and avoid ipinfo.io entirely ]


The environment variable SSH_CONNECTION also gives this info. I have almost the same setup.

Mine looks sort of like this:

  # first field of SSH_CONNECTION is the client address; append it to the log,
  # and let uniq drop it again if it equals the previous entry
  echo "${SSH_CONNECTION}" | awk '{print $1}' | cat "/var/ip_log" - | uniq > "/var/ip_log.new"
  mv "/var/ip_log.new" "/var/ip_log"


On my machine I send this directly to nsupdate and have part of my personal domain delegated to that machine for dns stuff like this.


I haven't tested it too hard, but hurricane electric's free dns includes a dynamic DNS option which seems to work as long as you don't cron it too frequently (every 5 minutes works, every minute was too frequent and got blocked)


  ssh <MY-CLOUD-HOST> "echo \$SSH_CLIENT" | cut -f1 -d' '
works too


> My IPv4 address with FiOS changes frequently. I use an outside dynamic DNS provider that the FiOS router supports natively so I can always get back to my home network.

I handle this exclusively with WireGuard or Nebula now, though I'm sure other stuff like ZeroTier would work too. At worst a $5 VPS is enough to act as a lighthouse/relay, although as it happens for one of my virtual networks I do have a fixed IP to work with. But everything else can be whatever, completely dynamic, and all the tunnels stay up fine 24/7/365 and traffic can be routed through them as I wish, with extremely minimal exposure. On my own sites I use OPNsense to mix and match whole VLANs.

If one explicitly wants to run services to the general world from home that's of course no good, but if it's all private I think modern point to point tunnels or high level dynamic meshes are an excellent option now, and can be fully self-hosted super easily. It's very exciting how fast, reliable and powerful completely FOSS options are nowadays.


Oh, that is an interesting one I hadn't thought about. Since I expected IPv6 to just never change.

I have all my IPs configured static internally, and have DNS going over to AdGuard Home. Even have the firewall set up to force all DNS traffic over there. Doesn't work so well if all my IPs change because Verizon had an outage.


That's surprising, my FiOS IPv4 address doesn't change for years at a time.


I've had FiOS in the mid-atlantic since 2007 and as far as I can tell it only changes IP addresses when there is a power outage and everything reboots, which is rare.


I have FIOS with a router with OpenWRT, and my IP address only changes when the power goes out.


I'm excited and scared to try this personally. So essentially the issue in using IPv6 is that you're usually using the whole block to directly assign those addresses to local devices? Is that the primary benefit in a residential space?


The minimum subnet size in IPv6 is a /64 (18 quintillion IPs), and I think typically ISPs have been doing /56 delegation so you can have 256 of the /64 subnets. It means every device ever gets its own IP, and you never have to NAT anything anymore.


Assigning /64 subnets confused me for a long time with ipv6. It didn’t make sense.

It clicked when I learned about some of the ways devices can get ipv6 ips. Those /64 subnets provide a large enough space for devices to randomly self-assign their own address without a high risk of collisions. https://datatracker.ietf.org/doc/html/rfc4193#section-3.2.1

All devices need to know is the prefix to generate their own unique local address (ULA). This can provide stable local IPs for a device too. This eliminates the need for DHCP since IPv6 provides a standard UDP / ICMPv6 based protocol for routers to announce the prefix. ICMPv6 also replaces ARP, so in all it's a much more elegant system. It can be much more stable too.


Based on the comments, telekom.de is doing the same thing. A /56 prefix, changing every day. Blood-boiling.

Can anyone recommend an EU-based server provider that could be used as a tunnel?


One possibility is using paid VPN Services that offer IPv6 and have your Router setup to route everything via the VPN Service.


Hetzner would be the obvious choice.


Doesn't your ISP offer static addresses as an option?


For a fee, yes. It's usually not cheap. Even "good" ISPs like Google Fiber basically make you upgrade to a "business" account, then buy static IP addressing as an add-on. It can end up costing twice as much as your regular residential service.

With IPv4 it has always made far more sense for hobbyists to just use a dynamic DNS service, of which there are many free options. Some registrars like Namecheap even offer it when you buy a domain. IPv6 obviously complicates the hell out of this and I haven't really seen a solution as easy as for your average hobbyist.


> IPv6 obviously complicates the hell out of this

Why is it different? Can't you just dynamically update a AAAA record?


I've never done this, so asterisks as appropriate, but if you're using IPv6 to assign addresses from your block internally (that is, you aren't NATting your devices behind the router), you now have to invalidate all of them.


With IPv6, your ISP gives you a block of IP addresses which your router then divvies up among its clients. Each device on your network has a unique public IPv6 address, rather than sharing one and your router using NAT and port forwarding to direct traffic.

This makes dynamic DNS much more complicated because you can't just update the AAAA record with the address of your router, you need to update records for all clients that need to be externally accessible.

This is not an unsolvable problem, but it does make things a bit more complicated than just punching your DynDNS credentials into your router config or running Namecheap's DNS tool on one of your machines.


Yeah, Sonic walked back their promise to offer static IPv4 addresses with their fiber service (you can get one free static v4 address with their DSL offerings). They don't even do IPv6.

OTOH 10G fiber.


Telus won’t even do static addresses and IPv6. Either you get IPv6 or you can pay for static IPv4. You can’t even have static IPv4 and IPv6 enabled.


In the UK many providers charge £5 for a static IP; some give static IPv4 for free.


In the US, this is generally only available on "business" accounts. You can get a business account at your house but it will cost 2 to 3x for the same amount of bandwidth.


Not all of them do: after learning about that possibility here, I got myself an IPv4 subnet from AT&T Fiber for no extra cost except the subnet itself.



