Dual Stack home network pros and cons

[Tech9]

Are you question the security of IPv6 in general

What I'm saying is I can care about security only when I know what is going on. When I don't, I can only hope about security. Lost services as a result of IPv6 are part of security measures. The fact the developers around don't have IPv6 ISP's to test with doesn't make me feel any better.

IPv6 doesn't use NAT.

With NAT acceleration disabled the router can process about 350Mbps WAN-LAN, no more Gigabit capable. It affects all WAN traffic. I don't know if the error in logs is something to be concerned about, but a kernel buggy log doesn't sound very exciting when testing something new.

The same argument could be made for turning off IPv4 if you have IPv6 enabled.

WAN Disconnected. No Internet. Tested already. Asuswrt needs IPv4 to function properly.

IPv6 doesn't use NAT.

A layer of security lost.

 

[Frank Monroe]

What I'm saying is I can care about security only when I know what is going on. When I don't, I can only hope about security. Lost services as a result of IPv6 are part of security measures. The fact the developers around don't have IPv6 ISP's to test with doesn't make me feel any better.

Understood

With NAT acceleration disabled the router can process about 350Mbps WAN-LAN, no more Gigabit capable. It affects all WAN traffic. I don't know if the error in logs is something to be concerned about, but a kernel buggy log doesn't sound very exciting when testing something new.

The point is, its not disabled. And, you dont' even know why the one person reporting the issue is having the issue. I have been running for months without issue.

WAN Disconnected. No Internet. Tested already. Asuswrt needs IPv4 to function properly.

You are completely missing the point

Most of what I have seen in the past couple of posts show me a complete lack of understanding. And because of this, like another poster has said, its hard to take this thread seriously.

 

[Tech9]

Most of what I have seen in the past couple of posts show me a complete lack of understanding.

Yeah, right. The escape plan. Some folks wanted testing. Testing is what I did. As close as possible to a typical home router user - no knowledge required, just turn it on and forget about it. But you don't understand, but the ISP, but the DNS, but the routing... fix it and let me know when it's ready. What I clearly understand is I'm wasting my time flashing routers and changing settings for no good reason and with no appreciation of my time and efforts.

You are completely missing the point

I see no point. Routers reset and back to the shelf. Thank you!

 

[Frank Monroe]

Yeah, right. The escape plan. Some folks wanted testing. Testing is what I did. As close as possible to a typical home router user - no knowledge required, just turn it on and forget about it. But you don't understand, but the ISP, but the DNS, but the routing... fix it and let me know when it's ready. What I clearly understand is I'm wasting my time flashing routers and changing settings for no good reason and with no appreciation of my time and efforts.

The effort is appreciated. But, you can't come to the conclusions you are trying to come to with the limited amount of time and limited anecdotal evidence you are using. ASUS has been building home routers with IPv6 for years. And now suddenly today, in a 12 hour period, its being judged.

But, the biggest problem here is the premise from the start: You say you are testing as close to a typical home user as possible. Well, a typical home user isn't going to be doing any of the things you are testing. They aren't going to install Merlin. They aren't going to use alternate DNS servers...etc. In fact, as stated earlier, a typical home user in my region will be a Comcast customer, with Comcast equipment and with IPv6 already enabled.

 

[Tech9]

limited anecdotal evidence

Thanks again. I don't use Asus routers, so not my problem. Sorry to bother you. I'm done here.

 

[dave14305]

Anyone still running IPv6 on Asus, please refresh my memory if your LAN addresses show a lifetime other than forever. I seem to think there was not proper handling of the prefix delegation lifetimes, but I might be wrong.

ip -6 addr show dev br0 scope global

Don’t post your real global address.

OpenWrt:

root@router:~# ip -6 addr show dev eth0 scope global
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2601:123:4567:8910::1/60 scope global dynamic noprefixroute
       valid_lft 338250sec preferred_lft 338250sec
    inet6 fd8f:9fe8:feb3::1/60 scope global noprefixroute
       valid_lft forever preferred_lft forever

 

[Frank Monroe]

Anyone still running IPv6 on Asus, please refresh my memory if your LAN addresses show a lifetime other than forever. I seem to think there was not proper handling of the prefix delegation lifetimes, but I might be wrong.

ip -6 addr show dev br0 scope global

Mine shows as forever. But T-Mobile doesn't support delegation.

 

[learning_curve]

Anyone still running IPv6 on Asus, please refresh my memory if your LAN addresses show a lifetime other than forever. I seem to think there was not proper handling of the prefix delegation lifetimes, but I might be wrong.

ip -6 addr show dev br0 scope global

Don’t post your real global address.

Yes, mine is also forever, but FWIW

# ip -6 addr show dev br0 scope global
10: br0: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500
    inet6 20**:***:***::1/56 scope global
       valid_lft forever preferred_lft forever

The IPv6 address /56 is the LAN, which is SLAAC, which can be seen on the router's IPv6 GUI page:
IPv6 / IPv6 LAN Setting / LAN IPv6 Address which is then further confirmed on the same page by the LAN IPv6 Prefix 20**:***:***:: value that is shown below that LAN IPv6 Address. It's not the WAN IPv6 Address: 20**:***:****:****:****:****:****:****/64 It's the LAN allocation that's allocated from that WAN IPv6 Address. /56 is more suitable for a home user LAN than /64 is, in terms of the amount of numbers...

 

[SomeWhereOverTheRainBow]

Anyone still running IPv6 on Asus, please refresh my memory if your LAN addresses show a lifetime other than forever. I seem to think there was not proper handling of the prefix delegation lifetimes, but I might be wrong.

ip -6 addr show dev br0 scope global

Don’t post your real global address.

OpenWrt:

root@router:~# ip -6 addr show dev eth0 scope global
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2601:123:4567:8910::1/60 scope global dynamic noprefixroute
       valid_lft 338250sec preferred_lft 338250sec
    inet6 fd8f:9fe8:feb3::1/60 scope global noprefixroute
       valid_lft forever preferred_lft forever

I suppose mine is correct

@RT-AX88U-C7C0:/tmp/home/root# ip -6 addr show dev br0 scope global
24: br0: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc htb state UP group default
    inet6 26XX:XXX:XXX:XXX::1/64 scope global
       valid_lft forever preferred_lft forever

 

[geobernd]

Anyone still running IPv6 on Asus, please refresh my memory if your LAN addresses show a lifetime other than forever. I seem to think there was not proper handling of the prefix delegation lifetimes, but I might be wrong.

ip -6 addr show dev br0 scope global

Don’t post your real global address.

ASUSWRT-Merlin RT-AC68U 386.4_beta3 Tue Dec 28 21:09:32 UTC 2021
router@RT-AC68P-2880:/tmp/home/root# ip -6 addr show dev br0 scope global
10: br0: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500
    inet6 xxx1:xxx:xxxx:23::1/64 scope global
       valid_lft forever preferred_lft forever

Forever here...

 

[dave14305]

Thanks. I find it unlikely that it’s supposed to be forever.

 

[Frank Monroe]

Thanks. I find it unlikely that it’s supposed to be forever.

I refuse to release my lease.

 

[L&LD]

The take away here from my point of view is that a router/network needs to be built from the ground up with IPv6 enabled and working from the start. And not switching back and forth from IPv6 and IPv4 to find issues.

I'll put this down as another option to not toggle on/off (without doing a full/proper reset in between, if the testing is to be valid and repeatable).

Not that this testing was done in a non - biased approach to begin with.

 

[geobernd]

Thanks. I find it unlikely that it’s supposed to be forever.

It also shows as forever on eth0. Is there a way to show how long the single IPv4 on eth0 is valid for - I'd be curious to see if it's also forever as I don't remember every seeing any renewals happening except when the whole eth0 drops? (my linux shell is getting a bit rusty with old age )
On a side note: While I don't have static IP with Comcast here I have a Business line and both my IPv6 prefix and IPv4 address have survived switching modems once and router once and are unchanged for over 2 year already - so I suspect they are a lot more sticky than I am used to from previous residential with Optimum/Altic...

 

[CriticJay]

How do you track this?

Install the IPvFoo chrome extension on either Chrome or Microsoft Edge. There's probably a similar plugin for Firefox users.

Very handy way to tell you if your current website was fetched by your browser using IPv6 or IPv4. Including secondary resources on the web page (images, banner ads, 3rd party cookies, etc.)

 

[CriticJay]

Here is what I found, including Asuswrt-Merlin specifics:

- potential DNS related location issues
- potential slower DNS resolution
- NAT acceleration issues on AC86U (perhaps, model specific)

With my AC86U running Merlin 386.3_2, I haven't seen any of the 3 issues mentioned above in the past 3 weeks (which is how long I've had IPv6 dual-stack re-enabled on my home network just for "fun"; my sig below is out-of-date).

1. With DoT enabled on the router, and using Google DNS on IPv4 only, I've had no location issues nor slower DNS resolution.
Note that IPv4 DNS servers are perfectly capable of returning both the IPv4 and IPv6 records. So you don't need to configure DoT to hit up both IPv4 and IPv6 DNS servers.

2. NAT acceleration issues: have not seen any such kernel error messages in my logs. All hardware acceleration features on the router (RUNNER and FLOW CACHE) are enabled and seem to be working fine; I'm seeing speedtest.net results of up to 912mbps down for my Wired GbE devices, with Adaptive QoS enabled (my cable plan is 1000mbps/30mbps on a DOCSIS 3.1 modem).

 

[SomeWhereOverTheRainBow]

Thanks. I find it unlikely that it’s supposed to be forever.

That is what good old ULA's are for.

 

[Christos]

Most DoS attacks come from IPv4 and unpatched routers and IoT devices.
If a device is patched and updated, then IPv6 posses no threat and IPv4 will not save you.

 

[SomeWhereOverTheRainBow]

Most DoS attacks come from IPv4 and unpatched routers and IoT devices.
If a device is patched and updated, then IPv6 posses no threat and IPv4 will not save you.

DDoS attacks are just as prevalent on IPV6 as on IPV4, research actually shows that mitigating DDoS attacks on IPV6 is far more complex and difficult than with IPV4. This is neither here nor there, but it is the case since IPV6 is still so new and is very complex in design. I am not mentioning this as a reason for people not to use IPV6, but to prevent misinformation presented in your statement.

References

https://dl.acm.org/doi/10.1145/3424978.3425020

 

[FLA_NL]

Coming up. Another trade off though - 1.1.1.2 doesn't appear to support DoT at the moment, in case I would like to keep this functionality. I would like to have some Malware/Phishing protection similar to running IPv4 network only.

I'm using Dot with 1.1.1.2, 1.0.0.2 for quite some time now with security.cloudflare-dns.com. It does seem to work. Also with https://phishing.testcategory.com/ which is then blocked.