[HN Gopher] IPv6 support for cloning Git repositories from GitHub
___________________________________________________________________
IPv6 support for cloning Git repositories from GitHub
Author : stargrave
Score  : 215 points
Date   : 2022-08-24 14:28 UTC (8 hours ago)
web link (github.com)

| flas9sd wrote:
| from the NAT64 gateway in the thread I learned from ipv4 mapped ipv6 addresses
| 2001:67c:27e4:1064::140.82.121.3 github.com www.github.com
|
| if you're curious too, see https://www.rfc-editor.org/rfc/rfc6052#section-2.4
| kuon wrote:
| For about 4 years I have considered IPv6 first and IPv4 second. If IPv6 has an issue, I consider the service down, not just half down or slightly non operational. If I call an ISP for an IPv6 issue, I say "internet is down" even if IPv4 is working.
|
| This policy helped move things forward on the networks I worked on. Lately I did set up a business internet with SLA; I specifically told the ISP I would not accept the contract if the SLA did not mention IPv6 as required.
|
| But it is still a lot of battle, where it should be the default.
|
| Github not fully supporting IPv6 is a real shame and they should really move things forward to support it quickly.
|
| Also, systems should not use IP addresses as a means of security or authentication; it was a bad idea for IPv4, and it is an even worse idea for IPv6. To give you an example of bad firewall behavior, I was checking my electric bill from the train, and suddenly my account got blocked, and it took me a lot of time and effort to fix (physical mail...). My IP changed while I was browsing a page and the firewall didn't like it.
| bityard wrote:
| > For about 4 years I have considered IPv6 first and IPv4 second. If IPv6 has an issue, I consider the service down, not just half down or slightly non operational. If I call an ISP for an IPv6 issue, I say "internet is down" even if IPv4 is working.
|
| Wow, you live in a very different world than me. If I did that, I can 100% guarantee that the answer from the other end of the line would be, "The Internet is working for everyone else just fine, maybe try clearing your cookies. Have a nice day. _click_"
| tiernano wrote:
| That's the difference between residential and business class broadband. My ISP in Ireland, Virgin Media, has fairly useless support for residential, but for business, they are on the ball. And for enterprise (dedicated line in the office) they are even better. Suppose it depends on what you pay for.
| pantalaimon wrote:
| I also don't understand what stops ycombinator from supporting IPv6. It's a pretty simple website, what's the big effort?
| [deleted]
| tambre wrote:
| The most touted reason is that their anti-spam systems only support IPv4. Their old Cloudflare endpoint however is still alive and you can't disable IPv6 on Cloudflare, so feel free to add the following to your /etc/hosts:
|     2606:4700::6810:686e news.ycombinator.com
|
| Interestingly, when I tried to post the above comment over IPv6 I got a Cloudflare "You have been blocked" page. This might be something they do not want you to know! :D
| fzfaa wrote:
| I know of so many websites that break spectacularly when you do that...
| r1ch wrote:
| This was an interesting Cloudflare "feature" I found out about the hard way. Even if you only use Cloudflare for DNS hosting, they will happily accept proxied requests for your hostnames and route them to your origin. I discovered this when we received a L7 DDoS from only Cloudflare IPs - the attacker had pointed their bots at Cloudflare with our hostname (bold move!).
|
| The official solution (and might be why you see the blocked page) is to set up the WAF to block all requests.
| stingraycharles wrote:
| Interesting that apparently this is a problem; I would have thought that spam filtering is completely outsourceable by now.
|
| Doesn't CloudFlare have good bot detection? What does HN do that relies on IP addresses that CloudFlare can't do?
| londons_explore wrote:
| HN can do things like "This user is posting from an IP which geolocates far from where it normally posts from". It can take into account the total post history, user upvotes, etc.
|
| Cloudflare bot detection is more request-by-request. Cloudflare's product is more intended to prevent DDoS attacks with millions of bots. I don't think it's sufficiently fine tuned to prevent a handful of spam comments from getting through.
| jimcavel888 wrote:
| exabrial wrote:
| You in fact CAN disable ipv6 on Cloudflare, but they make you do it with an API request.
| tambre wrote:
| Doesn't that still only remove the records from DNS? So far, for all Cloudflare sites that have IPv6 disabled I've been able to derive the IPv6 address by hand and make requests without issues.
| systemz wrote:
| This was possible only for some time; now it's only an enterprise option, I'm afraid. For the Free/Pro plans the option is grayed out and the API refuses to change it.
| codeflo wrote:
| Wouldn't it be reasonable for their backend to only accept (write) requests from whatever the anti-spam proxy is? Otherwise, there's little point.
| tambre wrote:
| Currently there are no proxies in front and you connect directly to their baremetal server hosting the site. I presume the anti-spam system is custom-built and part of their own codebase. Cloudflare is officially sanctioned, but retired from widespread use.
| waffle_ss wrote:
| This shortcoming becomes immediately apparent when you try to use certain VMs, like from Vultr, which are IPv6-only with no CG-NAT. You can't clone anything or fetch any release binaries at all.
| geraldcombs wrote:
| If your VM provider issues IPv4 addresses you can run into another issue: your v4 address might be dirty. I recently spun up a development VM and was unable to download packages from maven.org. Apparently the address had previously been used for abuse and ended up on a blocklist.
| bongobingo1 wrote:
| Hmm, interesting. I tried Vultr a few months ago and had a number of issues; wonder if that was related. Is it common for a provider to only give out v6? My experience is really only with Linode - which I've never had a problem with for years, and a bit of playing with DO which seemed fine but didn't wow me enough to move infra.
| joecool1029 wrote:
| Hetzner sells v6-only dedicated servers; you have to pay a little extra for a v4 address now. So yeah, I'd consider it pretty common.
|
| I have a weather station I run on T-Mobile which is v6-only with an ipv4 CGNAT. I just Cloudflare the v6 endpoint and my legacy (v4) users can visit the station.
| wongarsu wrote:
| It'd be more accurate to say it's becoming common for providers that compete on price to give IPv6 a price advantage. I don't use Vultr, but they seem to occasionally have $2.50/month instances with IPv6 only. Hetzner charges you $0.50/month for an IPv4 IP for cloud instances, and $1.70/month for one for dedicated servers.
| bombcar wrote:
| As others have said it's getting more and more common on the low-cost providers (especially if you get outside the US/Europe and into Asia).
|
| But even then they often have an ability to get a NAT IPv4 connection out somehow.
| the_mitsuhiko wrote:
| I think what a lot of people like to miss is that a lot of detection and antispam stuff is not working well on ipv6. A server without any ipv4 is still limited in many more ways than not being able to reach github, which probably means there is not a lot of pressure for github yet.
| djbusby wrote:
| Any quick info on why anti-spam/bot detection is harder on IPv6?
| humanwhosits wrote:
| My guess is that each user's IP suffix changes a lot more often
| stingraycharles wrote:
| Probably because with IPv6 privacy is built-in somewhat into the protocol, eg you can have a different IP really easily. For example, I can see my desktop right now has 7 different addresses.
|
| Now, you could truncate this to eg a /64 or /56 range to identify users, but each ISP has different rules. Mine gives a /56, but I also hear many give only a /64 or less.
|
| As such, it basically means that you can't really rely easily on IP addresses anymore for spam detection, rate limiting, etc.
|
| Note that I'm not an expert on spam filtering, but I do have quite some networking experience and QoS, and ran into these issues a lot.
| 10000truths wrote:
| But this same issue occurs with CGNAT IPv4, whose private address delegation is even more opaque than IPv6's prefix delegation. And CGNAT will become more prevalent going forward as address exhaustion becomes a bigger issue. There's no circumventing the fundamental problem that there is no 1-1 correspondence between IP addresses and "real" users.
| londons_explore wrote:
| It's also the fact that having a data structure that stores a few bits per /24 range in RAM is very doable in IPv4. Banning a /24 doesn't have too much collateral damage.
|
| Whereas the same in IPv6 isn't feasible. There is no reasonable way to divide the IP space non-sparsely, keep it in RAM, and still ban without ending up banning a whole ISP.
| zekica wrote:
| A simple HashMap works fine for blocking IPv6 /56.
| X-Istence wrote:
| Filtering by /64 is good enough. With a /56 you have 2^8 (256) prefixes; if you spam enough for a /64 to be blocked, you have 255 more tries before all of those are blocked too.
|
| With some heuristics of "hey, we saw two /64s from the same /60" you can catch most ISPs that are offering prefix delegation to their customers, and that's only 16 /60s in that /56 before you are fully blocked...
|
| It's not that much harder or difficult.
| kmeisthax wrote:
| Because IPv6 addresses are free and IPv4 is expensive. Same reason why Google won't let you sign up without SMS verification. If you're caught spamming or breaking TOS you've effectively burned that v4 address or phone number.
|
| v6 is more difficult, by design. The lower half of the address is deliberately not subnettable and it is the explicit design intent that machines on a v6 network can just make up new addresses within a /64 as they please. So you have to burn _subnets_. Except there isn't really a standard for how subnets are issued: most ISPs hand out /48s, Comcast insists on /64s for residential use, etc. In the IPv4 world you could ban one IP at a time, and only move on to banning entire AS allocations if you needed to. On IPv6, banning a /64 is a lot less impactful, so you have to start with the most drastic and customer-hostile option.
| ArchOversight wrote:
| Comcast hands out a /60 for prefix delegation if you ask for it (i.e. software asks for it, no customer service interaction required). In fact Comcast allows you to ask for as many /60s as you want (caveat: there may be a limit, but at one point I made a config mistake that led to asking for 32 /60s and I got all of them, so I am not aware of a limit).
| forgot_old_user wrote:
| This is sad :( hetzner charges extra for an ipv4 address, and this means I couldn't run `git clone` without paying extra.
| longsword wrote:
| > This is sad :( hetzner charges extra for ipv4 address, and this means I couldn't run `git clone` without paying extra
|
| Well, they added the option, so you can get your server for less than normal. The servers are cheaper if you opt out of IPv4. I really liked that move.
| blibble wrote:
| with no NAT64 gateway or something similar to it?
|
| pretty lame by hetzner if that's the case
| xnyanta wrote:
| Hetzner has an official NAT64/DNS64 gateway you can use with their v6-only offerings.
| duskwuff wrote:
| I can't seem to find any documentation on this. Details?
| ugjka wrote:
| IPv4 is only a 0.64EUR upsell
| withinboredom wrote:
| Unless you have a dedicated server, then it is quite a bit more expensive.
| tiernano wrote:
| 2 euro if you want one primary IP is not that bad. If you want extra, yes, they charge more for a setup (20 up front for 1, still only 2 quid per month extra).
| sebazzz wrote:
| Well, if Github nowadays runs on Azure under the hood (which they probably don't) I understand. IPv6 support in Azure is patchy with many of their services.
| CottonMcKnight wrote:
| Considering how long it took AWS to add IPv6 to services across the board, I'm not surprised that it's taking so long. On the other hand, it would be nice if they would be transparent about the challenges or the reason for the delay, rather than radio silence or, at best, "we're working on it."
| luhn wrote:
| > Considering how long it took AWS to add IPv6 to services across the board
|
| Unfortunately all but a handful of their APIs have yet to support IPv6.
| bragr wrote:
| It's debatable to what extent AWS has IPv6 across the board. Many seem to be using a 6-to-4 layer under the hood which can result in noticeable behavior.
| dwheeler wrote:
| Lots of organizations do not support IPv6. For another example, Heroku does not (and many systems are based on Heroku): https://help.heroku.com/I8L6RW01/does-heroku-support-ipv6
|
| It's unfortunately harder to support IPv6 than I think it should be, so many organizations do not. I'd love to see GitHub support IPv6, but they are by no means the only one.
| pelorat wrote:
| Because of this post I decided to check my network interface statistics. I'm in the Netherlands and my IPv6 usage is ~10x that of IPv4.
| nfriedly wrote:
| My ISP (Metronet) uses CGNAT and refuses to touch IPv6. In my case, when I complained that port forwarding didn't work, they gave me a static IPv4 for free, but I have to call back once a year or else they start billing me $10/month for it.
|
| I don't need a static IP. I'd be completely fine with a dynamic IPv4 or even dynamic IPv6. But they don't offer that. Just static IPv4 or CGNAT IPv4. Oh well, some day...
| pelorat wrote:
| Guess they are sticking with their old equipment, because IPv6 is free in any modern industrial ISP router.
| Symbiote wrote:
| With most people leaving their router switched on all the time, the difference between a static and dynamic IPv4 address from the point of view of the ISP is probably marginal.
| foepys wrote:
| In Germany all bigger DSL providers still disconnect you once a day and issue new IPs.
|
| Bad for at-home hosting, good for privacy.
| apk17 wrote:
| Partially. Telekom keeps up the line for months at a time. I guess that is due to telephony being done via VoIP, and they don't want to interrupt your late night calls.
|
| Others, even Congstar (which is a cheap Telekom brand), do 24h disconnects with a new v4 address, and no v6 at all.
|
| The DSL I use gives me a fixed v4 and v6 range, but still needs to do the daily disconnects.
| Wubdidu wrote:
| Is that so? At least Telekom doesn't do that for IPv4 anymore. They do have a 24h dynamic prefix for IPv6 though (which feels very weird, considering they stopped doing that for IPv4)
| nfriedly wrote:
| Yeah, that's true enough.
|
| I guess the point I was trying to make is that I think IPv6 is a better solution to their problem of not having enough IPv4 addresses.
| bombcar wrote:
| For a long time I ran a HE tunnel to get me some sweet static IPv6, but now that my cable company has turned it on I no longer need that (probably should still have it as a backup).
|
| https://www.tunnelbroker.net
___________________________________________________________________
(page generated 2022-08-24 23:00 UTC)
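An added example, not from any commenter, of the IPv4-embedded IPv6 addressing that flas9sd's RFC 6052 link at the top of the thread describes: it recovers the IPv4 address behind a NAT64 address such as 2001:67c:27e4:1064::140.82.121.3 and builds the reverse mapping. It goes beyond the /96 case quoted in the thread and handles all six prefix lengths the RFC allows; the function names are assumptions, and the 2001:db8:: prefixes are documentation addresses.

```python
# Added example (not from any commenter): decode and encode IPv4-embedded IPv6
# addresses per RFC 6052 section 2.2. For prefixes shorter than /96 the IPv4 bits
# straddle octet 8 (bits 64-71, the "u" octet), which must be zero.
import ipaddress

RFC6052_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)
WELL_KNOWN_PREFIX = "64:ff9b::/96"  # RFC 6052 section 2.1


def embedded_ipv4(addr, prefix=WELL_KNOWN_PREFIX):
    """Return the IPv4Address embedded in `addr` under `prefix`, or None if
    `addr` lies outside the prefix or violates the RFC 6052 layout."""
    addr = ipaddress.IPv6Address(addr)
    net = ipaddress.IPv6Network(prefix, strict=False)
    pl = net.prefixlen
    if pl not in RFC6052_PREFIX_LENGTHS or addr not in net:
        return None
    raw = addr.packed                      # 16 bytes, network byte order
    if pl == 96:                           # simplest layout: IPv4 is the last 32 bits
        return ipaddress.IPv4Address(raw[12:16])
    if raw[8] != 0:                        # the "u" octet is reserved and must be zero
        return None
    # Drop the "u" octet; the IPv4 address is then the 32 bits right after the prefix.
    without_u = raw[:8] + raw[9:]
    start = pl // 8
    return ipaddress.IPv4Address(without_u[start:start + 4])


def embed_ipv4(v4, prefix=WELL_KNOWN_PREFIX):
    """Inverse of embedded_ipv4: the IPv6 address that carries `v4` under `prefix`."""
    v4 = ipaddress.IPv4Address(v4).packed
    net = ipaddress.IPv6Network(prefix, strict=False)
    pl = net.prefixlen
    if pl not in RFC6052_PREFIX_LENGTHS:
        raise ValueError("prefix length must be one of %s" % (RFC6052_PREFIX_LENGTHS,))
    body = net.network_address.packed[:pl // 8] + v4
    if pl != 96:
        body = body[:8] + b"\x00" + body[8:]   # re-insert the zero "u" octet
    return ipaddress.IPv6Address(body.ljust(16, b"\x00"))
```

For a defender reading logs from an IPv6-only host behind a NAT64 gateway, the decoded IPv4 address is the one that matters for abuse attribution and reputation lookups, not the synthesized IPv6 one.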