[HN Gopher] Roku devices don't support IPv6 in 2023 and it's cos...
___________________________________________________________________
Roku devices don't support IPv6 in 2023 and it's costing ISPs

Author : robbiet480
Score  : 106 points
Date   : 2023-03-06 21:09 UTC (1 hours ago)

(HTM) web link (community.roku.com)
(TXT) w3m dump (community.roku.com)

| Awelton wrote:
| I just bought a brand new motherboard that still has VGA and PS/2 ports, so I would guess IPv4 isn't going away any time soon. Old standards seem to hang around forever for legacy support. Why an ISP would assume they could set up an IPv6 only network is beyond me.

| outworlder wrote:
| Not sure why we are comparing hardware with software here. Your motherboard can run IPv6 just fine :)
|
| You probably bought a server motherboard, so the ports are there for old KVM-type devices. Good luck buying a consumer motherboard with VGA and PS/2 ports.

| drdaeman wrote:
| Unless it's a server motherboard, it most likely supports DisplayPort or HDMI, possibly even over Thunderbolt/USB-C?
|
| Legacy compatibility is not an issue (unless it makes things complicated, unreliable or limited in the name of backward compatibility). Lack of modern functionality is.
|
| Similarly, presence of IPv4 support in devices is not a problem - lack of IPv6 support is. The comparable issue would be if you have bought a new motherboard but all it supports is VGA - now, that'd be quite inconvenient (even if it's a server board that runs headless 99.99% of the time).

| zamadatix wrote:
| This reminded me of an e300-8D I recently parted ways with. Bought new in 2017 but only had VGA out from the BMC... I gave away the VGA monitor I was using with it. Looking back I'm surprised I didn't just buy an active converter, it was such a pain to pull that monitor out :p.

| skee8383 wrote:
| No one cares about ipv6.
| not even VPS providers, it's always turned off by default unless you want to go through the pain of enabling with commands. no thanks.

| ehPReth wrote:
| I really hate Roku as a product, ads on the home screen and the remote(??) of something I paid for? No thanks. Though, I will concede it is cool to load mostly "unapproved" apps if the developer shares the app ID. (Certain x-rated sites liked to advertise they have a Roku app, something that would never make its way to most other TV boxes)

| HelloMcFly wrote:
| I went away from it, but ultimately came back because its universal search worked best for me. Fire Stick, Chromecast w/ Google TV, and Apple TV all routinely were unable to inform me that a show or movie I searched for was available for me to stream on a service I already subscribed to.
|
| At least on my Roku I can turn most of the fluff off, and I'm much more confident I won't spend money renting something I have available to stream for free. Beyond the basics of 4K and HDR support, I didn't realize this would be the most important thing to me.
|
| Edit: saw this article not 60 seconds later haha https://www.theverge.com/23621907/streaming-tv-boxes-roku-am...?

| adamwk wrote:
| I also think it's appalling how much input lag there is with these devices. It's 2023 and there's seconds long delay between input and response with these things. I get they're cheap but how much CPU is needed to move a cursor?

| lockhouse wrote:
| I've tried pretty much all of them except Apple TV, and I'd say Roku is the _least_ laggy overall. Our FireTV devices became so laggy they were unusable. Android TV isn't too bad, but Roku feels a bit more responsive to me.

| some-guy wrote:
| I promise you, LG's WebOS is worse in almost every conceivable way.

| luhn wrote:
| That's par for the course nowadays, unfortunately. I couldn't name a smart TV system that doesn't have ads.
|
| Roku is far from being the worst offender, my LG C2 that I paid out the nose for has the majority of the home screen taken up with ads.

| Scubabear68 wrote:
| Apple TV doesn't have ads.

| goosedragons wrote:
| It basically has ads with the default home screen setup to show you what's new on ATV+ and iTunes. Slightly more tasteful than McDonald's McDelivery Banner ads but it's essentially the same.

| DaiPlusPlus wrote:
| The background-banner at the top of the Home Screen shows banners from the currently highlighted app - if you remove the AppleTV+ app from the top-row of your home-screen then you don't see any promotions of any kind.

| dimgl wrote:
| > I couldn't name a smart TV system that doesn't have ads.
|
| What do you consider to be ads? Apple TV is pretty tasteful in this regard. It never feels like I'm getting served an ad at all. In fact, with all Apple products I never feel like I'm getting served an ad.

| yamtaddle wrote:
| I feel the same way about tvOS, but I've not used it without being subscribed to Apple TV, so I don't know if it pushes that hard if you don't have it. Otherwise the default screen has their service's stuff mixed in with other services (if they support that--some don't, like IIRC Netflix) and the amount of promotion isn't worse than if you're in another streaming app and they're trying to show you shows you're already paying for, that they want you to watch--and the actual app menu has none of that, no ads at all.

| dools wrote:
| > but I've not used it without being subscribed to Apple TV, so I don't know if it pushes that hard if you don't have it
|
| It doesn't. The only apple product I'm pushed to use is iCloud on my phone and computer which is quite aggressive because it's a notification you can't disable.

| manicennui wrote:
| Apple TV shows promotions for apps in the top row. These are ads.
| They are often shows the user isn't interested in, but the service is interested in pushing.

| nemothekid wrote:
| I'm pretty sure that's a feature for any app you put in the top row. If you have Netflix in that row it will show you recommended.

| scrame wrote:
| my samsung has a permanent ad for appletv, and I'm an apple hater, so I will never buy it and I can't easily make it go away, which makes me hate it more.

| winstonprivacy wrote:
| IPv6... Can it just go away already?
|
| Adoption has been declining for years. Many devices don't support it. Many services seemingly support it but break in strange ways.
|
| And not to mention it's a subtle and yet powerful privacy attack vector.

| Plasmoid wrote:
| IPv6 adoption has been increasing.

| dmd wrote:
| On what metric does this look like it's declining? https://www.google.com/intl/en/ipv6/statistics.html

| eqvinox wrote:
| That graph also shows another interesting bit: it seems that IPv6 usage is higher on weekends -- i.e. home internet connections. So it's even worse that Roku of all people doesn't support IPv6, considering IPv6 is ahead in homes.

| ArchOversight wrote:
| > Adoption has been declining for years.
|
| Source?
|
| > Many devices don't support it.
|
| Source?
|
| > Many services seemingly support it but break in strange ways.
|
| Got any examples?
|
| > And not to mention it's a subtle and yet powerful privacy attack vector.
|
| This is the only statement you've made that has any merit, and even then very little.
|
| Privacy Addresses have been a thing for a while, and most OS's support it. No longer are there stable addresses being generated from the MAC address, and all outbound connections are now on randomized addresses from the /64 that is announced through SLAAC.
|
| Just like IPv4 having a single address for a household, IPv6 has a /64 per household (although many ISP's let you request more if you want).
|
| IPv6 is growing, more and more traffic is going over IPv6 and it is not likely to go away any time soon.

| zamadatix wrote:
| Taking some points from their side not because I necessarily agree with the conclusion but just because this comment comes off a little strong:
|
| Adoption hasn't been declining by any measure but the adoption rate isn't as high as it was 5 years ago. Of course eventually the rate has to slow down because there is less and less to change over so that doesn't mean much. Overall though adoption has continued to increase without any long term dips.
|
| Many devices don't support it is probably one I consider true though. It's getting way better as the years go on but it's fair to say the world isn't past IPv4 only devices in households by any measure. Typically embedded products are the worst. Home security stuff, point of sale gear, older or just crappy media devices, oddly some IoT type devices like a fridge. Plenty of gear also supports it but just very poorly. Of those that do not all understand NAT64 either so while they may support IPv6 but they don't necessarily work without IPv4 (this also getting better as more services move to supporting IPv6 too).
|
| SIP and WebSocket are examples of some protocols that can break services under NAT64, especially with so much of the web being v4 only. They should be fine if the world ever moves 100% to IPv6 though. The era of misconfigured AAAA records wreaking havoc thankfully seems to have come to an end.
|
| I don't have anything to add on the privacy discussion, I think you nailed it there.

| ehPReth wrote:
| hmmm no thanks. i'd very much like to not have to deal with NAT anymore, just some firewall rules instead.
|
| do temporary addresses do nothing?

| JohnFen wrote:
| There remains the problem that we've run out of IPv4 addresses. I agree that IPv6 was not the ideal solution to this, but it's the only solution we have.
| scarface74 wrote:
| > First off I despise both Apple and that other evil empire (house of mouse) I want nothing to do with either of them.
|
| It's funny that the poster despises Apple. But is okay with a company where the CEO explicitly said that they want to make money not via hardware sales, but via selling user's television watching behavior.
|
| Everything about the Roku is a janky experience. From the ad that takes up the Home Screen to the hard coded buttons that go to the highest bidder.
|
| I have one remote that still has a useless Rdio button.

| ehPReth wrote:
| > via selling user's television watching behavior
|
| Gross. I hate how commonplace this is becoming. Even your basic non-Roku-OS TV people are saying never to connect it to the internet as it'll just fingerprint stuff on your HDMI and tell advertisers you're watching Game of Thrones

| DaiPlusPlus wrote:
| I used to think like that, then I realised that my life is not actually being made worse because of it. The TV doesn't know who I am, personally (I'm not signed-in to any accounts) and it's all just mass aggregate data that will probably end-up being ignored by network-execs so why worry?

| frankreyes wrote:
| There's no ipv4 nat for IPv6?

| zamadatix wrote:
| There is but it'd require a special device at each customer location. CG-NAT (a.k.a. double NAT) is probably what they did because it only requires a couple of centralized boxes then the rest is deployed like a normal dual stack network and your average home Netgear router works with it out of the box.
|
| NAT in the other direction (i.e. IPv6 local client, IPv4 remote host) is easier, and I'd be very surprised if they didn't already have that given the number of v4 only sites, but doesn't really help the v4 only devices.

| frankreyes wrote:
| Sorry flop the numbers. I meant public V6, private V4 nat.

| hitpointdrew wrote:
| Who the hell is giving their Roku a public IP?
| How is this remotely a problem? This is 100% not the fault of Roku, and 100% the fault of the ISP. The ISP should have an IPv6 to IPv4 gateway built into their modem/router. You have a WAN port that is IPv6 and an LAN port that IPv4.
|
| IPv6 for local networks, makes no sense is completely unnecessary, and is a hill I will die on. IPv4 is here to stay.

| blibble wrote:
| > IPv6 for local networks, makes no sense is completely unnecessary, and is a hill I will die on. IPv4 is here to stay.
|
| my mobile phone in the UK on one of the big 4 carriers only has IPv6 addresses
|
| and only has IPv6 connectivity
|
| (using 464XLAT)

| ehPReth wrote:
| who cares if it's "public" if it's firewalled; likely by default

| dijit wrote:
| link local ipv6 can be deterministic (no more shuffling IPs around!) and no more silly dhcp services running on anaemic hardware.
|
| Ditto for NAT, where devices can reach v6 endpoints (though stateful firewalls should stick around!).
|
| Honestly, I really hate change. but ipv6 does have some upsides and rather than complicate things, embracing actually simplifies things.
|
| The issue is that we have a lot of sunk cost on how we bolt on shit to ipv4 to make it passable in the modern day, and we begrudge having to relearn what we think is solved.

| carlhjerpe wrote:
| How do you reach all 2^128 ips when you only have 2^32 destinations?
|
| IPv6 makes sense everywhere.

| bonsaibilly wrote:
| Congratulations on completely failing to understand how CGNAT loads work & their costs, and jumping to a wildly incorrect understanding of the situation

| tpmx wrote:
| Prediction: CGNAT processing costs for gigabit subscribers will become negligible in the medium term (3-5 years). Not that it's wildly expensive today...

| merbanan wrote:
| MAP-T/MAP-E moves the CG-NAT functionality to the CPE. 60x users per IPv4 address should be doable.

| outworlder wrote:
| Yeah, and that's currently the top comment.
|
| Which leads me to believe that the main barrier to IPV6 is just that people don't want to re-learn anything.

| dpkirchner wrote:
| I think the main barrier is that for most people IPv4 works just fine and they've never experienced a problem that IPv6 would solve. Maybe they will, some day, like if Facebook and Google shut down their IPv4 IPs.

| JohnFen wrote:
| > the main barrier to IPV6 is just that people don't want to re-learn anything.
|
| I disagree, actually. I think the main barrier is that networking folks have been pretty bad at explaining this to non-networking folks. IPv6 isn't exactly simple to understand.
|
| I'm a reasonably network-savvy guy, and I'm sure that I understand less about IPv6 than I think I do. I just don't know what parts I'm not understanding properly, and what parts I just don't know about.
|
| It's pretty hard to find good explanations of this stuff that aren't aimed at networking experts.

| DaiPlusPlus wrote:
| Speaking for myself, but my main barrier to IPv6 adoption is my ISP (Wave/Astound, Seattle eastside) still being IPv4-only, despite having DOCSIS3.1 service.
|
| I didn't think it was even possible to have DOCSIS3.1 without IPv6 :S

| bastardoperator wrote:
| Not going to lie, I just turn IPv6 off on my router because I don't fully understand it and because I pay a little extra for a block of 3 IPv4 addresses.

| [deleted]

| ArchOversight wrote:
| The ISP said they got only a limited set of IPv4 addresses, those are assigned to their CGNAT gateways. Which are expensive, especially for an Indian Reservation, not the deep pockets of some MSP.
|
| The users are behind CG-NAT.
|
| But instead of using IPv6 which is cheaper (no need to maintain CG-NAT, translation devices, or deal with traffic that is being routed way more expensively) the Roku devices are only streaming over IPv4.
|
| Each new user that adds an IPv4 only device adds additional load the CG-NAT and additional capacity will need to be provisioned. That is an additional expense and burden.
|
| Most of my traffic at my house (on Comcast) is over IPv6, because most if not all streaming services now support IPv6 for content delivery, so the small amount of data that may need to go over IPv4 when the majority can go over IPv6 reduces the load on IPv4.

| zamadatix wrote:
| Realistically they are already running a large scale NAT device anyways, otherwise the v6 only clients wouldn't be able to reach v4 only internet services (hello HN server), and if they had planned to CG-NAT from the start it probably could have all been done on the same pair of internet edge routers for much less than 300k additional expense.

| Symbiote wrote:
| As the article says, the Roku traffic is the overwhelming majority of that ipv4 traffic.
|
| HN and similar mostly-text websites would barely show up on the statistics.

| brokencode wrote:
| Why does the IPv4 address need to be publicly exposed outside of a customer's LAN? I thought you could set up NAT on a router to translate local IPv4 addresses to something IPv6 that is exposed publicly.
|
| Is this simply bad planning from the ISP where they didn't handle it correctly? Or is there something I'm not understanding about NAT?
|
| I think in an ideal world all devices would be using IPv6. But I thought it would be common knowledge among network engineers that many devices still use IPv4, so you have to either handle it somehow or tell your customers that some of their devices simply won't work.

| ArchOversight wrote:
| Because the IP address the Roku is trying to reach is an IPv4 address. You can't just translate that to IPv6 and say "good luck little packet".
|
| If you translate at the customers router that's fine and all, but now you have an IPv4 packet in an IPv6 packet, that IPv6 packet needs to get routed to a device that knows how to then turn it back into an IPv4 packet so that it can then go travel on the open internet like the electrons intended...
|
| Once that IPv4 response come back, it needs to get translated back to IPv6, sent to the customers edge, which translates it back from IPv6 to IPv4 to send to the Roku device.

| brokencode wrote:
| Oh, what a mess. I don't like that at all.
|
| I was assuming that there was some way to translate the IPv4 address of the server to an IPv6 one and process it that way, putting the burden of supporting IPv6 on the server side. I had no idea that Roku would actually need to be exposing an IPv4 server to handle these requests.
|
| That makes sense then that the ISP would need some number of IPv4 addresses that it could use to communicate with IPv4 servers then on behalf of IPv4 client devices.
|
| Shame on Roku for perpetuating this problem.

| zamadatix wrote:
| CG-NAT (NATing centrally at the ISP's internet edge) is cheaper/simpler than something like 464xlat (NATing v4 locally over v6) since you can do the former on 2 boxes instead of 20,000. That said the 2nd option is much cooler :).

| ArchOversight wrote:
| 464XLAT still requires IPv4 boxes on the edge to translate IPv6 traffic back to IPv4. Whether that is two boxes or 20,000, the same is true for other CG-NAT solutions. Someone somewhere is bearing the cost of translating.

| zamadatix wrote:
| Usually you need a special box at the consumer side to do 464XLAT, it's not something you can just ask your customer's Netgear to do and it's usually more expensive if you want to provide it as the customer's rented router. CG-NAT however looks completely normal to all gear (other than the particular numbers assigned) except the 2 edge boxes.
| It's the ultimate cost saving kludge.

| cmeacham98 wrote:
| Most modern OSes (I know for a fact Android, iOS, and Windows) support automatically doing the 4->6 translation on their side (as a matter of fact, some cellular networks in the US are ipv6 only).
|
| I'm unsure if consumer routers would pass on the appropriate RA flag to tell the OS they need to do this in their default configuration however.

| zamadatix wrote:
| Well the devices that support 464xlat already support IPv6 by definition. CG-NAT/464XLAT+Client NAT at the gateway is for the devices like the Rokus that don't support IPv6 at all.

| cmeacham98 wrote:
| NAT64 doesn't work if the connection is made to a hardcoded IP(v4) address rather than DNS entry, and that's way more common than you'd think! Thus why 464XLAT and similar exist.

| lmm wrote:
| > IPv6 for local networks, makes no sense is completely unnecessary, and is a hill I will die on. IPv4 is here to stay.
|
| Why would you make everything gratuitously complicated by having two separate forms of addressing? All that IPv4 gains you is new and exciting ways to mess up your networking. Just give every device a normal public address (of course you probably want to firewall off inbound traffic from the WAN to the LAN, but that's got nothing to do with addresses) and have a normal network rather than some bizarre frankenstein mashup.

| znpy wrote:
| > you probably want to firewall off inbound traffic from the WAN to the LAN
|
| But all modem/routers are doing it anyway, they might as well do that on ipv6.
|
| Effectively all router appliances (at home and soho level) are linux appliances, and the firewall is built into the kernel (and in use anyway).
| phpisthebest wrote:
| Sorry I do not trust the likes of home router vendors to implement a linux firewall correctly
|
| While people may say "NAT is Not security", it is in fact a layer (and huge one) in the security onion, that ipV6 is likely going to increase drastically the amount of ransomware and other malware on the public internet simply because that NAT layer is gone

| blibble wrote:
| > that ipV6 is likely going to increase drastically the amount of ransomware and other malware on the public internet simply because that NAT layer is gone
|
| malware has connected outwards to c&c servers for more than 20 years

| JohnFen wrote:
| > Sorry I do not trust the likes of home router vendors to implement a linux firewall correctly
|
| Neither do I, but that's a fixable situation. Get an appliance router that lets you put DD-WRT (or similar) on it. Or use a computer instead of an appliance and set it up any way you like.

| phpisthebest wrote:
| I am by trade a network administrator, and I run enterprise gear in my home.
|
| I am not running a home router or dd-wrt. But I am not a typical user going down to best buy to pick up the latest Belkin or Asus wireless AP / router combo they have on sale for $99 and hooking it up to my internet using default "wizard" settings from the mobile app...
|
| Nor am I trusting Comcast, or ATT to configure their residential rented equipment properly with proper firewall rules
|
| My comment is not about me, I have enterprise grade nextgen firewalls that are $$
|
| My comment is about Grandma that calls up comcast to have them set it all up, or Sally that is going into best buy for the "Geek Squad" so hook her up...

| yamtaddle wrote:
| I remember what it was like when lots more home computers were routable from the public Internet, because having a NAT router between them and there wasn't a nearly-100%-adoption thing yet.
| In fact, I worked at an ISP (dial-up and DSL) in that era.
|
| It was indeed a shit-show. Adding a NATting router to those set-ups instantly increased their security tremendously. Sure you could use a proper firewall, but the router w/NAT Just Works.

| phpisthebest wrote:
| I can't wait until all the printers, and webcams all show up on the public internet again....

| yamtaddle wrote:
| Portscanning for smb shares and webcams, LOL. Good times. Found entire offices routing their whole network publicly, back then, shared network drives and printers right there for use by anyone who stumbled on them. It was nuts. Worms spread like crazy. It was a real mess, and that's with the Internet being _way the fuck friendlier_ than it is now.

| hitpointdrew wrote:
| Why would I want any of my devices on my network to have a publicly route-able address?
|
| > Why would you make everything gratuitously complicated by having two separate forms of addressing?
|
| How is IPv6 itself not "gratuitously complicated". You think I am going to remember the IP of my firewall, my network switch, if it is that mess of characters that is an IPv6 address? I can easily recall 10.10.10.1 is my gateway, or that 192.168.1.1 is my gateway. You think instead setting up local DNS server and domain so I can do myrouter.lan is somehow "less complicated"?
|
| Hard pass.

| xxpor wrote:
| Why would you need a DNS server? That's what mDNS is for.

| vetinari wrote:
| Some people might have more than one subnet. Or road-warrior VPN and VPN-ing in. It is nice when your networks name resolution works, even if you are outside your network.

| xxpor wrote:
| If you have multiple subnets, you almost certainly have an advanced enough router that it supports mDNS forwarding. There's no reason why it can't work across a VPN either.

| zamadatix wrote:
| fe80::1 is your gateway, fe80::2 can be your switch, fe80::blah can be your server.
| Let the device automatically get its temporary public address it uses when talking through fe80::1, you shouldn't really need to know it or use it. If you really do feel free to use DHCPv6 or a static SLAAC offset of mDNS but you're just making more work for yourself if it's a home environment.

| ownagefool wrote:
| The main reason would be to do p2p without hacks / servers.
|
| Why are you so militant against the idea?

| tristanbvk wrote:
| >Why would I want publicly routable addresses
|
| Hate to break it to you but that is how the internet was intended to work for end-users. Firewalls are cheap and easy to install :)

| JohnFen wrote:
| > Why would you make everything gratuitously complicated by having two separate forms of addressing?
|
| If it ain't broke, don't fix it? If IPv6 brings no benefit to my LAN, why should I spend all the effort needed to shift it to IPv6? I can just make the connection to the internet IPv6 and leave everything else alone.
|
| Although I have additional friction in my case, in that I have numerous devices that are IPv4-only. So no matter what, I'd have to at least have one LAN segment that is IPv4.

| tristanbvk wrote:
| Finally some sense. There are so many senseless IPv4 shills here. IPv6 always works, never had a problem with it.
|
| Just switch to it already.

| slackdog wrote:
| I'll switch when IPv4 stops working. Until then, I have no reason to switch.
|
| > _It's costing ISPs_
|
| I hate my ISP so this is actually a feature. If they add an IPv4 surcharge to my bill then I'll reconsider.

| acedTrex wrote:
| A pipe dream, but the best case seems to be a total standardization on v6

| zamadatix wrote:
| By traffic it seems like "if only we didn't have these Rokus!" but it's a streaming device, it generates a lot of traffic compared to the other IPv4 only devices.
| Inevitably the long tail of devices is what's costing them extra (sounds like CG-NAT dual stack or 464xlat at the gateway) not just the Roku devices.
|
| As someone who operates their own ASN with IPv6 because I like v6 so much the problem here was simply poor planning. Handing out Apple TV's to replace Roku devices isn't going to make the need for v4 services go away at these homes.

| ArchOversight wrote:
| It may not reduce the need for IPv4, but it will reduce the need for costly CG-NAT devices and capacity for IPv4 when the streaming can happen over IPv6 which does not require the costly CG-NAT devices.

| zamadatix wrote:
| I may be mistaken on how many people this ISP is serving but for 300K they should have gotten pro serv, licensing, and hardware for ~100 million sessions, some of which now no longer need to go through the NAT64 hardware.
|
| Hopefully they didn't buy through the same people that sold them the NAT64 hardware+software without CG-NAT built in though...

| Gigachad wrote:
| Wonder if ISPs will just let their CG-NAT get overloaded and if you want to send a v4 packet you just have to wait for your time slice on the hardware.

| toast0 wrote:
| I've seen that. Too many connections, so the idle timeout is now ten seconds. And, as per usual middlebox NAT, no packets sent when closing an idle connection, and no response to packets sent on 'unknown' connections.

| hugoromano wrote:
| The recent Netflix password-sharing cracking may create some Roku victims.
|
| The other day, I reviewed the devices logging into my account, all inside my house. However, there was one caveat: two Apple TVs in IPv6 and one Roku in IPV4, with different ASNs, showing as two separate networks 900 km apart. I didn't receive any Netflix notice so far.
| vkdelta wrote:
| For a company who thrives on making cheap devices and charging for licenses/platform, this is almost a crime especially when supporting ipv6 on Linux based devices is much easier now. Wonder why don't support it.

| colordrops wrote:
| Are Rokus Linux based? I'd love to install an alternate distribution on one.

| yamtaddle wrote:
| From Wikipedia:
|
| > The Roku box runs a custom Linux distribution called Roku OS.
|
| Looks like yes.

| throw0101c wrote:
| > _Are Rokus Linux based?_
|
| Even if it wasn't, don't most embedded OSes come with IPv6 support? How small do you have to be to not have it? QNX is pretty compact, and even it has it:
|
| * https://www.qnx.com/developers/docs/7.0.0/#com.qnx.doc.neutr...

| kevin_thibedeau wrote:
| LwIP is common on embedded devices. It has only supported dual stack in the last few years but even if it's possible, there are resource savings when only running v4.

| filmgirlcw wrote:
| What would the point be, exactly? The stuff that makes a Roku worthwhile are all the apps and the proprietary drivers and networking stack stuff. If you're going to put an alternate distro on it, you might be better off getting a whitebox Android TV/Kodi/whatever box off of Aliexpress than trying to get around the limitations on the Roku hardware.

| javajosh wrote:
| It would be pretty cool to be able to program my Roku to do anything I want, rather than be limited to whatever they want. In theory I can connect another device to the TV and use it as a display, but even in that case the Roku software is active. A security researcher (amateur or professional) is going to want to get in there and see what's going on in addition to running through a proxy.
|
| There are also some scenarios (admittedly pretty contrived in our compute-rich world) where your TV computer is the only one available to you, and so it would be in your interest to expand its functions.
| Imagine a kid in a poor neighborhood - theoretically with just a keyboard and a USB stick he could be using that TV as an internet-connected computer to learn how to program. That's a lot more value than running Netflix, IMHO.

| abracadaniel wrote:
| This is an area that seems surprisingly empty from my observations. There doesn't seem to be much interest in rooting Rokus, and even if you did there doesn't seem to be a good open source replacement. The closest would be to install Android TV, but that's just exchanging one closed garden for another.

| Syonyk wrote:
| > _Wonder why don't support it._
|
| It's probably harder to tie devices in a single household together with IPv6 than with IPv4, or so they think.
|
| They don't make (much) money on their devices, they make money on selling data collected and aggregated by their devices. Their "privacy" policy [0] is a hoot to read. "Whatever we can do, we will. If the laws of the country we collected the data in would interfere with that, we'll move the data and then do what we want." I mean, they grant themselves permission to nmap your network for other devices! Emphasis mine.
|
| > _We may receive information about the browsers and devices you use to access the Internet, including our services, such as device types and models, unique identifiers including advertising identifiers (e.g., for Roku Devices, the Advertising Identifier associated with that device), MAC address, IP address, operating system type and version, browser type and language, Wi-Fi network name and connection data, __and information about other devices connected to the same network__._
|
| [0]: https://docs.roku.com/published/userprivacypolicy/en/us

| jmclnx wrote:
| > It's probably harder to tie devices in a single household together with IPv6 than with IPv4, or so they think
|
| So I wonder if this means it is harder to ID the consumer with IPv6?

| megous wrote:
| It's easier.
| You'd be using SLAAC and your devices would have a globally unique IP address based on the MAC address of their network interface.
| outworlder wrote:
| Expect that some systems use random temporary IPv6 exactly to make it harder to track (even Windows)
| toast0 wrote:
| > It's probably harder to tie devices in a single household together with IPv6 than with IPv4, or so they think.
|
| It's probably easier, in fact. A significant and growing number of households are behind CGNAT on IPv4 and do not have a 1:1 household : ip address relationship. On the other hand, if they're on IPv6, they're most likely on the same /64.
|
| But, Roku's not doing IPv6 was handy for me when Netflix decided not to accept IPv6 connections over Hurricane Electric tunnels. I didn't have to change anything, and I didn't have to do anything, the Rokus were already ignoring IPv6.
| mitchs wrote:
| The big issue with v6 is you don't know what every ISP is doing with their IP space. The current RIPE recommendation is to delegate somewhere between a /48 to a /56 to every customer. Some ISPs might only delegate a 64, and perhaps typical home wifi setup may only use a single /64. For data aggregation maybe the error is ok, but I've wondered about what IP banning/filtering looks like for v6. Assume everyone gets a /64 and most cats will have 256 lives, and sometimes 16384. Assume everyone has anything larger than a 64, and you may block 255+ other people with the intended target.
| Gigachad wrote:
| IP based bans have long been obsolete imo. These days a combination of google captcha tracking and phone number verification is mostly used. A few things like IRC and 4chan still do IP bans which is painfully obvious when you notice you are randomly banned depending on what CG-NAT handed you at the time.
| yamtaddle wrote:
| > __and information about other devices connected to the same network__
|
| They may also be doing more nefarious things, but this might just mean it watches for UPNP and other announcement-broadcast messages on your network (like, say, mdns).
| Syonyk wrote:
| The rest of their "Haha, you bought one of our devices, all your data is ours!" policy doesn't give me much cause to give them the benefit of the doubt here.
|
| At least some people [0] have reported their Roku device scanning their network, which is explicitly allowed in that policy. Though you can probably do a lot of it passively without leaving those annoying traces.
|
| Once they've granted themselves permissions to do it, why wouldn't you? Knowing a house is an Apple household with a lot of devices probably means they've got money, or at least a willingness to take on debt. You can get a sense of when devices come and go to help identify activity, and if you're particularly annoying, you could snoop wireless signal strength of other devices on the LAN to get an idea of who's in the room with you.
|
| If it's only got a few Androids and Chromebooks, well, probably lower income. If you can't find a thing on the LAN, you're probably in the house of a computer security researcher and should behave. Etc.
|
| If they meant to say "We watch for UPNP announcements to identify other content sources on your LAN," they could have said that. But they didn't. They left the door wide open to do whatever home LAN analysis they think they can get away with.
|
| I mean, this is a company whose response to the "Do Not Track" bit is to ignore you [1]. No standards? It's _literally in the name._
|
| > _Do Not Track_
|
| > _Some Internet browsers include the ability to transmit "Do Not Track" signals.
| Since uniform standards for "Do Not Track" signals have not been adopted, the Roku Sites do not currently process or respond to "Do Not Track" signals._
|
| [0]: https://community.roku.com/t5/Wi-Fi-connectivity/Roku-Device...
| [1]: https://docs.roku.com/published/cookiepolicy/en/us
| birdman3131 wrote:
| They use this for the remote feature in the app. You can control roku's on your network without being signed into the roku account tied to the device iirc.
|
| (At least. Not saying they are not doing anything else bad, Just that there is a valid use.)
| michh wrote:
| What I don't understand is why. Their OS is built on a linux kernel from at most a couple of years ago. I'm assuming the same goes for the libraries and the parts of the userland they didn't make themselves. On any linux kernel not from the 90s it's more effort not to support IPv6. Unless they rolled their own, which would be a tremendously stupid thing to do.
| tpmx wrote:
| Perhaps they have a limited development team and chose to focus on matters that bring in the most dough and/or make their average customer the happiest.
| cocodill wrote:
| that's not a bug, it's a feature
| znpy wrote:
| The amount of idiocy and ignorance around ipv6 is crazy.
|
| I've seen many supposedly senior engineers that claimed they didn't want to implement ipv6 because anyone could connect to hosts from "outside".
|
| Nat has become so engraved in people's thinking that they can't even understand the actual role of a firewall anymore.
|
| We're going to see many stories like this, where networking incompetence will start costing pretty pennies to companies.
| whatwhaaaaat wrote:
| It's not just that ipv6 is publicly routable but rather the mistrust of ipv6 itself. There have been a multitude of remotely exploitable vulnerabilities with ipv6 many in embedded devices that are not getting patched.
|
| Turn on ipv6 and all of these vulnerabilities are instantly exploitable.
| It's not a matter of filtering as some of these vulnerabilities are in parts of the icmpv6 required for configuration. For an alarming example check out some of the rtos vulns back in 2020.
| zamadatix wrote:
| On the flip side I'm so regularly impressed by what random HNers know about networking (particularly due to containers) I sometimes wonder if there is a point in me being a network guy!
|
| I think a large part of the general attitude is IPv6 is a topic everyone is exposed to but few have really been expected to know so there is a lot of strong feelings about how it's crazy compared to the thing they've already spent 20 years getting familiar with. I think if everyone was exposed to NAT in the same fashion there would be a 10x stronger reaction against NAT than IPv6 but at this point everyone is used to NAT and IPv4 and forgets how weird/annoying they really are too.
| tristanbvk wrote:
| I have devices on public v6 at home. When I hear people complain about these things I honestly ask them. What the hell are you running on your machine that you don't want anyone accessing? Bind it locally then or use an fwall.
|
| I am astounded by the lackadaisical stance of network admins in the pro-v4 camp.
| jedberg wrote:
| Basic corporate and home networking with NAT and sane default firewalls have been solved for so long now that even senior engineers have never had to deal with it. I haven't had to deal with firewalls in 15 years now.
|
| So I can't entirely fault them for not understanding, but you're right, it's kinda nuts.
| FridgeSeal wrote:
| > I've seen many supposedly senior engineers that claimed they didn't want to implement ipv6 because anyone could connect to hosts from "outside"
|
| I had this argument with the head of dev ops at my previous work. They claimed IPv6/dual stack networks were a security risk that couldn't possibly be tolerated.
| The fact that they were going to be private subnets, and would have a firewall, NACL's, etc was lost on them.
| totallyunknown wrote:
| I have reviewed the logs for our video CDN and out of 150,000 sessions, only 48 were identified to be using IPv6. These sessions were identified by the user-agent Roku/DVP-12.0 (12.0.0.xxxx-xx), indicating that the recent update to the operating system now supports IPv6.
| slaymaker1907 wrote:
| I wonder if it's just a bunch of old and outdated Roku boxes causing problems? They probably work off of a ~3-5 year support cycle like phones but are updated even more infrequently by endusers (why should they if it's still working for them?).
| totallyunknown wrote:
| All other streams are made with 11.5 - which is the official latest version.
| zamadatix wrote:
| Release notes don't say anything about that change but it wouldn't surprise me if it was left out.
| favaq wrote:
| What makes no sense in 2023 is to have an IPv6-only network. That is liable not to work. Someone will eventually bring some old device that won't be able to connect.
| jonny_eh wrote:
| Did you mean "IPv6-only network"?
| [deleted]
| favaq wrote:
| Definitely, thanks!
| dmitrygr wrote:
| My #1 step in troubleshooting any network issues is to disable IPv6. Step #2 is so rarely needed that I no longer remember what it was. IPv6 has been a failure, it is about time we openly admitted it. Why? Simple - it causes consumer pain and no consumer gain
| dragonwriter wrote:
| You can't just change the size of an IPv4 address without creating a whole new thing.
| CoolGuySteve wrote:
| You can though, there is an options field in IPv4 that could have been made to hold extended address values.
|
| It was used as part of the Extended Internet Protocol: https://www.rfc-editor.org/rfc/rfc1385
|
| And the Address Extension protocol aka IPv7: https://www.rfc-editor.org/rfc/rfc1475
| outworlder wrote:
| And now you need all routers in your path to support it. Effectively creating two incompatible networks and achieving a worse result.
| CoolGuySteve wrote:
| They're specifically designed so only routers at the edge need to support them.
|
| You should try reading the specs before making technical claims instead of completely missing the point of why those RFCs were created in the first place.
| dmitrygr wrote:
| Yes, but let's not pretend that IPv6 was just IPv4 with a larger addr size. A lot of other unnecessary cruft got changed. That is kinda the issue. Add an extra octet to IPv4, call it IPv5. Done. DHCP (as is) can already handle variable-length addresses so it'll work unmodified for 5-byte addrs, for example. Same for ARP.
| lmm wrote:
| > Yes, but let's not pretend that IPv6 was just IPv4 with a larger addr size. A lot of other unnecessary cruft got changed.
|
| Mostly removed (e.g. removing fragmentation). If you're making an incompatible protocol, might as well take the chance to remove the cruft.
|
| > Add an extra octet to IPv4, call it IPv5. Done.
|
| Have fun debugging nondeterministic routing loops lol.
| thesnide wrote:
| I am wondering if we could hack the ipip tunnel to automagically handle a bigger address space.
|
| Much akin to your idea but mostly supported already
| wvenable wrote:
| But the IPv6 changes are actually good, right? IPv4 was designed for an entirely different world and IPv6 was designed for this world. You're only going to get one chance to make these kind of improvements.
| tristanbvk wrote:
| IPv6 has link-local, v4 doesn't. That is a huge configuration win.
| colordrops wrote:
| At least for local applications at home, this has been my experience as well.
| I'm sure data center operators love ipv6 but it's been nothing but a headache with no benefit for home consumer use.
| yamtaddle wrote:
| I remember when I first got Google Fiber and the solution to "amazon.com _will not_ load, ever, period" was to disable ipv6 on their router.
|
| Not sure I've ever bothered to turn it back on.
| bcoates wrote:
| That hasn't been my experience at all. Working around slow, unreliable NAT devices (all of them) causes stuff that runs over ipv6 (these days, almost anything that uses significant bandwidth) to work better and faster for me.
| ehPReth wrote:
| If only everyone hadn't dragged their feet "because it's too hard"; we could maybe be living in an IPv6 utopia? Maybe if the government started handing out fines? haha
| betaby wrote:
| Please leave the profession - you lack the required qualification.
| op00to wrote:
| IPv6 was enabled about 6 months ago in my area by my ISP. I noticed it was on about a week after they enabled it because I saw funny IPv6 networks I didn't recognize in a log somewhere. I doubt this national ISP would turn on IPv6 like this without any notification if they were concerned it would cause "consumer pain and no consumer gain". No pain here, and I'm hosting IPv6 only sites I can easily access from my mobile (with native IPv6) for fun.
|
| Is it possible your ISP's IPv6 network was problematic? I'm not sure how you can draw the conclusion that "IPv6 has been a failure" given evidence it's live, in public, serving its purpose. The world has not exploded.
| silisili wrote:
| I feel similarly, but what is the solution? IPv4 blocks are all but impossible to get anymore, there's a waiting list at ARIN that doesn't really ever move. The company I was working at signed up 3 or 4 years ago for a /24 and never heard back to this day.
| Sure you can rent/buy them on the open market, but that's only going to last so long, and eventually puts anyone without FAANG money out of the running...
| baq wrote:
| Regulation. Incentivize ipv6, tax ipv4 only devices, mandate ipv6 in government networks.
| tristanbvk wrote:
| Ah yes "the government will fix it" okay.
|
| Maybe practice what you preach and deploy v6. I have. In fact I run v6 only.
| slaymaker1907 wrote:
| There is a cost there though as mentioned in the forum post. The ISP in question is using CGNAT, but they need more IPv4 addresses even with CGNAT to support higher loads. CGNAT only reduces the number of IPv4 addresses required, it does not eliminate the scaling.
|
| However, I do think IPv4 is honestly pretty good for local or even WAN networking for organizations. You're unlikely to ever hit limits in the reserved blocks and it's much easier to read and work with IPv4 addresses. Maybe we need easier configs to block IPv6 except for external addresses?
| DaiPlusPlus wrote:
| > I do think IPv4 is honestly pretty good for local or even WAN networking for organizations
|
| Strong disagree here: I sometimes do work which involves VPNing-in to SMB company on-prem networks from within other SMB's on-prem networks, so they're all invariably using 192.168.x.x or 172.16.x.x which means they all conflict with each other when you want to use LAN resources at the same time you're VPN-ing to another network.
|
| My hope is that IPv6 will mean point-to-site and site-to-site VPNs will die-off and we'll be able to connect all hosts directly to other hosts - but then I'm reminded that configuring an IPv6 firewall for IPSec is conceptually much harder than setting up OpenVPN - and SMBs don't have much in the way of people who even know what IPSec is, ugh.
___________________________________________________________________
(page generated 2023-03-06 23:00 UTC)
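Added example, not part of the thread or any commenter's post: two points raised above, in Python. It shows the prefix length an operator keys IPv6 bans or rate limits on (the /64 versus /56 trade-off) and a check for SLAAC addresses that embed the interface MAC via EUI-64. The function names and the 2001:db8::/32 sample addresses are constructed for illustration.

```python
import ipaddress

def ban_key(addr: str, v6_prefix: int = 64) -> str:
    """Key to ban or rate-limit on: exact address for IPv4, covering prefix for IPv6."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:a.b.c.d is an IPv4 client on a dual-stack socket
    if ip.version == 4:
        return str(ip)
    return str(ipaddress.ip_network(f"{ip}/{v6_prefix}", strict=False))

def collateral(seen, target: str, v6_prefix: int):
    """Other client addresses in `seen` that a ban on target's key would also block."""
    key = ban_key(target, v6_prefix)
    return sorted(a for a in set(seen) if a != target and ban_key(a, v6_prefix) == key)

def eui64_mac(addr: str):
    """Return the MAC embedded in an EUI-64 SLAAC address, or None if there is none."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 6:
        return None
    iid = ip.packed[8:]                 # low 64 bits: the interface identifier
    if iid[3:5] != b"\xff\xfe":         # EUI-64 inserts ff:fe in the middle of the MAC
        return None                     # (a random IID matches by chance 1 in 65536)
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]  # undo the flipped U/L bit
    return ":".join(f"{b:02x}" for b in mac)

# Constructed sample clients (documentation prefix 2001:db8::/32), not real log data.
SEEN = [
    "2001:db8:aa:100:211:22ff:fe33:4455",  # household A (delegated a /56), EUI-64 address
    "2001:db8:aa:101:5c3a:91e7:b42:d0f1",  # household A, second /64, temporary address
    "2001:db8:bb::5",                      # household B (ISP delegates only a /64)
    "2001:db8:bb:1::7",                    # household C, B's neighbour in the next /64
    "::ffff:203.0.113.7",                  # IPv4 client seen on a dual-stack listener
]

if __name__ == "__main__":
    for plen in (64, 56, 48):
        print(plen, {a: ban_key(a, plen) for a in SEEN})
    print("B banned at /56 also blocks:", collateral(SEEN, "2001:db8:bb::5", 56))
    print("MAC-derived addresses:", {a: eui64_mac(a) for a in SEEN if eui64_mac(a)})
```

With these samples, keying on /64 lets household A's second subnet slip past a ban on its first, while keying on /56 catches it but also blocks household C when household B is the target.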