Readit News
pantalaimon · 3 years ago
I also don't understand what stops ycombinator from supporting IPv6. It's a pretty simple website, what's the big effort?
tambre · 3 years ago
The most touted reason is that their anti-spam systems only support IPv4. Their old Cloudflare endpoint however is still alive and you can't disable IPv6 on Cloudflare so feel free to add the following to your /etc/hosts:

    2606:4700::6810:686e news.ycombinator.com

Interestingly when I tried to post the above comment over IPv6 I got a Cloudflare "You have been blocked" page. This might be something they do not want you to know! :D

r1ch · 3 years ago
This was an interesting Cloudflare "feature" I found out about the hard way. Even if you only use Cloudflare for DNS hosting, they will happily accept proxied requests for your hostnames and route them to your origin. I discovered this when we received an L7 DDoS from only Cloudflare IPs - the attacker had pointed their bots at Cloudflare with our hostname (bold move!).

The official solution (and might be why you see the blocked page) is to set up the WAF to block all requests.

exabrial · 3 years ago
You in fact CAN disable ipv6 on Cloudflare, but they make you do it with an API request.
stingraycharles · 3 years ago
Interesting that apparently this is a problem, I would have thought that spam filtering is completely outsourceable by now.

Doesn’t CloudFlare have good bot detection? What does HN do that relies on IP addresses that CloudFlare can’t do?

codeflo · 3 years ago
Wouldn’t it be reasonable for their backend to only accept (write) requests from whatever the anti-spam proxy is? Otherwise, there’s little point.
fzfaa · 3 years ago
I know of so many websites that break spectacularly when you do that...
dang · 3 years ago
We're just slow.
spaceribs · 3 years ago
I truly feel this statement in my bones the longer I'm in technology...
omegalulw · 3 years ago
How does ipv4 vs ipv6 affect speed?

CottonMcKnight · 3 years ago
Considering how long it took AWS to add IPv6 to services across the board, I'm not surprised that it's taking so long. On the other hand, it would be nice if they would be transparent about the challenges or the reason for the delay, rather than radio silence or, at best, "we're working on it."
bragr · 3 years ago
It's debatable to what extent AWS has IPv6 across the board. Many seem to be using a 6 to 4 layer under the hood which can result in noticeable behavior.
luhn · 3 years ago
> Considering how long it took AWS to add IPv6 to services across the board

Unfortunately all but a handful of their APIs have yet to support IPv6.

nfriedly · 3 years ago
My ISP (Metronet) uses CGNAT and refuses to touch IPv6. In my case, when I complained that port forwarding didn't work, they gave me a static IPv4 for free, but I have to call back once a year or else they start billing me $10/month for it.

I don't need a static IP. I'd be completely fine with a dynamic IPv4 or even dynamic IPv6. But they don't offer that. Just static IPv4 or CGNAT IPv4. Oh well, some day...

Symbiote · 3 years ago
With most people leaving their router switched on all the time, the difference between a static and dynamic IPv4 address from the point of view of the ISP is probably marginal.
foepys · 3 years ago
In Germany all bigger DSL providers still disconnect you once a day and issue new IPs.

Bad for at home hosting, good for privacy.

nfriedly · 3 years ago
Yeah, that's true enough.

I guess the point I was trying to make is that I think IPv6 is a better solution to their problem of not having enough IPv4 addresses.

codebje · 3 years ago
The difference is typically between a static _public_ IPv4 address or a dynamic _private_ IPv4 address, and CGNAT sharing public IPv4 addresses across subscribers.
bombcar · 3 years ago
For a long time I ran a HE tunnel to get me some sweet static IPv6, but now that my cable company has turned it on I no longer need that (probably should still have it as a backup).

https://www.tunnelbroker.net

pelorat · 3 years ago
Guess they are sticking with their old equipment, because IPv6 is free in any modern industrial ISP router.
heywire · 3 years ago
I also have Metronet, but haven’t found any compelling reason for a static IP. I use Tailscale for remote access, and though I don’t host anything from home currently, Cloudflare Tunnel should work.
kuon · 3 years ago
For about 4 years I have considered IPv6 first and IPv4 second. If IPv6 has an issue, I consider the service down, not just half down or slightly non operational. If I call an ISP for an IPv6 issue, I say "internet is down" even if IPv4 is working.

This policy helped move things forward on the networks I worked on. Lately I did set up a business internet with SLA, I specifically told the ISP I would not accept the contract if the SLA did not mention IPv6 as required.

But it is still a lot of battle, where it should be the default.

GitHub not fully supporting IPv6 is a real shame and they should really move things forward to support it quickly.

Also, systems should not use IP addresses as a means of security or authentication, it was a bad idea for IPv4, it is an even worse idea for IPv6. To give you an example of bad firewall behavior, I was checking my electric bill from the train, and suddenly my account got blocked, and it took me a lot of time and effort to fix (physical mail...). My IP changed while I was browsing a page and the firewall didn't like it.

bityard · 3 years ago
> For about 4 years I have considered IPv6 first and IPv4 second. If IPv6 has an issue, I consider the service down, not just half down or slightly non operational. If I call an ISP for an IPv6 issue, I say "internet is down" even if IPv4 is working.

Wow, you live in a very different world than me. If I did that, I can 100% guarantee that the answer from the other end of the line would be, "The Internet is working for everyone else just fine, maybe try clearing your cookies. Have a nice day. click"

tiernano · 3 years ago
That's the difference between residential and business class broadband. My ISP in Ireland, Virgin Media, has fairly useless support for residential, but for business, they are on the ball. And for enterprise (dedicated line in the office) they are even better. Suppose it depends on what you pay for.
kuon · 3 years ago
I was speaking for business lines/contract. They usually have actual support with SLA. Residential is a lottery but local (public owned in a small village) will usually care.
waffle_ss · 3 years ago
This shortcoming becomes immediately apparent when you try to use certain VMs, like from Vultr, which are IPv6-only with no CG-NAT. You can't clone anything or fetch any release binaries at all.
geraldcombs · 3 years ago
If your VM provider issues IPv4 addresses you can run into another issue: your v4 address might be dirty. I recently spun up a development VM and was unable to download packages from maven.org. Apparently the address had previously been used for abuse and ended up on a blocklist.
bongobingo1 · 3 years ago
Hmm, interesting. I tried Vultr a few months ago and had a number of issues, wonder if that was related. Is it common for a provider to only give out v6? My experience is really only with Linode - which I've never had a problem with for years, and a bit of playing with DO which seemed fine but didn't wow me enough to move infra.
wongarsu · 3 years ago
It'd be more accurate to say it's becoming common for providers that compete on price to give IPv6 a price advantage. I don't use Vultr, but they seem to occasionally have $2.50/month instances with IPv6 only. Hetzner charges you $0.50/month for an IPv4 IP for cloud instances, and $1.70/month for one for dedicated servers.
joecool1029 · 3 years ago
Hetzner sells v6 only dedicated servers, you have to pay a little extra for a v4 address now. So yeah, I'd consider it pretty common.

I have a weather station I run on T-Mobile which is v6only with a ipv4 CGNAT. I just Cloudflare the v6 endpoint and my legacy (v4) users can visit the station.

bombcar · 3 years ago
As others have said it's getting more and more common on the low-cost providers (especially if you get outside the US/Europe and into Asia).

But even then they often have an ability to get a NAT IPv4 connection out somehow.

forgot_old_user · 3 years ago
This is sad :( hetzner charges extra for ipv4 address, and this means I couldn't run `git clone` without paying extra.
longsword · 3 years ago
> This is sad :( hetzner charges extra for ipv4 address, and this means I couldn't run `git clone` without paying extra

Well, they added the Option, so you can get your server for less than normal. The Servers are cheaper, if you Opt-Out of IPv4. I really liked that move.

blibble · 3 years ago
with no NAT64 gateway or something similar to it?

pretty lame by hetzner if that's the case

xnyanta · 3 years ago
Hetzner has an official NAT64/DNS64 gateway you can use with their v6-only offerings.
Gigachad · 3 years ago
Think of it as providing a discount for going v6 only. Every single provider is charging you to have a v4 address. They aren't charities. Some providers just let you opt out of paying for that.
ugjka · 3 years ago
IPv4 is only 0.64€ upsell
xvilka · 3 years ago
Meanwhile in both India[1] and China[2] (two biggest countries by Internet users count) IPv6 is mandated by the national policy. Everyone else should do that, otherwise the transition would never be finished. ISPs and other network businesses should be forced to do upgrades by the law or policy, otherwise they will never allocate budget and resources for that.

[1] https://www.indiatimes.com/technology/news/india-sets-new-de...

[2] http://www.stdaily.com/English/ChinaNews/202208/e154b19bb5b0...

gerdesj · 3 years ago
I have had a dual stack at home and work for around a decade now but "Everyone else should do that" is a bit proscriptive.

If it ain't broke (and it really isn't quite yet) then I suggest we crack on. IPv4/6 are simply transports, one has a larger address space and quite a lot of attitude! There are translation mechanisms so it is unlikely that anyone will be left behind. As systems move to IPv6, parts of IPv4 space are released and 6to4 n that tunnels can patch up the holes.

You need to learn patience. It took me about two years to persuade a firm with around 6000 employees to deploy DHCP back in the day. I made sure it was everyone else's idea and took my time. That was a tiny thing. This is the entire internet and it requires a massive mindset shift, engineering, purchasing and what not.

I'm going to tentatively put IPv4 -> IPv6 in the "paradigm shift" category. It isn't really technically: the wires (ethernet etc) are the same but the bits are somewhat different!

If you really want to get steamed up then why not debate the semantics of how multi-WAN connections should work with IPv6? Suppose you have two ISP connections for WAN and hence two lots of addresses. How do you deal with an ISP outage? How do your PCs know which set of source addresses to use? Do you use NAT64 or NPT or something else.

Another thing to consider is how do you "bootstrap" your network with IPv6 and how do you deal with a change of ISP? Do you set DNS servers with ULA addresses so they stay static or what? Bear in mind that SLAAC doesn't give out DNS servers. OK, let's do DHCPv6 ... not on Android ...

IPv6 needs some care. It has been messed and muddled around with so many times and it still has some gaping holes. For me the biggest problem is the righteous indignation you find at nearly every turn where stuff gets broken for its own good.

It all starts to go wrong with "everyone should"!

The starry eyed approach that you think that India and China espouse is simply twaddle. No one really thinks that in the real world, despite what is said on TV. Nation policy of that sort is normally a case of "Do as I say and not as I do".

In my opinion we should damn well continue to muddle along as best we can with what we've got. We will patch the flaws and paper over the cracks because that is what engineers do.

gerdesj · 3 years ago
Another elephant in the room: /64, /56, or /48. The first one is completely unacceptable in the modern world, the second is acceptable and the third is desirable ... per ISP connection.

If you only get a /64 ie one IPv6 subnet prefix then you are only a tick in a box.

Ideally you also get a separate uplink subnet too along with your shiny prefix for WAN. There is an RFC that will enable a sub-prefix from a prefix allocation to be taken out for WAN and make it all work. Sorry if that sounds like gibberish - I won't explain that lot here!

There are so many things to get sorted with IPv6 - it is not a finished thing. It's only about 40 or so years old.

the_mitsuhiko · 3 years ago
I think what a lot of people like to miss is that a lot of detection and antispam stuff is not working well on ipv6. A server without any ipv4 is still limited in many more ways than not being able to reach github which probably means there is not a lot of pressure for github yet.
djbusby · 3 years ago
Any quick info on why anti-spam/bot detection is harder on IPv6?
stingraycharles · 3 years ago
Probably because with IPv6 privacy is built-in somewhat into the protocol, eg you can have a different IP really easy. For example, I can see my desktop right now has 7 different addresses.

Now, you could truncate this to eg a /64 or /56 range to identify users, but each ISP has different rules. Mine gives a /56, but I also hear many give only a /64 or less.

As such, it basically means that you can’t really rely easily on IP addresses anymore for spam detection, rate limiting, etc.

Note that I’m not an expert on spam filtering, but I do have quite some networking experience and QoS, and ran into these issues a lot.

kmeisthax · 3 years ago
Because IPv6 addresses are free and IPv4 is expensive. Same reason why Google won't let you sign up without SMS verification. If you're caught spamming or breaking TOS you've effectively burned that v4 address or phone number.

v6 is more difficult, by design. The lower half of the address is deliberately not subnettable and it is the explicit design intent that machines on a v6 network can just make up new addresses within a /64 as they please. So you have to burn subnets. Except there isn't really a standard for how subnets are issued: most ISPs hand out /48s, Comcast insists on /64s for residential use, etc. In the IPv4 world you could ban one IP at a time, and only move on to banning entire AS allocations if you needed to. On IPv6, banning a /64 is a lot less impactful, so you have to start with the most drastic and customer-hostile option.
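
The prefix truncation and "burn subnets" approach described in the two replies above, as an added example that is not part of any comment in this thread. The /64, /56, /48 ladder, the 4x limit per step and the names `buckets` and `PrefixLimiter` are assumptions chosen for illustration; the addresses are constructed from documentation ranges.

```python
import ipaddress
from collections import Counter

V6_LADDER = (64, 56, 48)  # assumed escalation steps; ISPs delegate different sizes

def buckets(addr):
    """Return the networks an address is counted under, narrowest first."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:a.b.c.d is an IPv4 client on a dual-stack socket
    if ip.version == 4:
        return [ipaddress.ip_network(f"{ip}/32")]
    # Ignore the host-chosen low bits: count by the prefix the ISP delegated.
    return [ipaddress.ip_network(f"{ip}/{p}", strict=False) for p in V6_LADDER]

class PrefixLimiter:
    """Counts hits per prefix and blocks the narrowest prefix that exceeds its limit.
    Counters never expire here; a production limiter would use a time window."""

    def __init__(self, limit):
        self.limit = limit        # hits allowed per narrowest bucket
        self.hits = Counter()
        self.blocked = set()

    def allow(self, addr):
        nets = buckets(addr)
        if any(n in self.blocked for n in nets):
            return False
        for step, net in enumerate(nets):
            self.hits[net] += 1
            # Wider prefixes hold more subscribers, so each step tolerates 4x more
            # before it is blocked; one noisy /64 does not take out its neighbours.
            if self.hits[net] > self.limit * 4 ** step:
                self.blocked.add(net)
                return False
        return True

if __name__ == "__main__":
    lim = PrefixLimiter(limit=3)
    # Constructed traffic: one client rotating addresses inside a single /64.
    for host in range(1, 6):
        print(host, lim.allow(f"2001:db8:aa:1::{host:x}"))
    print(sorted(str(n) for n in lim.blocked))
```

Rotating the interface identifier inside one /64 trips the /64 bucket, while a client hopping between /64s of the same delegation is caught one step up at the /56.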

humanwhosits · 3 years ago
My guess is that each user's IP suffix changes a lot more often