Translated

chai001125 2022-10-14 10:45:30 +08:00 committed by GitHub
parent fc8be4d826
commit 43dd1f407f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 186 additions and 192 deletions

@ -1,192 +0,0 @@
[#]: subject: "Reasons for servers to support IPv6"
[#]: via: "https://jvns.ca/blog/2022/01/29/reasons-for-servers-to-support-ipv6/"
[#]: author: "Julia Evans https://jvns.ca/"
[#]: collector: "lujun9972"
[#]: translator: "chai001125"
[#]: reviewer: " "
[#]: publisher: " "
[#]: url: " "
Reasons for servers to support IPv6
======
Ive been having a hard time understanding IPv6. On one hand, the basics initially seem pretty straightforward (there arent enough IPv4 addresses for all the devices on the internet, so people invented IPv6! There are enough IPv6 addresses for everyone!)
But when I try to actually understand it, I run into a lot of questions. One question is: `twitter.com` does not support IPv6. Presumably it cant be causing them THAT many issues to not support it. So why _do_ websites support IPv6?
I asked people on Twitter [why their servers support IPv6][1] and I got a lot of great answers, which Ill summarize here. These all come with the disclaimer that I have basically 0 experience with IPv6 so I cant evaluate these reasons very well.
First though, I want to explain why its possible for `twitter.com` to not support IPv6 because I didnt understand that initially.
### how can you tell `twitter.com` doesnt support IPv6?
You can tell they dont support IPv6 is because if you look up their AAAA record (which contains their IPv6 address), there isnt one. Some other big sites like `github.com` and `stripe.com` also dont support IPv6.
```
$ dig AAAA twitter.com
(empty response)
$ dig AAAA github.com
(empty response)
$ dig AAAA stripe.com
(empty response)
```
### why does `twitter.com` still work for IPv6 users?
I found this really confusing, because Ive always heard that lots of internet users are forced to use IPv6 because weve run out of IPv4 addresses. But if thats true, how could twitter.com continue to work for those people without IPv6 support? Heres what I learned from the Twitter thread yesterday.
There are two kinds of internet service providers (ISPs):
1. ISPs who own enough IPv4 address for all of their customers
2. ISPs who dont
My ISP is in category 1 my computer gets its own IPv4 address, and actually my ISP doesnt even support IPv6 at all.
But lots of ISPs (especially outside of North America) are in category 2: they dont have enough IPv4 addresses for all their customers. Those ISPs handle the problem by:
* giving all of their customers a unique IPv6 address, so they can access IPv6 sites directly
* making large groups of their customers _share_ IPv4 addresses. This can either be with CGNAT (”[carrier-grade NAT][2]”) or “464XLAT” or maybe something else.
All ISPs need _some_ IPv4 addresses, otherwise it would be impossible for their customers to access IPv4-only sites like twitter.com.
### what are the reasons to support IPv6?
Now weve explained why its possible to _not_ support IPv6. So why support it? There were a lot of reasons.
### reason: CGNAT is a bottleneck
The argument that was most compelling to me was: CGNAT (carrier-grade NAT) is a bottleneck and it causes performance issues, and its going to continue to get worse over time as access to IPv4 addresses becomes more and more restricted.
Someone also mentioned that because CGNAT is a bottleneck, its an attractive DDoS target because you can ruin lots of peoples internet experience just by attacking 1 server.
Servers supporting IPv6 reduces the need for CGNAT (IPv6 users can just connect directly!) which makes the internet work better for everyone.
I thought this argument was interesting because its a “public commons” / community argument its less that supporting IPv6 will make your site specifically work better, and more that if _almost everyone_ supports IPv6 then itll make the experience of the internet better for everyone, especially in countries where people dont have easy access to IPv4 addresses.
I dont actually know how much of an issue this is in practice.
There were lots of more selfish arguments to use IPv6 too though, so lets get into those.
### reason: so IPv6-only servers can access your site
I said before that most IPv6 users still have access to IPv4 though some kind of NAT. But apparently thats not true for everyone some people mentioned that they run some servers which only have IPv6 addresses and which arent behind any kind of NAT. So those servers are actually totally unable to access IPv4-only sites.
I imagine that those servers arent connecting to arbitrary machines that much maybe they only need to connect to a few hosts with IPv6 support.
But it makes sense to me that a machine should be able to access my site even if it doesnt have an IPv4 address.
### reason: better performance
For users who are using both IPv4 and IPv6 (with a dedicated IPv6 address and a shared IPv4 address), apparently IPv6 is often faster because it doesnt need to go through an extra translation layer.
So supporting IPv6 can make the site faster for users sometimes.
In practice clients use an algorithm called “Happy Eyeballs” which tries to figure out whether IPv4 or IPv6 will be faster and then uses whichever seems faster.
Some other performance benefits people mentioned:
* maybe sometimes using IPv6 can get you a SEO boost because of the better performance.
* maybe using IPv6 causes you to go through better (faster) network hardware because its a newer protocol
### reason: resilience against IPv4 internet outages
One person said that theyve run into issues where there was an internet outage that only affected IPv4 traffic, because of accidental BGP poisoining.
So supporting IPv6 means that their site can still stay partially online during those outages.
### reason: to avoid NAT issues with home servers
A few people mentioned that its much easier to use IPv6 with home servers instead of having to do port forwarding through your router, you can just give every server a unique IPv6 address and then access it directly.
Of course, for this to work the client needs to have IPv6 support, but more and more clients these days have IPv6 support too.
### reason: to own your IP addresses
Apparently you can buy IPv6 addresses, use them for the servers on your home network, and then if you change your ISP, continue to use the same IP addresses?
Im still not totally sure how this works (I dont know how you would convince computers on the internet to actually route those IPs to you? I guess you need to run your own AS or something?).
### reason: to learn about IPv6
One person said they work in security and in security its very important to understand how internet protocols work (attackers are using internet protocols!). So running an IPv6 server helps them learn how it works.
### reason: to push IPv6 forward / IPv4 is “legacy”
A couple of people said that they support IPv6 because its the current standard, and so they want to contribute to the success of IPv6 by supporting it.
A lot of people also said that they support IPv6 because they think sites that only support IPv4 are “behind” or “legacy”.
### reason: its easy
I got a bunch of answers along the lines of “its easy, why not”. Obviously adding IPv6 support is not easy in all situations, but a couple of reasons it might be easy in some cases:
* you automatically got an IPv6 address from your hosting company, so all you need to do is add an `AAAA` record pointing to that address
* your site is behind a CDN that supports IPv6, so you dont need to do anything extra
### reason: safer networking experimentation
Because the address space is so big, if you want to try something out you can just grab an IPv6 subnet, try out some things in it, and then literally never use that subnet again.
### reason: to run your own autonomous system (AS)
A few people said they were running their own autonomous system (I talked about what an AS is a bit in this [BGP post][3]). IPv4 addresses are too expensive so they bought IPv6 addresses for their AS instead.
### reason: security by obscurity
If your server _only_ has a public IPv6 address, attackers cant easily find it by scanning the whole internet. The IPv6 address space is too big to scan!
Obviously this shouldnt be your only security measure, but it seems like a nice bonus any time I run an IPv4 public server Im always a tiny bit surprised by how its constantly being scanned for vulnerabilities (like old versions of WordPress, etc).
### very silly reason: you can put easter eggs in your IPv6 address
IPv6 addresses have a lot of extra bits in them that you can do frivolous things with. For example one of Facebooks IPv6 addresses is “2a03:2880:f10e:83:face:b00c:0:25de” (it has `face:b00c` in it).
### there are more reasons than I thought
Thats all Ive learned about the “why support IPv6?” question so far.
I came away from this conversation more motivated to support IPv6 on my (very small) servers than I had been before. But thats because I think supporting IPv6 will require very little effort for me. (right now Im using a CDN that supports IPv6 so it comes basically for free)
I know very little about IPv6 still but my impression is that IPv6 support often isnt zero-effort and actually can be a lot of work. For example, I have no idea how much work it would actually be for Twitter to add IPv6 support on their edge servers.
### some more IPv6 questions
Here are some more IPv6 questions I have that maybe Ill explore later:
* what are the _disadvantages_ to supporting IPv6? what goes wrong?
* what are the incentives for ISPs that own enough IPv4 addresses for their customers to support IPv6? (another way of asking: is it likely that my ISP will move to supporting IPv6 in the next few years? or are they just not incentivized to do it so its unlikely?)
* [digital ocean][4] seems to only support IPv4 floating IPs, not IPv6 floating IPs. Why not? Shouldnt it be _easier_ to give out IPv6 floating IPs since there are more of them?
* when I try to ping an IPv6 address (like example.coms IP `2606:2800:220:1:248:1893:25c8:1946` for example) I get the error `ping: connect: Network is unreachable`. Why? (answer: its because my ISP doesnt support IPv6 so my computer doesnt have a public IPv6 address)
This [IPv4 vs IPv6 article from Tailscale][5] looks interesting and answers some of these questions.
--------------------------------------------------------------------------------
via: https://jvns.ca/blog/2022/01/29/reasons-for-servers-to-support-ipv6/
作者:[Julia Evans][a]
选题:[lujun9972][b]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://jvns.ca/
[b]: https://github.com/lujun9972
[1]: https://twitter.com/b0rk/status/1487156306884636672
[2]: https://en.wikipedia.org/wiki/Carrier-grade_NAT
[3]: https://jvns.ca/blog/2021/10/05/tools-to-look-at-bgp-routes/
[4]: https://docs.digitalocean.com/products/networking/floating-ips/
[5]: https://tailscale.com/kb/1134/ipv6-faq/

@ -0,0 +1,186 @@
[#]: subject: "Reasons for servers to support IPv6"
[#]: via: "https://jvns.ca/blog/2022/01/29/reasons-for-servers-to-support-ipv6/"
[#]: author: "Julia Evans https://jvns.ca/"
[#]: collector: "lujun9972"
[#]: translator: "chai001125"
[#]: reviewer: " "
[#]: publisher: " "
[#]: url: " "
服务器支持 IPv6 的原因
======
我一直在努力学习关于 IPv6 的相关知识。一方面IPv6 的基础概念是很简单的(没有足够的 IPv4 地址可以满足互联网上的所有设备,所以人们发明了 IPv6每个人都能有足够的 IPv6 地址!)
但是当我试图进一步理解它时,我遇到了很多问题。其中一个问题是:为什么 `twitter.com` 不支持 IPv6。假设网站不支持 IPv6 并不会造成很多困难,那么为什么网站需要支持 IPv6 呢?
我在 Twitter 上询问了很多人 [为什么他们的服务器支持 IPv6][1],我得到了很多很好的答案,我将在这里总结一下。事先说明一下,因为我对 IPv6 基本上毫无经验,所以下面所总结的理由中可能会有写得不准确的地方,请大家多多包涵。
首先,我想解释一下为什么 `twitter.com` 可以不支持 IPv6因为这是最先让我困惑的地方。
### 怎么知道 `twitter.com` 不支持 IPv6 呢?
你可以使用 dig 命令以 AAAA 的选项查询某一个域名的 IPv6 地址记录,如果没有记录,则表明该域名不支持 IPv6。除了 `twitter.com`,还有一些大型网站,如 `github.com``stripe.com` 也不支持 IPv6。
```
$ dig AAAA twitter.com
(empty response)
$ dig AAAA github.com
(empty response)
$ dig AAAA stripe.com
(empty response)
```
### 为什么 `twitter.com` 仍然适用于 IPv6 用户?
我发现这真的很令人困惑。我一直听说因为 IPv4 地址已经用完了,从而很多互联网用户被迫要使用 IPv6 地址。但如果这是真的twitter.com 怎么能继续为那些没有 IPv6 支持的人提供服务呢?以下内容是我昨天从 Twitter 线程中学习到的。
互联网服务提供商(ISP)有两种:
1. 能为所有用户拥有足够 IPv4 地址的 ISP
2. 不能为所有用户拥有足够 IPv4 地址的 ISP
我的互联网服务提供商属于第 1 类,因此我的计算机有自己的 IPv4 地址,实际上我的互联网服务提供商甚至根本不支持 IPv6。
但是很多互联网服务提供商(尤其是北美以外的)都属于第 2 类:他们没有足够的 IPv4 地址供所有用户使用。 这些互联网服务提供商通过以下方式处理问题:
* 为所有用户提供唯一的 IPv6 地址,以便他们可以直接访问 IPv6 网站
* 让用户 _共享_ IPv4 地址,这可以使用 CGNAT“[运营商级 NAT(carrier-grade NAT)][2]”或者“464XLAT”或其他方式。
所有互联网服务提供商都需要 _一些_ IPv4 地址,否则他们的用户将无法访问 twitter.com 等只能使用 IPv4 的网站。
### 为什么网站要支持 IPv6
现在,我们已经解释了为什么可以 _不支持_ IPv6。那为什么要支持 IPv6 呢?有下面这些原因。
### 原因一CGNAT 是一个性能瓶颈
对我而言,支持 IPv6 最有说服力的论点是CGNATcarrier-grade NAT是一个瓶颈它会导致性能问题并且随着对 IPv4 地址的访问变得越来越受限,它的性能会变得更糟。
有人也提到:因为 CGNAT 是一个性能瓶颈因此它成为了一个有吸引力的拒绝服务攻击DDoS的目标因为你可以通过攻击一台服务器影响其他用户对该服务器的网站的可用性。
支持 IPv6 的服务器减少了对 CGNAT 的需求IPv6 用户可以直接连接!),这使得互联网对每个人的响应速度都更快了。
我认为这个论点很有趣,因为它需要各方的努力——仅仅你的网站支持 IPv6并不会让你的网站更好地运行而更重要的是如果 _几乎每个网站_ 都支持 IPv6那么它将使每个人的互联网体验更好尤其对于那些无法轻松访问 IPv4 地址的国家/地区。
实际上,我不知道这在实践中会有多大的关系。
不过,使用 IPv6 还有很多更自私的论点,所以让我们继续探讨吧。
### 原因二:只能使用 IPv6 的服务器也能够访问你的网站
我之前说过,大多数 IPv6 用户仍然可以通过 NAT 方式访问 IPv4 的网站。但是有些 IPv6 用户是不能访问 IPv4 网站的,因为他们发现他们运行的服务器只有 IPv6 地址,并且不能使用 NAT。因此这些服务器完全无法访问只能使用 IPv4 的网站。
我想这些服务器并没有连接很多主机,也许它们只需要连接到一些支持 IPv6 的主机。
但对我来说,即使没有 IPv4 地址,一台主机也应该能够访问我的站点。
### 原因三:更好的性能
对于同时使用 IPv4 和 IPv6即具有专用 IPv6 地址和共享 IPv4 地址的用户IPv6 通常更快,因为它不需要经过额外的 NAT 地址转换。
因此,有时支持 IPv6 的网站可以为用户提供更快的响应。
在实际应用中客户端使用一种称为“Happy Eyeballs”的算法该算法能够从 IPv4 和 IPv6 中为用户选择一个最快的链接。
以下是网站支持 IPv6 的一些其他性能优势:
* 使用 IPv6 可以提高搜索引擎优化Search Engine Optimization因为 IPv6 具有更好的性能。
* 使用 IPv6 可能会使你的数据包通过更好(更快)的网络硬件,因为相较于 IPv4IPv6 是一个更新的协议。
### 原因四:能够恢复 IPv4 互联网中断
有人说他碰到过由于意外的 BGP 中毒,而导致仅影响 IPv4 流量的互联网中断问题。
因此,支持 IPv6 的网站意味着在中断期间,网站仍然可以保持部分在线。
### 原因五避免家庭服务器的NAT问题
将 IPv6 与家庭服务器一起使用,会变得简单很多,因为数据包不必通过路由器进行端口转发,因此只需为每台服务器分配一个唯一的 IPv6 地址,然后直接访问服务器的 IPv6 地址即可。
当然,要实现这一点,客户端需要支持 IPv6但如今越来越多的客户端也能支持 IPv6 了。
### 原因六:为了拥有自己的 IP 地址
你也可以自己购买 IPv6 地址,并将它们用于家庭网络的服务器上。如果你更换了互联网服务提供商,可以继续使用相同的 IP 地址。
我不太明白这是如何工作的,是如何让 Internet 上的计算机将这些 IP 地址路由转发给你的我猜测你需要运行自己的自治系统AS或其他东西。
### 原因七:为了学习 IPv6
有人说他们在安全领域中工作,为保证信息安全,了解互联网协议的工作原理非常重要(攻击者正在使用互联网协议进行攻击!)。因此,运行 IPv6 服务器有助于他们了解其工作原理。
### 原因八:为了推进 IPv6
有人说因为 IPv6 是当前的标准,因此他们希望通过支持 IPv6 来为 IPv6 的成功做出贡献。
很多人还说他们的服务器支持 IPv6是因为他们认为只能使用 IPv4 的网站已经太“落后”了。
### 原因九IPv6 很简单
我还得到了一堆“IPv6 很容易,为什么不做呢”的答案。在所有情况下添加 IPv6 支持并不容易,但在某些情况下添加 IPv6 支持会是很容易的,有以下的几个原因:
* 你可以从托管公司自动地获得 IPv6 地址,因此你只需要做的就是添加指向该地址的 `AAAA` 记录
* 你的网站是基于支持 IPv6 的内容分发网络CDN因此你无需做任何额外的事情
### 原因十:为了实施更安全的网络实验
因为 IPv6 的地址空间很大,所以如果你想在网络中尝试某些东西的时候,你可以使用 IPv6 子网进行实验,基本上你之后不会再用到这个子网了。
### 原因十一为了运行自己的自治系统AS
也有人说他们为了运行自己的自治系统(我在这篇 [BGP 帖子][3] 中谈到了什么是 AS因此在服务器中提供 IPv6。IPv4 地址太贵了,所以他们为运行自治系统而购买了 IPv6 地址。
### 原因十二IPv6 更加安全
如果你的服务器 _只_ 有公共的 IPv6 地址,那么攻击者扫描整个网络,也不能轻易地找出你的服务器地址,这是因为 IPv6 地址空间太大了以至于不能扫描出来!
这显然不能是你仅有的安全策略,但是这是安全上的一个大大的福利。每次我运行 IPv4 服务器时,我都会惊讶于 IPv4 地址一直能够被扫描出来的脆弱性,就像是老版本的 WordPress 博客系统那样。
### 一个很傻的理由:你可以在你的 IPv6 地址中放个小彩蛋
IPv6 地址中有很多额外的位你可以用它们做一些不重要的事情。例如Facebook 的 IPv6 地址之一是“2a03:2880:f10e:83:face:b00c:0:25de”其中包含 `face:b00c`)。
### 理由还有很多
这就是到目前为止我所了解的“为什么支持 IPv6”的理由。
在我理解这些原因后,相较于以前,我在我的(非常小的)服务器上支持 IPv6 更有动力了。但那是因为我觉得支持 IPv6对我来说只需要很少的努力。现在我使用的是支持 IPv6 的 CDN所以我基本上不用做什么额外的事情
我仍然对 IPv6 知之甚少,但是在我的印象中,支持 IPv6并不是不需要花费努力的实际上可能需要大量工作。例如我不知道 Twitter 在其边缘服务器上添加 IPv6 支持需要做多少繁杂的工作。
### 其它关于 IPv6 的问题
这里还有一些关于 IPv6 的问题,也许我之后再会探讨:
* 支持 IPv6 的缺点是什么?什么会出错呢?
* 对于拥有了足够 IPv4 地址的 ISP 来说,有什么让他们提供 IPv6 的激励措施?(另一种问法是:我的 ISP 是否有可能在未来几年内转为支持 IPv6或者他们可能不会支持 IPv6
* [Digital Ocean][4] 译注一家建立于美国的云基础架构提供商面向软件开发人员提供虚拟专用服务器VPS只提供 IPv4 的浮动地址,不提供 IPv6 的浮动地址。为什么不提供呢?有更多 IPv6 地址,那提供 IPv6 的浮动地址不是变得更 _便捷_ 吗?
* 当我尝试 ping IPv6 地址时(例如 example.com 的 IP 地址`2606:2800:220:1:248:1893:25c8:1946`),我得到一个报错信息 `ping: connect: Network is unreachable`。这是为什么呢?(回答:因为我的 ISP 不支持 IPv6所以我的电脑没有公共 IPv6 地址)
这篇 [来自 Tailscale 的 IPv4 与 IPv6 文章][5] 非常有意思,并回答了上述的一些问题。
--------------------------------------------------------------------------------
via: https://jvns.ca/blog/2022/01/29/reasons-for-servers-to-support-ipv6/
作者:[Julia Evans][a]
选题:[lujun9972][b]
译者:[chai001125](https://github.com/chai001125)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://jvns.ca/
[b]: https://github.com/lujun9972
[1]: https://twitter.com/b0rk/status/1487156306884636672
[2]: https://en.wikipedia.org/wiki/Carrier-grade_NAT
[3]: https://jvns.ca/blog/2021/10/05/tools-to-look-at-bgp-routes/
[4]: https://docs.digitalocean.com/products/networking/floating-ips/
[5]: https://tailscale.com/kb/1134/ipv6-faq/
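Review bot: The heading `### 原因十二IPv6 更加安全` and the paragraph under it overstate the source section "reason: security by obscurity". The source says only that an IPv6-only server is hard to find by scanning the whole address space, and calls that "a nice bonus" that "shouldn't be your only security measure". The translated heading asserts that IPv6 is more secure, and "这是安全上的一个大大的福利" turns the small bonus into a large one. The next sentence also reads as if IPv4 addresses are themselves fragile "like old versions of WordPress", whereas the source says the author's public IPv4 server is constantly being scanned for vulnerabilities, old WordPress versions being an example of what scanners look for. Suggest a heading such as "通过隐匿实现安全" and rewording that sentence so the scanning targets the server's vulnerabilities. The DDoS sentence under `原因一` drifts in the same way: the source's point is that attacking one CGNAT server ruins internet access for the many people behind it, not the availability of one site on that server.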