diff --git a/sources/tech/20220129 Reasons for servers to support IPv6.md b/sources/tech/20220129 Reasons for servers to support IPv6.md deleted file mode 100644 index 1e606c4a92..0000000000 --- a/sources/tech/20220129 Reasons for servers to support IPv6.md +++ /dev/null 
@@ -1,192 +0,0 @@ -[#]: subject: "Reasons for servers to support IPv6" -[#]: via: "https://jvns.ca/blog/2022/01/29/reasons-for-servers-to-support-ipv6/" -[#]: author: "Julia Evans https://jvns.ca/" -[#]: collector: "lujun9972" -[#]: translator: "chai001125" -[#]: reviewer: " " -[#]: publisher: " " -[#]: url: " " - -Reasons for servers to support IPv6 -====== - -I’ve been having a hard time understanding IPv6. On one hand, the basics initially seem pretty straightforward (there aren’t enough IPv4 addresses for all the devices on the internet, so people invented IPv6! There are enough IPv6 addresses for everyone!) - -But when I try to actually understand it, I run into a lot of questions. One question is: `twitter.com` does not support IPv6. Presumably it can’t be causing them THAT many issues to not support it. So why _do_ websites support IPv6? - -I asked people on Twitter [why their servers support IPv6][1] and I got a lot of great answers, which I’ll summarize here. These all come with the disclaimer that I have basically 0 experience with IPv6 so I can’t evaluate these reasons very well. - -First though, I want to explain why it’s possible for `twitter.com` to not support IPv6 because I didn’t understand that initially. - -### how can you tell `twitter.com` doesn’t support IPv6? - -You can tell they don’t support IPv6 is because if you look up their AAAA record (which contains their IPv6 address), there isn’t one. Some other big sites like `github.com` and `stripe.com` also don’t support IPv6. - -``` - - $ dig AAAA twitter.com - (empty response) - $ dig AAAA github.com - (empty response) - $ dig AAAA stripe.com - (empty response) - -``` - -### why does `twitter.com` still work for IPv6 users? - -I found this really confusing, because I’ve always heard that lots of internet users are forced to use IPv6 because we’ve run out of IPv4 addresses. But if that’s true, how could twitter.com continue to work for those people without IPv6 support? 
Here’s what I learned from the Twitter thread yesterday. - -There are two kinds of internet service providers (ISPs): - - 1. ISPs who own enough IPv4 address for all of their customers - 2. ISPs who don’t - - - -My ISP is in category 1 – my computer gets its own IPv4 address, and actually my ISP doesn’t even support IPv6 at all. - -But lots of ISPs (especially outside of North America) are in category 2: they don’t have enough IPv4 addresses for all their customers. Those ISPs handle the problem by: - - * giving all of their customers a unique IPv6 address, so they can access IPv6 sites directly - * making large groups of their customers _share_ IPv4 addresses. This can either be with CGNAT (”[carrier-grade NAT][2]”) or “464XLAT” or maybe something else. - - - -All ISPs need _some_ IPv4 addresses, otherwise it would be impossible for their customers to access IPv4-only sites like twitter.com. - -### what are the reasons to support IPv6? - -Now we’ve explained why it’s possible to _not_ support IPv6. So why support it? There were a lot of reasons. - -### reason: CGNAT is a bottleneck - -The argument that was most compelling to me was: CGNAT (carrier-grade NAT) is a bottleneck and it causes performance issues, and it’s going to continue to get worse over time as access to IPv4 addresses becomes more and more restricted. - -Someone also mentioned that because CGNAT is a bottleneck, it’s an attractive DDoS target because you can ruin lots of people’s internet experience just by attacking 1 server. - -Servers supporting IPv6 reduces the need for CGNAT (IPv6 users can just connect directly!) which makes the internet work better for everyone. 
- -I thought this argument was interesting because it’s a “public commons” / community argument – it’s less that supporting IPv6 will make your site specifically work better, and more that if _almost everyone_ supports IPv6 then it’ll make the experience of the internet better for everyone, especially in countries where people don’t have easy access to IPv4 addresses. - -I don’t actually know how much of an issue this is in practice. - -There were lots of more selfish arguments to use IPv6 too though, so let’s get into those. - -### reason: so IPv6-only servers can access your site - -I said before that most IPv6 users still have access to IPv4 though some kind of NAT. But apparently that’s not true for everyone – some people mentioned that they run some servers which only have IPv6 addresses and which aren’t behind any kind of NAT. So those servers are actually totally unable to access IPv4-only sites. - -I imagine that those servers aren’t connecting to arbitrary machines that much – maybe they only need to connect to a few hosts with IPv6 support. - -But it makes sense to me that a machine should be able to access my site even if it doesn’t have an IPv4 address. - -### reason: better performance - -For users who are using both IPv4 and IPv6 (with a dedicated IPv6 address and a shared IPv4 address), apparently IPv6 is often faster because it doesn’t need to go through an extra translation layer. - -So supporting IPv6 can make the site faster for users sometimes. - -In practice clients use an algorithm called “Happy Eyeballs” which tries to figure out whether IPv4 or IPv6 will be faster and then uses whichever seems faster. - -Some other performance benefits people mentioned: - - * maybe sometimes using IPv6 can get you a SEO boost because of the better performance. 
- * maybe using IPv6 causes you to go through better (faster) network hardware because it’s a newer protocol - - - -### reason: resilience against IPv4 internet outages - -One person said that they’ve run into issues where there was an internet outage that only affected IPv4 traffic, because of accidental BGP poisoining. - -So supporting IPv6 means that their site can still stay partially online during those outages. - -### reason: to avoid NAT issues with home servers - -A few people mentioned that it’s much easier to use IPv6 with home servers – instead of having to do port forwarding through your router, you can just give every server a unique IPv6 address and then access it directly. - -Of course, for this to work the client needs to have IPv6 support, but more and more clients these days have IPv6 support too. - -### reason: to own your IP addresses - -Apparently you can buy IPv6 addresses, use them for the servers on your home network, and then if you change your ISP, continue to use the same IP addresses? - -I’m still not totally sure how this works (I don’t know how you would convince computers on the internet to actually route those IPs to you? I guess you need to run your own AS or something?). - -### reason: to learn about IPv6 - -One person said they work in security and in security it’s very important to understand how internet protocols work (attackers are using internet protocols!). So running an IPv6 server helps them learn how it works. - -### reason: to push IPv6 forward / IPv4 is “legacy” - -A couple of people said that they support IPv6 because it’s the current standard, and so they want to contribute to the success of IPv6 by supporting it. - -A lot of people also said that they support IPv6 because they think sites that only support IPv4 are “behind” or “legacy”. - -### reason: it’s easy - -I got a bunch of answers along the lines of “it’s easy, why not”. 
Obviously adding IPv6 support is not easy in all situations, but a couple of reasons it might be easy in some cases: - - * you automatically got an IPv6 address from your hosting company, so all you need to do is add an `AAAA` record pointing to that address - * your site is behind a CDN that supports IPv6, so you don’t need to do anything extra - - - -### reason: safer networking experimentation - -Because the address space is so big, if you want to try something out you can just grab an IPv6 subnet, try out some things in it, and then literally never use that subnet again. - -### reason: to run your own autonomous system (AS) - -A few people said they were running their own autonomous system (I talked about what an AS is a bit in this [BGP post][3]). IPv4 addresses are too expensive so they bought IPv6 addresses for their AS instead. - -### reason: security by obscurity - -If your server _only_ has a public IPv6 address, attackers can’t easily find it by scanning the whole internet. The IPv6 address space is too big to scan! - -Obviously this shouldn’t be your only security measure, but it seems like a nice bonus – any time I run an IPv4 public server I’m always a tiny bit surprised by how it’s constantly being scanned for vulnerabilities (like old versions of WordPress, etc). - -### very silly reason: you can put easter eggs in your IPv6 address - -IPv6 addresses have a lot of extra bits in them that you can do frivolous things with. For example one of Facebook’s IPv6 addresses is “2a03:2880:f10e:83:face:b00c:0:25de” (it has `face:b00c` in it). - -### there are more reasons than I thought - -That’s all I’ve learned about the “why support IPv6?” question so far. - -I came away from this conversation more motivated to support IPv6 on my (very small) servers than I had been before. But that’s because I think supporting IPv6 will require very little effort for me. 
(right now I’m using a CDN that supports IPv6 so it comes basically for free) - -I know very little about IPv6 still but my impression is that IPv6 support often isn’t zero-effort and actually can be a lot of work. For example, I have no idea how much work it would actually be for Twitter to add IPv6 support on their edge servers. - -### some more IPv6 questions - -Here are some more IPv6 questions I have that maybe I’ll explore later: - - * what are the _disadvantages_ to supporting IPv6? what goes wrong? - * what are the incentives for ISPs that own enough IPv4 addresses for their customers to support IPv6? (another way of asking: is it likely that my ISP will move to supporting IPv6 in the next few years? or are they just not incentivized to do it so it’s unlikely?) - * [digital ocean][4] seems to only support IPv4 floating IPs, not IPv6 floating IPs. Why not? Shouldn’t it be _easier_ to give out IPv6 floating IPs since there are more of them? - * when I try to ping an IPv6 address (like example.com’s IP `2606:2800:220:1:248:1893:25c8:1946` for example) I get the error `ping: connect: Network is unreachable`. Why? (answer: it’s because my ISP doesn’t support IPv6 so my computer doesn’t have a public IPv6 address) - - - -This [IPv4 vs IPv6 article from Tailscale][5] looks interesting and answers some of these questions. 
- --------------------------------------------------------------------------------- - -via: https://jvns.ca/blog/2022/01/29/reasons-for-servers-to-support-ipv6/ - -作者:[Julia Evans][a] -选题:[lujun9972][b] -译者:[译者ID](https://github.com/译者ID) -校对:[校对者ID](https://github.com/校对者ID) - -本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 - -[a]: https://jvns.ca/ -[b]: https://github.com/lujun9972 -[1]: https://twitter.com/b0rk/status/1487156306884636672 -[2]: https://en.wikipedia.org/wiki/Carrier-grade_NAT -[3]: https://jvns.ca/blog/2021/10/05/tools-to-look-at-bgp-routes/ -[4]: https://docs.digitalocean.com/products/networking/floating-ips/ -[5]: https://tailscale.com/kb/1134/ipv6-faq/ diff --git a/translated/tech/20220129 Reasons for servers to support IPv6.md b/translated/tech/20220129 Reasons for servers to support IPv6.md new file mode 100644 index 0000000000..2024b77e6f --- /dev/null +++ b/translated/tech/20220129 Reasons for servers to support IPv6.md 
@@ -0,0 +1,186 @@ +[#]: subject: "Reasons for servers to support IPv6" +[#]: via: "https://jvns.ca/blog/2022/01/29/reasons-for-servers-to-support-ipv6/" +[#]: author: "Julia Evans https://jvns.ca/" +[#]: collector: "lujun9972" +[#]: translator: "chai001125" +[#]: reviewer: " " +[#]: publisher: " " +[#]: url: " " + +服务器支持 IPv6 的原因 +====== + +我一直在努力学习关于 IPv6 的相关知识。一方面,IPv6 的基础概念是很简单的(没有足够的 IPv4 地址可以满足互联网上的所有设备,所以人们发明了 IPv6!每个人都能有足够的 IPv6 地址!) + +但是当我试图进一步理解它时,我遇到了很多问题。其中一个问题是:为什么 `twitter.com` 不支持 IPv6。假设,网站不支持 IPv6 并不会造成很多困难,那么为什么网站需要支持 IPv6 呢? + +我在 Twitter 上询问了很多人 [为什么他们的服务器支持 IPv6][1],我得到了很多很好的答案,我将在这里总结一下。事先说明一下,因为我对 IPv6 基本上毫无经验,所以下面所总结的理由中可能会有写得不准确的地方,请大家多多包涵。 + +首先,我想解释一下为什么 `twitter.com` 可以不支持 IPv6,因为这是最先让我困惑的地方。 + +### 怎么知道 `twitter.com` 不支持 IPv6 呢? + +你可以使用 dig 命令以 AAAA 的选项查询某一个域名的 IPv6 地址记录,如果没有记录,则表明该域名不支持 IPv6。除了 `twitter.com`,还有一些大型网站,如 `github.com` 和 `stripe.com` 也不支持 IPv6。 + +``` + + $ dig AAAA twitter.com + (empty response) + $ dig AAAA github.com + (empty response) + $ dig AAAA stripe.com + (empty response) + +``` + +### 为什么 `twitter.com` 仍然适用于 IPv6 用户? + +我发现这真的很令人困惑。我一直听说因为 IPv4 地址已经用完了,从而很多互联网用户被迫要使用 IPv6 地址。但如果这是真的,twitter.com 怎么能继续为那些没有 IPv6 支持的人提供服务呢?以下内容是我昨天从 Twitter 线程中学习到的。 + +互联网服务提供商(ISP)有两种: + + 1. 能为所有用户拥有足够 IPv4 地址的 ISP + 2. 不能为所有用户拥有足够 IPv4 地址的 ISP + + +我的互联网服务提供商属于第 1 类,因此我的计算机有自己的 IPv4 地址,实际上我的互联网服务提供商甚至根本不支持 IPv6。 + +但是很多互联网服务提供商(尤其是北美以外的)都属于第 2 类:他们没有足够的 IPv4 地址供所有用户使用。 这些互联网服务提供商通过以下方式处理问题: + + * 为所有用户提供唯一的 IPv6 地址,以便他们可以直接访问 IPv6 网站 + * 让用户 _共享_ IPv4 地址,这可以使用 CGNAT(“[运营商级 NAT(carrier-grade NAT)][2]”)或者“464XLAT”或其他方式。 + +所有互联网服务提供商都需要 _一些_ IPv4 地址,否则他们的用户将无法访问 twitter.com 等只能使用 IPv4 的网站。 + +### 为什么网站要支持 IPv6? 
+ +现在,我们已经解释了为什么可以 _不支持_ IPv6。那为什么要支持 IPv6 呢?有下面这些原因。 + +### 原因一:CGNAT 是一个性能瓶颈 + +对我而言,支持 IPv6 最有说服力的论点是:CGNAT(carrier-grade NAT)是一个瓶颈,它会导致性能问题,并且随着对 IPv4 地址的访问变得越来越受限,它的性能会变得更糟。 + +有人也提到:因为 CGNAT 是一个性能瓶颈,因此它成为了一个有吸引力的拒绝服务攻击(DDoS)的目标,因为你可以通过攻击一台服务器,影响其他用户对该服务器的网站的可用性。 + +支持 IPv6 的服务器减少了对 CGNAT 的需求(IPv6 用户可以直接连接!),这使得互联网对每个人的响应速度都更快了。 + +我认为这个论点很有趣,因为它需要各方的努力——仅仅你的网站支持 IPv6,并不会让你的网站更好地运行,而更重要的是如果 _几乎每个网站_ 都支持 IPv6,那么它将使每个人的互联网体验更好,尤其对于那些无法轻松访问 IPv4 地址的国家/地区。 + +实际上,我不知道这在实践中会有多大的关系。 + +不过,使用 IPv6 还有很多更自私的论点,所以让我们继续探讨吧。 + +### 原因二:只能使用 IPv6 的服务器也能够访问你的网站 + +我之前说过,大多数 IPv6 用户仍然可以通过 NAT 方式访问 IPv4 的网站。但是有些 IPv6 用户是不能访问 IPv4 网站的,因为他们发现他们运行的服务器只有 IPv6 地址,并且不能使用 NAT。因此,这些服务器完全无法访问只能使用 IPv4 的网站。 + +我想这些服务器并没有连接很多主机,也许它们只需要连接到一些支持 IPv6 的主机。 + +但对我来说,即使没有 IPv4 地址,一台主机也应该能够访问我的站点。 + +### 原因三:更好的性能 + +对于同时使用 IPv4 和 IPv6(即具有专用 IPv6 地址和共享 IPv4 地址)的用户,IPv6 通常更快,因为它不需要经过额外的 NAT 地址转换。 + +因此,有时支持 IPv6 的网站可以为用户提供更快的响应。 + +在实际应用中,客户端使用一种称为“Happy Eyeballs”的算法,该算法能够从 IPv4 和 IPv6 中为用户选择一个最快的链接。 + +以下是网站支持 IPv6 的一些其他性能优势: + + * 使用 IPv6 可以提高搜索引擎优化(Search Engine Optimization),因为 IPv6 具有更好的性能。 + * 使用 IPv6 可能会使你的数据包通过更好(更快)的网络硬件,因为相较于 IPv4,IPv6 是一个更新的协议。 + + +### 原因四:能够恢复 IPv4 互联网中断 + +有人说他碰到过由于意外的 BGP 中毒,而导致仅影响 IPv4 流量的互联网中断问题。 + +因此,支持 IPv6 的网站意味着在中断期间,网站仍然可以保持部分在线。 + +### 原因五:避免家庭服务器的NAT问题 + +将 IPv6 与家庭服务器一起使用,会变得简单很多,因为数据包不必通过路由器进行端口转发,因此只需为每台服务器分配一个唯一的 IPv6 地址,然后直接访问服务器的 IPv6 地址即可。 + +当然,要实现这一点,客户端需要支持 IPv6,但如今越来越多的客户端也能支持 IPv6 了。 + +### 原因六:为了拥有自己的 IP 地址 + +你也可以自己购买 IPv6 地址,并将它们用于家庭网络的服务器上。如果你更换了互联网服务提供商,可以继续使用相同的 IP 地址。 + +我不太明白这是如何工作的,是如何让 Internet 上的计算机将这些 IP 地址路由转发给你的?我猜测你需要运行自己的自治系统(AS)或其他东西。 + +### 原因七:为了学习 IPv6 + +有人说他们在安全领域中工作,为保证信息安全,了解互联网协议的工作原理非常重要(攻击者正在使用互联网协议进行攻击!)。因此,运行 IPv6 服务器有助于他们了解其工作原理。 + +### 原因八:为了推进 IPv6 + +有人说因为 IPv6 是当前的标准,因此他们希望通过支持 IPv6 来为 IPv6 的成功做出贡献。 + +很多人还说他们的服务器支持 IPv6,是因为他们认为只能使用 IPv4 的网站已经太“落后”了。 + +### 原因九:IPv6 很简单 + +我还得到了一堆“IPv6 很容易,为什么不做呢”的答案。在所有情况下添加 IPv6 支持并不容易,但在某些情况下添加 IPv6 支持会是很容易的,有以下的几个原因: + + * 你可以从托管公司自动地获得 IPv6 地址,因此你只需要做的就是添加指向该地址的 `AAAA` 
记录 + * 你的网站是基于支持 IPv6 的内容分发网络(CDN),因此你无需做任何额外的事情 + + +### 原因十:为了实施更安全的网络实验 + +因为 IPv6 的地址空间很大,所以如果你想在网络中尝试某些东西的时候,你可以使用 IPv6 子网进行实验,基本上你之后不会再用到这个子网了。 + +### 原因十一:为了运行自己的自治系统(AS) + +也有人说他们为了运行自己的自治系统(我在这篇 [BGP 帖子][3] 中谈到了什么是 AS),因此在服务器中提供 IPv6。IPv4 地址太贵了,所以他们为运行自治系统而购买了 IPv6 地址。 + +### 原因十二:IPv6 更加安全 + +如果你的服务器 _只_ 有公共的 IPv6 地址,那么攻击者扫描整个网络,也不能轻易地找出你的服务器地址,这是因为 IPv6 地址空间太大了以至于不能扫描出来! + +这显然不能是你仅有的安全策略,但是这是安全上的一个大大的福利。每次我运行 IPv4 服务器时,我都会惊讶于 IPv4 地址一直能够被扫描出来的脆弱性,就像是老版本的 WordPress 博客系统那样。 + +### 一个很傻的理由:你可以在你的 IPv6 地址中放个小彩蛋 + +IPv6 地址中有很多额外的位,你可以用它们做一些不重要的事情。例如,Facebook 的 IPv6 地址之一是“2a03:2880:f10e:83:face:b00c:0:25de”(其中包含 `face:b00c`)。 + +### 理由还有很多 + +这就是到目前为止我所了解的“为什么支持 IPv6?”的理由。 + +在我理解这些原因后,相较于以前,我在我的(非常小的)服务器上支持 IPv6 更有动力了。但那是因为我觉得支持 IPv6,对我来说只需要很少的努力。(现在我使用的是支持 IPv6 的 CDN,所以我基本上不用做什么额外的事情) + +我仍然对 IPv6 知之甚少,但是在我的印象中,支持 IPv6并不是不需要花费努力的,实际上可能需要大量工作。例如,我不知道 Twitter 在其边缘服务器上添加 IPv6 支持需要做多少繁杂的工作。 + +### 其它关于 IPv6 的问题 + +这里还有一些关于 IPv6 的问题,也许我之后再会探讨: + + * 支持 IPv6 的缺点是什么?什么会出错呢? + * 对于拥有了足够 IPv4 地址的 ISP 来说,有什么让他们提供 IPv6 的激励措施?(另一种问法是:我的 ISP 是否有可能在未来几年内转为支持 IPv6?或者他们可能不会支持 IPv6?) + * [Digital Ocean][4] (译注:一家建立于美国的云基础架构提供商,面向软件开发人员提供虚拟专用服务器(VPS))只提供 IPv4 的浮动地址,不提供 IPv6 的浮动地址。为什么不提供呢?有更多 IPv6 地址,那提供 IPv6 的浮动地址不是变得更 _便捷_ 吗? 
+ * 当我尝试 ping IPv6 地址时(例如 example.com 的 IP 地址`2606:2800:220:1:248:1893:25c8:1946`),我得到一个报错信息 `ping: connect: Network is unreachable`。这是为什么呢?(回答:因为我的 ISP 不支持 IPv6,所以我的电脑没有公共 IPv6 地址) + + +这篇 [来自 Tailscale 的 IPv4 与 IPv6 文章][5] 非常有意思,并回答了上述的一些问题。 + +-------------------------------------------------------------------------------- + +via: https://jvns.ca/blog/2022/01/29/reasons-for-servers-to-support-ipv6/ + +作者:[Julia Evans][a] +选题:[lujun9972][b] +译者:[chai001125](https://github.com/chai001125) +校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 + +[a]: https://jvns.ca/ +[b]: https://github.com/lujun9972 +[1]: https://twitter.com/b0rk/status/1487156306884636672 +[2]: https://en.wikipedia.org/wiki/Carrier-grade_NAT +[3]: https://jvns.ca/blog/2021/10/05/tools-to-look-at-bgp-routes/ +[4]: https://docs.digitalocean.com/products/networking/floating-ips/ +[5]: https://tailscale.com/kb/1134/ipv6-faq/
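Review bot: In the added translation, the heading `### 原因十二:IPv6 更加安全` renders the source's "reason: security by obscurity" as "IPv6 is more secure", which overstates the claim. The source only says that a server with nothing but a public IPv6 address is hard to find by scanning the whole internet, and that this should not be your only security measure. Suggest a heading that keeps the original term, for example `### 原因十二:隐匿式安全(security by obscurity)`, and softening "这是安全上的一个大大的福利" so that it matches "a nice bonus". The following sentence in the same section also shifts meaning: the source says the author is a little surprised at how a public IPv4 server is constantly being scanned for vulnerabilities (such as old versions of WordPress), while the translation reads as a weakness of IPv4 addresses themselves that is "like" old WordPress. Two smaller fidelity points in the same hunk: `### 原因四:能够恢复 IPv4 互联网中断` reads as "can restore IPv4 outages" where the source heading is "resilience against IPv4 internet outages", and the SEO bullet under 原因三 drops the source's "maybe sometimes" and states the benefit as fact.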