| ▲ | umanwizard a day ago |
| Why would they want to block IPv6 specifically? |
|
| ▲ | cogman10 a day ago | parent | next [-] |
| IDK for sure, but might be harder to maintain, monitor, and block. One characteristic of v4 is it's somewhat reasonable to do a straight forward block on a range of addresses to shut down access. This is still somewhat possible with v6, but harder as there's simply a much larger portion of ip addresses that can be all over the place. It's theoretically a lot easier for anyone that wants to bypass a simple filter to grab a new public IP address. |
| |
| ▲ | toast0 a day ago | parent | next [-] | | Otoh, ipv6 address assignment tends to be much more contiguous. My (small) residential ISP has one v6 prefix but several v4 prefixes. If you block the whole prefix for services you don't like, it's far less prefixes for v6. But, it is a new skill, and you can turn off v6 at small cost if you're already ok with heavily restricting v4. | |
| ▲ | sva_ a day ago | parent | prev | next [-] | | Additionally to the much larger IP space, you also have larger headers and additionally extension headers which make deep packet inspection computationally much more expensive if you consider the scale | |
| ▲ | miyuru a day ago | parent | prev | next [-] | | >One characteristic of v4 is it's somewhat reasonable to do a straight forward block on a range of addresses to shut down access. This is still somewhat possible with v6, but harder as there's simply a much larger portion of ip addresses that can be all over the place. It's theoretically a lot easier for anyone that wants to bypass a simple filter to grab a new public IP address. no its not, its easier to block IPv6 ranges than IPv4 ones. if someone want be block my ISP, they only need a single /32 rule with v6. | |
| ▲ | iso1631 a day ago | parent | prev [-] | | n ipv4 /32 is roughly equivalent to an ipv6 /56 or /64 You'd typically block an AS - i.e. every IP originating from AS12345. That's just as easy on v6 as v4. |
|
|
| ▲ | davidw a day ago | parent | prev | next [-] |
| There are some pretty big protests happening right now: https://bsky.app/profile/chadbourn.bsky.social/post/3mbvphn4... |
| |
| ▲ | umanwizard a day ago | parent [-] | | That doesn't explain why they would want to block IPv6 specifically, and not also block IPv4. | | |
| ▲ | marcosdumay a day ago | parent | next [-] | | The OP's comment is that they can censor IPv4 when they want, but they don't know how to censor IPv6. So they block it entirely. | | | |
| ▲ | observationist a day ago | parent | prev | next [-] | | A lot of the Starlink and other contraband uplinks are using ipv6, allowing connectivity for people the regime doesn't want to have contact with the rest of the world. They don't want the revolution broadcast or popularized. | | |
| ▲ | umanwizard a day ago | parent [-] | | I wouldn't think blocking terrestrial IPv6 links would have anything to do with blocking Starlink. |
| |
| ▲ | syncsynchalt a day ago | parent | prev [-] | | It could be as simple as their surveillance / censorship tools not fully supporting IPv6. |
|
|
|
| ▲ | coretx a day ago | parent | prev | next [-] |
| Because v6 IPs are cheap, expendable and routing it over encrypted tunnels does not look suspicious. Anyone can buy a block and with little help announce them from multiple locations including home, mobile, uni wifi, and route further from there. |
|
| ▲ | stackskipton a day ago | parent | prev | next [-] |
| It's much more difficult to block. A lot of anti censorship organizations have trouble getting more IPv4 /24 for cost reasons or moving it around to different AS since they would go offline. With IPv6, you can get IPv6 /40 from ARIN/RIPE no problem. You slice that up into /48 and just start bouncing it all over the place. When one /48 goes down, you move everything to another /48, switch providers if required and continue. EDIT: They also tend to get multiple blocks as well for when ISP figures out to root /40. |
| |
| ▲ | jcalvinowens a day ago | parent [-] | | > It's much more difficult to block. No it isn't. Nobody is blocking ranges as they roll in, they're blocking whole ASNs at once. That's just as trivial with v6 as v4, actually v6 can be simpler because ISPs tend to have fewer large blocks in v6land. | | |
| ▲ | stackskipton a day ago | parent [-] | | There are plenty of providers that when you BYOIP, they will broadcast out of their ASN, I know Azure does, Google appears to, no clue on AWS. Plenty of colo providers including $LastCompanyProvider will fold your IP block under their ASN as well. That's how it worked at last job. Sure, Iran government may just decide to block that specific ASN but if it's they want to remain somewhat on the internet, they are stuck with "Smack entire broad ASNs and lose large chucks of internet" or "Block specific IP spaces." |
|
|
|
| ▲ | tguvot a day ago | parent | prev [-] |
| (going with recent ipv6 discussion) they probably failed to make it work properly and decided that it's easier to block it |
| |
| ▲ | umanwizard a day ago | parent [-] | | Is this an attempt at a joke, or do you actually seriously believe a country capable of enriching uranium isn't capable of hiring competent network engineers? | | |
| ▲ | bigyabai a day ago | parent | next [-] | | Reading through their comment history, it doesn't seem like a good-faith comment. Not sure what they thought HN stood to gain from their contribution here. | | | |
| ▲ | tguvot a day ago | parent | prev [-] | | i'll leave it as exercise to a reader |
|
|
