User talk:Jasper Deng/IPv6

For comments not related to this proposal, please see my main talk pagenonconfirmed

Why is this article not merged into Blocking_IP_addresses ?
As the subject says: Why is this article not merged into Blocking_IP_addresses ? or at least referenced for people to read up on. Next to of course admins who do blocking being informed of it. — Preceding unsigned comment added by JeroenMassar (talk • contribs) 09:55, 29 October 2014 (UTC)

Overlap of IPv6 addresses with existing usernames?
Obviously, much of this isn't applicable...but, I'm pretty sure you can't create a "127.1" username (which is, actually, a valid "abbreviation" for 127.0.0.1 on many OSes.) But if I was 2001::db8 instead of 2001:db8, that would cause problems...since it would be a full address. Last I checked, you could create usernames with consecutive colons, or at least all the colons needed to not skip any digits. Seems to me that one can still create addresses that conflict with usernames. (In fact, I think Mediawiki even considers my "2001:db8" to be equivalent to "2001:db8::".) So, what's the suggestion on addressing this? :) I'd personally recommend that some sort of "v6:" prefix or something of the sort be used...it shouldn't have to be, but there are already likely existing usernames that conflict with IPv6 addresses, due to poor previous design... – 2001:db8:: (rfc &#124; diff) 06:34, 20 January 2012 (UTC)
 * Hhm... I think those accounts need to be autodisabled using a regex-based condition.Jasper Deng (talk) 06:36, 20 January 2012 (UTC)
 * There may be many accounts that conflict, though; basically, a large portion of accounts with colons on them and just numbers/hex otherwise. They certainly shouldn't be disabled...however, I would say ONE of the two needs to be renamed: those accounts that conflict with IPv6 addresses, or IPv6 addresses themselves for edit summaries and the like. (Thus my suggestion for prepending something like "v6".) Ideally, this wouldn't be an issue, but unfortunately it is. :(

It's a problem that my own account has its current username...it doesn't nominally conflict with any IPv6 address, but the CURRENT Mediawiki software actually parses the same as with "::" appended which does conflict! Kind of a multi-pronged problem here. :) – 2001:db8:: (rfc &#124; diff) 06:44, 20 January 2012 (UTC)
 * I'll have to file these to Bugzilla. Hopefully MW 1.19 will fix these.Jasper Deng (talk) 06:45, 20 January 2012 (UTC)

Then again, you'd noted here that Mediawiki internally expands IPv6 addresses to put a single zero in each unused section (so no :: but also no extra leading zeroes) for anon-IPv6 users as a standardisation measure. User:2001:DB8:0:0:0:0:0:0 would be an anon-IPv6 page (removing the :: shortcut, suppressing leading zeroes, forcing hexadecimal digits to uppercase), but the equivalent 2001:db8:: address written in any other format would not. An attempt to register 2001:DB8:0:0:0:0:0:0 as a user name does indeed fail with "Log in / create account Jump to: navigation, search Login error You have not specified a valid user name. " 66.102.83.61 (talk) 20:46, 14 April 2012 (UTC)
 * The problem then is usernames from before that filter was put in place.--Jasper Deng (talk) 00:42, 15 April 2012 (UTC)


 * There are only a couple of usernames with user:2001::1 (user talk:2001::1, special:contributions/2001::1) or similar (and the name *must* have the :: or all eight words of address to be an IPv6 address, 1234:5678 and the like are not IPv6 addresses. Neither of these addresses have ever had any contribs and it is not possible to register any more of these. Even for the pair that exist, the most that will happen is that an attempt to view user:2001::1's user/talk page will return anon-IP user:2001:0:0:0:0:0:0:1's page - which also is a redlink like this one. Nothing terribly interesting breaks here. 66.102.83.61 (talk) 07:04, 15 April 2012 (UTC)
 * Yeah, but we need to find a way to hunt down all such usernames and do a mass rename. That isn't something we can do on-wiki because the most efficient way is via the database directly.--Jasper Deng (talk) 19:06, 15 April 2012 (UTC)

Could you set out up to date guidance on: I'm guessing that most non-canonical technically-valid IP address representations are invalid as usernames (such as with one or more leading zeroes, lowercase hex or non-standard use of double-colons), so relatively simple regexes would be sufficient for most tools.
 * the canonical IPv4 representation within MediaWiki (I think this includes legacy addresses with the last octet anonymised, such as "123.45.6.xxx")
 * the canonical IPv6 representation within MediaWiki (as shown on watchlists etc)
 * the simplest username regex guaranteed to be an IPv4 editor
 * the simplest username regex guaranteed to be an IPv6 editor
 * the simplest username regex guaranteed not to be an anonymous editor?

The MediaWiki canonical representation seems to be identical to the RFC recommendation but with uppercase hex (which makes sense, as it avoids inconsistencies with MediaWiki's tendency to capitalise letters after namespace colons).

— Richardguk (talk) 17:49, 14 June 2012 (UTC)
 * There are functions like isIPv6Address in Javascript available for MediaWiki (I'm sure it's also used by MediaWiki's PHP code), so coders generally don't need to think of that.--Jasper Deng (talk) 18:04, 14 June 2012 (UTC)

Blocking ranges/methodology
I think it might be a good idea to revisit the basic concept of blocking addresses. Currently, I've seen IPv4 /32s blocked normally, unless some larger block is causing problems. You're suggesting blocking /64s...which makes complete sense on the surface, since the "usual" home allocation or end-node allocation is a /64 these days. However, consider that only a single address is used if this is an end-node allocation, and if it's a home allocation, that /64 might just support a few computers. It might be better to just block /128s; in fact, in order to preserve the most amount of constructive editing, I'd guess it'd likely be best to initially just block /128s. We might get, say, schools or offices or whatnot where someone can't edit since some random person in that same /64 managed to get blocked.

It might be good to consider a two-tiered system for blocking here; it's of course easier for an end node to get its own IP, but it's actually harder for it to get a more unique IP than with IPv4. (Since you might have a bunch of cable users in the same /20 or whatever, but now you have an extra tier with, say, each user on a /64 and each system within that given a /128 within that /64.)

Anyways, I think blocking in general needs to be thought out better for a proposal like this. Other thoughts on this are appreciated...I have a few more myself, depending on what others' views on this are. I have a few more qualms as well, so those are just my initial thoughts. It may also be better to have a system where certain blocks are classified in a more-specific way (e.g., not just manually listing out tunnelbroker/sixxs vs comcast-sized blocks), in an automated fashion, for blocking... – 2001:db8:: (rfc &#124; diff) 06:53, 20 January 2012 (UTC)
 * I think somehow we need to find out whether addresses are dynamic, and if so, how much.Jasper Deng (talk) 06:56, 20 January 2012 (UTC)
 * Right, this is sort of what I was getting at...I think an initial block is best targeted at a /128, but if there's still vandalism from, say, that same /64, then it should be easy to block the whole /64. (E.g., maybe a normal user would even be able to apply a block to the /64 if an admin had already blocked the /128 in the last N minutes.) This is more complicated and such than current blocking mechanisms, obviously, but addressing is going to be quite different under IPv6. Seems better to me to block /128s initially...any single user is going to be on the same /128, unless switching computers, in almost all cases. The few cases that will requires blocking within the same /64 for the same vandal will, I'm guessing, be fairly rare by comparison...

As far as "whether addresses are dynamic", the answer is basically "yes." Another part of not blocking /64s is that a reallocated /64 (in the case of dynamic addressing) is going to have different /128s under it than the original block, since the last bits will generally be different. So if you inherit a "poisoned" /64 from someone who WAS blocked, that wouldn't necessarily prevent you from editing in the same block if only the /128 was blocked.

Also, this reminds me that many systems use Ethernet MAC-based addresses for the last 64 bits of their address. It might actually make sense to do a REVERSE block on those addresses (e.g., block the MAC address there.) Perhaps on top of the regular /64 block even...lessens repeat abuse rates. [Edit: I mean possibly block the LAST /64 with an inverted netmask in addition to the first /64, simply because unique MACs will show up more with IPv6. Have to make sure this doesn't hit normally-allocated ranges, through both range-checking and entropy checking even, so that could be a difficult proposition.]

This all gets pretty complicated, obviously. The simplest thing to do is probably to block /128s. I wouldn't suggest blocking /64s, but the one "complicated" thing worth doing might be to allow regular editors to block /64s that a /128 is actively blocked from. – 2001:db8:: (rfc &#124; diff) 07:05, 20 January 2012 (UTC)
 * Not all operating systems will use the same MAC address. Because most vandals in homes use all their devices, we want to restrict all of their devices. For schools, a /64 typically should be blocked because the same goes for them, and the usual instructions apply. In many cases a single IPv4 address represents everyone, so that's my justification for using /64 similarly to single IPv4 addresses. As for special addresses, we could make a Javascript gadget to display WHOIS entries, which are far more important for IPv6 than IPv4.
 * The workplace is somewhat different; large companies usually have full IPv4 ranges, so single address blocks should be used initially in those cases and if abuse occurs, the /64 and so on.
 * Because rangeblocks are based solely on CIDR notation, we currently can't use them to reverse-block. We also have no knowledge of whether the user self-configured the address (many long-term abusers would like to do that).Jasper Deng (talk) 01:42, 21 January 2012 (UTC)

Move
I would move this somewhere under Wikiproject IPv6. It could even be merged with the main project page, just keep the current page's intro, goals, scope, participant list, and nav boxes. Equazcion ( talk ) 20:59, 25 Mar 2012 (UTC)
 * I'd move it too. But first, an RFC.--Jasper Deng (talk) 01:37, 14 April 2012 (UTC)

- Autoblock can only block the IP address the user is coming in on *right now*. That will be either IPv4 or IPv6, but not both at once. As soon as the browser gets a valid IPv6 connection, it stops trying to connect in IPv4. The only way you'd be able to guess both an IPv4 and an IPv6 address in one connection attempt is if the IPv6 version is requested, but using some sort of gateway (Teredo, 6to4) which encapsulates addresses. A native IPv6 address does not provide any clue to the user's IPv4 address (or vice versa) except to identify an individual origin ISP.
 * Bi-protocol blocks and autoblocks: Blocks that affect both protocols simultaneously. This would be most useful for Tor nodes, proxies, and Dual Stack clients.

- Again, either the user request arrived in IPv4 or IPv6, not both. If a user is on multiple addresses (for instance, a dynamic IP) that already is logged in CheckUser regardless of protocol.
 * Bi-protocol CheckUser: Log both IPv4 and IPv6 addresses for users.

- Um, how?
 * Identify anonymous users by both addresses.

- Why? If one computer in an office is used to edit a page, do we really want "You have new messages" showing up on every computer in the same /64 block just because that edit received a pointless talk page comment in response? 66.102.83.61 (talk) 22:31, 14 April 2012 (UTC)
 * An IP address' subnet's talk page needs to trigger a "You have new messages" notice for all affected IP addresses;
 * I disagree with everything in your comment, except your last point. I was pretty sure that PHP had functions to get both addresses, but I don't really know of that. If it's possible, bi-protocol CheckUser would be helpful for people who use tunnelbrokers that give little clue about the real location of their users, especially those with few POPs. OK, for the last point I think this is good for mobile clients and other places where addresses are highly dynamic, but probably not for a whole office building.--Jasper Deng (talk) 00:45, 15 April 2012 (UTC)


 * PHP can only get what it is passed from the HTTP packets. There's nothing in the packet body which indicates the client's IP addresses and the packet header only contains one source and one destination address - which must be in the same protocol. $_SERVER['REMOTE_ADDR'] returns one address, not two. The underlying HTTP spec RFC2616 uses a request message body like:


 * GET /pub/WWW/TheProject.html HTTP/1.1
 * Host: www.w3.org

or:
 * GET http://www.w3.org/pub/WWW/TheProject.html HTTP/1.1

which contains no additional client IP addressing info. The one address in the packet header is all that is available - and it'll be IPv4 or IPv6 (depending on packet type) but not both. 66.102.83.61 (talk) 07:04, 15 April 2012 (UTC)

RFC
Please comment on the validity of what this page describes; consider it to be under the scope of WikiProject IPv6 readiness. I'd like the following to be addressed: While this discussion is going on, feel free to make copy-edits and other improvements to this page; don't let the fact that it's in my userspace deter you.--Jasper Deng (talk) 01:43, 14 April 2012 (UTC)
 * 1) Do you agree or disagree with the contents of this page? Describe each part in detail.
 * 2) Is this ready to be made an official proposal, at least under the WikiProject? If so, should the page be kept as a whole or split, and if the latter, how?
 * 3) World IPv6 Launch is coming in under two months, and the WMF plans to participate in it. Do you believe this is realistic?
 * 4) If you developed, are developing, or maintain a user script that does certain things related to user IP addresses, what are you doing to prepare for IPv6 if you have not done so yet?
 * 5) For any of the listed issues that you consider valid, what do you think would be the best solution for each of those particular issues?
 * 6) Of how much value would using Wikimedia Labs to test IPv6 be? How much do you believe there is to test, and what? See 35947 for background.
 * As far as #2, I think it can safely be moved under the wikiproject. Let people make whatever changes are needed by seeing and editing the document there. That's what the wiki and the wikiproject are for -- there's no need to have a solid draft ready before it goes there. The project is there for people to collaborate on crafting goals etc.  Equazcion  ( talk )  20:58, 14 Apr 2012 (UTC)
 * At the moment, what little info is available on IPv6 seems to be scattered in too many places already, we have WikiProject IPv6 readiness and IPv6 initiative plus whatever's listed on IPv6 support (the manual and roadmap, wikitech, bugzilla...). These really don't need to spill into userspace too. As for blocking non-routeable addresses like ::1? I don't advise it, user:127.0.0.1 by definition is the Wikimedia server and therefore would fall under any prohibition of attempts by admins to block WMF-owned machines (let's block Squid! let's block Varnish! oops!). Blocking Teredo, 6to4 and the like is only useful if the vandal you're trying to block is coming in with both IPv6 and IPv4 addresses (rare, a standard browser will use just the IPv6 if it exists, instead of alternating between protocols randomly) and the two addresses are related (which they won't be if ISP's ever start deploying proper native IPv6 on the last mile on any scale). Expect only a fraction of one percent of problem users to have IPv6 and an even smaller fraction of those to have the specific tunnels mentioned. Effectively, it's just another obscure block of dynamic IP addresses - same as pools of dial-up modems, xDSL and the like. If some particular block of addresses is abused, it's blocked... if not, it's ignored.
 * Odds are, existing blacklists of known problem addresses (such as DNS BL's, botscout or Project Honeypot) will be of limited utility in IPv6 as the underlying lists are currently IPv4. That could change if the keepers of the blacklists themselves add IPv6 awareness first, but not before. 66.102.83.61 (talk) 21:25, 14 April 2012 (UTC)
 * I disagree - I feel that the vast majority of our IPv6 clients will be using a tunnel of some sort. 6to4 is quite easy to setup in Apple Airport 5.6 or (less easily) with Windows Internet Connection Sharing, so that's my reasoning behind an IPv6 6to4 blocks. I also feel that some rather unreliable tunnelbrokers may act as "broken" half the time. But wait, did I really say to block ::1 etc.?--Jasper Deng (talk) 00:48, 15 April 2012 (UTC)
 * Those using Hurricane Electric's tunnelbroker service can experience problems with IPv6 connectivity if the global IPv4 address assigned to the CPE changes if the tunnel endpoint is not updated. I have experinced this myself when my modem resets. For this reason we need to be able to block both address types. – Allen4names 07:09, 15 April 2012 (UTC)
 * HE is probably not going to be a consumer tunnel-broker.--Jasper Deng (talk) 19:05, 15 April 2012 (UTC)
 * If the global IPv4 address assigned to the CPE changes? They usually end up re-blocked under the new address if they're still vandalising pages. That much exists now. I don't see how IPv6 changes this. They change IP address, they vandalise, reblock 'em. The end result is still two separate blocks on two different addresses; we don't have evidence they're both the same person, but if both addresses are causing WP:VANDAL issues, both end up blocked independently. There isn't a way for anyone other than he.net to identify an IPv4 based just on the numeric address of a tunnelbroker /64 pair so all we can do is block any addresses from which the spam or vandalism arrived, individually. 66.102.83.61 (talk) 17:46, 15 April 2012 (UTC)
 * My concern is that IPv6 addresses are like a hundred times more dynamic than IPv4, and probably change on like an hourly or daily basis as opposed to IPv4's monthly or annual basis.--Jasper Deng (talk) 19:05, 15 April 2012 (UTC)
 * My ISP has rolled out IPv6, and I can confirm that my leases are twenty-four hours in length, and the lease is never renewed - I'm handed off to some other unrelated address that doesn't share any characteristics with the earlier one that I can identify (as with IPv4, say, you were in the 74.x.x.x pool, you always got a 74.x.x.x address). St John Chrysostom ΔόξατωΘεώ 15:28, 22 April 2012 (UTC)
 * No dice unless confirmed that all users are able to connect to IPV6. Mr Little Irish  (talk) © 15:18, 2 May 2012 (UTC)
 * Full IPv6 support will not be realized for a decade - we will have both kinds of users for that period.--Jasper Deng (talk) 17:35, 2 May 2012 (UTC)
 * Then I don't see any point switching the project to IPv6 until then. I suspect the servers have static addresses now and IPv6 will be able to access IPv4 sites. If the project was to switch before all users, alot of users who don't have any plans to upgrade will not be able to connect to the project. Mr Little Irish  (talk) © 17:48, 2 May 2012 (UTC)
 * Both IPv4 and IPv6 users will be connecting to Wikipedia once the date hits. That's a given. MediaWiki is already updated to provide IPv6 access. The question is just whether all our scripts and tools are are ready to accommodate them, and if something will start breaking down when, say, a script or anti-vandal tool needs to place a warning on an IPv6 user's talk page (simple example).  Equazcion  ( talk )  19:03, 2 May 2012 (UTC)
 * We will maintain our IPv4 access. This is just when we enable IPv6 access. For example, the navigation pop-ups gadget needs to start recognizing IPv6 addresses.--Jasper Deng (talk) 19:43, 2 May 2012 (UTC)

Basic IPv6 info
Could you add a few short sentences about what IPv6 is? This page is really inaccessible for the non-techies among us and, as I pointed at Talk:IPv6, the Wikipedia article doesn't really help here. --Philosopher Let us reason together. 03:44, 3 June 2012 (UTC)
 * ✅, though my intended target audience is people who regularly deal with things like rangeblocks.--Jasper Deng (talk) 03:52, 3 June 2012 (UTC)
 * Thanks. I realize I'm not in your target audience, but this helps.  A lot.  --Philosopher Let us reason together. 21:35, 3 June 2012 (UTC)

Mentioned in blog
The Wikipedia blog talks about IPv6 deployment, and links to this page. Brace for incoming traffic! :) Best, Jesse V. on his phone, 74.124.115.247 (talk) —Preceding undated comment added 15:59, 9 July 2012 (UTC)

Privacy Extensions
I've just been reading IPv6 - this suggests to me that more or less every communication with wikipedia, the user will seem to have a new IP address. Am I understanding this correctly? And if so does this mean every IPv6 block is going to be a range block? Egg  Centri  c  12:42, 15 July 2012 (UTC)
 * No and no. I feel that in most cases users won't get a new IPv6 address that often - they'd only do so on a reboot of their computer. Blocking ranges by default is not a good idea (unlike what some "expert" tried to recommend on Meta). You don't know how many people will be affected - one subnet can have anywhere from a single person to hundreds of people on it.--Jasper Deng (talk) 16:49, 15 July 2012 (UTC)
 * Actually..... the default timer on privacy extension addresses is 7200 seconds, thus 2 hours. As such, every 2 hours a user will get a new IPv6 (privacy) address. Note that Privacy addresses do not follow the standard EUI-64 format (ff:fe in the middle) thus can be recognized as such. Hence if one sees 64bits of randomness it is a privacy address. IMHO, if you see multiple addresses from the same /64 causing some form of "abuse", contacting the abuse@ in WHOIS is the first step (which should solve the problem), putting a temp edit-block for non-logged-in users is the next. If further abuse comes from the same /48, then check WHOIS if that is a /48 prefix, if so, temp edit-block that. Just my POV though. Contacting the abuse@ address (abuse-mailbox in RIPE whois) is a good start though to resolve things. Of course check the IPv6 page (of which this is the talk page) for details on this. — Preceding unsigned comment added by JeroenMassar (talk • contribs) 09:50, 29 October 2014 (UTC)

very large rangeblocks
Referring to anything broader than /48 as to “very large” is wrong – /48 is comparable to roughly /21 in IPv4. /40 may represent an entire pool of a large ISP and IMHO is “large”; something which is “very large” should only begin there. Anyway, respect for this essay as it doesn’t contain this stupid “some quintillions of IP addresses” discourse of WP:Blocking IP addresses – the minimal unit which can practically be counted in the v6 Internet is /64. Incnis Mrsi (talk) 11:52, 10 January 2019 (UTC)
 * The Wikimedia Foundation's allocation in the USA is a /46 and it is no small organization. The House and the Senate both have similar-sized ranges and have /16 IPv4's. So I think the "very large" label is appropriate in terms of collateral damage potential. Also, "the minimal unit which can be practically be counted in the v6 Internet is /64" – this is quite false for mobile networks that concentrate many users in one place. This is why I'm not advocating blocking /64's by default.--Jasper Deng (talk) 20:52, 29 March 2019 (UTC)
 * You missed the point – the minimal unit which can practically be counted . Surely a sub-/64 block can make sense, including one of an individual IPv6 (for a short time). Lower 64 bits of the source IPv6 are some data, like any else. Imagine a sysadmin who filters incoming traffic. Different attributes can be used for it, such as: allow src_ip=trusted.ip.example ∧ dst_port=important_service, reject src_ip=leaky.server.example ∧ src_port≥49152. Or, with the 20th-century identd on the source machine, even owners of processes can be determined… but all these things are not units. In IPv4 the unit is an address, they are counted (as practical items), whereas nobody would count (in hundreds, thousands, millions…) elements of such sets as IP_addresses × TCP_ports. It’s the latter which is comparable to individual IPv6 addresses. As for “Wikimedia Foundation… is no small organization” – in terms of what? It is not a service provider to end users, nor is it really large as an enterprise. Wikimedia’s rôle in Internet is serving users from Internet (not quite similar to, say, a government branch having hordes of employees), and for almost all Wikimedia services a handful of IPs really matter, one set in the US and another in Europe. It is silly to assume the same kind of address space requirements for Wikimedia and for organizations whose Internet activity is shaped by users. Incnis Mrsi (talk) 15:20, 30 March 2019 (UTC)
 * I did not miss the point. I reject the point as incorrect. Since we are concerned with blocking individual people, and individuals use individual IPv6 addresses, the individual address remains the unit of counting here. 2000 addresses being used in a /64 is a different story from 1 or 2 so it makes no sense to count them the same. The TCP port analogy is invalid because any given user, even in a NAT situation in IPv4, will use multiple ports, and an undetermined number of them simultaneously (for various applications). This is not true for IPv6 addresses: users use only one at a time. This becomes especially absurd for webhosts that distribute addresses for their customers from a single /64, which is perfectly valid technically since they all live on the same subnet, but for which clearly we cannot count it as one entity.
 * You seem to be oblivious to the fact that the foundation has to run multiple datacenters with hundreds of servers, on its own autonomous systems with BGP and everything, not to mention its offices, which have hundreds of end-users. And you didn't contest the House and Senate examples. In practice, blocking ranges larger than /48 almost always results in collateral damage. Such ranges in IPv4 would be described as "very large". So I am carrying over that terminology.--Jasper Deng (talk) 20:38, 30 March 2019 (UTC)
 * The nearest range size in IPv4 above (non-existent) /48 is /32. Incnis Mrsi (talk) 18:32, 10 April 2019 (UTC)