Roku Doesn't Support IPv6 and It Might Be a Big Deal

As highlighted by Daring Fireball's John Gruber, Roku doesn't support IPv6 -- a next-gen Internet Protocol standard intended to eventually replace IPv4, the protocol many Internet services (including Roku) still use today. "DingleBog3899" writes on the Roku community forum: I work for a Native American tribe in the PNW. We scrambled to get the reservation reliable internet in the later part of 2019. We managed to cover most of the reservation with wi-max and wifi with a fiber back haul configuration. We are now slowly getting more stable and reliable fiber to the home(FttH) service installed to as many homes as we can, but it is slow process covering the mostly rural landscape doing all the work in house. Our tribal network started out IPv6, but soon learned we had to somehow support IPv4 only traffic. It took almost 11 months in order to get a small amount of IPv4 addresses allocated for this use. In fact there were only enough addresses to cover maybe 1% of population. So we were forced to create a very expensive proxy/translation server in order to support this traffic.

We learned a very expensive lesson. 71% of the IPv4 traffic we were supporting was from Roku devices. 9% coming from DishNetwork & DirectTV satellite tuners, 11% from HomeSecurity cameras and systems, and remaining 9% we replaced extremely outdated Point of Sale (POS) equipment. So we cut Roku some slack three years ago by spending a little over $300k just to support their devices. First off I despise both Apple and that other evil empire (house of mouse) I want nothing to do with either of them. Now with that said I am one of four individuals that suggested and lobbied 15 other tribal nations to offer a new AppleTV device in exchange for active Roku devices. Other nations are facing the same dilemma. Spend an exorbitant amount of money to support a small amount of antiquated devices or replace the problem devices at fraction of the cost. "Now if Roku cannot be proactive at keeping up with connectivity standards they are going to be wiped out by their own complacency," adds DingleBob3899. "Judging by the growing number of offers to replace their devices for free their competitors are already proactively exploiting that complacency. When we approached Apple to see about a discount to purchase a large number of their devices, for the exchange, they eagerly offered to supply their devices for free."

NAT?

[GotNoRice]

Between the use of NAT and 6to4 translation this should be a complete non-issue. Why do they need so many IPv4 addresses?

Re:

[thegarbz]

CG-NAT is not cheap. There's a big difference between you NATting a few shitty computers in your house and doing it on a community ISP level supporting multiple FTTH installations along with their bandwidth requirements.

Re:

[CohibaVancouver]

There's a big difference between you NATting a few shitty computers in your house

But isn't the Roku just another shitty computer in your house that you are NATing? I'm pretty sure my fiber connection to my house is IPv6 but everything after the router in the house is IPv4.

Re:

[Bert64]

Unlikely...
CGNAT is not so common yet on fixed line connections in developed countries, because it's expensive to implement and operate. ISPs that have been around long enough to have enough legacy ip to give one to each customer.

Giving each user their own legacy IP and having their own device to NAT is how it works in developed countries. The device only needs to handle 1gbps of traffic maximum and a small handful of active connections. You will probably find that if you open hundreds of active connections

Re:NAT?

[Spazmania]

CGNAT is used by StarLink among others. It typically folds customers into algorithmically-selected port ranges on an IP address so that it doesn't have to log every connection in order to address with abuse reports.

Mobile carriers tend to use a different technology: 464xlat. Software on the phone translates the IPv4 packet to an IPv6 packet, and then the carrier's NAT device translates it back to an IPv4 packet. It shares some similarities with CGNAT but avoids the dual stack network cost.

Re:

[Bert64]

CGNAT is used by StarLink among others. It typically folds customers into algorithmically-selected port ranges on an IP address so that it doesn't have to log every connection in order to address with abuse reports.

That's assuming that the target being abused logs the source port - which many things do not by default (or at all), for instance Apache logs.
That also limits each user to a limited set of source ports, and thus the number of users supported per device. According to the article, they have enough legacy IP to cover 1% of their population which means that each NAT gateway would be supporting 100 users, leaving just over 60 ports per user.
StarLink performance isn't too great by all accounts, i would be curious

Re:

[bill_mcgonigle]

Yes, UDP4 is broken on Starlink.

If you want to connect to two Wireguard servers they will need to have different port numbers.

It's a pain but IP redirect on the other end helps.

Re:

[Bert64]

Yeah that's the point, NAT breaks things. Exactly what is broken can vary depending on implementation and other conditions. NAT is inferior to a fully routable connection and requires all kinds of kludgy workarounds, which waste resources and potentially introduce new problems, increase costs or impair performance.

Try wireguard over IPv6 and you won't have this problem.

Re:

[Spazmania]

That's assuming that the target being abused logs the source port

Yep, that's how it works. If you haven't logged the full 5-tuple and timestamp, the abuse desk can't help you.

That also limits each user to a limited set of source ports, and thus the number of users supported per device

Again correct. But here's the magic: one port is not limited to one connection. Multiple connections can use the same source port as long as the remote IP addresses are different. The socket stack on your PC will only do that on the side receiving the connection, but the protocol itself isn't bothered by port reuse in either direction. So long as it has unique 5-tuples, it's happy.

How many times do

Re:

[Bert64]

Yep, that's how it works. If you haven't logged the full 5-tuple and timestamp, the abuse desk can't help you.

Try telling that to a court which has ordered you to identify a customer that uploaded some terrorist or pedophile content.
Explain to the court why you can't identify a customer based solely on IP address, when other ISPs were able to comply with the court's demands.

Re:

[Spazmania]

Try telling that to a court which has ordered you to identify a customer that uploaded some terrorist or pedophile content.

"We seek to quash the subpoena on the grounds it was overly broad. Our technical expert is prepared to testify as to why the information provided by law enforcement is insufficient to identify the information they seek. Were law enforcement to provide additional information X in the subpoena, we believe it likely we could narrow identification to a single customer account."

But you won't have to say that because it turns out law enforcement folks aren't fools. You'll explain it to their technical expert who'

Re:

[Etcetera]

The only reason ISPs most places implement logging in the first place is because they like tracking you.

That's absolutely not correct. Any ethical and responsible ISP will want to kick spammers and network abusers of their network (or they'll hear it from their peers), and most ISPs also want to keep people doing very, very illegal things getting the attention of the Feds off their network, for reasons which you can put in any order you like.

VPN providers for whom everything is anonymous and likely outside of their jurisdiction are one thing. ISPs themselves very much are OK with cooperating and getting rid o

Re:

[WaffleMonster]

Again correct. But here's the magic: one port is not limited to one connection. Multiple connections can use the same source port as long as the remote IP addresses are different. The socket stack on your PC will only do that on the side receiving the connection, but the protocol itself isn't bothered by port reuse in either direction. So long as it has unique 5-tuples, it's happy.

How many times do you need more than 100 parallel connections to the same remote IP address? Not many, even for power users.

Remember not too long ago doing some product testing over a NAT with similar restrictions. I would browse around for a bit just fine and then start getting hit with crazy lag I didn't expect. Between wireshark and pulling state from the NAT I quickly realized my mistake. It's not the amount of parallel connections that is the limiting factor. It's the number of slots in the NATs state table waiting to forward the tails of long since forgotten TCP sessions that is what actually mattered.

Re:

[Spazmania]

Sure. CGNAT has a massive state table it has to maintain, and you have to buy a beefy enough box to implement it.

Re:NAT?

[ledow]

"NAT gateway has to handle hundreds of users and many thousands of active connections. It also needs to log each of them so that if there are any abuse reports they are able to trace the connection back to the actual customer that originated it."

Oh, no, you mean like even the smallest of schools have to do, over leased lines, with thousands of devices, and log everything including full HTTPS inspection of all traffic, for all of their users?

I work in UK schools, including primary, secondary, state, independent (private), boarding and further education. This sort of NAT is literally off-the-shelf stuff nowadays, and "hundreds of users" and "thousands of connections" just shows how out of touch this is.

Also, all logging also applies to IPv6 so adding in IPv4 for those same users adds nothing of note to logging.

Seriously, this is a couple of routing VMs running cloud-based (e.g. Meraki MX Cloud), or on local hardware, a centralised point, and not even HTTPS inspection (which is likely illegal at an ISP and certainly would break SSL certificates without government insistence / hardware to do that).

What you say was true 20 years ago, maybe, but I've seen primary schools that are doing comparable stuff on tiny budgets.

And nobody cares about port-forwarding and static IPs any more, for the majority of Internet users. I manage the above systems and yet for the last 5 years I ran my entire house off a 4G connection - including gaming, CCTV, IoT, NVR, VPN etc. - that was CGNAT'd by just punching holes out to a privately hosted VPN server instead of in (it was far less hassle to do that than deal with trying to get static IPs, track dynamic IPs or port-forwards).

Seriously, if you've got kit managing the backbone traffic - whatever that may be? 100Gbit? - then you've already got kit capable of CGNAT without even batting an eyelid. Either that or your upstream is so pathetic you could do it with an off-the-shelf router or a single VM (e.g. if it was 1Gbit-10Gbit).

And the logging thing is just laughable. I've got systems breaking open thousands upon thousands of SSL connections, generating signed certs for every new connection, and analysing all the traffic inside for keywords, domains, images, etc. in a primary school. I'm sure someone operating an ISP for even the vaguest of charities has kit that could do the same.

Re:NAT?

[Bert64]

How many schools do you think an ISP has to serve, in addition to all of the individual end users?

Routing 100gbps of traffic is much easier than doing NAT, and if you are doing NAT you'll still need to route the traffic too. None of this is free, as mentioned in the article it cost them an extra $300k on top of the IPv6 network they already had running.

ISPs not stuck with CGNAT generally don't log user traffic, there's no reason to. All they want to log is address assignment, and you could have the same address block assigned for weeks or even months at a time which keeps the logs small and easily manageable.

Mobile telcos are by far the heaviest users of CGNAT, and they are also generally the first to deploy IPv6. There's a reason for that. Since you're in the UK, look up the talk given by BT/EE a few years back about their deployment of IPv6 and the costs of CGNAT.

Re:

[lsllll]

full HTTPS inspection of all traffic

How would they do that if they didn't force all the machines to trust their CA and create certificates on the fly in order to do MITM attack?

Re:

[bill_mcgonigle]

My experience concurs with yours.

People without such experience have complaints - see below.

Re:

[jsonn]

For IPv6, you only need to log the prefixes delegated to each user. That can be static or for a non-broken setup done once a way. Very low overhead. Allocating a fixed port range per user is one of the ways CGNAT is done as mentioned by others to get around having to do fine grained logging. But that needs a certain amount of IPs for let's say every 1000 users to work. So no, this requirement is nowhere near as dumb as you make it sound.

Re:NAT?

[WaffleMonster]

Oh, no, you mean like even the smallest of schools have to do, over leased lines, with thousands of devices, and log everything including full HTTPS inspection of all traffic, for all of their users?

Scales of data usage and expectations are in completely different universes between schools and ISPs. Anyone can put up a system at a local school that forwards a gig or two with NAT and TLS inspection on commodity hardware. BFD.

For storage your options are either record flows or do port range allocations and record the allocations. Allocations require a larger pool of public IP addresses due to limitations on pool size and effects on user experience. Recording flows at scale for any amount of time is very expensive.

I work in UK schools, including primary, secondary, state, independent (private), boarding and further education. This sort of NAT is literally off-the-shelf stuff nowadays, and "hundreds of users" and "thousands of connections" just shows how out of touch this is.

Also, all logging also applies to IPv6 so adding in IPv4 for those same users adds nothing of note to logging.

Yea it costs nothing for ISPs to log all their traffic flows for 6 months. I also have some prime Florida real-estate you might be interested in.

Seriously, if you've got kit managing the backbone traffic - whatever that may be? 100Gbit? - then you've already got kit capable of CGNAT without even batting an eyelid. Either that or your upstream is so pathetic you could do it with an off-the-shelf router or a single VM (e.g. if it was 1Gbit-10Gbit).

Anyone can do a few gigs on commodity hardware. Beyond this there is a significant cost and complexity difference between simple forwarding ASICS and CGN.

While it's no consideration for a school - ISPs don't have the luxury of filling up racks with commodity PCs to handle all of their routing.

And the logging thing is just laughable. I've got systems breaking open thousands upon thousands of SSL connections, generating signed certs for every new connection, and analysing all the traffic inside for keywords, domains, images, etc. in a primary school. I'm sure someone operating an ISP for even the vaguest of charities has kit that could do the same.

Good for you but your experience does not scale.

Re:

[thegarbz]

Oh, no, you mean like even the smallest of schools have to do, over leased lines, with thousands of devices, and log everything including full HTTPS inspection of all traffic, for all of their users?

No. Nothing like this. Schools don't guarantee their users any form of traffic nor do individual users pay for internet with the expectation of a certain speed. Also when you do try to meet higher bandwidth end user requirements in a significantly sized company or organisation it gets very expensive very quickly, which is the whole point of the discussion.

You do not support 100s of users each with their own 1gbps FTTH link in your school. Equating a school to running a mini ISP is incredibly ignorant.

then you've already got kit capable of CGNAT without even batting an eyelid.

No you

Re:

[thegarbz]

CGNAT is not so common yet on fixed line connections in developed countries

Errr yeah it is. Heck in much of Europe right now you'll only get an IPv4 connection if you sign up to a business account with a major telecoms provider. /Disclaimer: I run a business account precisely because in one of the western countries with the world's top 10 internet speeds and availability I am forced to do so or accept CGNAT.

Re:

[Bert64]

Ahh it's even worse then.
Generally the large incumbent telcos in developed countries have lots of legacy address space, a declining customer base and a saturated market, so they can avoid having to implement CGNAT. Any new competitors entering the market have no choice and are stuck with CGNAT and all the costs/problems it entails.

In developing countries even the incumbent telcos don't have large pools of legacy address space and no cost effective way to get any.

Re:

[thegarbz]

But isn't the Roku just another shitty computer in your house that you are NATing?

They aren't NATting Rokus, they are NATting customer FTTH endpoints. Would you be happy with a 1Gbps connection for some devices randomly (it is random for you end user, you don't understand IPv4 vs v6 and how devices may preference one or the other) running at 50Mbps if your ISP's excuse was "but you only use your Roku why would you care!"

Re:

[Bert64]

You can't announce a block smaller than 256 addresses via BGP, the hardware for doing large scale NAT is not cheap, nor is the operational cost of keeping it running and all the logging required to comply with the law. You won't get any block from the RIRs any more, you're stuck buying at auction and bidding against the likes of amazon and microsoft.
As pointed out it's cost them an extra $300k to support legacy ip, an extra $300k that somehow has to be recouped from the users and can't be reinvested in othe

Re:

[Spazmania]

And the end result is inferior, who wants a connection stuck behind NAT?

Anyone who wants to be about 90% secure without having to think too hard about it. One of NAT's useful properties, from a security perspective, is that devices outside the NAT can't address a packet to a device inside the NAT unless that NAT has been explicitly programmed with a translation for it. Any error devising that translation renders the device inaccessible instead of wide-open.

Re:

[nipslan]

-1, Disagree This isn't quite true... Technically if there is an open translation table any traffic that matches will be allowed in. It isn't impossible to spoof the source. You are most likely just going to hit the applications tcp/ip stack and get dropped, or the OS's tcp/ip stack (windows firewall) and get dropped if the app has already closed the port internally. That said its not impossible to send traffic in, assuming you can monitor traffic out. This also allows for things like remote access connec

Re:

[Bert64]

Incorrect.
You cannot address a packet to a device inside unless you are able to control every device on the path and ensure that it knows where to route the packet.
In the case that you are on an ISP which puts customers into a shared address pool such that nearby users are adjacent to each other, you can indeed send packets destined to internal addresses via adjacent customers.
Wether this works against a specific device and configuration will depend, but it's almost never tested because it's falsely assumed

Re:

[Darinbob]

This is like turning NAT into a cheap firewall. It works, but it's not the intended purpose of NAT. IPv6 should never need NAT and it is discouraged by the IETF, and yet it has been added in because of this desire to use NAT for security (and privacy). Issues like this are holding back IPv6.

IPv6 is the _current_ generation, not the next gen, and IPv4 is the outdated generation. This is like having a souped up PC and running 32-bit applications on it. Sure, you *can* run 32-bit applications on the new PCs

Re:

[sjames]

That excuse is so old and dusty I'm surprised you were able to clean it up enough to be presentable.

You can get exactly the same level of security with a simple IPv6 rule without the overhead of packet rewriting.

Specifically, for each address pair, no inbound packets unless there was first an outbound packet. Periodically age out old table entries.

Even without that, machines inside an IPv6 lLAN are needles in a haystack. The haystack is the size of the entire v4 address space.

Re:

[WaffleMonster]

Anyone who wants to be about 90% secure without having to think too hard about it. One of NAT's useful properties, from a security perspective, is that devices outside the NAT can't address a packet to a device inside the NAT unless that NAT has been explicitly programmed with a translation for it. Any error devising that translation renders the device inaccessible instead of wide-open.

The opposite is true. SPI is MORE SECURE than NAT.

SPI accomplishes everything NAT does without the packet mangling and ALG hacks and their associated security risks.

Re:

[jsonn]

You are wrong. With most NAT implementations, both TCP and UDP connections can be established by some cooperation between the devices involved. Repeat after me: a NAT is no more secure than a stateful firewall with a "block in" default rule.

Re:

[Spazmania]

Security is about depth. It's about what happens when you make a mistake. Is your house still secure when you forget to lock the door? Does an alarm still go off? Does a camera still record intruders? Or is the lock your -only- layer of security?

When you accidentally remove or override the "block in" rule on an IPv6 firewall, Internet probe traffic flows in and reaches the device.

When you accidentally remove or override the "translate in" rule on a NAT firewall, no Internet probe traffic crosses the firewal

Re:

[jsonn]

If your network perimeter is protected by a bike lock, it's not a security feature, but obscurity at most. Period. If you mess up the perimeter firewall, it should not change any security parameter of the network AT ALL, because each network device is supposed to be secured on its own as well. Failing to do so is one of the major reasons we have as many ransomware attacks. It's exactly this layer of "security" provided by NAT that has made bugs in "NAT proxies" so devastating. Quite a few FTP ALGs for examp

Re:

[WaffleMonster]

Security is about depth. It's about what happens when you make a mistake. Is your house still secure when you forget to lock the door? Does an alarm still go off? Does a camera still record intruders? Or is the lock your -only- layer of security?

Security is about achieving real world results. It's recognizing the fact NAT is LESS secure than SPI. It's not about contrived examples that can be arbitrarily applied in an infinite array of circumstances (e.g. mistakes) in order to support desired pre-ordained conclusions.

When you accidentally remove or override the "block in" rule on an IPv6 firewall, Internet probe traffic flows in and reaches the device.

When you "accidentally" enable port forwarding or PNP and the same shit happens then what? Where does this "what if" nonsense end?

Re:

[Spazmania]

Since SPI is a fundamental component of NAT, it's unclear how NAT could be less secure. Unless of course you redefine NAT back to it's original mid-90's meaning that barely anybody used then and nobody at all uses now.

Re:

[WaffleMonster]

Since SPI is a fundamental component of NAT, it's unclear how NAT could be less secure. Unless of course you redefine NAT back to it's original mid-90's meaning that barely anybody used then and nobody at all uses now.

Primarily protocols supported by ALGs in 1:n NAT environment rely on exploitable ambiguities allowing attackers to confuse state tracking systems.

Re:

[Junta]

The thing is that home router devices implement a suitable IPv6 default firewall. Just like you have to go and explicitly assign ports for NAT, you have to go in and declare what services are allowed through ipv6. If the industry had grown up without NAT, maybe the routers would have been wide open by default, but the norm of 'no incoming traffic to residential networks' has carried into the IPv6 era.

It is true that a router could err on the more open side, but it's so easy to get right and every home rou

Re:

[SuiteSisterMary]

Right, we call that a 'firewall,' and that's how they're supposed to work. You block connections to internal devices.

The fact that your firewall is performing the extra step of translating a network address is immaterial.

Re: NAT?

[ArmoredDragon]

You can't announce a block smaller than 256 addresses via BGP, the hardware for doing large scale NAT is not cheap, nor is the operational cost of keeping it running and all the logging required to comply with the law.

What kind of police state requires logging the public internet? And what kind of logging is it? 5 tuple? Or do they also require DNS and TLS handshake data? And if they want DNS, does that mean using DNS over TLS is illegal?

Re:

[Bert64]

Virtually every country in the world requires ISPs to disclose customer information if required by a court order. Usually that court order will specify the IP address associated with some kind of illegal activity. If that IP is shared by multiple customers, then the ISP needs to be able to identify which one was responsible for whatever illegal activity took place.

With regular IP assignment this is easy - customer X had address Y on $DATE. With NAT you need to do a lot more logging in order to be able to un

Re: NAT?

[ArmoredDragon]

Virtually every country in the world requires ISPs to disclose customer information if required by a court order. Usually that court order will specify the IP address associated with some kind of illegal activity.

I'd be very surprised if there was any country that doesn't have laws like these. However, very few outside of dictatorships have any actual data retention requirements for ISPs. The US has none at all, and AFAIK neither do Canada or Mexico, which covers basically all of North America. I know Switzerland doesn't, Norway doesn't, Panama doesn't, Argentina doesn't, and Brazil doesn't.

If that IP is shared by multiple customers, then the ISP needs to be able to identify which one was responsible for whatever illegal activity took place.

That's more than passive data retention, that basically borders on datamining. Unless you're taking about CPE based NAT, then t

Re:

[Bert64]

It stems from the PSTN days, where if someone did something like making a bomb threat call the telco would be required to provide the customer who's line was used to make the threat.
Hence why it applies to CGNAT, but not to CPE NAT since the latter is the same customer as far as the ISP is concerned.
The UK has such legislation, for instance:
https://www.legislation.gov.uk... [legislation.gov.uk]

Data necessary to identify the date, time and duration of a communication 13.—(1) In the case of internet access—
(a) the date and time of the log-in to and log-off from the internet access service, based on a specified time zone,
(b) the IP address, whether dynamic or static, allocated by the internet access service provider to the communication, and
(c) the user ID of the subscriber or registered user of the internet access service.

So you need to be able to tie the IP and user ID together, which becomes very expensive when the ISP uses CGNAT.

There are also articles

Never heard of NAT?

[StonyCreekBare]

Why? This doesn't sound right to me. Some critical piece of the puzzle is missing. IPv4 devices existing behind a NAT on an all IPv6 network is a non-issue.

Re:

[Spazmania]

There's no NAT from an IPv4 client to an IPv6 server. Does not exist.

Re: Never heard of NAT?

[reanjr]

Ok, but doesn't that mean the server needs to support IPv4? And not the intermediary hops, which can tunnel IPv4 over IPv6?

Re: Never heard of NAT?

[ArmoredDragon]

If you don't have IPv4 routing in some way shape or form, it doesn't matter what the server does. Either it supports IPv6 or there's no connectivity. Period.

Re: Never heard of NAT?

[reanjr]

Isn't that what DS-Lite is for?

Re: Never heard of NAT?

[ArmoredDragon]

That's a form of ipv4 routing. You still have to have an ipv4 address somewhere, whether it's NAT or otherwise.

Re:

[amorsen]

Sure it does. NAT46 is a thing, just like NAT64 and NAT44 and even NAT66.

Once a small percentage of sites go v6 only, it will temporarily become a popular feature.

Re:

[hey!]

Sure, I've done the same thing in my home with two or three devices, but I wouldn't jump to the conclusion I could provide service to potentially thousands or tens of thousands of devices this way.

Scale matters. Just because I have no trouble making one of these [wikimedia.org] doesn't mean I'm ready to tackle something like this [wikimedia.org].

Re:

[NicknameUnavailable]

It's an issue because IPv6 is typically very hard for a novice user to secure properly, and default configs don't cut it (likely intentionally.) It reduces the attack footprint by a lot to run all IPv4, so there is a push to IPv6 for IoT and other things so people can buy consumer garbage and have it obfuscated on their network in an easy-to-backdoor manner.

Re:

[amorsen]

Yes IPv6 is a scam to trick you into putting backdoor devices onto your network. You caught us. Damn.

Re:

[thegarbz]

It's an issue because IPv6 is typically very hard for a novice user to secure properly

Nope. Default configs work just fine. State based packet inspection (which is the default on any router when you enable the firewall) is equally as secure as IPv4 NAT, because ... NAT is nothing more than a state-based inspection with a routing rule applied.

Whether you drop packets because you can't recognise the state and the firewall rule has that default set, or whether you drop packets because you can't recognise the state and thus can't figure out the routing end point, the security is the same.

Re:Never heard of NAT?

[thegarbz]

IPv4 devices existing behind a NAT on an all IPv6 network is a non-issue.

Because they don't work at all and therefore there's no issue? You can't route IPv4 over IPv6 magically, you need a 6-to-4 gateway. That may be free for an individual user, but gets very expensive for a commercial one and that's before you consider the performance implications of routing your internet traffic through some remote 3rd party.

I don't understand the problem

[wakeboarder]

Are they complaining about the traffic or the IPv4 addresses? I would think that the traffic would be similar no matter the protocol.

Re:

[Bert64]

Well other competing devices support IPv6, which means the traffic can route directly without having to go via an expensive CGNAT gateway, resulting in significantly lower costs for the ISP (and ultimately the end users) and better performance.

Eff em

[Turkinolith]

Roku devices are mostly phoning home for ads traffic, and they do it obnoxiously often. My Pihole blocks SO MANY Roku pings that it is absurd. Don't support them, eff them on not keeping up with times. it's not YOUR JOB to help support their lack of updates.

Re:Eff em

[Ritz_Just_Ritz]

Exactly. My wife and young kids like the Roku interface which they use to mostly access our own content on our own PLEX server. So I blackhole Roku outbound requests with prejudice on our pihole. We have 3 Roku devices in our home and I see approximately 40k drops from them a day. That's almost 2 orders of magnitude more than the next biggest offender (Amazon).

Best,

Re:

[Inglix the Mad]

"Smart" devices like TV are little better. They phone home constantly with viewing data, i.e. information about what you are watching. LG, Samsung, Sony, Vizio... and many, Many, MANY more...

Re:

[thegarbz]

it's not YOUR JOB to help support their lack of updates.

As quoted by former CEOs of bankrupt businesses elsewhere. "Customer requirements? What are those! How dare our customers expect internet to just work!"

Non-PC warning, accent joke

[Tablizer]

IPv6 won't come out until they release the Haiku. IPv5 will be available on the Midku.

Re:

[Whibla]

IPv6 won't come out until they release the Haiku.

Connected Roku
Drowned in a torrent of ads
Back to Sudoku

Donâ(TM)t support evil Apple, but Roku is oka

[guruevi]

Roku is the epitome of privacy violation. Theyâ(TM)re the ones that generalized the cheap ad-supported always-listening to your content TV set.

Get an AppleTV or an AndroidTV (lol) or tell people about Plex or Kodi and spend $300k (which is well overpriced for a 4-to-6 router for a âoesmallâ population) to host your own TV channel.

Youâ(TM)re an ISP, many ISP provide dual-stack, you can complain about the price of a regular ISP, but at least everything works.

Re:

[Darinbob]

If they're doing this then it's not for their own ad revenue. Roku has very few ads, they're small, they're related to actual content available, and only on the home page or screensaver. If they're using this to target ads then I'm not seeing this happen on the Roku itself and I don't see any ads elsewhere that imply they've figured out what shows I've been watching.

There are no "good" ads

[ihadafivedigituid]

I don't see any ads on my AppleTV except for the occasional HBO Max promo trailer before an HBO feature (which I skip while loudly complaining even so).

I don't want to see any ads, ever. I pay for the streaming services who have the stuff I want, and if I have to pay a little extra to skip ads then I will. Roku can gtfo with their ad supported model.

Re:

[drinkypoo]

Remember when Roku had 0 ads on the home screen? That was the last time it made sense for anyone to run Roku, and that was the only reason.

Now that they have ads like everyone else, but are technically inferior in every way, they are inferior in every way in which they are not the same. You are paying extra for an inferior experience, and defending it too.

Re:

[Darinbob]

Are they ads or just showing content that is available? There are not ads for Chrysler, Coca Cola, etc. How is it inferior to something like Amazon which has ads inside its ads?

Re:

[guruevi]

They "listen" to the content you watch, both on regular TV channels and streaming services and then sell that information. Yes, they also host ads themselves and have ad-supported "free" channels.

Roku's total revenue was 3B last years, 1.4B of that was directly from ads (almost half)

How did they not already solve this problem?

[Guspaz]

If they planned their new ISP to be IPv6 only, and made zero accommodations for their customers to talk to IPv4-only hosts, then how exactly did they expect their customers to talk to the ~60% of Internet hosts that only support IPv4? Most websites are only accessible over IPv4, the IPv6 transition is nowhere near far enough along to completely ignore IPv4.

Re:

[Darinbob]

A 4-in-6 tunnel? Though that can be clumsy I think it can be automated. I have not tried turning off IPv4 to see (not straightforward in windows) but I wonder how many of those web sites really are important to visit? We certainly cannot stay at IPv4 forever, I am baffled that there is still reluctance to move on.

Re:

[Todd Knarr]

It's the other way around. The Roku boxes only support IPv4, so if the local network is IPv6-only there's no way the Roku boxes can talk to anything. The local network needs to support IPv4 (probably using the 10.0.0.0/8 netblock) and do NAT to map the internal addresses onto the limited set of allocated IPv4 addresses. This isn't a trivial task.

Note: this is one sign that the IPv4 address exhaustion is reaching the critical point where supporting IPv6 will no longer be optional. Users don't care about IPv6

Re:

[Junta]

Note that so far in a residential context, I've always seen at least a CG-NAT IPv4 so the residence thinks it's talking IPv4 all the way through (and may be) to an IPv4-only host. As others comment, this is hard on the ISP when used heavily, and Roku has their devices check in to common IP addresses, limiting effectiveness of CG-NAT tricks for port sharing.

I have been on a couple of research institution networks that are 100% IPv6, no IPv4 on the host at all. They employ NAT64 and DNS64 to allow connection

House of Mouse?

[CmdrPorno]

Why does this dude hate Chuck E. Cheese so much?

I don't understand

[Torodung]

My IPv6 outward-facing router provides NAT services to an IPv4 class C home network. Most people have this. Do these folks not have magic, forbidden router technology or something?

Re:

[suutar]

If I understand it right, your NATted IPv4 gets carried over IPv6 to your ISP's world-facing edge and turned back into IPv4, because your ISP has a lot of IPv4 addresses. So does mine. The nation in the story doesn't; they have a few now, probably at great expense, but not enough to act as the world-facing identity for all their users.

I may be completely off, in which case I would appreciate gentle correction, but that's my understanding.

Re:

[Torodung]

That hardly seems like a big problem for Roku. Seems like it's a problem for the indigenous Nation that lacks the IP addresses. Guess they're all switching to AppleTV for free then? Hardly a Roku-killer and seems like it's going to work out just fine.

Click bait then. Thank you for wasting my time Internet. You win this round!

Re:

[drinkypoo]

That hardly seems like a big problem for Roku. Seems like it's a problem for the indigenous Nation that lacks the IP addresses.

It's a problem for Roku because it's not just a problem for tribes, it's a problem for everyone. IP address starvation is a serious problem, IPv6 is the cure, and Roku is standing in the way of progress — and it absolutely does not care about them.

On the other hand, is it a serious problem for them now? Probably not. There's enough other lames out there dragging their feet that they can probably get away with it for quite a while yet.

Re:

[MooseTick]

"IP address starvation is a serious problem"

I've been hearing about how we're running out of IPv4 space since the 90s, yet the internet is still going strong.

Re:

[drinkypoo]

I've been hearing about how we're running out of IPv4 space since the 90s, yet the internet is still going strong.

Yes, that is exactly like Y2K. Specifically, it still works because a lot of people have expended a lot of time and effort, and money to keep it working. In the process it costs a lot of money. And for what? So we can keep some antique operating systems on the internet? Let the users run tunnels if they need IPv4 so badly.

Re:

[suutar]

In large part that's because:
a) a lot of stuff has moved to IPv6, transparently
b) most of the ISPs in the US have enough IPv4 to do NAT smoothly.
So it may not be a serious problem to you, as a consumer, but as the story indicates, it's a real problem for new ISPs.

Re:

[WaffleMonster]

I've been hearing about how we're running out of IPv4 space since the 90s, yet the internet is still going strong.

Running out of IPv4 addresses is a bit like running out of Oil. You never actually run completely out. What does happen is costs keep getting higher and higher as scarcity increases while EROI (value) keeps getting lower and lower due to inability for peers to communicate.

Over time the opportunity cost of failure to adopt IPv6 increases selectively favoring the developed world and entrenched providers who got theirs while the getting was good. Meanwhile everyone else gets scraps while the lucky ones get

Raku Roku

[iggymanz]

Headline made me think successor to Perl had library problems.

Roku...Perl 6.... the swiss army knife with fold outs including bowling ball, fire plug and camel.

I'm more surprised they used Wi-Max

[jfdavis668]

Haven't heard about that in a while.

We phased out browsers that don't support TLS 1.2

[xack]

About 99% of the internet dosen't work unless you have a TLS 1.2 browser. It is the same thing with phasing out IPv4. I bet IPv4 fanboys use Internet Explorer and Flash too. There is a perpetual debate about keeping old crap on the internet. With arguments about ewaste on one side and security on the other. Either update your firmware/operating system or recycle your ewaste. IPv4 only devices were ewaste in 2010.

Neither do I, so all of my stuff works.

[sabbede]

Who the hell builds an IPv6-only network? How many ISPs even provide service that isn't some form of 6-in-4 tunneling?

Whoever setup service for that tribe made a really bad decision at the outset by putting all their eggs in a widely-unsupported basket.

Learn the basics

[laughingskeptic]

There are many low budget ISPs around the world making due with the Quagga open source project to support IPv4 locally with only IPv6 egress. They could also have used any commercial router and provided NATed IPv4 Private IP addresses internally with a cheap DHCP server and then they would have only needed one IPv4 address for the whole project. The consumers would also be safer this way. Why do they want to give their consumers routable IP addresses?

I admire their "just do it attitude", but not their

Cellular providers

[Midnight Thunder]

More and more cellular providers are going IPv6, using NAT64 and DNS64. This means that applications need to support IPv6, otherwise they wonâ(TM)t be able to connect with IPv4 based internet. The experience described on the article should be a canary in the mine for anyone who has been ignoring IPv6, since this is going to become more common.

I am still amazed at new hardware that doesnâ(TM)t support IPv6 out of the box and frustrated when hosting services make it complicated to have IPv6 on the h

Re: Cellular providers

[Midnight Thunder]

Looks like the Nintendo Switch does not support IPv6 from what I reading. That is more than a disappointment. It is shameful for a console released in the last 10 years.

Re:

[MooseTick]

And has that been a problem for any Switch user? If its not an issue, why does it matter?

Re:

[WaffleMonster]

And has that been a problem for any Switch user? If its not an issue, why does it matter?

Given people are complaining in various online forums it would seem the answer is YES.

I'm more concerned Roku doesn't support Ethernet.

[pecosdave]

Seriously - the cable Internet comes into the house where the cable is - under the TV.
The Ethernet ports are on the cable modem, under the TV.
The Roku is plugged into the TV 3 ft from the cable modem. Under the TV.

It's a high rise apartment building and WiFi sucks because multiple that by the number of Roku's on your floor with the same setup plus the floors above and below yours. The spectrum is saturated because everyone is at home watching and bitching about Velma at the same time.

But, if there was an

Re:

[phoenix_rizzen]

Roku Premiere+ and Ultra models (the larger square boxes) support 100 Mbps Ethernet via built-in RJ45 ports.

The soundbar models also support Ethernet, albeit via a USB adapter.

It's only the Express, Streaming Stick, and similar models (the "sticks") that are wireless only. These are also the crappiest hardware in their lineup and should be avoided except as test setups.

Re:

[pecosdave]

They also happen to be the most used versions of their crap.

That soundbar ESPECIALLY should have the port built in.

When you are in charge of developing for the public you cater to the least intelligent denominator, and the cheapest denominator. I am very happy using my NVIDIA Shield.

Is it connected directly?

[bjwest]

Who the hell connects their Roku directly to the internet? The ISPs modem is what needs the IPV6 address, not the devices connected to the modem.

Re:

[Bert64]

They did use NAT, they only have enough legacy IP to support 1% of their population so there is at least 100:1 sharing of legacy address space, and the implementation of all this cost them $300k.
And NAT only gives you partial connectivity, performance will be degraded and some things just won't work at all.

Re:

[_Sharp'r_]

The way NAT works is that you don't need legacy IPs on the inside, you can use private IPs, because they're being translated on the outside.

Why would you assign public IPv4 space, and then NAT it? Do one or the other, either assign an IPv4 address to a user's router, or else use IPv6 w/NAT and configure the internal network to use a private IPv4 network, like every other similar ISP does.

Their explanation of why they care what IP stack a device on a user's internal network is configured for is nonsensical,

Re:Priorities

[jsonn]

Network connections (TCP and effectively UDP as well) are identified by a four tuple of src address, src port, destination address and destination port. If you have concurrent access to a single server, the destination address and port is fixed (e.g. port is 443 and the address is whatever public IPv4 the server uses). Let's say you have only one public IPv4 address. TCP reserves a port for at least 60s after close and in practice, similar constraints can be assumed for UDP, too. So you can have (at most!) 64k connections per minute. or about 1000 connections per second. That's not a lot, especially if you have 100+ users.

Re:

[Bert64]

You still need public legacy IP on the outside of the gateways, and if you have a lot of users you're going to need multiple gateways both for redundancy and handling the load. How many you need will depend on how you have it configured, what type of devices you have, what capacity those devices are and how much user traffic you have. You also need a strategy for mapping traffic to users since the IP alone won't uniquely identify a customer, as you need to be able to identify an individual customer in the e

Re:

[Bert64]

A quick google search will find many users complaining about NAT causing problems with things like gaming, ipsec, ftp, voip etc.
NAT either breaks things, or required workarounds which cause other problems (eg shoving all the traffic through a central server which degrades performance and will stop working entirely once the central server is shut down).
You will also find lots of users complaining that their shared IP is banned from various services despite not having done anything to warrant this ban, or the