You must log in or # to comment.
I know it’s a joke, but the idea that NAT has any business existing makes me angry. It’s a hack that causes real headaches for network admins and protocol design. The effects are mostly hidden from end users because those two groups have twisted things in knots to make sure end users don’t notice too much. The Internet is more centralized and controlled because of it.
No, it is not a security feature. That’s a laughable claim that shows you shouldn’t be allowed near a firewall.
Fortunately, Google reports that IPv6 adoption is close to cracking 50%.
I think NAT is one reason why the internet is so centralized. If everyone had a static IP you could do all sorts of decentralized cool stuff.
Right, not the only reason, but it’s a sticking point.
You shouldn’t need to connect to your smart thermostat by using the company’s servers as an intermediary. That makes the whole thing slower, less reliable, and a point for the company to sell your personal data (that last one being the ultimate reason why it’s done this way).
Everyone having a static IP is a privacy nightmare.
There’s a reason the recommendation in the standard for ipv6 had to be amended (it whatever the mechanic was) so that generated local suffixes aren’t static. Before that, we were essentially globally identifiable because just the second half of your v6 address was static.
IPv4 centralization creates far more privacy issues than everyone having a static IP. The solutions are still things like VPNs and onion routing.
publicly addressable does not mean publicly routable… your router would still not arbitrarily connect untrusted external devices to internal hosts
NAT has the property of a firewall only as an implementation detail. replacing NAT with an IPv6 firewall in the router is an upgrade in every conceivable way
Fine, I won’t invite you to our bi-annual TURN server appreciation event.
You are right, but I wish ipv6 was less shitty of a replacement.
I worked with one of the inventors of IPv6 for a bit of time, and I think knowing Carl really gave me an insight into who IPv6 was invented for, and that’s the big, big, big networks — peering groups that connect large swaths of the Internet with other nations’ municipal or public infrastructure.
These groups are pushing petabytes of data every hour, and as a result, I think it makes their strategists think VERY big picture. From what I’ve seen, IPv6 addresses very real logistical problems you only see with IPv4 when you’re already dealing with it on a galactic scale. So, I personally have no doubt that IPv6 is necessary and that the theory is sound.
However, this fuckin’ half-in/half-out state has become the engine of a manifold of security issues, primarily bc nobody but nerds or industry specialists knows that much about it yet. That has led to rushed, busy, or just plain lazy devs and engineers to either keep IPv6 sockets listening, unguarded, or to just block them outright and redirect traffic to IPv4 anyway.
Imo there’s not much to be done besides go forward with IPv6. It’s there, it’s tested, it’s basically ready for primetime in terms of NIC chip support… I just wish it weren’t so obtuse to learn. :/
There is something there, but mostly I think existing net admins try to map their existing IPv4 knowledge onto IPv6. That doesn’t work very well. It needs to be treated as its own thing.
I couldn’t figure it until I turned my brain off and just read the documentation. I was thinking in IPv4 logic, because everyone had told me it was just “bigger IPv4” - it’s not. It’s so much more, and better.
deleted by creator
Funny how I never once criticized, or even mentioned, IPv6s complexity, yet that is the aspect you chose to so valiantly defend. Quite telling, isn’t it?
My isp and router both claim to have IPv6 but every test site has failed.
There is likely a filter you need to turn off.
We use NAT all the time in industrial settings. Makes it so you can have select devices communicate with the plant level network, while keeping everything else common so that downtime is reduced when equipment inevitably fails.
That’s nothing that can’t be done with a good set of firewalls on IPv6.
This is equipment that uses all statically addressed devices. And ignoring the fact that IPv6 is simply unsupported on most of them, there are duplicate machines that share programs. Regardless of IP version you need NAT anyway if you want to be able to reach each of the duplicates from the plant network.
there are duplicate machines that share programs
yes… that’s why every machine has its own IP address… so that they can both use the same port and you don’t have to connect to crazy bullshit like https://myhomerouter.example.com:8443/
The one thing you can’t do with IPv6 is yell the address across the room to the technician plugged into the switch trying to ping the node.
Good luck trying to find industrial stuff that supports IPv6, hell most of it is still serial.
I have legit heard that serial is security mechanism because it cannot communicate long distance like ethernet.
Of course you can do IPv6 magic that hides IPv6 from the end device, but nobody understands how that magic works.
Of course you can do IPv6 magic that hides IPv6 from the end device, but nobody understands how that magic works.
it’s not magic… it’s a firewall, and it works pretty much exactly the same as a NAT: a whitelist of IP and port combinations
Ipv6 took awhile for me to understand. One of the biggest hurdles was how is it secure without NAT.
In my personal life I will probably “never” intentionally use ipv6.
But it is a DAMNED good sniff test to figure out if an IT/NT team is too dumb to live BEFORE they break your entire infrastructure. If they insist that the single most important thing is to turn it off on every machine? They better have a real good reason other than “it’s hard”
It’s vulnerable af. And I mean really, it’s as bad as Netscalers or Fortigate shit. Like https://www.bleepingcomputer.com/news/security/hackers-abuse-ipv6-networking-feature-to-hijack-software-updates/ or https://www.bleepingcomputer.com/news/security/hackers-abuse-ipv6-networking-feature-to-hijack-software-updates/
Problem is, yes it’s hard to implement but it’s even a lot harder to get it properly secured. Especially because few people are using it, and not securing it is worse than disabling it.
Just a heads up, you linked to the same article twice
Clipboards are also hard
That’s odd, but truly sorry.
And I would consider a detailed argument on why it is more secure to disable it to be a good reason.
Personally? I consider an IT team who don’t know how to secure an ipv6 enabled network to not be competent. But that is a different conversation.
Yeah, I run dual stack without much trouble myself. I believe it is mainly difficult for people because eyeball diagnostics are impossible with 6.
My detailed explanation at my old job is that the dev team was full of idiots who hardcoded ipv4 addresses into their fucking code. Seriously. When we migrated from data center to cloud they had to go patch everything. The CTO wouldn’t do shit about it and the director was just there riding things out until retirement.
Realistically no organization has so many endpoints that they need IPv6 on their internal networks. There’s no reason to deal with more complicated addressing schemes except on the public Internet. Only the border devices should be using IPv6.
Hopefully if an organization has remote endpoints which are connecting to the internal network over the Internet, they are doing that through a VPN and can still just be assigned IPv4 addresses on dedicated VLANs when they connect.
If you don’t have ipv6 internally, you probably can’t access ipv6 externally. 6to4 gateways are a thing. 4to6? Not so much.
And this is why ipv6 will ultimately take another 20 years for full coverage. If it was more backwards compatible from the starting address-wise then this would all have been smoother. Should have stuck with point separators. Should have assumed zero padding for v4 style addresses rather than a prefix
If you don’t have ipv6 internally, you probably can’t access ipv6 externally. 6to4 gateways are a thing. 4to6? Not so much.
I’m pretty sure stateful gateways do exist, but it’s a massive ball of complexity that would be entirely avoided if people just used native v6.
you sir/maam have not seen the netflix talk on using IPv6 for their full internal stack because of inefficiencies allocating IPv4 ranges i’m guessing
I use IPv6 every day and everywhere I can. It solves so many issues in large corporate and ISP network setups. And yes 10. Wasn’t big enough, and NATing is a PitA.
Honestly we just keep pushing it off when it’s not that bad. Workaround after workaround just because people are lazy.
I agree with everything you said but it still doesn’t make me hate ipv6 less.
How much slack did you have in your 10.* network? Or was it literally 16.7 million devices?
16M devices on one network would almost certainly have major scalability problems all its own. SMB chattiness alone . . . shudder.
Skill issue
IPv6 is easy to do.
2000::/3 is the internet range
fc00::/7 is the private network range (for non routing v6)
fe80::/64 is link local (like apipa but it never changes)
::1/128 is loopback
/64 is the smallest network allocation, and you still have 64 bits left for devices.
You don’t need NAT when you can just do firewalling - default drop new connections on inbound wan and allow established, related on outbound wan like any IPv4 firewall does.
Use DHCPv6 and Prefix Delegation (DHCPv6-PD) to get your subnets and addresses (ask for a /60 on the wan to get 16 subnets).
Hook up to your printer using ipv6 link local address - that address never changes on its own, and now you don’t have to play the static ip game to connect to it after changing your router or net config.
The real holdup is ISPs getting ultra cheap routers that use stupid network allocation systems (AT&T) that are incompat with the elegant simplicity of prefix delegation and dhcp.
On my home network I make sure that my PDs are the same as my VLAN IDs so that I can at least know where a device is based on its IP. If I was smart I would also line them up with the IPv4 subnets as well.
Just my perspective as a controls (SCADA engineer):
I work for a large power company. We have close to 100 sites, each with hundreds of IP devices, and have never had a problem with ipv4. Especially when im out in the field I love being able to check IPs, calculate gateways, etc at a glance. Ipv6 is just completely freaking unreadable.
I see the value of outward-facing ipv6 devices (i.e. devices on the internet), considering we are out of ipv4s. But I don’t see why we have to convert private networks to ipv6. Put more bluntly: at least industry, it just isn’t gonna happen for decades (if it ever does). Unless you need more IPs it’s just worse to work with. And there’s a huge amount of inertia- got one singular device that doesn’t talk ipv6 at a given generation site? What are you supposed to do?
90% of industrial devices are still 100 Mbit/s.
I mean that’s of the ethenet capable ones… a huge chunk are still serial
And the rest are pure analog
I was going to say, my friend has to maintain some fucking DOS systems because their ancient embroidery machines only want to talk to software as old as they are, over connections as old as they are.
You’ll be lucky if you find ethernet on them. RJ45 serial is still pretty common nowadays
If you set up your DNS correctly then you don’t even need the IPs. Just give devices unique, human-readable names and maybe do separate sub-domains for each site or something.
For that to work industrial devices have to support DNS in the first place…
Oh, now that you mention it I’ve never tried to map a static DNS entry to a device without DNS. Welp, time to get thousands of raspberry pi’s to act as IP KVMs!
My favorite thing to use IPv6 for is to use the privacy extension to get around IP blocks on YouTube when using alternative front ends. Blocked by Google on my laptop? No problem, let me just get another one of my 4,722,366,482,869,645,213,696 IP addresses.
I have a separate subnet which is IPv6 only and rotates through IP addresses every hour or so just for Indivious, Freetube and PipePipe.
Could you link the privacy extension in question I haven’t heard of it
it’s not a browser extension, its a SLAAC thing https://www.internetsociety.org/resources/deploy360/2014/privacy-extensions-for-ipv6-slaac.
TL;DR is that SLAAC used to use part of your device MAC to form it’s IP, which would be trackable/fingerprintable. Now devices just pick the last 48-bits at complete random on the assumption that no other device is going to have that specific address out of the 4 quintilion available addresses.
edit the RFC https://datatracker.ietf.org/doc/html/rfc4941
Sure, it’s part of the IPv6 spec:
https://www.internetsociety.org/resources/deploy360/2014/privacy-extensions-for-ipv6-slaac/
What is stoping Google from just blocking your entire IP-Block?
Mostly, I’m not big enough to trigger anything there.
Also, since ISPs usually only get a single humongous IPv6 block, it’s actually pretty hard to know what is okay to block. Somebody might be on a /48, /56 or /64 network but they might also just have a single IPv6 address. Since you’re blocking quintillions of IP addresses with each /64 net, the risk of hitting innocent IPs is high.
Also also, I’m not sure if Google is actually prepared for such a case. Since all the requests coming from Invidious just seem like legit unauthenticated requests, it’s hard to flag them on IPv6 when the IPs are fully randomized.
Still, Google is moving towards requiring a login for everything. So I assume that method won’t work for much longer.
This is exactly why ipv6 was never widely adopted. There’s too much power in a limited IP pool.
Define “widely”.
According to Google 46.09% of their traffic is IPv6 and most servers support it. It’s mostly large ISPs dragging their feet.
I think it’s just a few domestic US ISPs. The rest of the world has been happily using it for quite some time.
I have never started using ipv6 so I’m in the clear here
C’mon, IPv4 has so many problems. Sure, let’s reserve a whole /8 for a single loopback address, that’s efficient. 🙄
Well of course, how else would you trick script kiddies that figured out when they DDOSed 127.0.0.1 and learned what a loop back was, and get them again in a few weeks with “ok ok my real address is 127.34.21.2”
Wait… I know 127.0.0.1 but what’s the second one?
not sure if you are joking, but any valid IP4 address starting with 127. does the same thing, loopback. 127.0.0.1 is just the standard most people use, you could use 127.127.127.127, or 127.1.1.1 or any random numbers 0 and 254 for the second 2, and 1 and 254 for the last and the effects will be identical.
In fact, it’s so standard that there’s a bunch of shitty code out there that thinks 127.0.0.1 is the only loopback address.
I’m thinking of a networked Chinese laser cutter that we put on our 10.0.0.0/16 network in the makerspace. It seems to think that 10.0.1.1 and 10.0.2.1 are on different networks. Wouldn’t be surprised if it does a similar mistake with loopback addresses.
A /8 subnet is basically everything after the first of the four segments, e.g. 127.*.*.*. marine_mustang was saying that loopback (what you think of as only 127.0.0.1) is actually an entire subnet, so any address that starts with 127 will hit the loopback interface. TIL, never thought about it much before.
I’m surprised by the comments here. I use 90% IPv6. For me v4 is only present for retro compatibility. The transition was hard however.
Was?
It’s still in progress…
In progress?
I can’t even get an IPv6 address, even if I wanted to pay an obscene amount for a business tier.
CGNATs suck ass though, I had to buy a vps just to access my own network outside my home.
I’ve recently changed isp and am now hitting CGNAT problems. I have been running Nextcloudpi for years and now I can’t access it from outside. I’ve trying to understand if I can fix the problem using IPv6 but from what you’ve said I’m now wondering if a vps is the solution?
My ISP doesn’t properly support IPV6, otherwise it should work. I use wireguard to route just my server traffic to the vps.
I deal with cgnat on my 2 isps at home. Install tailscale on your vps and your router at home and then on your router you can share subnet devices over your tailscale network. Install a reverse proxy on your vps.
If set up correctly you can route a human readable web address (jellyfin.example.com) to your vps static ip address and then to, for example, a docker container with local address 192.168.100.1:8096, via reverse proxy.
I know its a joke but man its annoying to go from something that is organized in a human readable way to one where you have to rely on the system. I am someone who hates databases though so I have always been like this. Heck way back in the aughts I used to complain that my job involved more seeing and issues and fixing it and the systems were getting to were I feel more like im counseling it.
I do like how I can easily remember IPv4 addresses while I struggle to remember a single IPv6 address
Its really not possible to remember an IPv6. I mean it is but its really an abandonment on human level and a solution that leverage dhcp which was common anyway. Its about as easy as a hardware address.
https://en.m.wikipedia.org/wiki/Internet_Stream_Protocol
In case anyone wants to know what not to talk about.
I wrote and ipv6 parser once.
Never again.
Meh, the idea of having every address be globally routable makes a lot of sense. NAT is a great bandaid but it’s still a bandaid. It still limits how peer to peer and multicast applications function, especially on larger networks.
NAT444 is shit. I can’t even host a web server without routing it through a VPN, and my ISP can’t work out how to provide an IPv6 addresses yet. Give it to me and I will work out how to use it.
Slight update - Just looked and apparently they had a goal of rolling out IPv6 addresses to all customers by earlier this year. I’ll check my router config tomorrow and who knows. Maybe I will be able to get one now? Would be pretty sweet.
I am sorry to interrupt, my ISP gave me an ipv6 address, but I just can’t access anything through it even when I specify it in the firewall, maybe they are blocking this functionality because they sell static ips.
I can use dynamic DNS, the problem is I can’t host over NAT444 without something like a VPN.
Still not been given an IPv6 address though.
fun fact, the RFC introducing NAT calls it a “short-term solution”
