Tailscale raises $100M

(tailscale.com)
854 points gmemstr | 21 comments
boesboes No.31260274
For anyone else who wonders wtf tailscale is:

> Tailscale is a VPN service that makes the devices and applications you own accessible anywhere in the world, securely and effortlessly. It enables encrypted point-to-point connections using the open source WireGuard protocol, which means only devices on your private network can communicate with each other.

It seems to take care of key distribution, NAT traversal, authentication, etc., etc.

Neat! Not sure how that is 'fixing the internet' exactly, but really cool anyway.

replies(8): >>31260403 >>31260446 >>31260650 >>31260654 >>31260970 >>31261908 >>31268396 >>31268813
1. yrro No.31260446
Tailscale is one of the ways you can restore the end-to-end connectivity principle that IP introduced and that NAT destroyed.
replies(2): >>31260512 >>31261439
2. legalcorrection No.31260512
This is kind of overstated. Even if everyone went IPv6 and gave every device a public IP address, pretty much every network would have a firewall that behaved just like NAT.
replies(4): >>31260541 >>31260693 >>31260790 >>31262162
3. Spivak No.31260541
Yeah, no one is going to allow unsolicited inbound connections even without NAT so you still have to have something to hook up the two ends in a P2P setting.
replies(1): >>31260919
4. zinekeller No.31260693
This fact must be bundled everywhere someone mentions "IPv6 will allow direct connectivity again". While NAT isn't a fully-functional firewall, it did do things that a firewall in a router would do. What equipment has proper IPv6 firewalls? Routers, that's who.
5. throw0101a No.31260790
> Even if everyone went IPv6 and gave every device a public IP address, pretty much every network would have a firewall that behaved just like NAT.

No, they do not behave just like NAT. With NAT you have two problems:

* figuring out your address

* firewall hole punching

With IPv6 you already know your address and just give it to the peer you are communicating with. You then tell your firewall to allow connections from the address(:port) that the peer tells you. No STUN, no TURN, no ICE.

* https://en.wikipedia.org/wiki/Hole_punching_(networking)

* https://en.wikipedia.org/wiki/Port_Control_Protocol

* https://en.wikipedia.org/wiki/Universal_Plug_and_Play

* http://www.upnp.org/resources/documents/AnnexA-IPv6_000.pdf

This helps immensely for residential connections since people (generally) control their gateways, and with more and more higher speed (fibre) connections being done, it could help in more self-hosted and peer-to-peer services.

What one is allowed to do at the office would be dictated by the policy(ies) of your employer: they could allow PCP/UPnP opening via authenticated requests, for example.

replies(2): >>31261032 >>31263531
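The PCP exchange the comment above leans on, as an added example that is not part of the thread and not Tailscale's or any router vendor's code: it encodes an RFC 6887 MAP request asking the user's own router to admit inbound traffic on a port, and validates the reply the way a client should (version, R bit, nonce, echoed protocol and port) so that a stray or forged datagram on UDP/5351 cannot be mistaken for a granted mapping. The router's reply is constructed locally so the example runs offline; the addresses, ports and the "is my address globally reachable" pre-check are assumptions for illustration.

```python
import ipaddress
import os
import struct

PCP_VERSION = 2
PCP_OPCODE_MAP = 1
PCP_SERVER_PORT = 5351          # UDP port the CPE router's PCP server listens on (RFC 6887)
PROTO_TCP = 6
PROTO_UDP = 17
RESULT_SUCCESS = 0              # RFC 6887 section 7.4 result codes (subset)
RESULT_NOT_AUTHORIZED = 2


def address_is_usable(ip):
    """True if peers could reach this address directly: a global unicast IPv6
    address. ULA (fc00::/7) or link-local hosts sit behind NPTv6/NAT66 or are
    not routable, so "you already know your address" does not hold for them."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 6 and addr.is_global


def _pcp_address(ip):
    # PCP always carries a 128-bit address field; IPv4 goes in as IPv4-mapped IPv6
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        addr = ipaddress.IPv6Address(f"::ffff:{addr}")
    return addr.packed


def build_map_request(client_ip, internal_port, protocol=PROTO_UDP, lifetime=3600, nonce=None):
    """Encode a PCP MAP request (RFC 6887 sections 7.1 and 11.1).
    Returns (packet, nonce); the caller keeps the nonce to match the reply."""
    if nonce is None:
        nonce = os.urandom(12)
    if len(nonce) != 12:
        raise ValueError("mapping nonce must be 96 bits")
    # Common header (24 bytes): version, R=0|opcode, reserved, requested lifetime, client IP
    header = struct.pack("!BBHI", PCP_VERSION, PCP_OPCODE_MAP, 0, lifetime) + _pcp_address(client_ip)
    # MAP part (36 bytes): nonce, protocol, reserved, internal port,
    # suggested external port (0 = router chooses), suggested external IP (:: = any)
    body = nonce + struct.pack("!B3xHH", protocol, internal_port, 0) + bytes(16)
    return header + body, nonce


def build_map_response(request, result, external_ip, external_port, epoch):
    """Constructed router reply for offline use. A real PCP server echoes the
    request's nonce, protocol and internal port; this does the same."""
    _ver, opcode, _res, lifetime = struct.unpack("!BBHI", request[:8])
    header = struct.pack("!BBBBII", PCP_VERSION, 0x80 | opcode, 0, result, lifetime, epoch) + bytes(12)
    nonce = request[24:36]
    protocol, internal_port, _suggested = struct.unpack("!B3xHH", request[36:44])
    body = nonce + struct.pack("!B3xHH", protocol, internal_port, external_port) + _pcp_address(external_ip)
    return header + body


def parse_map_response(packet, expected_nonce, expected_port, expected_protocol):
    """Validate and decode a MAP response. Anything that is not an answer to our
    own request is rejected; a result code other than SUCCESS is reported as ok=False."""
    if len(packet) < 60:
        raise ValueError("short PCP response")
    version, r_opcode, _reserved, result, lifetime, epoch = struct.unpack("!BBBBII", packet[:12])
    if version != PCP_VERSION:
        raise ValueError(f"unsupported PCP version {version}")
    if not r_opcode & 0x80 or (r_opcode & 0x7F) != PCP_OPCODE_MAP:
        raise ValueError("not a MAP response")
    if packet[24:36] != expected_nonce:
        raise ValueError("nonce mismatch: response is not for our request")
    protocol, internal_port, external_port = struct.unpack("!B3xHH", packet[36:44])
    if protocol != expected_protocol or internal_port != expected_port:
        raise ValueError("response describes a different mapping than requested")
    if result != RESULT_SUCCESS:
        return {"ok": False, "result": result, "epoch": epoch}
    external_ip = ipaddress.IPv6Address(packet[44:60])
    if external_ip.ipv4_mapped:             # IPv4 client: unwrap ::ffff:a.b.c.d
        external_ip = external_ip.ipv4_mapped
    return {"ok": True, "result": result, "lifetime": lifetime, "epoch": epoch,
            "external_ip": str(external_ip), "external_port": external_port}


if __name__ == "__main__":
    # Constructed round trip: host 2001:db8::10 asks its router to admit UDP/41641 for 10 minutes.
    # On a real network the request would be sent over UDP to (router, PCP_SERVER_PORT).
    req, nonce = build_map_request("2001:db8::10", 41641, PROTO_UDP, lifetime=600)
    reply = build_map_response(req, RESULT_SUCCESS, "2001:db8::10", 41641, epoch=1000)
    print(parse_map_response(reply, nonce, 41641, PROTO_UDP))
```

The nonce check is the part worth copying: without it any host on the LAN that can send to the client could answer first and make the client believe a mapping exists (or does not). The epoch field is what a client compares across replies to notice that the router rebooted and dropped its mappings, which is when the request has to be repeated; with IPv4 behind NAT the same code runs, but the external address that comes back is the NAT's, not the host's.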
6. throw0101a No.31260919{3}
> Yeah, no one is going to allow unsolicited inbound connections even without NAT so you still have to have something to hook up the two ends in a P2P setting.

Sure they are. All home routers that I'm aware of allow for port forwarding so folks can self-host a service: perhaps a game server (e.g., Minecraft), web, e-mail, etc.

It's just that, going forward, you can set up a separate subnet to put your gear in (especially if you get multiple /64 subnets from your ISP). You can have a DMZ, and use either the router- and/or host-level firewall to dictate which connections are allowed.

replies(2): >>31261261 >>31263755
7. zinekeller No.31261032{3}
No, no, no, no. You haven't really experienced the quality of IPv6 routers at home. The only thing that I can (probably) say with confidence is you will not need TURN, and even that assumption can be broken with even more restrictive firewalls that block nearly all UDP traffic, or by not even knowing your real public address because IPv6 NAT does exist (https://blogs.infoblox.com/ipv6-coe/you-thought-there-was-no..., https://datatracker.ietf.org/doc/html/rfc6296), but fortunately this is usually found in enterprise stuff. NAT-PMP or router UPnP is probably the wildest: the majority don't support it (remember that I'm focusing on ISP routers since most people don't bother to switch to actual routers...*), some only on IPv4 (which is even more frustrating), and only a few support it correctly. Worse, those same broken garbage-level routers have NAT-like firewalls: at least you know what address and port you will use to contact the other computer, but you will still need UDP (a TCP handshake will be very problematic) and you will still need keepalives (or otherwise your firewall will just close the port).

* ... and most that do get another router (usually because they have seen that the Wi-Fi on their "modem" is bad) don't turn on** bridge mode, which will be a definite headache on both IPv4 (double NAT) and IPv6 (address conflicts, especially if you're using an ISP like Comcast that would only allocate a /64 and no more).

** ... because you need to call up the ISP, or they even outright refuse to bridge it (either because they're stupid but you don't have another ISP to switch to, or because the equipment manufacturer of their garbage special router didn't program one).

replies(1): >>31262619
8. zinekeller No.31261261{4}
... if your definition of "home routers" excludes ISP-provided ones, then I'll agree. Unfortunately, I'm pretty sure that either you are on an ISP that actually cared and found a good supplier, or you didn't check out what the capabilities of ISP-provided routers are.
replies(2): >>31262101 >>31264973
9. boesboes No.31261439
Ah yeah, that makes sense.
10. dsr_ No.31262101{5}
Of the three ISPs in my area that I have used, all of them allowed inbound traffic and either had useful controls in their routers or didn't supply a router, just an ethernet handoff. RCN, Comcast, Verizon.

All of them filtered out the SMB/CIFS ports.

Two of them filtered outbound port 25; one of them was willing to open it with the additional cost of a static IP.

replies(1): >>31262158
11. zinekeller No.31262158{6}
Yeah, it's inconsistent to be honest. I've found Hitron to not have any sort of firewall (except for IPv4 NAT, if you consider it a firewall), while Huawei routers (which are not used in the US for reasons hopefully known to you) do have an IPv6 firewall that is only an on/off switch; stupidly, their enterprise stuff does have advanced controls. Alcatel/Nokia-branded ones are inconsistent to say the least, and the same can be said for Zyxel. I'm actually interested in checking out other routers used by ISPs, but those are the ones I've actually seen.
12. dave_universetf No.31262162
Our epic treatise on how NAT traversal works (in general, not specific to Tailscale) mentions this. IPv6 greatly reduces the amount of pain for p2p connections, but does not eliminate some of the fundamentals (stateful firewall traversal) if you want it to be zero-config: https://tailscale.com/blog/how-nat-traversal-works/

But until deployment hits 100%, and until ISPs start caring about IPv6 reliability the way they do about IPv4, "just use IPv6" can't be your answer. It's lovely when it works, but you need to do something other than "give up" when it doesn't. (also, as long as the internet is dual-stacked, doing IPv6 right also implies figuring out if NAT64 is in play, and wielding it correctly; so arguably IPv6 adds more complexity to the overall story, for now :) )

replies(1): >>31271734
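The "figuring out if NAT64 is in play" step dave_universetf mentions, as an added example that is not from the thread or the linked post: RFC 7050 lets a host recover the NAT64 prefix from the AAAA answers a DNS64 resolver returns for ipv4only.arpa, by locating the well-known IPv4 addresses 192.0.0.170 and 192.0.0.171 at the RFC 6052 embedding positions; once the prefix is known the host can synthesize IPv6 destinations for IPv4-only peers itself instead of depending on DNS64 for every name. The AAAA answers below are constructed inline rather than fetched from a resolver, and the sample prefixes are documentation ranges.

```python
import ipaddress

# Byte offsets of the embedded IPv4 address for each RFC 6052 prefix length.
# Byte 8 (the "u" octet) is always skipped and must stay zero.
_V4_SLOTS = {
    32: (4, 5, 6, 7),
    40: (5, 6, 7, 9),
    48: (6, 7, 9, 10),
    56: (7, 9, 10, 11),
    64: (9, 10, 11, 12),
    96: (12, 13, 14, 15),
}

# Well-known addresses that ipv4only.arpa resolves to (RFC 7050 section 2)
WELL_KNOWN_V4 = {ipaddress.IPv4Address("192.0.0.170"), ipaddress.IPv4Address("192.0.0.171")}


def embedded_ipv4(v6, plen):
    """Extract the IPv4 address that would be embedded at prefix length plen."""
    b = ipaddress.IPv6Address(v6).packed
    return ipaddress.IPv4Address(bytes(b[i] for i in _V4_SLOTS[plen]))


def discover_pref64(aaaa_answers):
    """RFC 7050 heuristic: a DNS64 resolver answers AAAA queries for ipv4only.arpa
    by synthesizing the well-known IPv4 addresses into the NAT64 prefix. Returns
    that prefix as an IPv6Network, or None when no NAT64 is in play."""
    for v6 in aaaa_answers:
        for plen in sorted(_V4_SLOTS):
            if embedded_ipv4(v6, plen) in WELL_KNOWN_V4:
                return ipaddress.IPv6Network((v6, plen), strict=False)
    return None


def synthesize(pref64, ipv4):
    """Build the IPv6 address a NAT64 will translate to ipv4 (RFC 6052 section 2.2),
    so the host can reach an IPv4-only peer without relying on DNS64."""
    net = ipaddress.IPv6Network(pref64)
    if net.prefixlen not in _V4_SLOTS:
        raise ValueError(f"unsupported NAT64 prefix length /{net.prefixlen}")
    out = bytearray(net.network_address.packed)
    for i, octet in zip(_V4_SLOTS[net.prefixlen], ipaddress.IPv4Address(ipv4).packed):
        out[i] = octet
    return ipaddress.IPv6Address(bytes(out))


if __name__ == "__main__":
    # Constructed AAAA answers, as a DNS64 resolver in front of a 64:ff9b::/96 NAT64 would return
    answers = ["64:ff9b::c000:aa", "64:ff9b::c000:ab"]
    prefix = discover_pref64(answers)
    print("NAT64 prefix:", prefix)
    print("reach 192.0.2.1 via", synthesize(prefix, "192.0.2.1"))
```

A peer-to-peer stack that has learned the prefix this way can hand an IPv4 candidate to the IPv6 socket layer by synthesizing it, which is the "wielding it correctly" part; an empty result means the host is on plain dual-stack and IPv4 candidates should be used as-is.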
13. throw0101a No.31262619{4}
> No, no, no, no. You haven't really experienced the quality of IPv6 routers at home.

I've been running IPv6 at home >2 years. You're telling me that my own experience is invalid?

replies(1): >>31262711
14. zinekeller No.31262711{5}
No, not necessarily, but if you're using an aftermarket router rather than an ISP-supplied router, then this rather long list is not applicable to you.
replies(1): >>31270941
15. irq-1 No.31263531{3}
> With IPv6 you already know your address and just give it to the peer you are communicating with. You then tell your firewall to allow connections from the address(:port) that the peer tells you. No STUN, no TURN, no ICE.

What about phone networks? (in the US providers block all incoming traffic.) Or other ISPs that block incoming traffic?

NAT has been used to address a fundamental problem of what traffic can be trusted. That's what Tailscale fixes.

replies(1): >>31264905
16. legalcorrection No.31263755{4}
The point is for the user to not have to go configure their firewall.
replies(1): >>31264872
17. throw0101a No.31264872{5}
Which can be done via UPnP and PCP, and without having to maintain TURN/STUN/etc infrastructure. The latter of which can only be done with IPv6, since with IPv4 you're NATing.

So IPv6 makes things easier—which was the point of my post: IPv6 makes things easier.

18. No.31264905{4}
19. throw0101a No.31264973{5}
With IPv4 I have to worry about UPnP/PCP working and TURN/STUN/etc. nonsense when it comes to peer-to-peer protocols. With IPv6 I only have to worry about UPnP/PCP working. In my books that's an improvement.

If I want to self-host something, then with IPv4 I have to publish my IP and worry about the CPE supporting port forwarding. With IPv6 I have to publish my IP and use UPnP/PCP to allow all connections. Is there any CPE gear that does not support UPnP/PCP?

20. jhugo No.31270941{6}
I'm guessing you're in the US? Haven't had any problems with IPv6 on ISP-supplied routers in the UK, NL, DE, CN, HK, VN, TH, SG over the last 10 years or so; seems like a solved problem for most of the world.
21. legalcorrection No.31271734{3}
Very cool write-up. Thank you all for writing (and linking) it.