Most active commenters
  • throw0101d(11)
  • teddyh(10)
  • eqvinox(5)
  • (4)
  • sulandor(4)
  • aboardRat4(4)
  • otabdeveloper4(4)
  • DyslexicAtheist(3)
  • viraptor(3)
  • Animats(3)

←back to thread

The New Internet

(tailscale.com)
517 points ingve | 119 comments | 26 Jul 24 18:29 UTC | HN request time: 0.416s | source | bottom
1. teddyh ◴[27 Jul 24 03:19 UTC] No.41084227[source]
The eternal problem with companies like Tailscale (and Cloudflare, Google, etc. etc.) is that, by solving a problem with the modern internet which the internet should have been designed to solve by itself, like simple end-to-end secure connectivity, Tailscale becomes incentivized to keep the problem. What the internet would need is something like IPv6 with automatic encryption via IPsec, with PKI provided by DNSSEC. But Tailscale has every incentive to prevent such things to be widely and compatibly implemented, because it would destroy their business. Their whole business depends on the problem persisting.

(Repost of <https://news.ycombinator.com/item?id=38570370>)

replies(14): >>41084990 #>>41084996 #>>41085022 #>>41085061 #>>41085166 #>>41085236 #>>41085716 #>>41085987 #>>41086195 #>>41086648 #>>41087141 #>>41087359 #>>41089848 #>>41092877 #
2. whoistraitor ◴[27 Jul 24 07:24 UTC] No.41084990[source]
Ie. A form of perverse incentive or the cobra effect. Endemic to capitalism, especially in infrastructure.
3. DyslexicAtheist ◴[27 Jul 24 07:26 UTC] No.41084996[source]
I never thought of this. Forces me to rethink every negative post people made against DNSSEC which shaped my opinion. I still think that IPv6 and DNSSEC do more harm in practice than what they solve. Maybe the SCW podcast can do a deepdive on this together with somebody who is militantly-pro DNSSEC. <3 ...

edit: maybe even invite 2 or 3 DNSSEC advocates @tptacek :)

replies(3): >>41086078 #>>41087825 #>>41092402 #
4. viraptor ◴[27 Jul 24 07:32 UTC] No.41085022[source]
Zerotier does kind of that. It's a tunnel, but also the traffic is direct (unless double Nat is involved) and if you could route the traffic directly to the endpoint IPs, you can skip zt. The location service can be self-hosted if you want. You don't have to use them as a service if you don't want to. Apart from dnssec it's pretty much what you're asking for.
replies(1): >>41085255 #
5. ◴[27 Jul 24 08:00 UTC] No.41085128[source]
6. smolder ◴[27 Jul 24 08:06 UTC] No.41085153[source]
This is a poor analogy. Historically there is a significant cost to making bad cars with frequent repair needs.
replies(2): >>41085247 #>>41089117 #
7. Animats ◴[27 Jul 24 08:09 UTC] No.41085166[source]
And, worse, incentivized to require users to use a "coordination server" which helps with the NAT and firewall traversal problem by being something you can reach from outbound-only clients. There's a lot of verbiage there, but the general idea seems to be that Tailscale sits at the middle of this as the means by which machines find each other.

There are other ways to do that.

There are dynamic DNS schemes, so you can give your machine which only has a temporary IP address a permanent name. That's been around for decades, and seems to have a bad reputation.

There are schemes with multiple coordination nodes that know about each other, and published lists of such nodes. The list may be out of date, but as long as the published list has one live node, you can connect and get updated. That's how Kademlia, which underlies Etherium's network and some file sharing systems, works. That's about 20 years old, and sort of has a sketchy reputation.

It's possible to go only halfway, and separate discovery from transmission. Peertube does that. You find a file to stream via ordinary HTTP to a server you find by ordinary web search means. Anybody can set up such a server. The actual streaming, for files wanted by many clients, is distributed, with people currently watching also sending out blocks to other people watching. This scales well, in case your video goes viral. It's not used much, though.

So it's definitely possible to do this without someone in the middle able to cut off your air supply.

replies(1): >>41086655 #
8. sulandor ◴[27 Jul 24 08:28 UTC] No.41085236[source]
> The eternal problem with companies like

it's not a problem specific to any kind of corporation or corporations per se, but organizations or even broader, solutions.

though, do you really think that having a solution to a problem is worse than just having the problem?

replies(1): >>41086111 #
9. sulandor ◴[27 Jul 24 08:33 UTC] No.41085247{3}[source]
this is a poor statement. the cost is not in dispute, but the bearer of it.

historically car owners need to pay for repairs.

replies(1): >>41085302 #
10. lockywolf ◴[27 Jul 24 08:37 UTC] No.41085255[source]
Double NAT is now almost everywhere in the world, except maybe USA.
replies(2): >>41085472 #>>41086207 #
11. smolder ◴[27 Jul 24 08:50 UTC] No.41085302{4}[source]
Look at how the early 90s Ford Tempo resale value compared to Toyotas of the era. Trash cars don't keep their value. Toyota could then charge a premium because they were known for quality.
replies(1): >>41085734 #
12. viraptor ◴[27 Jul 24 09:44 UTC] No.41085472{3}[source]
What kind of Nat though? You can use upnp, predictable mapping, etc. and still allow the traffic through. And that's only with ipv4, because you can run zerotier over IPv6.
replies(3): >>41085864 #>>41086423 #>>41098230 #
13. hnarn ◴[27 Jul 24 10:56 UTC] No.41085716[source]
This sounds like a reasonable point, but the more I think about it, the more it sounds like digital flagellation.

IPv6 was released in 1998. It had been 21 (!) years since the release of IPv6 and still what you're describing had not been implemented when Tailscale was released in 2019. Who was stopping anyone from doing it then, and who is stopping anyone from doing it now?

It's easy to paint companies as bad actors, especially since they often are, but Google, Cloudflare and Tailscale all became what they are for a reason: they solved a real problem, so people gave them money, or whatever is money-equivalent, like personal data.

If your argument is inverted, it's a kind of inverse accelerationism (decelerationism?) whereby only in making the Internet worse for everyone, the really good solutions can see the light. I don't buy it.

Tailscale is not the reason we're not seeing what you're describing, the immense work involved in creating it is why, and it's only when that immense amount of work becomes slightly less immense that any solution at all emerges. Tailscale for example would probably not exist if they had to invent Wireguard, and the fact that Tailscale now exists has led to Headscale existing, creating yet another springboard in a line of springboards to create "something" like what you describe -- for those willing to put in the time.

replies(4): >>41085824 #>>41085838 #>>41086171 #>>41090058 #
14. throwaway290 ◴[27 Jul 24 11:00 UTC] No.41085734{5}[source]
is resale value what the manufacturer wants? I mean they want to sell new cars after all...
replies(2): >>41085907 #>>41085966 #
15. ◴[27 Jul 24 11:22 UTC] No.41085824[source]
16. throw0101d ◴[27 Jul 24 11:25 UTC] No.41085838[source]
> Who was stopping anyone from doing it then, and who is stopping anyone from doing it now?

The folks who either (a) got in early on the IPv4 address land rush (especially the Western developed countries), or (b) with buckets of money who buy addresses.

If you're India, there probably weren't enough IPv4 address in the first place to handle your population, so you're doing IPv6:

* https://www.google.com/intl/en/ipv6/statistics.html#tab=per-...

Or even if you're in the West, if you're poor (a community Native American ISP):

> We learned a very expensive lesson. 71% of the IPv4 traffic we were supporting was from ROKU devices. 9% coming from DishNetwork & DirectTV satellite tuners, 11% from HomeSecurity cameras and systems, and remaining 9% we replaced extremely outdated Point of Sale(POS) equipment. So we cut ROKU some slack three years ago by spending a little over $300k just to support their devices.

* https://community.roku.com/t5/Features-settings-updates/It-s...

* Discussion: https://news.ycombinator.com/item?id=35047624

IPv4 'wasn't a problem' because the megacorps who generally run things where I'm guessing you're from (the West) were able to solve it in other means… until they can't. T-Mobile US has 120M and a few years ago it turns out that money couldn't solve IPv4-only anymore so they went to IPv6:

* https://www.youtube.com/watch?v=QGbxCKAqNUE

IPv6 is not taking off because IPv4 (and NAT/STUN/TURN) is 'better', but rather because (a) inertial, and (b) it 'works' (with enough kludges thrown at it).

replies(1): >>41086487 #
17. throw0101d ◴[27 Jul 24 11:31 UTC] No.41085864{4}[source]
> What kind of Nat though? You can use upnp, predictable mapping, etc. and still allow the traffic through.

Your computer can talk to your home router (CPE) and punch a hole for a connection, but if your WAN port does not have a public IP address, but rather itself also has a private address (probably 100.64/10), the CPE cannot talk to the ISP's router to punch a hole:

* https://en.wikipedia.org/wiki/Carrier-grade_NAT

The two layers of NAT (home network (192.168) -> CPE NAT (100.64/10) -> ISP NAT ('real' public IPv4)) prevent hole punching.

replies(1): >>41086063 #
18. throw0101d ◴[27 Jul 24 11:38 UTC] No.41085907{6}[source]
> is resale value what the manufacturer wants? I mean they want to sell new cars after all...

They have a higher resale value because they have a reputation of lasting a long time, and people are thus perhaps more willing to pay a higher initial purchase price because they know their "investment" will last longer.

And while they may not be planing to sell their car after only a few years, knowing that they'll get back more of their "investment" is also probably sitting in the back of their mind ('just in case').

19. _heimdall ◴[27 Jul 24 11:52 UTC] No.41085966{6}[source]
Resale values do have an impact on new car prices. The better a vehicle holds its value the easier it is for the company to charge more for a new car.

Its also worth considering that, for better or worse, very few people actually own their cars today. When you have a loan on it the resale value becomes really important. If the manufacturer wants the kind of customer that buys a new car every few years they'll need resale value that at least keeps up with the principle on the loan over that time.

20. tomjen3 ◴[27 Jul 24 11:58 UTC] No.41085987[source]
I think that is excessively negative take. Tailscales value proposition is also "you can connect to your network wherever you are, safely, and others cannot". That does not go away because of IPsec.
replies(1): >>41086095 #
21. viraptor ◴[27 Jul 24 12:13 UTC] No.41086063{5}[source]
Double Nat on one side is not that universal. Across Europe and Australia I've seen it maybe once on a residential connection. I'm sure it's used, but the comment about the US in the post above just doesn't match my experience.
replies(1): >>41086764 #
22. teddyh ◴[27 Jul 24 12:16 UTC] No.41086078[source]
Regarding DNSSEC:

• Blog post: <https://blog.technitium.com/2023/05/for-dnssec-and-why-dane-...>

• As a podcast episode: <https://blog.apnic.net/2023/03/16/podcast-dnssec-the-case-fo...>

23. teddyh ◴[27 Jul 24 12:19 UTC] No.41086095[source]
Network- and location-based security is ultimately unworkable. It’s like if you, in order to work, had to go to a ”virtual office” to even send mail to your colleagues. Mail, and related internet-enabled services, should be accessible from anywhere, and be secured at the end points, not at the network layer. (Most attacks are internal, anyway.)
replies(4): >>41086192 #>>41086878 #>>41092961 #>>41099063 #
24. teddyh ◴[27 Jul 24 12:21 UTC] No.41086111[source]
It is a problem if a company makes a lot of money ”solving” the problem, but:

• This does not really solve the problem, since a real solution would be to change the internet to make the problem go away

• A company making a lot of money gets to have an enormous influence on what is considered reasonable to standardize on. See for instance Google’s and Microsoft’s influence on things like the W3C. (Or if Tailscale is allowed to define what ”The New Internet” will be.)

replies(1): >>41086249 #
25. teddyh ◴[27 Jul 24 12:34 UTC] No.41086171[source]
It is a problem when, for instance, Google chooses not to implement SRV (and later HTTPS) DNS record support in their web browser. The problems which SRV (and now HTTPS) DNS records solves is not a problem for Google, since they solved the problem by sheer scale and brute force, and Google only benefits from everybody else still having the problem; it’s a great moat for them.
26. tomjen3 ◴[27 Jul 24 12:38 UTC] No.41086192{3}[source]
Why should you have access to the SSH host for my pie?

Or, more to the point, the server that I use to run my RSS feed reader?

Or my NAS?

Tailscale makes these more secure and more accessible for me. They are never meant to have the world access them.

Now for email and a few other things, sure, their nature is that they need to access the world.

replies(1): >>41086455 #
27. ZhongXina ◴[27 Jul 24 12:39 UTC] No.41086195[source]
No, we definitely don't want "automatic IPSec" (especially IPSec!), or really any enforced encryption at the network level, even if it's something sane at this moment like WireGuard. Look at old VPN protocols or authentication schemes like RADIUS which have glaring security holes and are impossible to fix because of compatibility issues, and they're running at much smaller scales than the whole internet. Hell, the way the industry is solving TCP ossification problems is by throwing TCP away and reimplementing it on top of UDP, that should tell us something.
replies(2): >>41086520 #>>41092386 #
28. sulandor ◴[27 Jul 24 12:41 UTC] No.41086207{3}[source]
foreseeable yet still somewhat surprising that having a clean v4 address on the cpe has become a very privileged position.

just the other day i was discouraging a youngster from manually populating his hosts-file in order to circumvent a dmca-related dns block.... what has the world come to.

29. sulandor ◴[27 Jul 24 12:51 UTC] No.41086249{3}[source]
seems indeed that microsoft is making lots of money by defending the status quo
replies(1): >>41086439 #
30. p_l ◴[27 Jul 24 13:22 UTC] No.41086423{4}[source]
You can't over double NAT because the second layer of NAT is not going to support UPnP
31. teddyh ◴[27 Jul 24 13:24 UTC] No.41086439{4}[source]
All large incumbents defend the status quo, except when advocating for larger barriers to entry for new and smaller competitors.
32. teddyh ◴[27 Jul 24 13:27 UTC] No.41086455{4}[source]
> Why should you have access to the SSH host for my pie?

Because that is how the internet is meant to work. It is an end-to-end network. If SSH would not be secure enough to handle this, it would need a secure replacement.

> Or my NAS? […] They are never meant to have the world access them.

What is a NAS, if not a Network-Attached Storage, i.e. meant to be accessed from the network? The concept of a ”local”, ”secure” network is a dangerous illusion. Embrace ”zero trust” networking.

replies(1): >>41092972 #
33. api ◴[27 Jul 24 13:32 UTC] No.41086487{3}[source]
There is another reason: the addresses are long and impossible to remember and hard to type.

I always bring this up and it’s always dismissed because tech people continue to dismiss usability concerns.

Even “small” usability differences can have a huge effect on adoption.

replies(6): >>41086535 #>>41086588 #>>41089497 #>>41091332 #>>41091723 #>>41092279 #
34. teddyh ◴[27 Jul 24 13:36 UTC] No.41086520[source]
Your argument seems to be to never implement anything, because eventually it will become old and it will be hard to move away from it? This seems to be an argument against anything new, and it is therefore hard to take seriously.
replies(3): >>41086609 #>>41090041 #>>41092334 #
35. teddyh ◴[27 Jul 24 13:40 UTC] No.41086535{4}[source]
Yes, like Ethernet addresses. Those are impossible to remember, too, so obviously Ethernet is no good. /s

The solution for IPv6 addresses is the same for Ethernet addresses; don’t use them directly. Leave it to the name resolution system, and use host names.

replies(1): >>41086561 #
36. ◴[27 Jul 24 13:46 UTC] No.41086561{5}[source]
37. throw0101d ◴[27 Jul 24 13:50 UTC] No.41086588{4}[source]
> There is another reason: the addresses are long and impossible to remember and hard to type.

If only there was some mechanism in which we could use a human-friendly label and have that translated to a computer-usable address…

> I always bring this up and it’s always dismissed because tech people continue to dismiss usability concerns.

I don't bother remembering IPv4 addresses, so I'm not sure why I would bother to remember IPv6 addresses. Heck, phone numbers are generally short as well, and who remembers them nowadays? ("0118 999 881 999 119 725… 3")

Maybe it's dismissed because people see it as a non-issue. I regularly work at OSI Layer 2 (and even 1, pulling fibres in a DC), and Layer 3, and am not sure what the concerns are about.

replies(2): >>41086716 #>>41087223 #
38. api ◴[27 Jul 24 13:53 UTC] No.41086609{3}[source]
It’s an argument against complexity. IP had amazing longevity because of its simplicity and openness.

Even if something is open, complexity is almost like closed as we can see with crazy complicated web standards for which there are few implementations.

39. spacecadet ◴[27 Jul 24 14:00 UTC] No.41086648[source]
Companies like you list solve people problems. Their business is about using abstraction to create customer experiences that match the market demand. I want to say that "institutions" solve computer science problems, but it's much more complicated than that.
40. pphysch ◴[27 Jul 24 14:00 UTC] No.41086655[source]
How is trusting a dynamic DNS provider different than trusting Tailscale's coordination nodes?
replies(2): >>41088023 #>>41088692 #
41. api ◴[27 Jul 24 14:11 UTC] No.41086716{5}[source]
The problem is that DNS is not zero configuration. ARP and NDP are which is why nobody complains about Ethernet being hard to type. DNS has to be “stood up” which is a whole extra deployment.

In modern devops in particular it is common to create and tear down IP networks in seconds and sling stuff everywhere. The extra moving part is an extra thing to break.

DNS also runs over IP which means if IP is down DNS doesn’t work. What do you have to do then? You have to debug IP without DNS.

There is mDNS but it’s not reliable and doesn’t scale to large networks. It also runs on the IP layer so if there is a problem there it can break.

replies(1): >>41086838 #
42. throw0101d ◴[27 Jul 24 14:17 UTC] No.41086764{6}[source]
Great for you for not having to experience it, but that doesn't mean it sucks any less for those less fortunate:

> Our [Native American] tribal network started out IPv6, but soon learned we had to somehow support IPv4 only traffic. It took almost 11 months in order to get a small amount of IPv4 addresses allocated for this use. In fact there were only enough addresses to cover maybe 1% of population. So we were forced to create a very expensive proxy/translation server in order to support this traffic.

> We learned a very expensive lesson. 71% of the IPv4 traffic we were supporting was from ROKU devices. 9% coming from DishNetwork & DirectTV satellite tuners, 11% from HomeSecurity cameras and systems, and remaining 9% we replaced extremely outdated Point of Sale(POS) equipment. So we cut ROKU some slack three years ago by spending a little over $300k just to support their devices.

* https://community.roku.com/t5/Features-settings-updates/It-s...

* Discussion: https://news.ycombinator.com/item?id=35047624

43. throw0101d ◴[27 Jul 24 14:30 UTC] No.41086838{6}[source]
> The problem is that DNS is not zero configuration.

Certainly it is not-zeroconf, but it is the same not-zeroconf for both IPv4 and IPv6.

But extra work with DHCP is needed for IPv4, and extra-extra work if you need to do things like configure 'IP helper', whereas IPv6 can be configured using only a router (which you need regardless) and some on-link packets (RAs).

> DNS also runs over IP which means if IP is down DNS doesn’t work. What do you have to do then? You have to debug IP without DNS.

And? At least you have fe80/64 as a basic starting point. Run a tcpdump to see if you're on-link in any way (or in the correct VLAN), and if you are, you can then ping(6) ff02::2 to find if there any on-link routers. You've now debugged Layer 2 and Layer 3 connectivity. Tada.

You're making IPv6 (sound) way more complicated than it is. It is no more or less complicated than IPv4 or IPX/SPX or …. It's protocol data units at OSI Layer 2 or 3 in different formats with different fields.

44. ndriscoll ◴[27 Jul 24 14:36 UTC] No.41086878{3}[source]
Most people do need to be on a VPN or in an office to work. That's entirely normal, and makes sense even if you also require authentication for applications.
45. benreesman ◴[27 Jul 24 15:21 UTC] No.41087141[source]
So far as I’m aware, TailScale has been at all times a good actor.

I have no problem criticizing tech companies, but I try to wait until they behave badly.

replies(3): >>41087210 #>>41089842 #>>41091423 #
46. mrmetanoia ◴[27 Jul 24 15:32 UTC] No.41087210[source]
Wouldn't the point be they're an indecent, possibly bad, actor by default since they're a business at all rather than just creating or contributing to protocols/standards to resolve the issues their product relies on to exist? The only way they could be a good actor is if they're using the money from their sales to fund that initiative with a plan to obsolete themselves.

I suppose if you follow that thread though a lot of businesses just shouldn't exist except for fulfilling the need they fill for the sake of those in need.

replies(2): >>41087242 #>>41091173 #
47. louthy ◴[27 Jul 24 15:35 UTC] No.41087223{5}[source]
> who remembers them nowadays? 0118 999 881 999 119 725… 3

Me, that’s the new number for the emergency services.

Actually, that’s the only phone number I can remember :D

replies(1): >>41090987 #
48. jtwoodhouse ◴[27 Jul 24 15:39 UTC] No.41087242{3}[source]
Companies are allowed to solve problems for a profit. People can choose to sell their time and energy or give it away. The choice is the default.

In fact, I prefer that capitalist model at this point having seen countless OSS/nonprofit efforts turn into glorified abandonware.

At least the business has an interest in remaining a going concern and maintaining the stack.

49. pvillano ◴[27 Jul 24 15:58 UTC] No.41087359[source]
Cloudflare sells bulletproof vests
50. tptacek ◴[27 Jul 24 16:55 UTC] No.41087825[source]
I don't think the analysis upthread should make you rethink DNSSEC, since it, too, is a centralized system; rather than being controlled by Avery Pennarun (you could do worse), it's controlled by an unholy alliance of world governments and companies like Verisign.

If we could find a credible DNSSEC advocate (for our audience; that is: a cryptography engineer, vulnerability researcher, or an engineering leader at a major firm), we would absolutely invite them on.

'teddyh below gave you links to two pro-DNSSEC resources; fun note: the latter source (Geoff Huston, one of the world's more respected networking researchers) has since then written this:

https://blog.apnic.net/2024/05/28/calling-time-on-dnssec/.

replies(2): >>41095703 #>>41096325 #
51. Animats ◴[27 Jul 24 17:26 UTC] No.41088023{3}[source]
Not everybody has to use the same dynamic DNS provider.
52. transpute ◴[27 Jul 24 19:21 UTC] No.41088692{3}[source]

  Competition
  Jurisdiction
  Resilience
  Biodiversity
53. neuralRiot ◴[27 Jul 24 20:29 UTC] No.41089117{3}[source]
As somebody working in the modern automotive field I would like to disagree. The only incentive for car manufacturers is price point vs warranty period, after that you’re on your own. “Durability and “reliability” are no longer selling points for any automaker.
replies(1): >>41089437 #
54. listenallyall ◴[27 Jul 24 21:23 UTC] No.41089437{4}[source]
As someone not in the field, do you believe there is a true, objective, statistically valid way to tell which manufacturers (or which specific models) are more durable than others? All I see are consumer surveys, JD Power (more surveys), etc which, like most surveys, have wide error margins, and overall seem rather anecdote-based, and don't necessarily account for different stresses placed on the car based on driving style, diligence of maintenance, climate, etc.
55. Gormo ◴[27 Jul 24 21:35 UTC] No.41089497{4}[source]
Also, NAT is desirable for security/network isolation reasons, and having no distinction between a local IP and a public IP has a lot of disadvantages.

Yes, there are ways to configure IPv6 to isolate subnets, separate local traffic from internet traffic, set up firewalls and DMZs, run local DNS, etc., but they're all more complicated to configure and administer than their IPv4 equivalents.

replies(4): >>41089808 #>>41089818 #>>41090012 #>>41090543 #
56. throw0101d ◴[27 Jul 24 22:34 UTC] No.41089808{5}[source]
> Also, NAT is desirable for security/network isolation reasons […]

This is security theatre. People have been saying that NAT is not a security feature for over a decade:

* https://blog.ipspace.net/2011/12/is-nat-security-feature/

but the message still has not sunk in. The "Zero Trust" paper was published by John Kindervag in 2010:

* https://media.paloaltonetworks.com/documents/Forrester-No-Mo...

Most modern attacks start from a compromised internal host (e.g., from phishing), or through stolen credentials via a remote access method. The above is "castle-and-moat" thinking that tends to have weaker internal controls because it is thought the internal network is "hidden" from the dangerous outside network.

Set your firewall to default deny, then add a rule for allow outgoing connections, followed by only allow incoming connections if they are replies. For most machines (and networks), most of the time, this is what's needed: the above is applicable for both IPv6 and IPv4 (with or without NAT).

The protection comes from filtering (generally) and stateful packet inspection, not from hiding addresses.

> […] and having no distinction between a local IP and a public IP has a lot of disadvantages.

Just because something has a global addresses does not mean global reachability (see default deny above). Further you can layout your IPv6 address plan so that you can tell at a glance if hosts are externally accessible. Using a /48 a basis, you break out sixteen /52s, numbered $PREFIX:[0-f]000::/52.

To make it easier to remember what is externally accessible, you put all of those hosts in $PREFIX:e000::/52, where e stands for external. That /52 can then be broken down into:

* sixteen /56s

* 256 /60s

* 4096 /64s

or any combination thereof. See Figure A-5 for various ways to slice and dice:

* https://www.oreilly.com/library/view/ipv6-address-planning/9...

Everything in $PREFIX:[0-d,f]000::/52 is not externally reachable.

replies(1): >>41090886 #
57. eqvinox ◴[27 Jul 24 22:36 UTC] No.41089818{5}[source]
> NAT is desirable for security/network isolation reasons

For the love of expletive this mistaken belief needs to have died yesterday. NAT boxes help primarily because they also contain a firewall. But most of 2024's network security problems originate from the devices behind your firewall getting exploited through their on requests, not some random shit connecting from the outside. (Yes, that does still happen, so you keep your firewall.)

> no distinction between a local IP and a public IP

https://en.wikipedia.org/wiki/Unique_local_address

replies(2): >>41090800 #>>41090897 #
58. eqvinox ◴[27 Jul 24 22:40 UTC] No.41089842[source]
> I have no problem criticizing tech companies, but I try to wait until they behave badly.

I'd rather not wait until they have a (quasi-)monopoly on something though. Twitter was great until…

replies(1): >>41091914 #
59. depingus ◴[27 Jul 24 22:40 UTC] No.41089848[source]
Yggdrasil is p2p ipv6 e2ee. https://yggdrasil-network.github.io/

Last I checked, it hasn't solved DNS yet (there are unofficial projects trying to do that). I tested a small private network with a few devices and it worked very well.

60. zbentley ◴[27 Jul 24 23:09 UTC] No.41090012{5}[source]
> Yes, there are ways to configure IPv6 to isolate subnets, separate local traffic from internet traffic, set up firewalls and DMZs, run local DNS, etc., but they're all more complicated to configure and administer than their IPv4 equivalents.

Eh, I think that has hindsight bias. Setting up NAT manually, or customizing how things are NATed beyond the typical "one or two subnets/IP ranges behind a NAT gateway and maybe a DMZ" you see in businesses and residences is quite complicated! It's just that our control planes are really optimized to make that common case very easy. From router web UIs to pf presets to Windows'/NetworkManager's "share network" functionality to what articles/how-tos are available, that complexity is very effectively hidden but not removed.

As IPv6 becomes more entrenched (and more sites move to IPv6-only or public-IPv6-only deployments), the same thing that happened for the IPv4 world will happen for network segmentation configuration in the IPv6 world: it will get a lot easier and common defaults/conventions will emerge. I don't think the inherent complexity differences between IPv4 and IPv6 are that relevant here.

61. zbentley ◴[27 Jul 24 23:14 UTC] No.41090041{3}[source]
Not GP, but I interpreted it as an argument to innovate/proliferate implementations early and often, but to standardize minimally and as late as possible.
62. Animats ◴[27 Jul 24 23:18 UTC] No.41090058[source]
> IPv6 was released in 1998. ... Who was stopping anyone from doing it then, and who is stopping anyone from doing it now?

Well, for a long time, IPv6 didn't work very well. We're past that, mostly. Google reports that 45% of their incoming connections worldwide are IPv6.[1] Growth rate has been close to linear, at 4%/year, since 2015. IPv6 should pass 50% some time in 2025.

Mobile is already 70%-90% IPv6. They need a lot of addresses.

Most of the delay comes from enterprise networks. They have limited connectivity to the outside world, and much of that limiting involves some kind of address translation. So a "corporate IPv6 strategy" is required.

[1] https://www.google.com/intl/en/ipv6/statistics.html

63. belorn ◴[28 Jul 24 01:11 UTC] No.41090543{5}[source]
Modern ransomware attacks has demonstrated beyond doubt the very harmful belief that private network behind nat is an acceptable alternative to keeping systems secured and patched. The only thing nat does in a security sense is to provide false sense of security until the day a single machine inside get compromised and then the whole hospital or company comes to a standstill while rushing to restore from backup, praying that they do keep backups. Its a mistake, and the only reason it felt like a good idea was because Microsoft with windows 98/2k/xp got hit en-mass with worms targeting vulnerable windows machines that never got updates.
64. BonoboIO ◴[28 Jul 24 02:20 UTC] No.41090800{6}[source]
Amen! In the 2000s I had a newly setup windows xp with the modem on the internet. After 30 minutes it was toast.

Riddled with viruses.

replies(1): >>41113673 #
65. aboardRat4 ◴[28 Jul 24 02:44 UTC] No.41090886{6}[source]
>https://blog.ipspace.net/2011/12/is-nat-security-feature/ >>Basic NAT (as defined in RFC 2663) performs just the IP address translation (one inside host to one IP address in the NAT pool). The moment the inside host starts a session through the NAT, it becomes fully exposed to the outside world.

This is a lie. A "session through the NAT" does not really expose the host to the outside world, because in 99% of the cases this is a TCP session, and the NAT machine would drop all "out of order" packets.

>Most modern attacks start from a compromised internal host (e.g., from phishing), or through stolen credentials via a remote access method.

Your statement is a perfect example of https://en.wikipedia.org/wiki/Survivorship_bias.

Most modern attacks start from an internal host exactly because NAT makes external attacks infeasible for the majority of scenarios.

>Set your firewall to default deny, then add a rule for allow outgoing connections, followed by only allow incoming connections if they are replies.

What about I don't do it, and the system is still _automatically_ secure, because NAT does exactly that while being _required_ for the system to work.

>See Figure A-5

LOL. What about I don't see any figures, and the system still works and is secure for the 99% of the cases.

replies(2): >>41091930 #>>41092500 #
66. aboardRat4 ◴[28 Jul 24 02:46 UTC] No.41090897{6}[source]
>But most of 2024's network security problems originate from the devices behind your firewall getting exploited through their on requests, not some random shit connecting from the outside.

That is Survivor Bias at its best.

The originate _inside_ because NAT effectively blocks all _external_ requests.

replies(1): >>41091187 #
67. adolph ◴[28 Jul 24 03:12 UTC] No.41090987{6}[source]

  Eight six seven five three oh nine
  Eight six seven five three oh nine
68. wmf ◴[28 Jul 24 04:13 UTC] No.41091173{3}[source]
BTW the best way to make standards happen is to sell a product based on the standard. Academic standards don't go anywhere.
replies(1): >>41104742 #
69. eqvinox ◴[28 Jul 24 04:17 UTC] No.41091187{7}[source]
> The originate _inside_ because NAT effectively blocks all _external_ requests.

You mean the firewall effectively blocks all external requests.

replies(2): >>41091344 #>>41092143 #
70. dilawar ◴[28 Jul 24 05:02 UTC] No.41091332{4}[source]
Thanks for pointing this out. It's hard to communicate ipv4 and I dread even reading ipv6.

I don't understand why they didn't just add two or four more fields to ipv4 e.g. 0.91.127.0.0.1 is localhost where 0.91 can be omitted in the local context.

PS: I don't understand how networking works. Feels very very complex and full of jargons.

replies(3): >>41091622 #>>41091684 #>>41093912 #
71. noduerme ◴[28 Jul 24 05:04 UTC] No.41091344{8}[source]
Regardless, it's a fair point. Most of the attack surface on client / end user boxes these days is through social engineering and end user stupidity. Vanishingly little of it on modern OSes comes from external sources like a scan revealing a mistakenly open port. It's just that the threat profile has shifted toward making users make mistakes to the point where so much resource is thrown at fooling users now that, by the numbers and the ransomware profits, it's more effective than trying to penetrate software remotely.
replies(1): >>41092322 #
72. mike_d ◴[28 Jul 24 05:39 UTC] No.41091423[source]
> TailScale has been at all times a good actor.

This is the Cloudflare problem all over again. One day Matthew Prince will get hit by a bus, all the "trustworthy people" will leave, a PE firm will take the company private, and merge it with an ad network. Congrats, the entire internet now has a single companies ads all over it and we let it happen because we happened to like the people fucking us.

replies(1): >>41092170 #
73. fragmede ◴[28 Jul 24 06:41 UTC] No.41091622{5}[source]
if ipv4 is called that because there are 4 numbers in the IP address, what would you call your scheme with 6 of them?
74. wolfendin ◴[28 Jul 24 06:57 UTC] No.41091684{5}[source]
Because the fields are there for humans, in the packet itself it’s a 32bit integer, and you can’t just arbitrarily make the src/dest fields in the packet bigger— it stops being IPv4 then.
replies(1): >>41092033 #
75. wolfendin ◴[28 Jul 24 07:09 UTC] No.41091723{4}[source]
That’s because nobody normal— anyone who isn’t a tech person— remembers IP addresses.

Hell I can’t get tech people I work with to give me their public IP.

replies(1): >>41097984 #
76. nsonha ◴[28 Jul 24 08:13 UTC] No.41091914{3}[source]
when was twitter ever great? It has been creating echo chambers from day one, and deliberately making discourse difficult and non-nuance. It's arguably the shittiest form of human communication, and that counts facebook also.
77. alfons_foobar ◴[28 Jul 24 08:19 UTC] No.41091930{7}[source]
> This is a lie. A "session through the NAT" does not really expose the host to the outside world, because in 99% of the cases this is a TCP session, and the NAT machine would drop all "out of order" packets.

No, it's not. NAT only translates addresses and does not inspect the TCP "internals" (like sequence number etc, which would allow it to block certain packets).

What you are describing is a stateful firewall that allows "reply packets" for an established TCP-session.

replies(1): >>41099541 #
78. jkrejcha ◴[28 Jul 24 08:50 UTC] No.41092033{6}[source]
I'm pretty sure the person you're replying to is saying that IPv6, should be IPv4 but longer, which is not at all an uncommon opinion, even if it's a breaking change to the IP protocol. And I'd argue there would've been incredibly strong benefits and much wider adoption if they did this. Sure, you'd still need new networking gear and software support to handle it, but the change is relatively simple (and potentially more easily backwards compatible), especially compared to all of the baggage that came with IPv6.

It's a fact of life that working with networking that we'll have to work with IP addresses at some level. It's easy to tell someone, "hey try typing in 'ping 8.8.8.8' and tell me what you get".

The readability of IPv6 is, in my opinion, worse with repeated symbols and more characters to remember. The symbols that were chosen were also poorly thought out. Colons are used in networking a lot of times when you want to connect to a service on a particular port, so if you want to visit 2001:4860:4860::8888 in your browser, you have to enclose the address in square brackets.

replies(1): >>41104367 #
79. Sophira ◴[28 Jul 24 09:27 UTC] No.41092143{8}[source]
You are technically correct that iptables is what provides the NAT functionality on Linux (by way of the MASQUERADE target), which many routers run. However, you are very incorrect that the firewall is directly involved in blocking the request.

The reason NAT works for this is because by default there are no Internet-accessible services available via the router. If a request is received by the router that doesn't match an open port, its OS will, by default, reject it, with no firewall required.

replies(1): >>41092230 #
80. johnklos ◴[28 Jul 24 09:32 UTC] No.41092170{3}[source]
Matthew Prince is definitely not a good actor, but that's not the point. What Cloudflare did was they acted like good people, said good things, even did some good things, but once they got enough business and momentum, they then started doing shadier and shadier things, and now they're a protection racket that is happy to protect scammers for a fee. I think Cloudflare's most ardent fans would have trouble articulating technically valid reasons for why it makes sense to re-centralize the Internet around them, yet that's exactly what Cloudflare want.

That's why people don't necessarily, and shouldn't, trust that Tailscale won't head down the same path. It's hard enough for non-profits - heck, the Mozilla Foundation is losing all the good will they've ever had, and even the Raspberry Pi Foundation decided to gaslight people when they started eyeing corporate money.

If there's an open source way to do a thing that's a pain in the ass and a way to do the same thing from a for-profit company, I'll take the pain in the ass thing every time. History has shown it to be the prudent thing time and time again.

replies(2): >>41099035 #>>41117098 #
81. superb_dev ◴[28 Jul 24 09:55 UTC] No.41092230{9}[source]
So then what’s this default firewall rule I have that blocks all non-established connections?

NAT is not required for any of the things you’re talking about.

replies(1): >>41092686 #
82. gorgoiler ◴[28 Jul 24 10:10 UTC] No.41092279{4}[source]
In practice I haven’t ever had a problem memorising IPv6 addresses. The significant proportions of any address you might type manually are 48 bits long at one end and a few bits at the other.

An example IPv4 address is 8 to 12 digits:

  10.30.115.5
A memorable IPv6 address at a /56 site — the prefix and then one or two digits — isn’t much longer:

  2001:db8:404:14::42
If you’re with a reasonably clued in ISP you probably get a /48 for your site by default:

  2001:db8:404::42
If you’re enumerating your own /64 prefixes then it’s not much more complicated than:

  site 2001:db8:404::
  net              :14::
  host                ::42
replies(2): >>41097625 #>>41097978 #
83. tjoff ◴[28 Jul 24 10:25 UTC] No.41092322{9}[source]
That is because most systems comes with a firewall on and fairly limited surface area in the form of exposed services.

But, there are billions of other devices (IoT etc). that barely has any security protections in place that rely completely on not being exposed to the outside world.

replies(1): >>41093975 #
84. snek_case ◴[28 Jul 24 10:28 UTC] No.41092334{3}[source]
The argument is more that encryption technologies can become outdated quickly. You also make it harder for small embedded devices to implement network connections if you mandate that all traffic must be encrypted.

A simple protocol is more likely to last.

85. jeroenhd ◴[28 Jul 24 10:47 UTC] No.41092386[source]
IPSec is still widely deployed, securely even. All manual, of course, because it doesn't do the stuff that makes HTTPS easy.

IPSec is not always a VPN protocol. L2TP over IPSec is often used as one, but IPSec does little more than encrypt a tunnel between two IP addresses. IPSec in tunnel mode can be a minimal VPN, but it's not used as such as in VPN scenarios without a second packet encapsulation protocol, as it lacks authorization beyond key exchange.

As for the risk of ossification: that didn't go away with the current system either. HTTPS over TLS 1.3 looks like a TLS 1.2 session resumption on the wire (in its default configuration) because shitty middleboxes are used often enough that it would impede the protocol.

The "let's remake TCP over UDP" approach QUIC takes has very similar origins. UDP is generally allowed by random firewalls over that network, while other (more suited) protocols for this type of stuff like SCTP are not. The operating system doesn't allow opening raw network sockets without high privileges, so adding a new QUIC protocol at the layer of TCP and UDP to implement them at the right spot in the stack wouldn't be usable for many devices. Same is true for the TCP stack you have to use what the OS provides or get higher privileges to do your own; patching the TCP state machine isn't practical. So, if you want to implement a better version of TCP optimised for web browsing and such, you use UDP, because while technically incorrect, it'll work in most cases and has the least restrictions.

In the context of the network, IPSec is the new protocol here, not the result of ossification.

86. jeroenhd ◴[28 Jul 24 10:53 UTC] No.41092402[source]
I may be in favour of DNSSEC, but I admit that it's time for a v2 of the RFC that removes the stupid "encryption can't be done at the endpoint" restriction. In practice you can just turn on validation on many computers and gain its benefits, especially if used in the manner as described here where you can just block connections to unprotected hostnames to work around the most glaring issue, but the whole spec is written for a world we've moved beyond.

IPv6 doesn't have that problem, though.

replies(1): >>41095712 #
87. throw0101d ◴[28 Jul 24 11:20 UTC] No.41092500{7}[source]
> Most modern attacks start from an internal host exactly because NAT makes external attacks infeasible for the majority of scenarios.

Or, you know, because firewalls block stuff.

I've had hosts with public IPv4 addresses attacked on (e.g.) tcp/80 and tcp/443 because that's what the firewall allowed through so the web service was available to the public. I've had hosts with internal IPv4 addresses attacked on web ports because they were behind a (reverse proxy) load balancer for serving traffic: the fact that they had a 10/8 and were behind a NAT did not protect them from attack.

Before recently switching ISPs, my last one had IPv6 (new one does not). They activated IPv6 at some point, and I enabled it on my Asus, and suddenly all my internal devices got an IPv6 address (via RA), including things like my printer.

I had SSH enabled on my macOS laptop and desktop, but could not SSH into them from an outside source. My printer has a web interface on port 80 that I could connect to internally, but not externally. Even though all the devices had IPv6 addresses.

Just because a device is globally addressable does not mean it is globally reachable.

> What about I don't do it, and the system is still _automatically_ secure, because NAT does exactly that while being _required_ for the system to work.

Because NAT is doing that I describe, so you are doing it. The firewall is checking state on incoming packets and rejecting those that are not in its state table. The firewall is also coïncidentally just happening to also be fiddling some bits in the address field.

It is the stateful inspection that is protecting you.

* https://en.wikipedia.org/wiki/Stateful_firewall

replies(1): >>41095709 #
88. pas ◴[28 Jul 24 12:06 UTC] No.41092686{10}[source]
okay now I'm curious

what happens with an incoming packet if there are no firewall rules on the NAT gateway/middlebox? without having a corresponding conntrack entry they will be dropped (and maybe even an ICMP message sent back, depending on the protocol), no?

for example if there is an incoming TCP packet with a 4-tuple (src ip, src port, dst ip, dst port) ... by necessity "dst ip" is the public IP of the NAT box, and on a pure NAT box there are no bound listening sockets. so whatever "dst port" is .. unless it gets picked up by an established NAT flow ... it will splash on the wall and getting a TCP RST.

isn't the argument that "NAT is not required", but that "NAT is implicitly a firewall"?

replies(3): >>41093037 #>>41093964 #>>41098213 #
89. otabdeveloper4 ◴[28 Jul 24 13:00 UTC] No.41092877[source]
The problem with TCP/IP is the lack of a standard and robust VPN/overlay network protocol. Everything we have is extremely fragmented and/or proprietary.

IPv6 is completely useless and doesn't solve this problem.

Normal people don't care if they have to pay 5 dollars instead of 50 cents to rent an IP address. This is a problem specific only to the huge providers, and we don't need to rollout a whole internet upgrade just to optimize a tiny part of the operational costs for huge providers.

replies(1): >>41099045 #
90. otabdeveloper4 ◴[28 Jul 24 13:23 UTC] No.41092961{3}[source]
No, network- and location-based security is a necessary and indispensable layer in your security stack.

> should be accessible from anywhere, and be secured at the end points, not at the network layer

If you're not securing at both the network layer and the endpoints, then you have utterly failed security and you need to go sit in the dunce corner.

91. otabdeveloper4 ◴[28 Jul 24 13:26 UTC] No.41092972{5}[source]
> Because that is how the internet is meant to work.

No. The "internet" is literally the "inter-network", a way to connect private networks between each other.

The fact that VPN technologies sit behind proprietary corporate intellectual property is not by design, it is a failure of the internet standardization process as it was gamed by corporate interests.

92. eqvinox ◴[28 Jul 24 13:38 UTC] No.41093037{11}[source]
On a directly connected outside system, you can set a route for your LAN address space via that router and it will just work. It requires telco or physical access but I have in fact done this before.
93. throw0101d ◴[28 Jul 24 15:34 UTC] No.41093912{5}[source]
> I don't understand why they didn't just add two or four more fields to ipv4 e.g. 0.91.127.0.0.1 is localhost where 0.91 can be omitted in the local context.

Because they thought that 64-bits would not be enough, and did not want to have to go through yet another transition.

The IPng proposal that was chosen, SIPP, was originally 'only' 64-bits:

* https://datatracker.ietf.org/doc/html/rfc1752#section-9

See also §10.2:

* https://datatracker.ietf.org/doc/html/rfc1752#section-10.2

Specifically (§11.1):

    * scale - an address size of 128 bits easily meets the need to
      address 10**9 networks even in the face of the inherent
      inefficiency of address allocation for efficient routing
94. throw0101d ◴[28 Jul 24 15:43 UTC] No.41093964{11}[source]
> what happens with an incoming packet if there are no firewall rules on the NAT gateway/middlebox?

See perhaps stateless NAT:

* https://wiki.nftables.org/wiki-nftables/index.php/Performing...

95. throw0101d ◴[28 Jul 24 15:45 UTC] No.41093975{10}[source]
> But, there are billions of other devices (IoT etc). that barely has any security protections in place that rely completely on not being exposed to the outside world.

Yes. And you can not-expose them via default deny firewall rule.

My home printer had an IPv6 in a prefix assigned from my ISP, but it was not accessible to the Internet (it was actually ping6-able because my Asus allowed ICMPv6 by default, but I could not connect to its web interface, like I can internally). Neither could I SSH into my macOS desktop or laptop from the outside (but could between the two internally).

And even if my globally addressable devices were globally reachable (which they were not), good luck scanning a /64.

replies(1): >>41094307 #
96. tjoff ◴[28 Jul 24 16:46 UTC] No.41094307{11}[source]
I know. But this old NAT vs. firewall crap was pointless decades ago.

Still is.

97. DyslexicAtheist ◴[28 Jul 24 20:22 UTC] No.41095703{3}[source]
thanks much appreciated to you and teddyh for these links. really needed this opposite views.
98. mrkstu ◴[28 Jul 24 20:23 UTC] No.41095709{8}[source]
You have a mix of accurate mix with not so much here.

> I've had hosts with internal IPv4 addresses attacked on web ports because they were behind a (reverse proxy) load balancer for serving traffic: the fact that they had a 10/8 and were behind a NAT did not protect them from attack.

You explicitly set up a NAT bypass (reverse proxy) and then claim NAT didn't protect them. If I am an external attacker coming in towards a single public IP where the backside hasn't set up UPNP/Port Forwarding/STUN/Reverse Proxy, NAT does exactly what the previous poster said. It drops packets because the 'destination' is the router itself in the packet. It has no where else to go, it has literally reached its destination.

A stateful firewall is in no way necessary for this functionality to exist. Even UDP stateless packets cannot bypass the NAT because there if there is no table tracking the conversation from the POV of the inside->out initiating the conversation because the router would have zero idea which interior host to forward the packet to and no reason to do so.

99. DyslexicAtheist ◴[28 Jul 24 20:23 UTC] No.41095712{3}[source]
thanks!
100. teddyh ◴[28 Jul 24 22:04 UTC] No.41096325{3}[source]
The title of that article which you link to is “Calling time on DNSSEC?”, and Betteridge's law of headlines applies to it. Here’s the final paragraphs from that article:

I guess the question we should be asking is — if we want a secured namespace what aspects should we change about the way DNSSEC is used to make it simpler, faster, and more robust?

replies(1): >>41097248 #
101. tptacek ◴[29 Jul 24 01:13 UTC] No.41097248{4}[source]
I'm happy just to see more people reading it. People can make their own call about it.
102. RulerOf ◴[29 Jul 24 02:56 UTC] No.41097625{5}[source]
>the prefix and then one or two digits — isn’t much longer

I'd argue it's just enough to make the difference though.

The problem is that people got used to being able to rely on memorizing IP addresses. IPv6 does its best at making IP addresses both harder to memorize, and completely dynamic, going so far as to change the IP on a fairly regular basis. It's antithetical to some very core qualities that an IP address is supposed to have in the minds of many.

103. tempcommenttt ◴[29 Jul 24 04:52 UTC] No.41097978{5}[source]
This is the first time I read about someone actually trying to remember IP6 addresses, maybe I should try that, because it’s really easy to remember IP4. For me, the problem is that there’s hex numbers, which are harder to remember and missing zeros, so you need remember the colons. If IP6 would just be 6 decimal numbers and this would be the default way of writing them, this would not be a problem. But it feels to me that the cryptic way IP6 is written is to make it hard for humans to remember it.
104. tempcommenttt ◴[29 Jul 24 04:54 UTC] No.41097984{5}[source]
Maybe young people can’t, but older folks can easily store phone numbers in their brains, so IP4 is easy.
105. orangeboats ◴[29 Jul 24 05:52 UTC] No.41098213{11}[source]
>what happens with an incoming packet if there are no firewall rules on the NAT gateway/middlebox?

You get a Full Cone NAT. Once the middlebox maps an (internal IP, port) tuple to an external port, every connection to that external port would lead to that internal tuple.

Why should Host C be able to reach Host A, when Host A is only speaking to Host B?

I am sure you know this but still, I have to stress that NAT is merely a mapper from one tuple to another tuple. If your router can handle NAT it certainly can handle an IPv6 firewall. And modern home/SOHO routers come with IPv6 firewall enabled by default (for the non-home routers, you have a bigger issue if your networking guys are not checking whether firewall is active) so I find the firewall discussions utterly as meaningless as someone fearing their DHCP server is not turned on by default. And frankly speaking, it's just an excuse for not implementing IPv6 -- saying that your ISP doesn't provide IPv6 connectivity would have been more convincing.

replies(2): >>41099017 #>>41099495 #
106. orangeboats ◴[29 Jul 24 05:56 UTC] No.41098230{4}[source]
The vast majority of CGNATs across the world don't support the PCP protocol for predictable mapping.
107. pas ◴[29 Jul 24 09:08 UTC] No.41099017{12}[source]
Thanks, I wasn't familiar with this term!

I think you misunderstand my post. My "philosophical inquiry" is about trying to get to the bottom of this, and it seem to me that NAT, as virtually everywhere deployed and found in the unspeakably many SoHo setups, is a stateful NAT, and it's implicitly a bad firewall.

So when people say that this is "meme" should die .... well they are right, but not technically right, no?

108. PLG88 ◴[29 Jul 24 09:11 UTC] No.41099035{4}[source]
Check out OpenZiti then - https://openziti.io/. Its Tailscale on steroids, with. (IMHO) a much more scalable implementation of zero trust principles.
109. PLG88 ◴[29 Jul 24 09:12 UTC] No.41099045[source]
We are trying to change that with OpenZiti - https://openziti.io/. Its an open source network overlay built with zero trust principles and deny by default in mind. We also built it for developers, so includes SDKs and other means to embed overlay networking directly into the SDLC.
replies(1): >>41099986 #
110. PLG88 ◴[29 Jul 24 09:15 UTC] No.41099063{3}[source]
secured at the endpoints yes... I would argue you can go one step further, doing it at the application level. This is what we built (and open sourced) with OpenZiti (https://openziti.io/), the ability to embed an overlay network, built on zero trust and deny by default principles, directly into the app as part of the SDLC.

If you do this, your application has no listening ports on the WAN, LAN, or host OS network and thus cannot be attacked from the external network/IP.

The asymmetry of risk now favours the defender, not attacker. Oh, plus we also have pre-built tunnelers for endpoints if you cannot do app embedded.

111. aboardRat4 ◴[29 Jul 24 11:09 UTC] No.41099495{12}[source]
> If your router can handle NAT it certainly can handle an IPv6 firewall.

The point is not that "it can", the point is that on ipv4 "it doesn't work without".

In order for ipv4 to work at all you MUST use NAT, and implicitly a firewall, those two always work together even if there the person installing the system doesn't know the word "firewall", which is usually the case.

replies(2): >>41099881 #>>41101330 #
112. aboardRat4 ◴[29 Jul 24 11:19 UTC] No.41099541{8}[source]
>No, it's not. NAT only translates addresses and does not inspect the TCP "internals" (like sequence number etc, which would allow it to block certain packets).

Yes it is. How would it forward response packets back if it doesn't track connections?

In real life I haven't seen "stateless NAT" for about 20 years.

But cgnat machines usually go beyond that and even verify sequence numbers.

113. eqvinox ◴[29 Jul 24 12:21 UTC] No.41099881{13}[source]
> The point is not that "it can", the point is that on ipv4 "it doesn't work without".

Hmm. I hadn't seen this brought up and I think it's a stronger argument than most others.

The IPv6 equivalent is services on ULA only, but that's not a default behaviour.

114. otabdeveloper4 ◴[29 Jul 24 12:41 UTC] No.41099986{3}[source]
It's a complex problem that hasn't even been formulated properly yet.

For example, every existing solution touts "security" and yet completely mangles the difference between authentication and encryption.

Authentication is important - you don't want random servers or users to enroll on your network, and you want good tools to rotate and manage secrets.

Encryption isn't important unless you care about state-level actors sniffing your traffic at the backbone. (And if you care about that then you already have your own datacenter.)

Meanwhile encrypting all network traffic is a huge performance penalty. (Orders of magnitude for some valid use cases.)

115. ◴[29 Jul 24 15:46 UTC] No.41101330{13}[source]
116. Lammy ◴[29 Jul 24 22:29 UTC] No.41104367{7}[source]
> The symbols that were chosen were also poorly thought out.

The wackiest example I've seen of this is the `ipv6-literal.net` notation for Windows UNC paths: https://devblogs.microsoft.com/oldnewthing/20100915-00/?p=12...

117. benreesman ◴[29 Jul 24 23:37 UTC] No.41104742{4}[source]
I have no idea what the adoption is, but this reminds me of the really nice work the buf.build people are doing with ConnectRPC.

I have a SaaS-crush on buf because they did such a good job on fixing such an annoying problem.

118. nurettin ◴[30 Jul 24 20:15 UTC] No.41113673{7}[source]
I had the same, except I was not running it as admin, so nothing could touch system32 or the boot sector.
119. braginini ◴[31 Jul 24 07:34 UTC] No.41117098{4}[source]
Or https://netbird.io which is open-source. You can host the coordination server too :)