
The New Internet

(tailscale.com)
517 points | ingve | 8 comments
teddyh (No.41084227)
The eternal problem with companies like Tailscale (and Cloudflare, Google, etc. etc.) is that, by solving a problem with the modern internet which the internet should have been designed to solve by itself, like simple end-to-end secure connectivity, Tailscale becomes incentivized to keep the problem. What the internet would need is something like IPv6 with automatic encryption via IPsec, with PKI provided by DNSSEC. But Tailscale has every incentive to prevent such things from being widely and compatibly implemented, because it would destroy their business. Their whole business depends on the problem persisting.

(Repost of <https://news.ycombinator.com/item?id=38570370>)

replies(14): 41084990, 41084996, 41085022, 41085061, 41085166, 41085236, 41085716, 41085987, 41086195, 41086648, 41087141, 41087359, 41089848, 41092877
viraptor (No.41085022)
ZeroTier does kind of that. It's a tunnel, but also the traffic is direct (unless double NAT is involved), and if you could route the traffic directly to the endpoint IPs, you can skip ZT. The location service can be self-hosted if you want. You don't have to use them as a service if you don't want to. Apart from DNSSEC it's pretty much what you're asking for.
replies(1): 41085255
1. lockywolf (No.41085255)
Double NAT is now almost everywhere in the world, except maybe USA.
replies(2): 41085472, 41086207
2. viraptor (No.41085472)
What kind of NAT though? You can use UPnP, predictable mapping, etc. and still allow the traffic through. And that's only with IPv4, because you can run ZeroTier over IPv6.
replies(3): 41085864, 41086423, 41098230
3. throw0101d (No.41085864)
> What kind of NAT though? You can use UPnP, predictable mapping, etc. and still allow the traffic through.

Your computer can talk to your home router (CPE) and punch a hole for a connection, but if your WAN port does not have a public IP address, and instead itself has a private address (probably 100.64/10), the CPE cannot talk to the ISP's router to punch a hole:

* https://en.wikipedia.org/wiki/Carrier-grade_NAT

The two layers of NAT (home network (192.168) -> CPE NAT (100.64/10) -> ISP NAT ('real' public IPv4)) prevent hole punching.

replies(1): 41086063
4. viraptor (No.41086063)
Double NAT on one side is not that universal. Across Europe and Australia I've seen it maybe once on a residential connection. I'm sure it's used, but the comment about the US in the post above just doesn't match my experience.
replies(1): 41086764
5. sulandor (No.41086207)
Foreseeable, yet still somewhat surprising, that having a clean v4 address on the CPE has become a very privileged position.
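The distinction the comment above draws (one NAT at the CPE versus a second NAT at the ISP using 100.64/10) is easy to check from the addresses your own router reports. The following is an added example written for this page, not code from the thread or from any of the products discussed. It assumes `wan_addr` is the address the CPE shows on its WAN port (status page or UPnP `GetExternalIPAddress`) and `external_addr` is the source address a host on the public internet sees for you (from a STUN server or a "what is my IP" service); every address in it is constructed from the RFC 5737 documentation and RFC 6598 shared ranges.

```python
"""Classify the CPE's WAN address and count NAT layers (added example).

Assumptions (not from the thread): wan_addr is read off the home router,
external_addr is what a public server sees, sample addresses are constructed.
"""
import ipaddress
from typing import Optional

# Shared Address Space that ISPs place on the subscriber side of a CGNAT (RFC 6598).
CGNAT_SPACE = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 ranges; some ISPs use these upstream of the CPE instead of 100.64/10.
RFC1918 = tuple(ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


def _is_rfc1918(addr) -> bool:
    return addr.version == 4 and any(addr in net for net in RFC1918)


def _is_public_v4(addr) -> bool:
    return addr.version == 4 and addr not in CGNAT_SPACE and not _is_rfc1918(addr)


def classify_wan(wan_addr: str, external_addr: Optional[str] = None) -> str:
    """Return one of: public, cgnat, private-upstream, translated-upstream,
    ipv6-global, ipv6-non-global."""
    wan = ipaddress.ip_address(wan_addr)
    if wan.version == 6:
        return "ipv6-global" if wan.is_global else "ipv6-non-global"
    if wan in CGNAT_SPACE:
        return "cgnat"                  # an ISP NAT sits above the CPE (RFC 6598)
    if _is_rfc1918(wan):
        return "private-upstream"       # ISP NAT using RFC 1918 space instead
    if external_addr is not None and ipaddress.ip_address(external_addr) != wan:
        return "translated-upstream"    # WAN looks public but is rewritten upstream
    return "public"


def nat_layers(lan_addr: str, wan_addr: str, external_addr: Optional[str] = None) -> int:
    """Count NAT layers between a LAN host and the public internet (0, 1 or 2).

    lan_addr == wan_addr means the host sits directly on the ISP link, so the
    CPE contributes no translation of its own.
    """
    lan = ipaddress.ip_address(lan_addr)
    layers = 0
    if lan.version == 4 and lan != ipaddress.ip_address(wan_addr) and not _is_public_v4(lan):
        layers += 1                     # the home CPE translates LAN -> WAN
    if classify_wan(wan_addr, external_addr) in ("cgnat", "private-upstream", "translated-upstream"):
        layers += 1                     # the ISP translates WAN -> public
    return layers


def upnp_hole_punch_possible(lan_addr: str, wan_addr: str, external_addr: Optional[str] = None) -> bool:
    """UPnP/NAT-PMP only reach the CPE, so a mapping there only helps when the
    CPE's WAN address is the one the rest of the internet sees."""
    return nat_layers(lan_addr, wan_addr, external_addr) <= 1


if __name__ == "__main__":
    # Constructed sample: single NAT versus the 192.168 -> 100.64/10 -> public chain.
    for lan, wan, ext in (("192.168.1.20", "203.0.113.7", "203.0.113.7"),
                          ("192.168.1.20", "100.72.3.4", "203.0.113.7")):
        print(f"{lan} -> {wan} -> {ext}: {nat_layers(lan, wan, ext)} NAT layer(s), "
              f"UPnP useful: {upnp_hole_punch_possible(lan, wan, ext)}")
```

The `translated-upstream` case matters because not every carrier NAT hands out 100.64/10: an ISP may give the CPE an address from its own public range and still translate it, which only comparing the WAN address against what an outside host sees will reveal. A result of 2 is exactly the situation in which a UPnP mapping on the home router cannot help, because the second translator never sees the request.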

Just the other day I was discouraging a youngster from manually populating his hosts file in order to circumvent a DMCA-related DNS block... what has the world come to.

6. p_l (No.41086423)
You can't over double NAT, because the second layer of NAT is not going to support UPnP.
7. throw0101d (No.41086764)
Great for you for not having to experience it, but that doesn't mean it sucks any less for those less fortunate:

> Our [Native American] tribal network started out IPv6, but soon learned we had to somehow support IPv4 only traffic. It took almost 11 months in order to get a small amount of IPv4 addresses allocated for this use. In fact there were only enough addresses to cover maybe 1% of population. So we were forced to create a very expensive proxy/translation server in order to support this traffic.

> We learned a very expensive lesson. 71% of the IPv4 traffic we were supporting was from ROKU devices. 9% coming from DishNetwork & DirectTV satellite tuners, 11% from HomeSecurity cameras and systems, and remaining 9% we replaced extremely outdated Point of Sale(POS) equipment. So we cut ROKU some slack three years ago by spending a little over $300k just to support their devices.

* https://community.roku.com/t5/Features-settings-updates/It-s...

* Discussion: https://news.ycombinator.com/item?id=35047624

8. orangeboats (No.41098230)
The vast majority of CGNATs across the world don't support the PCP protocol for predictable mapping.