←back to thread

The New Internet

(tailscale.com)
517 points ingve | 4 comments | 26 Jul 24 18:29 UTC | HN request time: 0s | source
Show context
teddyh ◴[27 Jul 24 03:19 UTC] No.41084227[source]
The eternal problem with companies like Tailscale (and Cloudflare, Google, etc. etc.) is that, by solving a problem with the modern internet which the internet should have been designed to solve by itself, like simple end-to-end secure connectivity, Tailscale becomes incentivized to keep the problem. What the internet would need is something like IPv6 with automatic encryption via IPsec, with PKI provided by DNSSEC. But Tailscale has every incentive to prevent such things to be widely and compatibly implemented, because it would destroy their business. Their whole business depends on the problem persisting.

(Repost of <https://news.ycombinator.com/item?id=38570370>)

replies(14): >>41084990 #>>41084996 #>>41085022 #>>41085061 #>>41085166 #>>41085236 #>>41085716 #>>41085987 #>>41086195 #>>41086648 #>>41087141 #>>41087359 #>>41089848 #>>41092877 #
hnarn ◴[27 Jul 24 10:56 UTC] No.41085716[source]
This sounds like a reasonable point, but the more I think about it, the more it sounds like digital flagellation.

IPv6 was released in 1998. It had been 21 (!) years since the release of IPv6 and still what you're describing had not been implemented when Tailscale was released in 2019. Who was stopping anyone from doing it then, and who is stopping anyone from doing it now?

It's easy to paint companies as bad actors, especially since they often are, but Google, Cloudflare and Tailscale all became what they are for a reason: they solved a real problem, so people gave them money, or whatever is money-equivalent, like personal data.

If your argument is inverted, it's a kind of inverse accelerationism (decelerationism?) whereby only in making the Internet worse for everyone, the really good solutions can see the light. I don't buy it.

Tailscale is not the reason we're not seeing what you're describing, the immense work involved in creating it is why, and it's only when that immense amount of work becomes slightly less immense that any solution at all emerges. Tailscale for example would probably not exist if they had to invent Wireguard, and the fact that Tailscale now exists has led to Headscale existing, creating yet another springboard in a line of springboards to create "something" like what you describe -- for those willing to put in the time.

replies(4): >>41085824 #>>41085838 #>>41086171 #>>41090058 #
throw0101d ◴[27 Jul 24 11:25 UTC] No.41085838[source]
> Who was stopping anyone from doing it then, and who is stopping anyone from doing it now?

The folks who either (a) got in early on the IPv4 address land rush (especially the Western developed countries), or (b) with buckets of money who buy addresses.

If you're India, there probably weren't enough IPv4 address in the first place to handle your population, so you're doing IPv6:

* https://www.google.com/intl/en/ipv6/statistics.html#tab=per-...

Or even if you're in the West, if you're poor (a community Native American ISP):

> We learned a very expensive lesson. 71% of the IPv4 traffic we were supporting was from ROKU devices. 9% coming from DishNetwork & DirectTV satellite tuners, 11% from HomeSecurity cameras and systems, and remaining 9% we replaced extremely outdated Point of Sale(POS) equipment. So we cut ROKU some slack three years ago by spending a little over $300k just to support their devices.

* https://community.roku.com/t5/Features-settings-updates/It-s...

* Discussion: https://news.ycombinator.com/item?id=35047624

IPv4 'wasn't a problem' because the megacorps who generally run things where I'm guessing you're from (the West) were able to solve it in other means… until they can't. T-Mobile US has 120M and a few years ago it turns out that money couldn't solve IPv4-only anymore so they went to IPv6:

* https://www.youtube.com/watch?v=QGbxCKAqNUE

IPv6 is not taking off because IPv4 (and NAT/STUN/TURN) is 'better', but rather because (a) inertial, and (b) it 'works' (with enough kludges thrown at it).

replies(1): >>41086487 #
api ◴[27 Jul 24 13:32 UTC] No.41086487[source]
There is another reason: the addresses are long and impossible to remember and hard to type.

I always bring this up and it’s always dismissed because tech people continue to dismiss usability concerns.

Even “small” usability differences can have a huge effect on adoption.

replies(6): >>41086535 #>>41086588 #>>41089497 #>>41091332 #>>41091723 #>>41092279 #
Gormo ◴[27 Jul 24 21:35 UTC] No.41089497{3}[source]
Also, NAT is desirable for security/network isolation reasons, and having no distinction between a local IP and a public IP has a lot of disadvantages.

Yes, there are ways to configure IPv6 to isolate subnets, separate local traffic from internet traffic, set up firewalls and DMZs, run local DNS, etc., but they're all more complicated to configure and administer than their IPv4 equivalents.

replies(4): >>41089808 #>>41089818 #>>41090012 #>>41090543 #
eqvinox ◴[27 Jul 24 22:36 UTC] No.41089818{4}[source]
> NAT is desirable for security/network isolation reasons

For the love of expletive this mistaken belief needs to have died yesterday. NAT boxes help primarily because they also contain a firewall. But most of 2024's network security problems originate from the devices behind your firewall getting exploited through their on requests, not some random shit connecting from the outside. (Yes, that does still happen, so you keep your firewall.)

> no distinction between a local IP and a public IP

https://en.wikipedia.org/wiki/Unique_local_address

replies(2): >>41090800 #>>41090897 #
aboardRat4 ◴[28 Jul 24 02:46 UTC] No.41090897{5}[source]
>But most of 2024's network security problems originate from the devices behind your firewall getting exploited through their on requests, not some random shit connecting from the outside.

That is Survivor Bias at its best.

The originate _inside_ because NAT effectively blocks all _external_ requests.

replies(1): >>41091187 #
eqvinox ◴[28 Jul 24 04:17 UTC] No.41091187{6}[source]
> The originate _inside_ because NAT effectively blocks all _external_ requests.

You mean the firewall effectively blocks all external requests.

replies(2): >>41091344 #>>41092143 #
1. noduerme ◴[28 Jul 24 05:04 UTC] No.41091344{7}[source]
Regardless, it's a fair point. Most of the attack surface on client / end user boxes these days is through social engineering and end user stupidity. Vanishingly little of it on modern OSes comes from external sources like a scan revealing a mistakenly open port. It's just that the threat profile has shifted toward making users make mistakes to the point where so much resource is thrown at fooling users now that, by the numbers and the ransomware profits, it's more effective than trying to penetrate software remotely.
replies(1): >>41092322 #
2. tjoff ◴[28 Jul 24 10:25 UTC] No.41092322[source]
That is because most systems comes with a firewall on and fairly limited surface area in the form of exposed services.

But, there are billions of other devices (IoT etc). that barely has any security protections in place that rely completely on not being exposed to the outside world.

replies(1): >>41093975 #
3. throw0101d ◴[28 Jul 24 15:45 UTC] No.41093975[source]
> But, there are billions of other devices (IoT etc). that barely has any security protections in place that rely completely on not being exposed to the outside world.

Yes. And you can not-expose them via default deny firewall rule.

My home printer had an IPv6 in a prefix assigned from my ISP, but it was not accessible to the Internet (it was actually ping6-able because my Asus allowed ICMPv6 by default, but I could not connect to its web interface, like I can internally). Neither could I SSH into my macOS desktop or laptop from the outside (but could between the two internally).

And even if my globally addressable devices were globally reachable (which they were not), good luck scanning a /64.

replies(1): >>41094307 #
4. tjoff ◴[28 Jul 24 16:46 UTC] No.41094307{3}[source]
I know. But this old NAT vs. firewall crap was pointless decades ago.

Still is.