
    The IPv6 Transition

    (www.potaroo.net)
    215 points todsacerdoti | 16 comments
    1. kalleboo No.41893589
    The internet stopped being a network of peers where everyone needed an address and is now split into producers (a handful of large companies) and consumers (everyone else).

    The consumers are not expected to need a public address where they can be reached - in fact, having a public address is actually a security and privacy risk.

    replies(3): >>41893910 #>>41898097 #>>41898172 #
    2. redprince No.41893910
    That was in fact one of the promises of IPv6: Restore the network of peers where every host is in principle a server and a client and communication between peers is unhindered unless a policy is enforced saying otherwise (on the machine, on a firewall, etc.).

    > having a public address is actually a security and privacy risk.

    Services can be turned off or a firewall instructed not to pass traffic from the internet (by default). That represents exactly the same attack surface as having a service enabled and nobody being able to get to it from the internet because of NAT.

    The privacy risk is mitigated by RFC4941 "Privacy Extensions for Stateless Address Autoconfiguration in IPv6". Granted, that does not deal with the (delegated) prefix staying the same, and when there are only one or very few users in that prefix, some individual behavior could be inferred. Because of that, at least in Germany we have the peculiar horror of getting the IPv6 address and all delegated prefixes changed on every redial. That eliminates all privacy concerns while also continuing to make residential internet connections useless for hosting any services.

    Anyway. The internet is already way down the road of functioning only as the delivery conduit for a few cloud / service providers mediating all user communication and access to content.

    replies(1): >>41898691 #
    3. bigstrat2003 No.41898097
    > in fact, having a public address is actually a security and privacy risk.

    I strongly disagree with this. Privacy (not that it's a big deal imo) is well handled by the temporary address extension, and security is not an issue if you run a firewall. And you should be running a firewall even if you use v4, because NAT is not an acceptable security measure.

    replies(1): >>41898489 #
    4. xnyan No.41898172
    > The consumers are not expected to need a public address where they can be reached - having a public address is actually a security and privacy risk.

    100% of consumer routers and OS level firewalls deny new inbound connections by default. There are upsides and downsides to static vs dynamic ISP-provided addresses, but the only difference between IPv4 and IPv6 in this regard is that IPv6 has a vastly larger address space and offers an ISP far more capacity to randomize a customer's host address for a far lower cost than IPv4. CGNAT is available for 4 or 6 if such is desired.

    5. FridgeSeal No.41898489
    Whilst I agree with you, I rather depressingly suspect a lot of people equate NAT with “security”.
    replies(2): >>41899377 #>>41901876 #
    6. Affric No.41898691
    > in Germany we have the peculiar horror of getting the IPv6 address and all delegated prefixes changed on every redial.

    This is oh so very German.

    In normal times it is massively overkill. I have to wonder if, heaven forbid, the things these sorts of German measures are meant to mitigate come to pass again, whether they will make any difference or whether they are a largely symbolic act designed to demonstrate ideological opposition to such things.

    replies(2): >>41899306 #>>41901522 #
    7. kiwijamo No.41899306{3}
    This seems to be common. My RSP (ISP) only offers a fixed IPv6 address/prefix on request -- otherwise they will just allocate one out of their pool as they do for dynamic IPv4 (although both dynamic IPv4 and IPv6 are fairly sticky, so normally DHCP/PPPoE connections will get the same address previously used as long as it hasn't been reallocated). I personally have a static IPv4 address and a static IPv6 address/prefix from my RSP for my home network.
    8. jiggawatts No.41899377{3}
    Only CG-NAT provides any semblance of "privacy" from the perspective of the outside world, but is a hideous technology that shouldn't exist.

    Normal NAT as seen with home internet routers provides zero privacy, because you still have a predictable public IP.

    People also think that IPv4+NAT provides security, but IPv4 is such a tiny address space that all public IPs are scanned daily by various malicious bots. Meanwhile IPv6 is so enormous that unless you register your address in some public way, you're completely invisible to port-scanning bots by default!

    replies(1): >>41899937 #
    9. FridgeSeal No.41899937{4}
    Yeah exactly.

    I have a friend who works in the networking division of a telco in my country; their team had to spend significant time and effort educating a PM who was dead-to-rights convinced that IPv6 was “less secure”, seemed to think that IPv6 didn’t have subnets and that NATs were the same as firewalls, and refused to be convinced otherwise.

    People like that make any forward progress extremely difficult.

    replies(1): >>41900024 #
    10. jiggawatts No.41900024{5}
    It's such a perfect example of erroneous thinking that it should be included in psychology textbooks.

    "A always comes with B, hence A is required to provide B" is obviously, trivially wrong, but a truly incredible number of people will dig their heels in and refuse to admit that "B can be provided in other ways".

    In this case, where things went wrong was this: "Before A, the availability of B was rare, and A requires B, and hence B became commonplace only because of A."

    You can see how the association can be accidentally upgraded to an "if and only if" instead of merely "if".

    11. magicalhippo No.41901522{3}
    Got the same here in Norway. I've had the same dynamic IPv4 address from my ISP since I moved here over 6 years ago. I get a new IPv6 prefix every time the line goes down, modem needs reboot, moon is full etc.
    12. PhilipRoman No.41901876{3}
    Security - not really, but to be honest CG-NAT is kind of nice for privacy. I don't have to worry about leaking a (by default) permanent identifier. Once/if I go full IPv6, I'll probably start using a VPN full time.
    replies(2): >>41902544 #>>41902648 #
    13. orangeboats No.41902544{4}
    Conversely, CGNAT also means that if someone in your neighbourhood decides to be a malicious actor, you will likely be affected too.
    replies(1): >>41903353 #
    14. abhinavk No.41902648{4}
    The IP that you use to connect outside is separate and not permanent by default. AFAIK both Windows 11 and Linux generate a new one every day.
    replies(1): >>41903083 #
    15. PhilipRoman No.41903083{5}
    AFAIK it is within the same /64, which for all tracking purposes means "the same IP". The CG-NAT IP on the other hand is not even unique at any particular moment, let alone permanently. Kind of like having your own free residential VPN.
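    An added example, not from any commenter in this thread, illustrating the point made in comments 2, 14 and 15: RFC 4941 temporary addresses rotate only the interface identifier, so a tracker that keys on the /64 prefix still links them, and only a change of the delegated prefix breaks the link. The log lines are constructed for the example and use the 2001:db8::/32 documentation prefix.

```python
"""Group client addresses from a (constructed) access log by their /64 prefix.
Shows that RFC 4941 temporary addresses sharing a prefix stay linkable."""
import ipaddress
from collections import defaultdict

# Constructed sample log: "<timestamp> <client address>" per line.
# Days 1-2: three temporary addresses inside one /64 (same prefix, new IID).
# Day 3: the delegated prefix has changed (the "redial" case from comment 2),
# plus one IPv4 client for comparison.
SAMPLE_LOG = """\
2024-10-01T08:00:00Z 2001:db8:1234:5678:a1b2:c3d4:e5f6:0001
2024-10-01T09:00:00Z 2001:db8:1234:5678:9f8e:7d6c:5b4a:3928
2024-10-02T08:00:00Z 2001:db8:1234:5678:0fed:cba9:8765:4321
2024-10-03T08:00:00Z 2001:db8:abcd:0001:1111:2222:3333:4444
2024-10-03T09:00:00Z 203.0.113.7
"""


def prefix_key(addr: str, prefixlen: int = 64) -> str:
    """Return the prefixlen-bit network an IPv6 address belongs to.
    IPv4 addresses are returned whole, since a tracker keys on them directly."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return str(ip)
    # strict=False masks off the host bits instead of raising.
    return str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))


def link_by_prefix(log_text: str, prefixlen: int = 64) -> dict:
    """Map each prefix to the distinct client addresses seen inside it.
    Every entry with more than one address is a client that rotated its
    address but stayed linkable because the prefix did not change."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _timestamp, addr = line.split()
        key = prefix_key(addr, prefixlen)
        if addr not in seen[key]:
            seen[key].append(addr)
    return dict(seen)


if __name__ == "__main__":
    for net, addrs in link_by_prefix(SAMPLE_LOG).items():
        print(f"{net}: {len(addrs)} distinct address(es), one client to a /64 tracker")
```

Running it shows the first three lines collapse to a single /64 key despite three different addresses, while the day-3 prefix change yields a separate key.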
    16. alwayslikethis No.41903353{5}
    For law enforcement purposes most CGNAT operators should keep a log of who had what address at what time. You can still get blocked by websites until you get a new address, though.