
The IPv6 Transition

(www.potaroo.net)
215 points by todsacerdoti | 25 comments
1. uobytx2 ◴[] No.41898529[source]
People posting have mentioned that IPv4 is working for what they use the internet for. But of course it is. When NATs have been required for your whole life, how could the internet have built features that needed p2p routing? Just convince businesses to build something that requires special router configuration? And still wouldn’t work on phones or with ISPs that require CG NAT? You got what worked out of the box. You obviously couldn’t use what didn’t exist.
replies(2): >>41899158 #>>41899246 #
2. theamk ◴[] No.41899158[source]
Why do people assume IPv6 means "easy p2p"?

Even if NAT will be gone one day, the stateful firewalls won't. Every home router would still ship with "deny all incoming" by default, and every corporate network would have the same setting as well.

Same as IPv4, IPv6 serving would still need registration with the border device, either manually by the user, or via a UPnP equivalent.

replies(3): >>41899364 #>>41899487 #>>41901569 #
3. tptacek ◴[] No.41899246[source]
I can do more with the Internet today than I could with a static /22 assigned over my ISDN BRI back in the mid-1990s. A lot of things I would do back then, I would do differently today; running a chat system by connecting directly out to 6667/tcp feels pretty silly now, for instance. It's rough to build protocols that work that way today, but you're not missing much. Things were not better before the advent of presumptive NAT.
replies(2): >>41901019 #>>41905779 #
4. numpad0 ◴[] No.41899364[source]
"Everything gets a global IP, no more NAT headaches" was one of the marketing talking points for IPv6. Not necessarily the case nor welcomed by everyone, but that was the intent.
replies(1): >>41899708 #
5. ndriscoll ◴[] No.41899487[source]
UDP hole punching works when you don't have symmetric NAT. So e.g. voice and video calls don't need a proxy and can be higher quality. You only need a third party to locate/signal your peer.
6. mike_d ◴[] No.41899708{3}[source]
Wide scale deployment of NAT (the "home router" that allowed you to connect multiple devices) was the greatest leap in internet security we ever made. I remember the days when we had "everything gets a global IP," and we do NOT want to go back to that. Look up Conficker, Code Red, Blaster, etc.

People naively assume the large IPv6 address space somehow hides your computer on the internet. That isn't true. Both because v6 host discovery is a solved-ish problem for attackers, and worms have near unlimited resources to throw at the wall.

replies(3): >>41899815 #>>41900115 #>>41900299 #
7. bigstrat2003 ◴[] No.41899815{4}[source]
I remember those days too. They had nothing to do with computers not being behind a NAT.
replies(1): >>41900391 #
8. BenjiWiebe ◴[] No.41900115{4}[source]
You'll still need a router to route. It just won't have to do NAT. It can still do a stateful firewall, just like it does with IPv4.
9. numpad0 ◴[] No.41900299{4}[source]
NAT is technically not a firewall in itself, I believe early/some NAT implementations used deterministic assignments between external range to internal ip:port. They can be more transparent if that is the goal.

But what the proliferation of cheap Wi-Fi routers with cheap dynamic NAPTs in conjunction with UPnP did to XP-era PC security - 100% agreed, it was like sunlight self-disinfecting brass door handles.

10. tptacek ◴[] No.41900391{5}[source]
They had to do with computers being directly addressable, routable, and reachable by the entire Internet, which was the default prior to widespread deployment of NAT. NAT isn't the best way to do it, but it probably is the single biggest factor in reducing the external reachability of endpoint IPs.
replies(1): >>41904203 #
11. beeflet ◴[] No.41901019[source]
p2p was simpler. The NAT epidemic has totally suffocated P2P because no one can host anything anymore.

You can't trivially host your own blog, for example, without going to your ISP and requesting a static address, and then configuring port forwarding. This is why everyone got stuck on social media, because they need someone else to run their website essentially.

replies(1): >>41901043 #
12. tptacek ◴[] No.41901043{3}[source]
That's a retcon. People used Blogger because it was more convenient than setting up Apache and PHP on a webserver of their own. Linux nerds for whom doing that is no big deal are an infinitesimal fraction of everyone who blogged.
replies(1): >>41901129 #
13. beeflet ◴[] No.41901129{4}[source]
Why does it have to be such a big ordeal? A blog is pretty much just a static site.

Is it unimaginable that someone uses an HTML editor like Microsoft Word or something to write a blog and then copies it into the folder of a static web server? I'm sure it would be way simpler if people had the time to figure out P2P and the associated UI; it's not fundamentally super complicated versus client-server.

replies(2): >>41901499 #>>41902695 #
14. tptacek ◴[] No.41901499{5}[source]
Just the idea of having an always-on computer anywhere in your home excludes probably more than 80% of everyone who has ever written a blog. IPv4 is not why people use hosted services.
replies(1): >>41902868 #
15. eptcyka ◴[] No.41901569[source]
With how trivial generating new addresses in IPv6 is, it'd be cool to have a host block all incoming traffic on its own and have each service that deserves to be reached over the listen on an address unique to the service.
replies(1): >>41901733 #
16. nlitened ◴[] No.41901733{3}[source]
> have each service that deserves to be reached over the listen on an address unique to the service

It’s already a thing. These unique per-service addresses are called “ports” in IP protocol.

replies(2): >>41902517 #>>41902735 #
18. bluGill ◴[] No.41902695{5}[source]
What is complex is ongoing work. You have to watch for and apply security patches forever.
19. eptcyka ◴[] No.41902735{4}[source]
Hosting service A shouldn't mean that every user of service A can also figure out you host C, B and D.

Also, the IP protocol does not care about ports at all. Ports are a thing for UDP and TCP.

replies(1): >>41904782 #
20. tcfhgj ◴[] No.41902868{6}[source]
> Just the idea of having an always-on computer anywhere in your home excludes probably more than 80% of everyone who has ever written a blog.

I have yet to meet someone who turns off the router at night, although I have heard of such people.

Then if you think about it, TVs, washing machines, etc. people are too lazy to turn them off, and OLED TVs even require being turned on while not being used.

21. tucnak ◴[] No.41904203{6}[source]
NAT deployment here is only tangential to the real differentiator: the firewall. I mean, you can make a case that NAT is a poor man's firewall but you should know that it's not a substitute for a security model. Zero trust is now the dominant philosophy, and it allows for firewall rules to be derived procedurally.

It's a shame the likes of Microsoft only care about "zero trust" insofar as their compliance checkboxes with the US government. They see it as a chore. Contrary to Google, Cloudflare, et al.

replies(1): >>41906767 #
22. nlitened ◴[] No.41904782{5}[source]
> Also, the IP protocol does not care about ports at all. Ports are a thing for UDP and TCP.

You're right, they are one level above.

> Hosting service A shouldn't mean that every user of service A can also figure out you host C, B and D.

How are ports on a single IP address essentially different from multiple IP addresses within a subnet?

replies(1): >>41908368 #
23. uobytx2 ◴[] No.41905779[source]
Well sure, I’m not trying to say that the internet is less capable generally now than in the past.

I’m suggesting that the way you build an app is shaped by the prevalence of NAT, the same way the apps you build are shaped by how much bandwidth home users have for devices.

Some types of apps benefit from p2p functionality, and those hit obstacles for normal users due to port forwarding requirements, and are largely impossible with CG NAT. I don’t think NAT is a villain, just something that does affect what and how we build stuff.

24. tptacek ◴[] No.41906767{7}[source]
NAT was originally delivered as a security mechanism.
25. eptcyka ◴[] No.41908368{6}[source]
In a /64, enumerating all hosts will not be as practical as enumerating all ports on a single IP. Further, you will not be able to link that two services are running on the same host by just the IP.
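The per-service address scheme argued over in comments 15, 19, 22 and 25, as an added example that is not part of the thread: a host owning a /64 binds each service to its own randomly chosen address and keeps a default-deny inbound policy keyed on (address, port). The prefix is a constructed documentation-range value and the filter is a hypothetical host-local model, not any real firewall's API.

```python
import ipaddress
import secrets
from typing import Optional

# Constructed example prefix from the IPv6 documentation range; the host
# is assumed to own this whole /64 and may answer on any address in it.
HOST_PREFIX = ipaddress.IPv6Network("2001:db8:1234:5678::/64")
PORT_SPACE = 65536  # every TCP/UDP port on one address

def service_address(prefix: ipaddress.IPv6Network,
                    iid: Optional[int] = None) -> ipaddress.IPv6Address:
    """Derive one address inside `prefix` for a single service.

    The interface identifier (low 64 bits) is drawn at random, so the
    address of service A reveals nothing about B, C or D beyond the
    shared /64.  A fixed `iid` is accepted so tests are deterministic."""
    if iid is None:
        iid = secrets.randbits(64)
    if not 0 <= iid < prefix.num_addresses:
        raise ValueError("iid does not fit in the prefix")
    return ipaddress.IPv6Address(int(prefix.network_address) + iid)

class PerServiceFilter:
    """Host-local default-deny inbound policy (hypothetical model): a packet
    is accepted only if its (destination address, port) pair was registered."""
    def __init__(self) -> None:
        self._allowed = set()

    def register(self, addr: ipaddress.IPv6Address, port: int) -> None:
        self._allowed.add((addr, port))

    def accepts(self, dst_addr: str, dst_port: int) -> bool:
        return (ipaddress.IPv6Address(dst_addr), dst_port) in self._allowed

def search_spaces(prefix: ipaddress.IPv6Network) -> tuple:
    """Candidates an outsider must try to locate one service: every
    address in the /64 versus every port on one already-known address."""
    return prefix.num_addresses, PORT_SPACE

if __name__ == "__main__":
    fw = PerServiceFilter()
    web = service_address(HOST_PREFIX)
    ssh = service_address(HOST_PREFIX)
    fw.register(web, 443)
    fw.register(ssh, 22)
    print("web:", web, "ssh:", ssh)
    print("to web/443:", fw.accepts(str(web), 443))  # accepted
    print("to web/22: ", fw.accepts(str(web), 22))   # dropped: ssh lives elsewhere
    print("addresses vs ports:", search_spaces(HOST_PREFIX))
```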