77 comments

[ 2.6 ms ] story [ 167 ms ] thread
Waiting for ipv7
> I don't want to lose the security provided by NAT

This grinds my gears so much. I hate everything about NAT. It is a pain to deploy, pain to debug, pain to code, pain to think about, pain to workaround in other protocols. Just the elimination of NAT is enough benefit to use IPv6 over IPv4.

Most people love the NAT. There's no sense in pissing against the wind here and telling people they're idiots and shouldn't like what they like.

(If we ever get to an IPv6 future, there will certainly be a NAT in it. Except this time more convoluted and hacky and brittle than it ever was back in the IPv4 days.)

> telling people they're idiots

I never said that.

> If we ever get to an IPv6 future, there will certainly be a NAT in it.

That will indeed be a very sad day for mankind.

> I'm used to be with you, but some things are only possible will NAT.

On ipv6 besides hiding (most common setup) a randomly assigned /64 ip address behind another /64 address I really don't see what any stateful firewall can't achieve

What? NAT hinders the deployment of P2P applications, how was that not a bane of NAT to get rid if it already?
Depending on whether you‘re someone trying to build clever, distributed applications or someone trying to defend a corporate network against them, that may be a bug or a feature.
> someone trying to defend a corporate network against them

If nat is part of your security strategy, you need a new security strategy.

Why? I mean, security is always defence-in-depth thing, a think that consists of multiple layers, etc.

If you would have left out the "part of" words, then yeah, implying that NAT is the only defense, that strategy must be thrown out of the window.

By the way, ~20 years ago, when ISP just gave public IP and that was directly hooked to PC... yeah, got bitten by some random script on internet that just deleted my files via SMB thanks to how insecure windows configuration was. Was grateful when router was my defense :) Not that something important was there for a kid, but credit goes to... NAT. I think that may have been the time when I learned something about open shares.

NAT is not a defense in ANY way.

Your router’s stateful firewall, that’s what saved you. But that’s separate and continues working with IPv6

> trying to defend a corporate network against them

That's not what NAT is for... That's what firewalls are for. Firewalls still exists in IPv6.

The fact that NAT sucks so much that it makes penetration harder is not a feature, it's a bug so severe it even affect hackers.

That's a feature, not a bug.

99% of the time "P2P applications" just means rootkits and botnets. Very few people actually use P2P in a legitimate way, and even the "legitimate" uses are actually software piracy.

(No, Zoom, Teams et al., aren't P2P applications; maybe they should be, but such is life.)

NAT helps obfuscate how many devices are on my home network. I don't look forward to the day my ISP starts wanting to charge me per computer/phone/tablet I have.
They will probably give you an entire /64 subnet. You can use 2^64 devices. It will be fine :)
I suspect they're referring more to a policy thing.

For instance carriers that forced phone makers to allow them to switch off using your phone as a Hotspot, unless you pay your carrier more.

you say this with the assumption that your devices will all implement a good ipv6 strategy and not suck.

generally the ipv6 support in endpoint/iot devices really sucks.

IPv6 offers randomly assigned addresses from the nice large subnet that you should have been given -- a /64 is 2^64 addresses, comfortably insanely larger than the entire IPv4 internet.

Your ISP can look at how many addresses you sent traffic from in a particular time period, but that's not indicative of how many machines or NICs you have.

That would have been true if parcelling out a /64 was actually easy or common. In practice, it's designed that one /64 is one device, and it's really hard to split up that subnet, with SLAAC outright making it impossible. It's possible with some static configuration, but that's not something an average Joe is going to use, and router software I came across usually considers it an unsupported option.

EDIT: disregard that, the /64 is actually the smallest subnet. It does hinder subnetting fun, but not allocation to devices. I'll leave the invalid post for the sake of transparency.

What do you mean ? All my computer, I and suspect most ipv6 stacks updated in the last decade, assigns at least two address now by default, on linux, one showed as global, assigned by router, typically static, and others temporary ones, random /64 and used by default for outbound connections.
> /64 is 2^64 addresses, comfortably insanely larger than the entire IPv4 internet.

Yes. I get it is technically very possible. I still don't want most of my devices able to be identified when they poll the internet.

> Your ISP can look at how many addresses you sent traffic from in a particular time period, but that's not indicative of how many machines or NICs you have.

Until they start charging by the address and OS manufacturers respond by keeping them more static. Or hell, until say streaming services start counting different IPv6 addresses as machines for licenses.

IPv4 household situation:

one external IPv4 public address at your router/firewall, 2^16 invisible addresses NATted behind it - streaming service embeds a UUID in your client and reports it every time you make a request.

IPv6 household situation:

2^64 external addresses at your router/firewall, 1 to N of them remain static so you can get ACK packets from the outside, up to 2^64 -1 of them are randomly reassigned every so often at the mercy of your client OS's privext implementation. Streaming service embeds a UUID in your client and reports it every time you make a request.

I don't understand. You could still run a router that performs NAT. Is there something about IPv6 that makes running NAT intrinsically harder than IPv4 and more susceptible to corporate overlords?
A data point: I think OpenWRT simply does not bother making it easy.
If I'm using NAT, I don't need IPv6. And IPv6 NAT is, for some reason, still buggy.

So yes, if I go to IPv6, I could get a worse version of what I have now.

Well the second and third points seem valid.

The first point though, I don't get? You are forced to use NAT now. If IPv6 were the standard, and assuming that the implementation of NAT was fine, then you could have the choice of both. Since you prefer to keep NAT, I'm not sure why you'd need to stop using it if IPv6 rolls out?

Are you saying that because we're forced to use IPv4 now, you're more accepting of NAT?

No, I'm saying I want to use NAT. IPv4 NAT is better than IPv6 NAT (less buggy). Therefore I want to use IPv4. It's pretty much only one point.

But I still haven't heard an advantage of IPv6. It would let me avoid NAT, which is why people tolerate a buggy NAT implementation. But I don't want to.

It's like telling a Yankees fan that one of the perks of his new job is season tickets to the Red Sox. (I hope I got the teams correct)

> But I still haven't heard an advantage of IPv6.

That's my original point. Ipv6 makes NAT obsolete and useless. That is enough of a benefit to use it over Ipv4.

You seem to be failing at reading comprehension here. As has been repeated a couple of times, but once again in all caps for emphasis: SOME PEOPLE WANT TO USE NAT TO OBSCURE DEVICES ON THEIR NETWORK. Period. End of story.

That IPv6 makes nat 'useless' is not a point in its favour or a benefit. That IPv6 NAT is inferior to IPv4 NAT makes IPv4 preferable and IPv6 something to be avoided for people who have this particular use case.

So if IPv6 NAT worked as well as IPv4 NAT/was not buggy, you would be fine switching in a hyoothetical IPv6 mandate?
IPv6 isn't better in my experience. The software out there is frequently very immature and does not support typical use-cases.

It's also so many new moving parts, so I find it very difficult to translate my IPv4 experience, making it a pain to work with. Every time something breaks on my network it's IPv6 related, and every time I have to go digging in RFC's and whatnot to figure out what to do.

The main pain points with IPv4+NAT are still pain points with IPv6, namely dynamically open ports in the firewall.

I'm sure IPv6 will be in a better place in 10-20 years time, and I'm sure a lot of my annoyance with it is due to my inexperience. One day...

How can I publicly shame my ISP into providing IPv6? I have symmetrical 1gbps fiber but the lack of IPv6 is laughable.

I love everything about them (Race Communications) but this is something that really gets under my skin.

There is nothing really you can do.

Verizon FiOS in NYC does not support IPv6 and does not have it on any public road maps. So I'm in the same boat 1gbps symmetric without native IPv6.

But Verizon FiOS does have IPv6 else where, including places in NY state for many years already.

They clearly have a reason to pause the roll out, but I have no clue what it is.

Looks like a pretty small provider - maybe just call them and ask if they will set up a tunnel or something for you?
Is there an advantage to use my ISPs tunnel vs another tunnel? I have an open case inquiring about IPv6 and can ask them via that ticket. But if there isn't a benefit from using an ISPs tunnel then I'd rather just save them the work.
Thisipv6excusedoesnotexist.com
"Our business intelligence team can't even parse IPv4 logfiles " - this one is so true and hard to argue against.
I have yet to understand why I care about IPv6. I haven't seen any problems it solves. Instead, I see a giant change for no real benefit. It's like Catalina refusing to support 32-bit applications for no reason.
This is similar to opposing infrastructure updates because I don't see any benefit from replacing the transformers on our block.

The power company does not need me to care, or understand. But they should probably try to keep the lights on while they do the change.

> The power company does not need me to care, or understand

Sure, but I'm reasonably intelligent and well versed in the subject matter. If a random person asks about replacing the transformer, you have a fine response. If someone who worked for ConEd asked, then you should answer them.

This is like the comment “Who needs the iPhone 13’s faster CPU” I read yesterday on a random forum, except you’re on HN and you should probably know better.

The reason is simple: IPv4 addresses are getting more rare and therefore more costly.

> Who needs the iPhone 13’s faster CPU

Ironically I think the answer here is the same: not the end customer.

Most normal people don't really need a faster CPU and wish they could still be hanging on to their beloved iPhone 4, but the developers writing software for it need customer phones to be faster, so everyone has to spend money on it.

For IPv6, not everyone needs private addresses, especially in the age of IoT. Even though NAT is not a safety feature, it's probably the main reason we only have millions rather than billions of exposed IoT devices in Shodan.

And in the age of privacy violations (and done, again, by people who write software), sharing an IP with my neighbours because of Carrier-Grade NAT doesn't sound like a bad idea to me at all anymore.

As for the lack and cost of IPv4, I'd bet that the main reason for that is not because of domestic customers, but rather because of companies, other institutions or even countries holding onto or using IPv4 addresses unnecessarily like they're candy.

Thanks. I would have written something with similar points, but your writing was better.
lol.

Sorry there’s nothing else to add, you’re just proving my point. On HN.

The underlying reason is pretty simple - there's not enough IPv4 addresses to uniquely identify all the devices.

We work around that with things like NAT, but as we have more and more devices on the internet we need a simpler solution. That simpler solution being moar bits in the address.

Not uniquely identifying all devices is a feature. We have NAT, and NAT works. Meanwhile, I cannot think of anything worse than more unique points of tracking.
> We have NAT, and NAT works

Until it doesn't. NAT is fine for a home or company network, it'll soon be getting not fine for mobile and other networks. Using NAT you are not simply hiding the identity of individual devices you are sacrificing concurrent connections per device for fake extra address space, that will run out eventually with more and more devices being connected (you might say “my smart bulbs don't need to access the public network” but your smart bulb manufacturer appears to think differently!). IIRC Linux defaults to a range of 32768–60999 for port mapping so about 28,000 maximum concurrent connections per public IPv4 which seems a large number but if you have many users using P2P protocols (potentially hundreds of connections per host) or many many just web browsing (tens per host that is currently active) that can soon run out and connections start failing in a manner that is hard to diagnose at the client end (it just looks intermittent) and near impossible to diagnose at the far end.

And it is a pain for true P2P comms even at one level, never mind nested NAT if you and your ISP are both doing it.

NAT doesn't help for needing more publicly addressable addresses on the other side either, it only helps with your side of the problem. You will eventually have to move off IPv4 because services will start to be IPv6 only. Yes there are ways to essentially reverse-NAT around that (for instance HTTPS+SNI is now viable in most cases as you are only excluding really ancient devices) but those techniques also add complexity & latency and won't work for everything. Nor is the issue simple numbers: the distribution if IPv4 blocks is not at all smooth and working around that adds complexity to routing (yes large orgs have released some of the v4 allocations back for reuse, but that is far from as simple as just saying “hey, you over there, these are now available to use”.

If your reason for using NAT is security then be aware that what security/privacy you do get is only by accident and probably not as effective as you think anyway, certainly against meaningful tracking.

i agree with mostly everything you said but i think your calculation is wrong. to figure out how to map addresses not only the destination port can be taken to account but the addresses themselves and the source port too. that makes 28k (that figure is questionable too) concurrent connections per single connected IP and port on the far end. i am also somewhat certain if this would become a real issue the fix would probably involve mapping connections using more state like sequence numbers in TCP or similar things instead of abandoning this idea entirely and for good.
IPv6 is a light years away from simply "moar bits in address".
Considering this thread is "what are the advantages of IP6", would you mind elaborating?
Parent talked about simple solution for address shortage. Like IPv6 is mere IPv4 with 128bit addresses.
Its nice for every device to have a unique public IP, if that has value to you. It also means for a typical home user, you need to be a little more mindful about firewall rules instead of relying on NAT to make direct incoming access more difficult.
> Its nice for every device to have a unique public IP, if that has value to you

It has the opposite of value to me. I don't want most of my devices to have more of a public IP than they need to. In fact, it being technically possible for my lightbulbs to have public IPs sounds horrible.

I was just replying to HWR_14 asking why they should care about IPv6 - there's more to it than just moar bits obviously, but if you want the simplest reason to care then that's probably it.
But I don't want more of my devices on the internet.
> Larger headers are less efficient

LMAO

In the back of my mind I have a "Days since I solved networking issues by disabling ipv6" calculator. Currently it's at one month, give or take. The host in question was not serving proper ssl certs on ipv6 ports, so connections failed with really scary errors.

I know ipv6 solves a lot of issues for actual networking people, but for the grunts who just want mom's printer to start working, disabling ipv6 still seems to be a silver bullet.

I'm very aware that the latest issue I solved was entirely the fault of the server operator, not of ipv6, but the user experience still was "ipv6 broken, no ipv6, no broken"

On the other hand I had performance issues when disabling ipv6 on gentoo based system for running docker (containers where starting in 1.5-2 seconds instead of 0.4 seconds). Enabling ipv6 solved those issues.
Interesting that you mention certificates because my counter of Days since I could have solved website issue by disabling https is also about a month or so. Those certificate warnings are really scary for users, but telling them what the certificate error means and how to fix it made for an happy client.

Of course they could have solved it by disabling https but then the browser would display this ugly icon and google would not rank their website as good as before, so there is a strong incentive to keep https. The server admins responsible for the site will just have to accept that certificate renewal is part of their responsibility.

When I had more hair and I was about to graduate, IPv6 was basically ready. After decades of half-assed adoption, there are still bugs related to expecting IPv4 addresses; I take it almost personally.
I'm on IPv6. Right now. Via Sonic.net. And I didn't do anything.

Here's an argument to use with management: Conversion to IPv6 is in the 14th Five Year Plan of the People's Republic of China.

"We will focus on strengthening support for digital transformations, intelligent upgrades, and integration and innovation and deploy and construct new infrastructure such as information infrastructure, integration infrastructure, and innovation infrastructure. We will build high-speed, ubiquitous, integrated and interconnected, safe, and efficient information infrastructure that integrates space and earth (天地一体) and enhance data perception, transmission, storage, and computing capabilities. We will accelerate the large-scale deployment of 5G networks, increase the user penetration rate to 56%, and promote the upgrade of gigabit optical fiber networks. We will build up technology reserves for the future deployment of 6G network technology. We will expand backbone network interconnection nodes, set up a number of new international communication gateways, and comprehensively promote the commercial deployment of Internet Protocol Version 6 (IPv6)."

Does your company want to be Left Behind?

[1] https://cset.georgetown.edu/wp-content/uploads/t0284_14th_Fi...

Is there a good/hassle-free IPv6 tunnel broker that could be used instead of SiXXS?
if you dont need dynamic tunnels like sixxs offered them via aiccu you can you tunnelbroker.net for free 6in4 tunels, they are pretty stable and fast.
I'm worried that IPv4 is too entrenched and that IPv6 will forever be niche. It reminds me of the situation of USB-A versus USB-C. I try as much as possible to have USB-C devices/ports only, but too many manufacturers of devices insist on USB-A or something else like Lightning ports.

For the rare times that it has been 100% USB-C, it's made a noticeable difference. Similarly, I would like a future for 100% IPv6, but we will never get there because the world's core services have been set up on IPv4 and there isn't enough political will to shift the decentralized community.

If core infra sees a client try to connect from IPv6, it will expect the client to bridge through to IPv4 somehow. It might be like this for a hundred years or more.

If only IPv6 had come just a little bit sooner...

I don't see it as matching the situation with USB-C.

USB-C has way, way too many subtypes (Power delivery, Displayport over USB-C, Thunderbolt 4, USB 3.2 Gen-2x2.6467764, USB-C form factor but only wired for USB 2.0/3.0) and needs "smart" cables to make half these work (which, while only some resistors, still means a manufactuer has to weight spending on resistors vs just on copper and plugs) and for most use cases "2.0 micro-B" works well enough.

IPv6 instead is slow to adopt because there is a LOT of infastructure (almost like it's a global spanning network) that needs upgrading, and companies will absolutely wring out the value of their original IPv4 purchases as long as possible before spending on upgrades.

I feel like it wouldn't be too hard to come up with software IP-equivalents analogies to the USB-C woes you mentioned, don't you think so? Not really the same, but relatable in terms of entrenchment and adoption speed?

I agree that IPv6 adoption will be made even more difficult by the fact that companies will try their hardest to hold onto IPv4 and the money associated with it.

Is there like a list of services and/or software which are fully ipv6-capable?

I guess that would mitigate many of these excuses and fears. I know a time, where OpenVPN had to be patched. And there ARE CloudProviders who not really have IPv6 as a firstclass citizen

(i would like to have the same for dnssec, the adoption rate is similar abysmal)

Because your favourite chat software does not support IPv6.
Main problem with IPv6 is lack of backward compatibility. You cannot "just use IPv6". If you accessing Internet you still needs to obtain IPv4 address and setup NAT if needed. Then optionally you can setup IPv6. Internet connection works great without IPv6 but is broken without IPv4.

My IPS do not offer IPv6. I asked him about it and they response that they does not have plan to implement IPv6. I understand them: for their clients (normal consumer) there is no significant benefit from adding IPv6 protocol.

I configured 4to6 tunnel for P2P tests... but it is already deprecated and Google complains about using it.

I have a dual-stack home network.

I care about 1 IPv6 address, my web server. My local network has IPv6 connectivity, but the address space is private. All of the fixed addresses I worry about are IPv4.

I don't see a need for IPv6 for a home network (from a address management standpoint), but I do think an external IPv6 address is important. My concern with IPv4 is increasingly restrictive carrier-grade NAT to stretch addresses further.

my ISP has supported IPv6 for some time. The provided router out of the box doesn't do much but if you put it in passthrough mode, you can do anything IPv6 related.

After screwing with this for a few weeks, all I had was weird networking problems. v6 and v4 don't coexist nicely, especially naming, and if you want to talk to a v4 web server and only have a v6, well... you need a proxy.

Exactly: it shows how lack of backward compatibility slows technology adoption. 25 years after IPv6 there is still no benefit for ISP from using it. They still needs IPv4 address (and NAT, DHCP etc.) - IPv6 do not resolve problem of limited number of IPv4 for them.