It's easier to remember the IPs of good DNSes, too.
It's easier to remember the IPs of good DNSes, too.
Today in our newest take on "older technology is better": why NAT rules!
Fire bad, change scary
Apes together weak
Tree pretty
I felt dirty! and broke so much shit when i had to implement NAT on networks in the mid 90's. Nowdays with ipv6 and getting rid of NAT is much more liberating. The difference is staggering!
- you do not need NAT any longer, firewall is the security, just like on ipv4, just less obscurity.
- you do not need dns views, to workaround NAT any more
- you do not need hairpin NAT to workaround NAT any more
- you do not need to renumber to resize a network. they are always /64, and the answer to how many hosts can it fit is: ALL of them!
- many ALG's will be unnecessary since there is not NAT.
- vpn's are easier, since it can be the same address both inside and outside the vpn, the firewall (or host even) enforces the encryption.
- vpn's are MUCH easier since you will have less rfc1918 collisions due to some other network using the rfc1918 of the vpn's network
- vpn's are MUCH MUCH easier since you will have less rfc1918 collisions due to you using the rfc1918 of the vpn partner network, to 1:1 nat a previous vpn network you collided with some months ago... ARGH!!!
- vpn are generally less required, heck i swear 95% of the time the VPN are just to workaround the NAT problem and the data is pointlessly double or triple encrypted.
- you can make more granular firewall rules (eg the spesific host, or network of the source address, instead of the whole enterprise's public ip) this is real tangible improved security, where any random machine in a network you do not control. do not automatically have openings into your own network.
- firewall objects can if it is suited easily use and depend on FQDN DNS objects when allowing traffic. reducing the need of coordinating firewall object ip address changes between 15 companies.
- firewall rules are easier, more readable, and much more predictable how they will work. All the hairpin nat, public to private nat, private to public nat for a thing that need a different public ip, 1:1 nat for a separate zone, NAT to a vpn or 50 (where 10 of them are 1:1 nat due to collisions, making you require 4 dns views of the same ip space!! ) very quickly gets messy and unreadable. this is probably the largest security benefit. just to reduce the complexity.
- much easier to get people to use dns, since nobody wants to remember ipv6 addresses :D
- nibbles in the ipv6 address can have meanings you assign to them, making the networks and structure both easy to remember and logically structured.
- aggregating routes becomes very easy if you design your network that way.
- firewall policies can become easier if you design your network that way.
- your routing tables is leaner and easier, and of a better consistency. We have 1 large public ipv6 prefix, but 25ish ipv4 prefixes of all kinds of various sizes.
- no need to spend $$ to buy even more ipv4 prefixes.
- no need to have spent hundreds of $$ on a new ipv4 prefix only to be unable to use them for over a year because you need to sanitize the addresses from all the reputation filters. and constantly hound geo ip database providers to update the new country of the prefix. (i am bitter,, can you tell..)
- did i mention no need to renumber since you need to grow the /24 to /23 due to to many hosts in a network ?
- did i mention no need to renumber 2 /24's to /25's to make space for that larger /23.
- you do not even need any ipv4 addresses any more, use a public NAT64 service, for outgoing. and for incoming just use one of the many free public ipv4 to ipv6 proxies for your services online. for a homelab i really like http://v4-frontend.netiter.com/ (go support them) But most large business l networks use cloudflare, or akamai
- since you do not need your ipv4 address space any more, you can ~~sell them for a profit $$$ ~~ return them to the RIR and give some address space to one of the thousands of companies struggling because they do not have any IPv4 : https://www.ripe.net/manage-ips-and-asns/ipv4/ipv4-waiting-list/
- much lower latency on ipv6, since you do not go across a cloud based ipv4 to ipv6 proxy in order to reach the service ;)
Now the greatest and best effect of ipv6 is none of the above. It is that with ipv6 we have a slim hope of reclaiming some of what made the Internet GREAT in the first place. When we all stood on equal footing. Anyone could host their own service. Now we are all vassals of the large companies that have made the common person into a CGNAT4444 using consumer mindlessly lapping up what the large company providers sees fit to provide us. with no way to even try to be a real and true part of the Internet. Fight the companies that want to make you a eyeball in their statistic, Set up your own IPv6 service on the Internet today !
I felt dirty!
"Senpai, route me like one of your French ISPs"
If all that is true, then why do I still hate ipv6 so much.
I assume the normal fear of unknown things. It is hard to hate ipv6 once you have equivalent competence in ipv4 and ipv6.
🧓
Imagine actually having ipv6 available through your ISP.
...and ever if my ISP actually provided one, getting a static one costs money so there's no difference in the end.
This is one of the best comments I've ever read on Lemmy. Thanks for writing it. I fully agree with all your points!
Thank you! :) I also notice i compleatly forgot the port exhaustion issue we see with larger networks behind roo few ipv4 NAT addresses..
But IPv4 addresses are easier to remember!
/s
I could see a point of having home networks stay on IPv4 and NAT with an external v6 address.
That would keep the current security model for home networks where we can assume general tech litteracy is low.
That is not how it works. You can have a home network on ipv6. And it can reach all of ipv4 via nat ( just like ipv4 do today). A net with only ipv4 can not reach any ipv6 without a proxy that terminst the v4 connection and make a new v6 connection. since ipv6 is backwards compatible. But ipv4 is naturally not forwards compatible.
Also it is the default deny of the stateful firewall that always coexist with NAT, since NAT depends on that state, that is the security in a NAT router.
That default deny is not in any way dependant on the NAT part.
Con: you are now even more dependent on DNS, increasing the blast radius even more
ifwhen it breaks.But DNS rarely break. The meme about it beeing DNS's fault is more often then not just a symptom of the complexity of IPv4 NAT problem.
If i should guesstimate i think atleast 95% of the dns issues i have ever seen, are just confusion of what dns views they are in. confusion of inside and outside nat records. And forgetting to configure the inside when doing the outside or vice verca. DNS is very robust and stable when you can get rid of that complexity.
That beeing said, there are people that insist on obscurity beeing security (sigh) and want to keep doing dns views when using IPv6. But even then things are much easier when the result would be the same in either view.
I think it’s worth taking the time to learn IPv6 property. If you have a good understanding of IPv4 it shouldn’t take you more than an afternoon.
Eliminating NAT and just using firewall rules (ie what NAT does behind your back) is incredibly freeing.
I don’t get people complaining about typing out IPs. I like to give all of my clients full FQDNs but you don’t have to. Just using mDNS would be enough to avoid typing a bunch of numbers.
Maybe I have Stockholm Syndrome, but I like NAT. It’s like, due to the flaws of IPv4 we basically accidentally get subnets segmented off, no listening ports, have to explicitly configure port forwarding to be able to listen for connections, which kinda implies you know what you’re doing (ssshh don’t talk about UPnP). Accidental security of a default deny policy even without any firewalls configured. Haha. I’m still getting into this stuff though, please feel free to enlighten me
I don’t think you have Stockholm syndrome. You just like what you already understand well. It’s a normal part of the human condition.
All those features of nat also work with IPV6 with no nat in the exact same way. When I want to open up a port I just make a new firewall rule. Plus you get the advantages of being able to address the ach host behind the firewall. It’s a huge win with no losses.
Anything connected to an untrusted network should have a firewall, doesn't matter if it's IPv4 or IPv6.
There's functionally no difference between NAT on IPv4 or directly allowing ports on IPv6, they both are deny by default and require explicit forwarding. Subnetting is also still a thing on IPv6.
If anything, IPv6 is more secure because it's impossible to do a full network scan. My ISP assigned 4,722,366,482,869,645,213,696 addresses just to me. Good luck finding the used ones.
With IPv4 if you spin up a new service on a common port it usually gets detected within 24h nowadays.
Instead of nat and port forwards that rewrite, your firewall is set to only forward specific traffic, exactly how'd you'd configure outbound forwarding on a nat network (but opposite directions)
Open forwarding is a router, not a firewall
Every time I see a defense of IPv4 and NAT, I think back to the days of trying to get myself and my roommate to play C&C: Generals together online, with a 2v2 game, with one of us hosting. Getting just the right combination of port forwarding working was more effort than us playing C&C: Red Alert on dial up when we both lived at home.
With IPv6, the answer is to open incoming traffic on the port(s) to the host machine (or just both since the other guy is might host next time). With IPv4, we have to have a conversation about port forwarding and possibly hairpin routes on top of that. This isn't a gate for people "who know what they're doing", it's just a bunch of extra bullshit to deal with.
accidentally get subnets segmented off, no listening ports, have to explicitly configure port forwarding to be able to listen for connections
You can intentionally get that behaviour by using a firewall.
Bro used <> instead of !=
What languages use this? I don't like it!
On the other hand it goes well with >= and <=. If >= means "either > or =" then <> means "either < or >", it checks out.
But I still don't like it.
Damn I never understood it but now it makes sense thanks to you
Yea it’s ugly 😭
logo does
The problem is we're projected to run out of unique IPv4 addresses by 2003.
And we are facing the effects of it as we're speaking. CGNAT and protocols like TURN were not invented without a reason.
Not a big deal. We're projected to run out of years by 2000 and then the world will end.
Oh god that brings back memories. Reallying dumb ones of people but memories none the less
And it took a lot of hard work by a lot of people to adopt new date standards to avoid that problem. Now it's time to adopt new IP standards, and it's going to take a lot of hard work by a lot of people.
Honestly we should just use 4 bit ip addresses, it’s too hard for me to remember ipv4 addresses anyways. Carrier grade NAT will take care of the rest.
Why compromise? Use 1-bit IP addresses.
Finally, a use for my 1-bit bloom filter!
You can still NAT IPv6
I haven't read anything this cursed in a while
Yes, but why would you want to? We have enough addresses for the foreseeable future.
1:1 stateless NAT is useful for static IPs. Since all your addresses are otherwise global, if you need to switch providers or give up your /64, then you'll need to re-address your static addresses. Instead, you can give your machines static private IPs, and just translate the prefix when going through NAT. It's a lot less horrible than IPv4 NAT since there's no connection tracking needed.
This is something I probably should have done setting up my home Kubernetes cluster. My current IPv6 prefix is from Hurricane Electric, and if my ISP ever gives me a real IPv6 prefix, I will have to delete the entire cluster and recreate it with the new prefix.
That's what they thought for IPv4... and for 2-year digits... and for...
Only if you're a masochist.
Ha I can remember the ipv6 of cloudflare DNS just fine! It's uh..... something : something : something :: 1111
2606:4700:4700::1111
Hmm, maybe Google is easier:
2001:4860:4860::8888Quad9 is 2620:fe::fe or 2620:fe::9
I don't understand why they can't get better addresses than that. Like surely 1::1 would be valid?
Edit: So IANA only control addresses 2001:: and up and there are quite a few IETF reservations within that. I don't know why they picked such a high number to start at. Everything else seems IETF reserved with a little space allocated for special purposes (link-local, multicast, etc.).
1.1.1.1? :p
Typing addresses in ipv4 is ingrained into my brain, but zero NATing with ipv6 is magical.
Ipv6 is not 6 bytes? 8 segments of 2 bytes for a sum of 16 bytes?
Or am I stupid right now?
Yes, you've got it right. <> means ≠. 16 is not equal to 6.
Never seen that Notation.
IPv6 is unfortunately not six bytes, no. For some weird, ass-backwards reason.
Mystery of the universe, would IPv5 have hit the sweet spot and taken off?
I'm still on IPv3, haven't updated yet.
6 ≠ 16
v ≠ oOk, now I'm fully proposing a new standard, called IPv16! (Keeping with the tradition to jump over numbers.)
Also, it will be fully backwards compatible for a change! That solves the largest complaint from the holdouts!
IPv6 is already backwards compatible though. There's a /96 of the IPv6 space (i.e. 32 bit addresses) specifically for tunneling IPv4 traffic, and existing applications and IPv4 servers Just Work™ on IPv6 only networks, assuming the host operating system and routing infrastructure know about the 6to4 protocol and are willing to play ball.
I learned a lot about it from this video: https://www.youtube.com/watch?v=e-oLBOL0rDE
Oh nice. Does your system FINALLY provide enough addreses for every Planck volume in the observable universe? It’s been frickin amateur hour, this internet thing.
No, sorry. It's backwards compatible on address length too.
TBH 4 billion IP addresses is way too many. We should reduce that to 33 million for convenience.
IPv6 = second system effect. It's way too complicated for what was needed and this complexity hinders its adoption. We don't need 100 ip addresses for every atom on the earth's surface and we never will.
They should have just added an octet to IPv4 and be done with it.
Every time there's a "just add an extra octet" argument, I feel some people are completely clueless about how hardware works.
Most hardware comes with 32-bit or 64-bit registers. (Recall that IPv6 came out just a year before the Nintendo 64.) By adding only an extra octet, thus having 40 bits for addressing, you are wasting 24 bits of a 64-bit register. Or wasting 24 bits of a 32-bit register pair. Either way, this is inefficient.
And there's also the fact that the modern internet is actually reaching the upper limits of a hypothetical 64-bit IPv5: https://lemmy.world/comment/10727792. Do we want to spend yet another two decades just to transition to a newer protocol?
you are wasting 24 bits of a 64-bit register
You're not "wasting" them if you just don't need the extra bits, Are you wasting a 32-bit
integerif your program only ever counts up to 1000000?Even so when you do start to need them, you can gradually make the other bits available in the form of more octets. Like you can just define it as a.b.c.d.e = 0.a.b.c.d.e = 0.0.a.b.c.d.e = 0.0.0.a.b.c.d.e
Recall that IPv6 came out just a year before the Nintendo 64
If you're worried about wasting registers it makes even less sense to switch from a 32-bit addressing space to a 128-bit one in one go.
Anyway, your explanation is a perfect example of "second system effect" at work. You get all caught up in the mistakes of the first system, in casu the lack of addressing bits, and then you go all out to correct those mistakes for your second system, giving it all the bits humanity could ever need before the heat death of the universe, while ignoring the real world implications of your choices. And now you are surprised that nobody wants to use your 128-bit abomination.
it's not about using all 100 IP addresses for every atom
it's about having large enough ranges to allocate them in ways that make sense instead of arbitrarily allocating them by availability
Please don't I barely understand subnetting as it is.
That why we should adopt my ipv12. Its three levels of addresses rach 512 bit longs. One for host one for network and one what ever the heel else need. Planet that's it we asogn each planet a 512 bit address
Slightly related to the issue of remembering addresses, I think the main issue is with the fact that local nameservers are pretty much non-existent if you're not running OpenWrt or OpnSense. Which is shameful because the local nameserver is an amazing quality of life tool.
Also the fact that officially there are no local TLDs except for ".arpa" while browsers won't resolve one word domains without adding http://
And don't get me started on TLS certificates in local networks... (although dns01 saves the day)
I don't get why '.local' isn't a top level domain for LAN hosts.
And don’t get me started on TLS certificates in local networks…
I hate this and the fact that modern platforms seem to require TLS even if you're serving localhost, so much.
Well... I still like IPv6 better than ATM and those darn virtual circuit identifiers.
Another Technical Mistake
Hah. But to be fair, ATM did have a specific use that it worked great for. That is the move to digital voice circuits. The small fixed cell size and built in QoS meant that if you had a fixed line size you could fit X voice channels, and they would all be extremely low latency and share the bandwidth fairly. You didn't need to buffer beyond one cell of data and you didn't need to include overhead beyond the cell headers.
ATM was designed to handle the "future" or digital network needs. But, the immediate use was about voice frames and that likely dictated a lot of the design I'd expect.
I would love to start using ipv6 but my ISP decided that their devices won't support prefix delegation because "nobody uses ipv6 and nothing works with it"
I can remember an up, but would never an ipv6
I feel like I could learn Dutch, my English is already broken