Today in our newest take on "older technology is better": why NAT rules!
I felt dirty! and broke so much shit when i had to implement NAT on networks in the mid 90's. Nowdays with ipv6 and getting rid of NAT is much more liberating. The difference is staggering!
Now the greatest and best effect of ipv6 is none of the above. It is that with ipv6 we have a slim hope of reclaiming some of what made the Internet GREAT in the first place. When we all stood on equal footing. Anyone could host their own service. Now we are all vassals of the large companies that have made the common person into a CGNAT4444 using consumer mindlessly lapping up what the large company providers sees fit to provide us. with no way to even try to be a real and true part of the Internet. Fight the companies that want to make you a eyeball in their statistic, Set up your own IPv6 service on the Internet today !
I felt dirty!
"Senpai, route me like one of your French ISPs"
If all that is true, then why do I still hate ipv6 so much.
I assume the normal fear of unknown things. It is hard to hate ipv6 once you have equivalent competence in ipv4 and ipv6.
I think it’s worth taking the time to learn IPv6 property. If you have a good understanding of IPv4 it shouldn’t take you more than an afternoon.
Eliminating NAT and just using firewall rules (ie what NAT does behind your back) is incredibly freeing.
I don’t get people complaining about typing out IPs. I like to give all of my clients full FQDNs but you don’t have to. Just using mDNS would be enough to avoid typing a bunch of numbers.
Maybe I have Stockholm Syndrome, but I like NAT. It’s like, due to the flaws of IPv4 we basically accidentally get subnets segmented off, no listening ports, have to explicitly configure port forwarding to be able to listen for connections, which kinda implies you know what you’re doing (ssshh don’t talk about UPnP). Accidental security of a default deny policy even without any firewalls configured. Haha. I’m still getting into this stuff though, please feel free to enlighten me
I don’t think you have Stockholm syndrome. You just like what you already understand well. It’s a normal part of the human condition.
All those features of nat also work with IPV6 with no nat in the exact same way. When I want to open up a port I just make a new firewall rule. Plus you get the advantages of being able to address the ach host behind the firewall. It’s a huge win with no losses.
Anything connected to an untrusted network should have a firewall, doesn't matter if it's IPv4 or IPv6.
There's functionally no difference between NAT on IPv4 or directly allowing ports on IPv6, they both are deny by default and require explicit forwarding. Subnetting is also still a thing on IPv6.
If anything, IPv6 is more secure because it's impossible to do a full network scan. My ISP assigned 4,722,366,482,869,645,213,696 addresses just to me. Good luck finding the used ones.
With IPv4 if you spin up a new service on a common port it usually gets detected within 24h nowadays.
Instead of nat and port forwards that rewrite, your firewall is set to only forward specific traffic, exactly how'd you'd configure outbound forwarding on a nat network (but opposite directions)
Open forwarding is a router, not a firewall
Bro used <> instead of !=
What languages use this? I don't like it!
On the other hand it goes well with >= and <=. If >= means "either > or =" then <> means "either < or >", it checks out.
But I still don't like it.
BASIC. At least VB.
I think Excel formulas also use this, but it's been a long time so I might be misremembering.
The problem is we're projected to run out of unique IPv4 addresses by 2003.
And we are facing the effects of it as we're speaking. CGNAT and protocols like TURN were not invented without a reason.
Honestly we should just use 4 bit ip addresses, it’s too hard for me to remember ipv4 addresses anyways. Carrier grade NAT will take care of the rest.
You can still NAT IPv6
I haven't read anything this cursed in a while
Yes, but why would you want to? We have enough addresses for the foreseeable future.
So you don’t need to change your network if your isp changes.
You shouldn’t have to?? Maybe you might need to change the mask in your firewall settings if the ipv6 allocation block size changes but that should be it.
Everything else should just work as normal.
1:1 stateless NAT is useful for static IPs. Since all your addresses are otherwise global, if you need to switch providers or give up your /64, then you'll need to re-address your static addresses. Instead, you can give your machines static private IPs, and just translate the prefix when going through NAT. It's a lot less horrible than IPv4 NAT since there's no connection tracking needed.
This is something I probably should have done setting up my home Kubernetes cluster. My current IPv6 prefix is from Hurricane Electric, and if my ISP ever gives me a real IPv6 prefix, I will have to delete the entire cluster and recreate it with the new prefix.
It should only be needed if your ISP is brain-dead and only gives you a /64 instead of what they should be doing and also giving you a /56 or /48 with prefix delegation (I.e it should be getting both a 64 for the wan interface, and a delegation for routing)
You router should be using that prefix and sticking just a /64 on the lan interface which it advertises appropriately (and you can route the others as you please)
Internal ipv6 should be using site-local ipv6, and if they have internet access they would have both addresses.
Only if you're a masochist.
Ha I can remember the ipv6 of cloudflare DNS just fine! It's uh..... something : something : something :: 1111
2606:4700:4700::1111
Hmm, maybe Google is easier:
2001:4860:4860::8888
Quad9 is 2620:fe::fe or 2620:fe::9
I don't understand why they can't get better addresses than that. Like surely 1::1 would be valid?
Edit: So IANA only control addresses 2001:: and up and there are quite a few IETF reservations within that. I don't know why they picked such a high number to start at. Everything else seems IETF reserved with a little space allocated for special purposes (link-local, multicast, etc.).
Ipv6 is not 6 bytes? 8 segments of 2 bytes for a sum of 16 bytes?
Or am I stupid right now?
Typing addresses in ipv4 is ingrained into my brain, but zero NATing with ipv6 is magical.
Mystery of the universe, would IPv5 have hit the sweet spot and taken off?
I'm still on IPv3, haven't updated yet.
6 ≠ 16
v ≠ o
IPv6 = second system effect. It's way too complicated for what was needed and this complexity hinders its adoption. We don't need 100 ip addresses for every atom on the earth's surface and we never will.
They should have just added an octet to IPv4 and be done with it.
Every time there's a "just add an extra octet" argument, I feel some people are completely clueless about how hardware works.
Most hardware comes with 32-bit or 64-bit registers. (Recall that IPv6 came out just a year before the Nintendo 64.) By adding only an extra octet, thus having 40 bits for addressing, you are wasting 24 bits of a 64-bit register. Or wasting 24 bits of a 32-bit register pair. Either way, this is inefficient.
And there's also the fact that the modern internet is actually reaching the upper limits of a hypothetical 64-bit IPv5: https://lemmy.world/comment/10727792. Do we want to spend yet another two decades just to transition to a newer protocol?
it's not about using all 100 IP addresses for every atom
it's about having large enough ranges to allocate them in ways that make sense instead of arbitrarily allocating them by availability
Ok, now I'm fully proposing a new standard, called IPv16! (Keeping with the tradition to jump over numbers.)
Also, it will be fully backwards compatible for a change! That solves the largest complaint from the holdouts!
Slightly related to the issue of remembering addresses, I think the main issue is with the fact that local nameservers are pretty much non-existent if you're not running OpenWrt or OpnSense. Which is shameful because the local nameserver is an amazing quality of life tool.
Also the fact that officially there are no local TLDs except for ".arpa" while browsers won't resolve one word domains without adding http://
And don't get me started on TLS certificates in local networks... (although dns01 saves the day)
Well... I still like IPv6 better than ATM and those darn virtual circuit identifiers.
Welcome to Programmer Humor!
This is a place where you can post jokes, memes, humor, etc. related to programming!
For sharing awful code theres also Programming Horror.