We don't talk about IPv5
-
And yet, in the real world we actually use distribution centers and loading docks, we don’t go sending delivery boys point to point. At the receiving company’s loading docks, we can have staff specialise in internal delivery, and also maybe figure out if the package should go to someone’s office or a temporary warehouse or something. The receiver might be on vacation, and internal logistics will know how to figure out that issue.
Meanwhile, the point-to-point delivery boy will fail to enter the building, then fail to find the correct office, then get rerouted to a private residence of someone on vacation (they need to sign personally of course), and finally we need another delivery boy to move the package to the loading dock where it should have gone in the first place.
I get the ”let’s slaughter NAT” arguments, but this is an argument in favour of NAT. And in reality, we still need to have routing and firewalls. The exact same distribution network is still in use, but with fewer allowances for the recipient to manage internal delivery.
Personal opinion: IPv6 should have been almost exactly the same as IPv4, but with more numbers and a clear path to do transparent IPv6 to IPv4 traffic without running dual stack (maybe a NAT?). IPv6 is too complex, error prone and unsupported to deploy without shooting yourself in the foot, even now, a few decades after introduction.
IPv6 is too complex, error prone and unsupported to deploy without shooting yourself in the foot, even now, a few decades after introduction.
Which is purely down to people not testing things before releasing them, because the support is there but there's layers of unnecessary stuff put in the way. Like I had an old ISP provided router that ran Linux, but the management UI was only ever tested against v4 networks so none of the v6 stuff was actually hooked up correctly.
Support in desktops and mobile devices is effectively 100%, but even in embedded hardware there's often full support, just not enabled correctly or tested.
-
This post did not contain any content.
fun fact, the RFC introducing NAT calls it a "short-term solution"
-
Also for home network I don’t won’t my IOT to have a real IP to the Internet. Using IPv4 NAT you can have a bit of safety by obscurity
NAT is not much different to a firewall though… just because the address space is publicly routable does not mean that the router has to provide a route to it, or a consistent route
NAT works by assigning a public port for the outgoing stream different to the internal port, and it does that by inspecting packets as they go over the wire: a private machine initiates a connection, assign an arbitrary free port, and sends that packet off to the router, who then reassigns a new port, and when packets come in on that port it looks up the IP and remapped port and substitutes them
that same process can easily be true in IPv6 but you don’t need to do any remapping: the private machine initiates a connection, and the router simply marks that IP and port combination as “routable” rather than having to do mappings as well
-
No, actually tbh the address space is the least of my worries. At this point I'm gonna be honest, the ants just don't wanna play ball
have you tried giving them tiny ant-sized balls
-
And yet, in the real world we actually use distribution centers and loading docks, we don’t go sending delivery boys point to point. At the receiving company’s loading docks, we can have staff specialise in internal delivery, and also maybe figure out if the package should go to someone’s office or a temporary warehouse or something. The receiver might be on vacation, and internal logistics will know how to figure out that issue.
Meanwhile, the point-to-point delivery boy will fail to enter the building, then fail to find the correct office, then get rerouted to a private residence of someone on vacation (they need to sign personally of course), and finally we need another delivery boy to move the package to the loading dock where it should have gone in the first place.
I get the ”let’s slaughter NAT” arguments, but this is an argument in favour of NAT. And in reality, we still need to have routing and firewalls. The exact same distribution network is still in use, but with fewer allowances for the recipient to manage internal delivery.
Personal opinion: IPv6 should have been almost exactly the same as IPv4, but with more numbers and a clear path to do transparent IPv6 to IPv4 traffic without running dual stack (maybe a NAT?). IPv6 is too complex, error prone and unsupported to deploy without shooting yourself in the foot, even now, a few decades after introduction.
wrote on last edited by [email protected]in the real world we actually use distribution centers and loading docks
because we can pass packages in bulk between large distances… in routing, it’s always delivery boys: a single packet is a single packet: there’s no bulk delivery, except where you have eg a VPN packing multiple packets into a jumbo frame or something…
the comment you’re replying to is only providing an analogy: used to explain a single property by abstraction; not the entire thing
we can have staff specialise in internal delivery
but that’s not at all how NAT works: its not specialising in delivery to private hosts and making it more efficient… it’s a layer of bureaucracy (like TURN servers and paperwork - the lookup tables and mapping) that adds complexity, not because it’s ideally necessary but just because of limitations in the data format
routers still route pretty much exactly the same in IPv6 direct or NAT, but just at the NAT layer public IP and port is remapped to internal addresses and ports: the routing is still exactly the same, but now your router has to do extra paperwork that’s only necessary because of the scheme used to address
-
Let me one up this. IPv4 NAT is like the pizza guy has to deliver to you, but you live in a gated community with a strict no visitors policy, which does not allow you to even mention what unit you're in, and none of the addresses in the community are registered with the post office or on Google Maps either. Instead, you tell the guardhouse you want to order, and they order the pizza for you. The pizza guy delivers to the guardhouse, and the guardhouse delivers the pizza to you.
IPv6 (with firewalling) is like a normal gated community, you order the pizza and include the unit number, and the delivery driver can deliver your pizza directly, as long as the guardhouse approves.
The difference is, with NAT, the guardhouse has to both guard (firewall) and route (keep track of all deliveries, and deliver) your packages, where with IPv6, the guardhouse (firewall) only has to guard (firewall) the packages.
wrote on last edited by [email protected]i kinda love that this explanation is so much more complex not because it adds nothing but precisely because it adds a lot of realism: NAT is actually just far more complexity and processing
-
Everyone having a static IP is a privacy nightmare.
There's a reason the recommendation in the standard for ipv6 had to be amended (it whatever the mechanic was) so that generated local suffixes aren't static. Before that, we were essentially globally identifiable because just the second half of your v6 address was static.
publicly addressable does not mean publicly routable… your router would still not arbitrarily connect untrusted external devices to internal hosts
NAT has the property of a firewall only as an implementation detail. replacing NAT with an IPv6 firewall in the router is an upgrade in every conceivable way
-
The one thing you can't do with IPv6 is yell the address across the room to the technician plugged into the switch trying to ping the node.
wrote on last edited by [email protected]no instead you yell the IP address and they spend 30min trying to debug why they can’t ping it or even get ICMP packets through and then you realise you yelled the private IP address and they were on the wrong side of the NAT
-
This post did not contain any content.
excuse me all my addresses have had letters in them
-
This is equipment that uses all statically addressed devices. And ignoring the fact that IPv6 is simply unsupported on most of them, there are duplicate machines that share programs. Regardless of IP version you need NAT anyway if you want to be able to reach each of the duplicates from the plant network.
there are duplicate machines that share programs
yes.. that’s why every machine has its own IP address… so that they can both use the same port and you don’t have to connect to crazy bullshit like https://myhomerouter.example.com:8443/
-
Good luck trying to find industrial stuff that supports IPv6, hell most of it is still serial.
I have legit heard that serial is security mechanism because it cannot communicate long distance like ethernet.
Of course you can do IPv6 magic that hides IPv6 from the end device, but nobody understands how that magic works.
Of course you can do IPv6 magic that hides IPv6 from the end device, but nobody understands how that magic works.
it’s not magic… it’s a firewall, and it works pretty much exactly the same as a NAT: a whitelist of IP and port combinations
-
Define "widely".
According to Google 46.09% of their traffic is IPv6 and most servers support it. It's mostly large ISPs dragging their feet.
I've never seen functional ipv6 except at university, and I would only consider gci large in terms of coverage area and price.
-
They kept talking it was because address exaustion, and IANA sold all the remaining blocks they had...
I tested it at the time. Ran nmap ping scan across a block all night with zero results. IANA sold the internet
many “unused” IP addresses are unused because they’re kinda like having spare parts: if you’re planning on extending your network in the futures, your IP block kinda should reflect your end state (ie the parts you need over time to replace or “build” new hosts)
or for blue/green deployments where it’s likely that at least half the IP range will be used in terms of process, but unused most of the time in terms of reachability
and then there’s weird things with splitting up IP blocks into subnets with a division of 3 (the minimum needed for dealing with net splits etc) - eg across availability zones… there are always “waste” IPs because you can’t divide multiples of 8 cleanly into 3
-
This post did not contain any content.
Imagine using ipv6
-
Realistically no organization has so many endpoints that they need IPv6 on their internal networks. There's no reason to deal with more complicated addressing schemes except on the public Internet. Only the border devices should be using IPv6.
Hopefully if an organization has remote endpoints which are connecting to the internal network over the Internet, they are doing that through a VPN and can still just be assigned IPv4 addresses on dedicated VLANs when they connect.
you sir/maam have not seen the netflix talk on using IPv6 for their full internal stack because of inefficiencies allocating IPv4 ranges i’m guessing
-
publicly addressable does not mean publicly routable… your router would still not arbitrarily connect untrusted external devices to internal hosts
NAT has the property of a firewall only as an implementation detail. replacing NAT with an IPv6 firewall in the router is an upgrade in every conceivable way
wrote on last edited by [email protected]I'm aware of that, and didn't say otherwise?
My comment wasn't even ipv6 specific, quite the opposite. The comment I was replying to also wasn't, and the implication that things would be better if everyone had a fixed IP(v4) was actually the specific privacy nightmare scenario I wanted to emphasize. That is the literal worst case of all.
Things can be mitigated somewhat with IPv6, but also only to a degree. Here you'd (usually) have a static prefix and not IP. You then need to use the randomized suffix generation (on a host level, or in DHCPv6 if you're using that), and not all OS so this by default, but I think Windows does these days. Advertising data collectors, which means basically every web site, could just assume that your prefix is stable and the information they gain if they happen to be correct it's... uncomfortable.
-
I'm aware of that, and didn't say otherwise?
My comment wasn't even ipv6 specific, quite the opposite. The comment I was replying to also wasn't, and the implication that things would be better if everyone had a fixed IP(v4) was actually the specific privacy nightmare scenario I wanted to emphasize. That is the literal worst case of all.
Things can be mitigated somewhat with IPv6, but also only to a degree. Here you'd (usually) have a static prefix and not IP. You then need to use the randomized suffix generation (on a host level, or in DHCPv6 if you're using that), and not all OS so this by default, but I think Windows does these days. Advertising data collectors, which means basically every web site, could just assume that your prefix is stable and the information they gain if they happen to be correct it's... uncomfortable.
ah! sorry i misread/misunderstood privacy to mean security in your comment
-
It does not have less eyes on and it's 50% of Google traffic.
Think they mean local networks.
If an IT department carefully curates IPv4 but ignores IPv6, then a rogue actor can set up a parallel IPv6 network largely without being noticed.
IPv6 can be managed, just that it is a blindside for a lot of these departments.
-
Ipv6 took awhile for me to understand. One of the biggest hurdles was how is it secure without NAT.
Can you share more details please?
-
Ipv6 is broken for those that want control over their home networks thanks to Google and terribly written RFCs.
All that was needed was an extra byte or two of address space, but no, some high and mighty evangelicals in their ivory towers built something that few people understand 30 years later. Their die hard fans are sure that this will be the year of ipv6. The Year of Linux on the Desktop will come 10 years before the year of ipv6.
Ipv6 is broken for those that want control over their home networks
I don't see how? Works great for my home network.
