I know it’s a joke, but the idea that NAT has any business existing makes me angry. It’s a hack that causes real headaches for network admins and protocol design. The effects are mostly hidden from end users because those two groups have twisted things in knots to make sure end users don’t notice too much. The Internet is more centralized and controlled because of it.
No, it is not a security feature. That’s a laughable claim that shows you shouldn’t be allowed near a firewall.
I worked with one of the inventors of IPv6 for a bit of time, and I think knowing Carl really gave me an insight into who IPv6 was invented for, and that’s the big, big, big networks — peering groups that connect large swaths of the Internet with other nations’ municipal or public infrastructure.
These groups are pushing petabytes of data every hour, and as a result, I think it makes their strategists think VERY big picture. From what I’ve seen, IPv6 addresses very real logistical problems you only see with IPv4 when you’re already dealing with it on a galactic scale. So, I personally have no doubt that IPv6 is necessary and that the theory is sound.
However, this fuckin’ half-in/half-out state has become the engine of a manifold of security issues, primarily bc nobody but nerds or industry specialists knows that much about it yet. That has led to rushed, busy, or just plain lazy devs and engineers to either keep IPv6 sockets listening, unguarded, or to just block them outright and redirect traffic to IPv4 anyway.
Imo there’s not much to be done besides go forward with IPv6. It’s there, it’s tested, it’s basically ready for primetime in terms of NIC chip support… I just wish it weren’t so obtuse to learn. :/
However, this fuckin’ half-in/half-out state has become the engine of a manifold of security issues, primarily bc nobody but nerds or industry specialists knows that much about it yet. That has led to rushed, busy, or just plain lazy devs and engineers to either keep IPv6 sockets listening, unguarded, or to just block them outright and redirect traffic to IPv4 anyway.
Its kind of interesting to me how conservative the IT industry is with stuff like this.
The industry loves to say “move fast and break things” or “innovate and disrupt”, but that generally only applies to things that can be shat out in a two week long Python project (or shat out in 2 weeks after publicly funded universities spent years figuring out the algorithm for you). For anything foundational, like CPU architecture, operating systems, or the basic assumptions about how UI should work, they’re terrified of change.
There is something there, but mostly I think existing net admins try to map their existing IPv4 knowledge onto IPv6. That doesn’t work very well. It needs to be treated as its own thing.
I couldn’t figure it until I turned my brain off and just read the documentation. I was thinking in IPv4 logic, because everyone had told me it was just “bigger IPv4” - it’s not. It’s so much more, and better.
Nah. You’re just too stupid to understand the internet is designed to be used with DNS. The people who design these protocols and operate the networks that form the internet have no issues with DNS and don’t care that you don’t understand.
Funny how I never once criticized, or even mentioned, IPv6s complexity, yet that is the aspect you chose to so valiantly defend. Quite telling, isn’t it?
We use NAT all the time in industrial settings. Makes it so you can have select devices communicate with the plant level network, while keeping everything else common so that downtime is reduced when equipment inevitably fails.
no instead you yell the IP address and they spend 30min trying to debug why they can’t ping it or even get ICMP packets through and then you realise you yelled the private IP address and they were on the wrong side of the NAT
This is equipment that uses all statically addressed devices. And ignoring the fact that IPv6 is simply unsupported on most of them, there are duplicate machines that share programs. Regardless of IP version you need NAT anyway if you want to be able to reach each of the duplicates from the plant network.
yes… that’s why every machine has its own IP address… so that they can both use the same port and you don’t have to connect to crazy bullshit like https://myhomerouter.example.com:8443/
I know it’s a joke, but the idea that NAT has any business existing makes me angry. It’s a hack that causes real headaches for network admins and protocol design. The effects are mostly hidden from end users because those two groups have twisted things in knots to make sure end users don’t notice too much. The Internet is more centralized and controlled because of it.
No, it is not a security feature. That’s a laughable claim that shows you shouldn’t be allowed near a firewall.
Fortunately, Google reports that IPv6 adoption is close to cracking 50%.
My isp and router both claim to have IPv6 but every test site has failed.
Fine, I won’t invite you to our bi-annual TURN server appreciation event.
Ipv6 took awhile for me to understand. One of the biggest hurdles was how is it secure without NAT.
Can you share more details please?
IPv6 is the natural Internet. Things are either allowed or forbidden to connect.
NAT is just a kludge.
You are right, but I wish ipv6 was less shitty of a replacement.
I worked with one of the inventors of IPv6 for a bit of time, and I think knowing Carl really gave me an insight into who IPv6 was invented for, and that’s the big, big, big networks — peering groups that connect large swaths of the Internet with other nations’ municipal or public infrastructure.
These groups are pushing petabytes of data every hour, and as a result, I think it makes their strategists think VERY big picture. From what I’ve seen, IPv6 addresses very real logistical problems you only see with IPv4 when you’re already dealing with it on a galactic scale. So, I personally have no doubt that IPv6 is necessary and that the theory is sound.
However, this fuckin’ half-in/half-out state has become the engine of a manifold of security issues, primarily bc nobody but nerds or industry specialists knows that much about it yet. That has led to rushed, busy, or just plain lazy devs and engineers to either keep IPv6 sockets listening, unguarded, or to just block them outright and redirect traffic to IPv4 anyway.
Imo there’s not much to be done besides go forward with IPv6. It’s there, it’s tested, it’s basically ready for primetime in terms of NIC chip support… I just wish it weren’t so obtuse to learn. :/
Its kind of interesting to me how conservative the IT industry is with stuff like this.
The industry loves to say “move fast and break things” or “innovate and disrupt”, but that generally only applies to things that can be shat out in a two week long Python project (or shat out in 2 weeks after publicly funded universities spent years figuring out the algorithm for you). For anything foundational, like CPU architecture, operating systems, or the basic assumptions about how UI should work, they’re terrified of change.
There is something there, but mostly I think existing net admins try to map their existing IPv4 knowledge onto IPv6. That doesn’t work very well. It needs to be treated as its own thing.
I couldn’t figure it until I turned my brain off and just read the documentation. I was thinking in IPv4 logic, because everyone had told me it was just “bigger IPv4” - it’s not. It’s so much more, and better.
Nah. You’re just too stupid to understand the internet is designed to be used with DNS. The people who design these protocols and operate the networks that form the internet have no issues with DNS and don’t care that you don’t understand.
Funny how I never once criticized, or even mentioned, IPv6s complexity, yet that is the aspect you chose to so valiantly defend. Quite telling, isn’t it?
We use NAT all the time in industrial settings. Makes it so you can have select devices communicate with the plant level network, while keeping everything else common so that downtime is reduced when equipment inevitably fails.
That’s nothing that can’t be done with a good set of firewalls on IPv6.
The one thing you can’t do with IPv6 is yell the address across the room to the technician plugged into the switch trying to ping the node.
no instead you yell the IP address and they spend 30min trying to debug why they can’t ping it or even get ICMP packets through and then you realise you yelled the private IP address and they were on the wrong side of the NAT
you can if you make it mostly zero
This is equipment that uses all statically addressed devices. And ignoring the fact that IPv6 is simply unsupported on most of them, there are duplicate machines that share programs. Regardless of IP version you need NAT anyway if you want to be able to reach each of the duplicates from the plant network.
yes… that’s why every machine has its own IP address… so that they can both use the same port and you don’t have to connect to crazy bullshit like https://myhomerouter.example.com:8443/
Good luck trying to find industrial stuff that supports IPv6, hell most of it is still serial.
I have legit heard that serial is security mechanism because it cannot communicate long distance like ethernet.
Of course you can do IPv6 magic that hides IPv6 from the end device, but nobody understands how that magic works.
it’s not magic… it’s a firewall, and it works pretty much exactly the same as a NAT: a whitelist of IP and port combinations