• Frezik@lemmy.blahaj.zone · ↑220 ↓4 · 4 days ago

    I know it’s a joke, but the idea that NAT has any business existing makes me angry. It’s a hack that causes real headaches for network admins and protocol design. The effects are mostly hidden from end users because those two groups have twisted things in knots to make sure end users don’t notice too much. The Internet is more centralized and controlled because of it.

    No, it is not a security feature. That’s a laughable claim that shows you shouldn’t be allowed near a firewall.

    Fortunately, Google reports that IPv6 adoption is close to cracking 50%.

    • iii@mander.xyz · ↑15 · 4 days ago

      Fine, I won’t invite you to our bi-annual TURN server appreciation event.

    • Auli@lemmy.ca · ↑4 · 3 days ago

      IPv6 took a while for me to understand. One of the biggest hurdles was how it is secure without NAT.

      • I worked with one of the inventors of IPv6 for a bit of time, and I think knowing Carl really gave me an insight into who IPv6 was invented for, and that’s the big, big, big networks — peering groups that connect large swaths of the Internet with other nations’ municipal or public infrastructure.

        These groups are pushing petabytes of data every hour, and as a result, I think it makes their strategists think VERY big picture. From what I’ve seen, IPv6 addresses very real logistical problems you only see with IPv4 when you’re already dealing with it on a galactic scale. So, I personally have no doubt that IPv6 is necessary and that the theory is sound.

        However, this fuckin’ half-in/half-out state has become the engine of a manifold of security issues, primarily bc nobody but nerds or industry specialists knows that much about it yet. That has led to rushed, busy, or just plain lazy devs and engineers to either keep IPv6 sockets listening, unguarded, or to just block them outright and redirect traffic to IPv4 anyway.

        Imo there’s not much to be done besides go forward with IPv6. It’s there, it’s tested, it’s basically ready for primetime in terms of NIC chip support… I just wish it weren’t so obtuse to learn. :/

        • drosophila@lemmy.blahaj.zone · ↑7 · 3 days ago

          > However, this fuckin’ half-in/half-out state has become the engine of a manifold of security issues, primarily bc nobody but nerds or industry specialists knows that much about it yet. That has led to rushed, busy, or just plain lazy devs and engineers to either keep IPv6 sockets listening, unguarded, or to just block them outright and redirect traffic to IPv4 anyway.

          It’s kind of interesting to me how conservative the IT industry is with stuff like this.

          The industry loves to say “move fast and break things” or “innovate and disrupt”, but that generally only applies to things that can be shat out in a two week long Python project (or shat out in 2 weeks after publicly funded universities spent years figuring out the algorithm for you). For anything foundational, like CPU architecture, operating systems, or the basic assumptions about how UI should work, they’re terrified of change.

      • Frezik@lemmy.blahaj.zone · ↑26 · 4 days ago

        There is something there, but mostly I think existing net admins try to map their existing IPv4 knowledge onto IPv6. That doesn’t work very well. It needs to be treated as its own thing.

        • drkt@scribe.disroot.org · ↑10 · 4 days ago

          I couldn’t figure it out until I turned my brain off and just read the documentation. I was thinking in IPv4 logic, because everyone had told me it was just “bigger IPv4” - it’s not. It’s so much more, and better.

      • deur@feddit.nl · ↑2 ↓33 · 4 days ago

        Nah. You’re just too stupid to understand the internet is designed to be used with DNS. The people who design these protocols and operate the networks that form the internet have no issues with DNS and don’t care that you don’t understand.

    • IrateAnteater@sh.itjust.works · ↑6 ↓10 · 4 days ago

      We use NAT all the time in industrial settings. Makes it so you can have select devices communicate with the plant level network, while keeping everything else common so that downtime is reduced when equipment inevitably fails.

        • socsa@piefed.social · ↑11 · 4 days ago

          The one thing you can’t do with IPv6 is yell the address across the room to the technician plugged into the switch trying to ping the node.

          • Pup Biru@aussie.zone · ↑3 · edited · 2 days ago

            No, instead you yell the IP address and they spend 30 min trying to debug why they can’t ping it or even get ICMP packets through, and then you realise you yelled the private IP address and they were on the wrong side of the NAT.

        • IrateAnteater@sh.itjust.works · ↑5 ↓2 · 4 days ago

          This is equipment that uses all statically addressed devices. And ignoring the fact that IPv6 is simply unsupported on most of them, there are duplicate machines that share programs. Regardless of IP version you need NAT anyway if you want to be able to reach each of the duplicates from the plant network.

        • Hotzilla@sopuli.xyz · ↑2 ↓1 · edited · 3 days ago

          Good luck trying to find industrial stuff that supports IPv6; hell, most of it is still serial.

          I have legit heard that serial is a security mechanism because it cannot communicate long distance like Ethernet.

          Of course you can do IPv6 magic that hides IPv6 from the end device, but nobody understands how that magic works.

          • Pup Biru@aussie.zone · ↑4 · 2 days ago

            > Of course you can do IPv6 magic that hides IPv6 from the end device, but nobody understands how that magic works.

            It’s not magic… it’s a firewall, and it works pretty much exactly the same as a NAT: a whitelist of IP and port combinations.
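The point made in the last two replies (and in the top comment that NAT is not a security feature) is that the "nothing unsolicited comes in" behaviour people credit to NAT is really the stateful firewall that sits beside it, and a plain IPv6 router gets the same property from the same connection-tracking rules without rewriting any addresses. The ruleset below is an added example written for this thread, not something any commenter posted. It assumes a small edge router running nftables with an inside interface named lan0 and an upstream interface named wan0 (both assumed names), and uses the IPv6 documentation prefix 2001:db8::/32 as a placeholder for the one host that is deliberately reachable from outside.

```nftables
# Added example, not from the thread. Assumed interfaces: lan0 (inside), wan0 (upstream).
# 2001:db8::/32 is the IPv6 documentation prefix, used here as a placeholder address.
table inet filter {
    chain input {
        # Traffic addressed to the router itself: default deny.
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        # Replies to connections the router opened come back through conntrack.
        ct state { established, related } accept
        ct state invalid drop
        # ICMPv6 is not optional on IPv6: neighbour discovery, router discovery
        # and path-MTU discovery stop working if these types are dropped.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert, packet-too-big, time-exceeded, parameter-problem, destination-unreachable, echo-request } accept
        # Management of the router from the inside only.
        iifname "lan0" tcp dport 22 accept
    }
    chain forward {
        # Traffic passing through the router: default deny. This is the
        # "unsolicited inbound is dropped" property NAT is usually credited with.
        type filter hook forward priority filter; policy drop;
        # Return traffic for flows that were opened from the inside.
        ct state { established, related } accept
        ct state invalid drop
        # Anything from the LAN may go out; the conntrack rule above lets the replies back.
        iifname "lan0" oifname "wan0" accept
        # Forwarded flows also need path-MTU and error signalling to reach the hosts.
        icmpv6 type { packet-too-big, time-exceeded, parameter-problem, destination-unreachable } accept
        # The explicit allow-list of inbound exposures: one host, one port.
        iifname "wan0" ip6 daddr 2001:db8:1::10 tcp dport 443 accept
    }
}
```

Load it with `nft -f <file>` and compare it with an IPv4 NAT router: the NAT box carries exactly these filter rules plus a separate postrouting chain that rewrites source addresses. Every accept or drop decision above comes from the `ct state` and allow-list rules, which are the same in both cases; the address rewriting adds nothing to them, which is why the security claim for NAT does not hold up.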