Hacker News

Why don't you want every device to have a public IP? There seems to be a perception that this is somehow insecure, but the default configuration of any router is to firewall everything. And one small bonus of the huge size of a /64 is that port scanning is not feasible, unlike in the old days when you could trivially scan a whole IPv4 /24 of a company that forgot to configure their firewall.

NAT may work fine for your setup, but it can be a huge headache for some users, especially users on CGNAT. How many years of human effort have gone towards unnecessary NAT workarounds? With IPv6, if you want a peer-to-peer connection between firewalled peers, you do a quick UDP hole punch and you're done - since everything has a unique IP, you don't even need to worry about remapping port numbers.

Your ISP shouldn't be rotating your /64, although unfortunately many do since they are still IPv4-brained when it comes to prefix assignment. Best practice is to assign a static /56 per customer, although admittedly this isn't always followed.

And if you don't need a /48... don't use it? 99.99% of home customers will just automatically use the first /64 in the block, and that's totally fine. There's a ton of address space available, there's no drawback to giving every customer a /56 or even a /48.

NAT is arguably a very broken solution.IPv4 isn't meant to be doing address translation, period. NAT creates all sorts of issues because in the end you're still pretending all communications are end to end, just with a proxy. We had to invent STUN and all sorts of hole punching techniques just to make things work decently, but they are lacking and have lots of issues we can't fix without changing IPv4. I do see why some people may like it, but it isn't a security measure and there are like a billion different ways to have better, more reliable security with IPv6. The "I don't want my devices to have public, discoverable IPs" is moot when you have literally billions of addresses assigned to you. with the /48 your ISP is supposed to assign you you may have 4 billion devices connected, each one with a set of 281 trillion unique addresses. You could randomly pick an IP per TCP/UDP connection and not exhaust them in _centuries_. The whole argument is kind of moot IMHO, we have ways to do privacy on top of IPv6 that don't require fucking up your network stack and having rendezvous servers setting that up.

We may also argue that NAT basically forces you to rely on cloud services - even doing a basic peer to peer VoIP call is a poor experience as soon as you have 2 layers of NAT. We had to move to centralised services because IPv4 made hosting your own content extremely hard, causing little interest in symmetrical DSL/fiber, leading to less interest into ensuring peer to peer connections between consumers are fast enough, which lead to the rise of cloud and so on. I truly believe that the Internet would be way different today if people could just access their computers from anywhere back in the '00s without having to know networking

> I like NAT

I'm in favor of having society overrule you. NAT is a horrible kludge and not okay. Never was.

How is a public address any worse than NAT? You can always choose to not respond.

NAT only matters in so far as you don't technically need a firewall to block incoming traffic since if it fails a NAT lookup you know to drop the traffic.

But from a security standpoint you can just do the same tracking for the same result. That is just technically a firewall at that point.

So run fc00::/7 addresses with IPv6 NAT.

That addresses all of your concerns, and you have that option.

I recently changed ISPs and have IPv6 for the first time. I mostly felt the same way, but have learned to get over it. Some things took some getting used to.

An "ip address show" is messy with so many addresses.

Those public IPs are randomized on most devices, so one is created and more static but goes mostly unused. The randomly generated IPs aren't useful inbound for long. I don't think you could brute force scan that kind of address space, and the address used to connect to the Internet will be different in a few hours.

Having a public address doesn't worry me. At home I have a firewall at the edge. It is set to block everything incoming. Hosts have firewalls too. They also block everything. Back in the day, my PC got a real public IP too.

NAT really is nice for keeping internal/external separate mentally.

I'm lucky enough my current ISP does not rotate my IPv6 range. This, ironically, means I no longer need dynamic DNS. My IPv4 address changes daily.

A residential account usually gets a /56, what are you talking about? Nowhere near a /48! (I'm just being funny here...)

There are reasons to need direct connectivity that aren't hosting a server. Voice and video calls no longer need TURN/STUN. A bunch of workarounds required for online gaming become unnecessary. Be creative.

IPv4 is not holding back home setups, nobody cares about NAT at home.

The place where it hurts is small VPSs, from AWS to mom and pop hosters, the cost of addresses is becoming significant compared to low cost VPSs.

NAT demonstrably does not work fine. We have piles of ugly hacks (STUN, etc) that exist only because NAT does. If you really want to keep NAT then nothing stops you from running it on IPv6, but the rest of us shouldn't suffer because of your network design goals.

NAT is a horrible, HORRIBLE hack that makes everything in networking much more complicated. IP networking is very elegant when everyone is using globally unique addresses and a ugly mess when Carrier NAT is used.

> IPv6 doesn't benefit big tech.

It does, and big tech has largely adopted IPv6.

For users with IPv6, the v6 path is often less constrained than then v4 path. Serving data faster/more consistently is of benefit to big tech. For a lot of users, v4 and v6 routing are different, which is also helpful for big tech. If you have two paths to the server (and happy eyeballs or something), you have more resiliance to routing issues.

Clouds are slow on v6, but CDNs are not. Adoption on eyeball networks has been very slow, and it's unlikely to speed up much, IMHO. The benefits of v6 for ISPs are not that big for established serviced with large v4 pools. For ISPs running CGNAT, more v6 means less CGNAT and CGNAT is a lot more expensive than plain ip routing. (Doesn't mean all CGNAT providers run v6, but it's an incentive).

SNI routing is such a bad way to do what should be L3 problem that people implemented PROXY protocol to send information about user's endpoint address without doing MITM.

I am running IPv6 only servers, and I think it's fair that v4 only people feel the same pain some time in the future.

Surely IPv6 support will spontaneously materialize on their networks once their pain becomes big enough!

Annoying things such as paying taxes, recycling/not polluting etc.?

Some things really can only be solved via central coordination, as there is no natural game-theoretic/purely economic path from one local minimum to another. Being able to dig a small trench and letting gravity and water do the rest is great, but sometimes you do need a pump.

I'm not convinced that IPv6 is such a case, but if it is, that's exactly the type of thing governments are much better at than markets.

Odido is the cheapest ISP for a reason. They refuse to implement anything that isn't strictly required.

Perhaps implementing an Odido tax might actually make Odido care enough to throw the switch on IPv6. They bought 2a02:4240::/32, they just refuse to make use of it.

Canadian ISPs are also extremely far behind on IPv6. Bell is the largest ISPs in the country and they still don't have IPv6. I'm with one of their wholly owned subsidiaries (EBOX) which offers static /56 allocations, but good luck trying to find anyone in tech support who understands WTF you're talking about.

Not sure if you're taking the piss or just missed it but allowing build with either protocol alone is one of the genuine ideas in this joke:

> Yeah. The date notwithstanding, I do actually think we should do most of this for real.

> Maybe we don't get away with the actual deprecation and the warnings on use just yet, and maybe we won't even get away with calling the config option CONFIG_LEGACY_IP, although I would genuinely like to see us moving consistently towards saying "Legacy IP" instead of "IPv4" everywhere.

> But we should clean up the separation of CONFIG_INET and CONFIG_IPV[64] and make it possible to build with either protocol alone.

Because mDNS usually doesn't work and just expecting it to work doesn't change that?

We could abbreviate that to SND!

Your bad attempt at humor makes it quite clear that you've never dealt with network engineering or administrating to any extent.

Admitting that ipv6 has some downsides, however minor they may seem to you, won't hurt your quest to render ipv4 obsolete.

In fact being less insufferable is how you win people to your causes, not by laughing at their genuine albeit minor issues.

This. Sure there are still some applications that might be difficult to v6 enable, so either patch it or use one of the myriad of options to give it a v6 front end.

When I accidentally had IPv6 only for a new Windows box it was very apparent what was a priority (worked regardless) and what wasn't important (only began working once I had IPv4 and everything fixed too).

Baked in advertising? Works with any network. The option to turn off the baked in advertising? That needs IPv4.

Around the same time, I think the Photoprism image also didn't work on IPv6 because of Traefik

It's particularly aggravating with AWS, since they charge for IPv4 addresses yet many of their services aren't IPv6 capable.

Coupling this patch with language about “legacy IP”, along with the follow up comments from the person who submitted the patch, it is clear that the submitter is hostile towards IPv4. I also see hostility towards IPv4 in the comments here and other similar discussions.

I have no problem with allowing optional IPv4 or IPv6 only builds as long as both are kept well-maintained.

The patchset is an April fools joke and even then it's not going this far.