Comment by Hnrobert42
5 days ago
Wow. It's like your reply is doing an impression of IPv6! (I'm just teasing. I hope you are having a happy new year.)
Not GP, but:
> What happens when multiple devices in your /8 want to listen on port 80 and 443 on the public address? Only one of them can. Now you're running a proxy.
I don't want any of my devices listening on the public address, much less multiple.
> It's called a firewall. You want a firewall. IPv6 also has a firewall. NAT is not a firewall. NAT is usually configured as part of your firewall, but is not a firewall.
That's a non sequitur. I can have both a firewall and a NAT. The two layers are better than one because at least my address shouldn't be routable even if I failed to configure my firewall correctly.
> DHCPv6
Okay? DHCPv4
> What are you supposed to do with a /8? Do you have several million computers?
That's GP's point. Running out of address space is not a problem even on IPv4 with NAT.
> What happens if your ISP changes your IPv4 address?
Well, an ostensible advantage of IPv6 is publicly routable addresses. I know how to configure my internal IPv4 network with host table entries and so on. If I move to IPv6 then my "internal" network address space is at the whim of my ISP.
Been having a nice break over the new year, thank you :)
I can't argue with sticking on IPv4 when you have no need for IPv6. However, people saying no NAT means no firewall really bothers me because it's just wrong and usually gets thrown around as part of a point around "who needs IPv6 anyway".
The two layers IMO don't make a practical difference. A deny-by-default firewall will fail closed, unless poorly configured. A poorly configured firewall for IPv4 with NAT can still leave machines exposed. This is not an IPv4/IPv6 problem; this is down to your router. However, you do expose what used to be private addresses with IPv6, but there's not much to do with the address that couldn't be done with your IPv4 address, assuming sane firewalls that both stacks run.
On the other side of the coin IPv6 being ubiquitous would make my life much easier. I self host a few things across a few different machines. IPv6 offers me a much simpler solution, both to managing firewalls and not needing to fight over port 80/443, but also because I can't get a public IPv4 address from my ISP without spending ungodly amounts of money. They support IPv6 but many of the services I host don't support it. I have to use a second site + machine, wireguard tunnels, and nginx socket proxies to expose stuff publicly (this is cheaper than the public IPv4 address from my ISP).
My point about DHCPv6 is to say that if you want to use DHCP in IPv6 you can. It's right there, it's just not the default.
IPv6 doesn't make things substantially harder, just different. But people don't want to learn new things because, to be fair, they don't need them. But people who do need IPv6 are stuck behind garbage ISPs and this "not my problem" attitude throwing around ignorant arguments. Complaints about long addresses really get me too :), use a DNS.
> IPv6 doesn't make things substantially harder, just different. But people don't want to learn new things
I learn new things all the time. IPv6 is much more complicated, and importantly, more complicated than it needs to be. There is really no reason for most devices to be publicly reachable. Everyone keeps holding this up as a positive, but it's absolutely not. Most devices aren't servers. Yes, a firewall can prevent these connections, but the whole standard is built around this use case most people don't need most of the time.
Private IP space is incredibly useful. I build it and set it up -- my ISP does not have control. This is _gone_ with IPv6 and it makes things much more complicated than they need to be.
> There is really no reason for most devices to be publicly reachable. Everyone keeps holding this up as a positive, but it's absolutely not. Most devices aren't servers.
Ever tried to call someone over the internet? Well, now you need a publicly reachable device.
Please, stop spreading this ignorance. You rely on your devices being reachable from the internet every single day, you're just not aware of it, because you're using a barely-working pile of duct tape and string that sort-of allows peer to peer connections to happen, after some arcane STUN/TURN/whatever magic.
If you wanted to send someone a file in the Olden Days, you'd just click on their IRC username, the client would open a connection to them and you'd send the file. Now you need to use iCloud or some nonsense, because apparently people believe that peer-to-peer connections aren't needed and shouldn't even work.
No it is not:
IPv4 header: https://upload.wikimedia.org/wikipedia/commons/thumb/6/60/IP...
IPv6 header: https://bitjunkie.org/wp-content/uploads/2023/10/ipv6-Header...
Notice how the IPv6 header is simpler? That’s because it is. It has normal working semantics, got rid of fragmentation, TTL is replaced by hop limit, and link-local addresses actually work as intended. The addresses look scary != more complicated. Please stop perpetuating this myth.
> Private IP space is incredibly useful. I build it and set it up -- my ISP does not have control. This is _gone_ with IPv6 and it makes things much more complicated than they need to be.
Not in the least; IPv6 has private address space just like IPv4.
> Private IP space is incredibly useful ... This is _gone_ with IPv6
No, it's not. Learn about ULAs:
https://en.wikipedia.org/wiki/Unique_local_address
> Private IP space is incredibly useful. I build it and set it up -- my ISP does not have control.
You can have that with IPv6, too. You can even get your own ULA prefix that (hopefully [1]) only you will ever use: https://ula.ungleich.ch/
[1]: Technically, it doesn’t prevent anybody else from using the same space as you. (And you can’t advertise it, of course.)
> the whole standard is built around this use case most people don't need most of the time.
This seems to be a function of when it was developed, starting in the early 90s before the internet as we know it today, particularly the web, even existed. Security wasn’t seen the same way then, because the threats we have today simply didn’t exist.
Not every company in the world had its own private networks, so there weren’t even good examples to follow. The result was a system designed in the effective equivalent of a vacuum, without regard for how the internet would actually end up being used. The result is the situation you described.
> This is _gone_ with IPv6
Incorrect. There is the ULA range, fc00::/7, which is not routable and can be used in the same place you'd use 192.168.0.0/16 or similar.
You can even do something like fc00::192:168:0:0/120 if you really want.
> There is really no reason for most devices to be publicly reachable.
If you want things to work in one direction only, you really want television or radio. This is how most people really treat the Internet, unfortunately.
> I learn new things all the time. IPv6 is much more complicated, and importantly, more complicated than it needs to be. There is really no reason for most devices to be publicly reachable.
Sigh. This myth really won't die.
Publicly addressable ≠ publicly reachable.
With my last ISP I had IPv6: every device (including my printer) on my local network had a public IPv6 address, but exactly zero were reachable thanks to the stateful packet inspection (SPI) on my Asus.
If you disable the firewall with a “master disable” I suspect IPv6 routes through on at least some routers. Meanwhile if the NAT is disabled, it almost surely takes the route with it, and even if it somehow routes through you probably won’t get a DHCP lease from your ISP for more than a device or two.
> you do expose what used to be private addresses with IPv6
It's been 10 years since I first rolled my eyes at IPv6 due to this problem. You're saying it's still a problem, over a decade later? Ugh. Bring on IPv7 or IPv8.
Not really, privacy extensions are usually on by default, at least on Windows and Linux. This means temporary IPv6 addresses will be used for outbound traffic and rotated regularly (usually every 24h by default, if I'm not mistaken). And if you're worried about tracking, we lost this war ages ago; IPv6 wouldn't meaningfully change that.
> It's been 10 years since I first rolled my eyes at IPv6 due to this problem.
You might find this comment [0] informative.
You might also be interested to know that the ULA space was defined and reserved in October, 2005. If you of ten years ago had done a little more research, you'd have discovered that the problem had been solved ~ten years prior.
[0] <https://news.ycombinator.com/item?id=46468426>
A NAT is part of a firewall, not a separate thing, so if the firewall is misconfigured, then your NAT may not be working either.
On not running out of (private) IPs, I guess you've never had the fun of having to deal with overlapping ranges (because it isn't the number of IPs that's the issue, it's how the ranges are allocated). While this can still happen on IPv6, there are so many more subnets that this is far less likely.
Also, a key thing that IPv6 makes obvious (which is also true to some extent of IPv4, but that most systems try to avoid showing) is that each link can have multiple IPs (there will be at least one link-local address), and so while your ISP can provide you a public range, you don't need to use it if you do not want to; you can always use a Unique Local Address (ULA - https://en.wikipedia.org/wiki/Unique_local_address), which reduces the chance of overlapping ranges.
Why do you think NAT is part of a firewall? NAT and firewall are two completely separate things that can exist independently of each other.
Also overlapping ranges are an orthogonal issue that can occur with IPv6 private network range as well.
IPv6 brings not only bigger address range but also a big bag of other things that one cannot ignore, are complicated and which are often a source of problems. That's why people stick with IPv4 even at the cost of NAT, because the number of things they have to care about is much smaller.
> NAT and firewall are two completely separate things that can exist independently of each other.
This is kind of like saying that web browsers don't have to have a graphical interface. Or that a web browser doesn't necessarily support HTTPS. It's correct, but not practically correct.
The reality is that essentially all NAT software you'll actually encounter will be integrated into a stateful firewall because the two systems share so many functions that most projects and products that do one will also do the other. If you have a system with NAT set up and there is no packet filtering, it's most often because you've intentionally gone and disabled all the packet filtering, not because you need separate software for it.
It is important to understand that NAT doesn't have any inherent security to it, but criticizing people for talking like NAT is a feature built into firewalls when NAT is overwhelmingly a feature built into firewalls is a pretty unfair reading when we're talking about general deployments. Even with the technical audience of HN, we're not discussing carrier grade NAT here or other highly specialized or exceptional deployments.
> if the firewall is misconfigured, then your NAT may not be working either.
But in that case, it's very obvious because your access to the WAN side of your router won't work from anywhere except the router itself.
I like this "fail-secure" nature of NAT. If your firewall fails on a network with globally-routable IPv6 addresses, it might not be so obvious as traffic might still flow through.
It provides no security by itself. There have been (and still are) countless vulnerable Internet reachable NAT routers which can easily be exploited to provide access to the whole private network behind it. NAT by itself can't be relied on to provide any security – you need correctly configured firewalls for that. An ISP provider might provide a sensibly configured firewall with the home router, but they may also be operating an easily exploitable backdoor into your private network.
> If I move to IPv6 then my "internal" network address space is at the whim of my ISP.
This is a major problem to me before I'd go wholesale IPv6 at home as the primary way I address and connect to hosts.
I have IPv6 enabled, but it's just all defaults. My traffic is going out over the internet on IPv6, my home automation stuff in the house using Matter is on IPv6, but for the few server-types that I have in the house they are still identifiable by me by their IPv4, and my addressing to get into my network from outside is via my ISP's IPv4 address.
There really needs to be a universal way to bring IPv6 addresses to your ISP, so they're portable like a phone number. Both so that I can take them with me if I switch providers and so that my ISP can't arbitrarily change them from underneath me.
> There really needs to be a universal way to bring IPv6 addresses to your ISP...
There is. It's "Provider-Independent" address space.
It's used sparingly because widespread use of it would explode the size of routing tables.
I think you could also "simply" [0] become your own AS/LIR/whatever and negotiate with your ISP to route your prefix/subnet/whatever to your site (or some box in a colo somewhere that you attach to your site with some sort of tunnel).
[0] It is my understanding that it is often not at all simple to do this.
With IPv6, it's common to have multiple addresses on an interface.
So one option is to assign yourself an [RFC 4193](https://datatracker.ietf.org/doc/html/rfc4193) fc00::/7 random prefix that you use for local routing that is stable, while the ISP prefix can be used for global routing.
Then you don't need to renumber your local network regardless of what your ISP does.
What if I want my devices visible on the public internet? Then I'm tied to my ISP's addresses. Or, I have to maintain both addressing schemes.
I doubt this will ever happen, as it would make things extremely easy for spammers and scammers.
Why? You could easily block their range and it'd be blocked no matter where they went.
IPv6 is already a nightmare for dealing with scammers and spammers. It's very often I get weirdly blocked because someone has abused my ISP's (AT&T) IPv6 block that I'm on and Wikipedia or whoever has blocked an entire /48 or something, and it's virtually impossible to get a delegation outside of that range.
> That's a non sequitur. I can have both a firewall and a NAT. The two layers are better than one because at least my address shouldn't be routable even if I failed to configure my firewall correctly.
You have two layers of indirection and one layer of security. If you failed to configure your firewall correctly, you would be better off without NAT because you would become aware of it quicker and not rely on NAT.
NAT doesn't really do anything other than address conservation because of NAT-punching techniques like STUN/TURN/UPnP, which are necessary because NAT's features are bugs.
> That's a non sequitur. I can have both a firewall and a NAT. The two layers are better than one because at least my address shouldn't be routable even if I failed to configure my firewall correctly.
You talk about NAT like it's a single thing: it is not. There are at least three major varieties of NAT:
* https://blog.ipspace.net/2011/12/is-nat-security-feature/
See also various 'cones' that add complexity to getting things to work (and for which kludges like ICE/TURN/etc had to be invented):
* https://en.wikipedia.org/wiki/Network_address_translation#Me...
See also RFC 4787 which distinguishes between NAT mapping and NAT filtering. Also, also see perhaps "NAT Traversal Mess":
* https://blog.ipspace.net/2025/04/response-nat-traversal/
> Well, an ostensible advantage of IPv6 is publicly routable addresses. I know how to configure my internal IPv4 network with host table entries and so on. If I move to IPv6 then my "internal" network address space is at the whim of my ISP.
This is not quite correct. You have two simple options for avoiding this: DNS and SLAAC. By giving all of your hosts dns names you don’t have to care about the individual addresses much. If they change just update the dns zone.
The second is to configure a Unique Local Address for each host using SLAAC. Have your router announce a prefix inside of fd00::/7 so that every one of your computers ends up with a private address as well as the public one. This is like using a reserved private address in IPv4, such as 10.0.0.0/8, except that there are a lot more possible networks. There is only one 10.0.0.0/8, but the convention with IPv6 ULAs is to generate 40 random bits and use them to make a /40. Add 16 more bits for a subnet id to create a /64 that your router will advertise as a prefix. This is probably overkill for most of us, but it does enable us to merge networks without causing address collisions. You can keep using them no matter what happens. Even changing ISP won't change these addresses.
Of course the third option is to buy IP transit service instead of internet access service. You can then go to your local RIR and ask them to assign you your own address block. Announcing that address block using BGP gives you a permanent block of routable addresses that follows you from ISP to ISP. But most people find that to be a bit of a hassle compared to consumer-grade internet service.
> Of course the third option is to buy IP transit service instead of internet access service. You can then go to your local RIR and ask them to assign you your own address block.
Or I could just log into my router and disable IPv6
That’s boring.
> By giving all of your hosts dns names you don’t have to care about the individual addresses much. If they change just update the dns zone
"just" update the zone? Yikes. I prefer to not take that downtime in the first place. (And I know from experience, I've written hooks for dhcpcd that automatically reconfigure my zone file, firewall rules, rad.conf, etc, if I get a new network prefix! But I don't pretend that this is a workable approach for everyone.)
> The second is to configure a Unique Local Address for each host using SLAAC
Yes, this is the way. Where you used to use RFC1918 addresses, just use ULA. It's simple and fits the mental model you used to have with IPv4. You don't even need NAT, just give both the GUA and ULA addresses to each host, and use the ULA everywhere you want LAN-like semantics.
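The ULA scheme in the SLAAC comment above and the "give each host both a GUA and a ULA" advice in this reply, as an added worked example that is not code from any commenter: it builds a ULA prefix the RFC 4193 way (fd00::/8 plus a 40-bit Global ID gives a /48; a 16-bit Subnet ID then gives the /64 a router advertises), classifies a host's addresses, prefers the ULA for LAN-scoped use, and flags overlapping prefixes when sites merge. It uses only the Python standard library; the host addresses are constructed samples (2001:db8::/32 is the documentation range).

```python
"""RFC 4193 ULA prefixes and GUA/ULA selection (added example, standard library only)."""
import ipaddress
import secrets
from typing import Iterable, List, Optional, Tuple

ULA_BLOCK = ipaddress.IPv6Network("fc00::/7")   # whole ULA range, never routed globally
ULA_LOCAL = ipaddress.IPv6Network("fd00::/8")   # locally assigned half (L bit = 1)
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")  # IANA global unicast allocation


def ula_prefix(global_id: Optional[int] = None) -> ipaddress.IPv6Network:
    """Build an RFC 4193 /48: the byte 0xfd followed by a 40-bit Global ID.

    A random Global ID is drawn when none is given; a fixed one is accepted
    so the result is reproducible (e.g. for tests).
    """
    if global_id is None:
        global_id = secrets.randbits(40)
    if not 0 <= global_id < (1 << 40):
        raise ValueError("Global ID must fit in 40 bits")
    value = (0xFD << 120) | (global_id << 80)   # bits 127..120 = 0xfd, 119..80 = Global ID
    return ipaddress.IPv6Network((value, 48))


def ula_subnet(prefix48: ipaddress.IPv6Network, subnet_id: int) -> ipaddress.IPv6Network:
    """Append a 16-bit Subnet ID (bits 79..64) to the /48, giving the /64 for one LAN."""
    if prefix48.prefixlen != 48:
        raise ValueError("expected a /48 ULA prefix")
    if not 0 <= subnet_id < (1 << 16):
        raise ValueError("Subnet ID must fit in 16 bits")
    value = int(prefix48.network_address) | (subnet_id << 64)
    return ipaddress.IPv6Network((value, 64))


def classify(addr: str) -> str:
    """Name the scope of one address: link-local, ula, gua or other."""
    a = ipaddress.IPv6Address(addr)
    if a.is_link_local:
        return "link-local"
    if a in ULA_BLOCK:
        return "ula"
    if a in GLOBAL_UNICAST:
        return "gua"
    return "other"


def pick_lan_address(addrs: Iterable[str]) -> Optional[str]:
    """Prefer the stable ULA for LAN use; fall back to the GUA, then link-local."""
    order = {"ula": 0, "gua": 1, "link-local": 2, "other": 3}
    ranked = sorted(addrs, key=lambda s: order[classify(s)])
    return ranked[0] if ranked else None


def overlapping(prefixes: Iterable[str]) -> List[Tuple[str, str]]:
    """Pairs of prefixes that collide, the check you want before merging two sites."""
    nets = [ipaddress.IPv6Network(p) for p in prefixes]
    return [(str(a), str(b)) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]


if __name__ == "__main__":
    site = ula_prefix()                          # fresh random /48 for this site
    lan = ula_subnet(site, 1)                    # first LAN, Subnet ID 1
    print("site /48:", site, " LAN /64:", lan)
    host = ["2001:db8:1234:1::10", "fe80::1", str(lan.network_address + 0x10)]  # constructed
    print({a: classify(a) for a in host}, "-> LAN address:", pick_lan_address(host))
```

The GUA from the ISP can change or disappear without touching the ULA, so DNS entries, firewall rules and host tables keyed on the ULA keep working across a renumbering.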
“There is only one 10.0.0.0/8”
Also:
- There are 16 172.{16-31}.0.0/16s (I used 172.23 because Docker uses one of these)
- There are 256 192.168.{0-255}.0/8s
And that’s just what RFC1918 gives us. There are other private subnets defined in newer RFCs.
I like IPv6 but it caused issues with browsers accepting my Let's Encrypt certs on my website, so my website is now IPv4 only.
“Announcing that address block using BGP gives you a permanent block of routable addresses that follows you from ISP to ISP.”
Enough people have done this that BGP networking has become a real mess at the ISP level. Can BGP really handle every person in the world doing this?
Class B or the 12 block is 172.16.0.0/12. So: 10/8, 172.16/12, 192.168/16.
Yes, I know that there are other private subnets in IPv4. My comparison was specifically between IPv6 ULAs and 10.0.0.0/8 specifically because of the size. You won’t have to renumber your networks when you grow in size because 2⁷² addresses is enough for just about any organization.
> Can BGP really handle every person in the world doing this?
Eh, probably not. I did say that it wasn’t for everyone. You have to fill out a form, and then they announce to the world that you did it. And if you configure your BGP announcements wrong you’ll get laughed at by everyone who watches those things. Most people can’t handle it.
On the other hand, the VP of Network Operations at the ISP I used once promised that they’ll honor BGP announcements even from residential customers. I guess once it’s automated that it doesn’t cost them anything extra. Could be a fun hobby.
And if enough people do it then we can simply improve BGP. Anything we invent we can improve, right?
Very interesting, had no idea IPv6 had this as an option. Thanks for the write-up!
You’re welcome. Have fun with it!
> I can have both a firewall and a NAT. The two layers are better than one because at least my address shouldn't be routable even if I failed to configure my firewall correctly.
That's not true. When you configure just NAT (with e.g. nftables on Linux), the NATed devices are still reachable from the outside, you just have to add an entry to your routing table to reach that internal address space using the router.
"Just add an entry to your routing table" ... it's virtually impossible to do that for RFC-1918 addresses across the internet. It will be filtered at the ISP border or an upstream. Is it theoretically possible? Yes. Is it an actual risk? Probably not.
Well, if you're another customer of the ISP on the same network, then that may get more interesting... (or inside a VPS provider's network)
The RFC for NAT was extremely specific: this was only about creating more addresses, NOT security.
Because your devices are routable. You can’t be on the Internet without an IP. They just have some ephemeral addresses. But randomizing port numbers (that is NAT) is not a good security mechanism.
> The RFC for NAT was extremely specific: this was only about creating more addresses, NOT security.
It should also be noted that "NAT" is not some monolithic thing either, there are three 'major' varieties:
* https://blog.ipspace.net/2011/12/is-nat-security-feature/
Just FYI you can do ULA + NAT with IPv6 and get the same thing as RFC1918 + NAT on v4.
> I don't want any of my devices listening on the public address, much less multiple.
That is good for you, but given the option between an address scheme that requires a proxy and one that does not, I would prefer the latter.
> I can have both a firewall and a NAT. The two layers are better than one because at least my address shouldn't be routable even if I failed to configure my firewall correctly.
Why? NAT is a network tool. Firewall is a security control.
> I don't want any of my devices listening on the public address, much less multiple.
If you don't listen to public ports on IPv4, then there is no point in touting any of the benefits of IPv4. Even if you think NAT is good, you're not using it in the first place so why care about it?
You basically ruined your entire case with that sentence.
Great response. Your last point is particularly convincing and I never thought of it before. Even better, what happens if you use a failover WAN on your router?
> I don't want any of my devices listening on the public address, much less multiple.
Just because you don't shouldn't mean other people get denied this.