Comment by MindSpunk
5 days ago
Been having a nice break over the new year, thank you :)
I can't argue with sticking on IPv4 when you have no need for IPv6. However, people saying no NAT means no firewall really bothers me because it's just wrong and usually gets thrown around as part of a point around "who needs IPv6 anyway".
The two layers IMO don't make a practical difference. A deny by default firewall will fail closed, unless poorly configured. A poorly configured firewall for IPv4 with NAT can still leave machines exposed. This is not an IPv4/IPv6 problem; this is down to your router. However, you do expose what used to be private addresses with IPv6, but there's not much to do with the address that couldn't be done with your IPv4 address assuming sane firewalls that both stacks run.
On the other side of the coin IPv6 being ubiquitous would make my life much easier. I self host a few things across a few different machines. IPv6 offers me a much simpler solution, both to managing firewalls and not needing to fight over port 80/443, but also because I can't get a public IPv4 address from my ISP without spending ungodly amounts of money. They support IPv6 but many of the services I host don't support it. I have to use a second site + machine, wireguard tunnels, and nginx socket proxies to expose stuff publicly (this is cheaper than the public IPv4 address from my ISP).
My point about DHCPv6 is to say that if you want to use DHCP in IPv6 you can. It's right there, it's just not the default.
IPv6 doesn't make things substantially harder, just different. But people don't want to learn new things because, to be fair, they don't need them. But people who do need IPv6 are stuck behind garbage ISPs and this "not my problem" attitude throwing around ignorant arguments. Complaints about long addresses really get me too :), use a DNS.
>IPv6 doesn't make things substantially harder, just different. But people don't want to learn new things
I learn new things all the time. IPv6 is much more complicated, and importantly, more complicated than it needs to be. There is really no reason for most devices to be publicly reachable. Everyone keeps holding this up as a positive, but it's absolutely not. Most devices aren't servers. Yes, a firewall can prevent these connections, but the whole standard is built around this use case most people don't need most of the time.
Private IP space is incredibly useful. I build it and set it up -- my ISP does not have control. This is _gone_ with IPv6 and it makes things much more complicated than they need to be.
> There is really no reason for most devices to be publicly reachable. Everyone keeps holding this up as a positive, but it's absolutely not. Most devices aren't servers.
Ever tried to call someone over the internet? Well, now you need a publicly reachable device.
Please, stop spreading this ignorance. You rely on your devices being reachable from the internet every single day, you're just not aware of it, because you're using a barely-working pile of duct tape and string that sort-of allows peer to peer connections to happen, after some arcane STUN/TURN/whatever magic.
If you wanted to send someone a file in the Olden Days, you'd just click on their IRC username, the client would open a connection to them and you'd send the file. Now you need to use iCloud or some nonsense, because apparently people believe that peer-to-peer connections aren't needed and shouldn't even work.
I’m wondering, wouldn’t a default deny inbound firewall still need hole punching with IPv6? You wouldn’t need STUN to find your global address but if you use varying ports you’d need to communicate the port first, and you’d also need to time the simultaneous open. So a coordinating party is still needed somewhere. Getting rid of TURN relays (if you’re affected by symmetric NATs) is of course a huge plus.
>Ever tried to call someone over the internet? Well, now you need a publicly reachable device.
Uhh... Is this the '90s? People don't type in IP addresses (or phone numbers, back in the day) to connect with other people anymore. They connect to a common, publicly reachable server that deals with peers being behind NAT.
No it is not:
IPv4 header: https://upload.wikimedia.org/wikipedia/commons/thumb/6/60/IP...
IPv6 header: https://bitjunkie.org/wp-content/uploads/2023/10/ipv6-Header...
Notice how the IPv6 header is simpler? That’s because it is. It has normal working semantics, got rid of fragmentation, TTL is replaced by hop limit, and link-local addresses actually work as intended. The addresses look scary != more complicated. Please stop perpetuating this myth.
If IPv6 were just an improved header and a longer address I'd be perfectly happy with it. I wasn't discussing either point you raised.
> Private IP space is incredibly useful. I build it and set it up -- my ISP does not have control. This is _gone_ with IPv6 and it makes things much more complicated than they need to be.
Not in the least; IPv6 has private address space just like IPv4.
> Private IP space is incredibly useful ... This is _gone_ with IPv6
No, it's not. Learn about ULAs:
https://en.wikipedia.org/wiki/Unique_local_address
> Private IP space is incredibly useful. I build it and set it up -- my ISP does not have control.
You can have that with IPv6, too. You can even get your own ULA prefix that (hopefully [1]) only you will ever use: https://ula.ungleich.ch/
[1]: Technically, it doesn’t prevent anybody else from using the same space as you. (And you can’t advertise it, of course.)
> the whole standard is built around this use case most people don't need most of the time.
This seems to be a function of when it was developed, starting in the early 90s before the internet as we know it today, particularly the web, even existed. Security wasn’t seen the same way then, because the threats we have today simply didn’t exist.
Not every company in the world had its own private networks, so there weren’t even good examples to follow. The result was a system designed in the effective equivalent of a vacuum, without regard for how the internet would actually end up being used. The result is the situation you described.
> This is _gone_ with IPv6
Incorrect. There is the ULA range, fc00::/7, which is not routable and can be used in the same place you'd use 192.168.0.0/16 or similar.
You can even do something like fc00::192:168:0:0/120 if you really want.
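ULA comes up here and in the earlier replies pointing at the Wikipedia ULA article and ula.ungleich.ch. The following is an added Python example, not code from anyone in the thread: it derives a /48 ULA prefix the way RFC 4193 describes, classifies addresses by scope, and mirrors an IPv4 private subnet in the style of fc00::192:168:0:0/120. The function names are mine, and the NTP timestamp and EUI-64 are caller-supplied inputs.

```python
import hashlib
import ipaddress

# RFC 4193 ranges: fc00::/7 is the whole ULA block, fd00::/8 is the locally
# assigned half (L bit = 1), and fc00::/8 is reserved for future definition.
ULA = ipaddress.IPv6Network("fc00::/7")
ULA_LOCAL = ipaddress.IPv6Network("fd00::/8")
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")


def generate_ula_prefix(ntp_time64: int, eui64: bytes) -> ipaddress.IPv6Network:
    """RFC 4193 section 3.2.2: SHA-1 over (64-bit NTP time || EUI-64), keep the
    low 40 bits as the Global ID, prepend 0xfd and use the result as a /48.
    Both inputs are caller-supplied; the values used in tests are constructed."""
    if len(eui64) != 8:
        raise ValueError("EUI-64 must be exactly 8 bytes")
    digest = hashlib.sha1(ntp_time64.to_bytes(8, "big") + eui64).digest()
    global_id = int.from_bytes(digest[-5:], "big")  # least significant 40 bits
    prefix_int = (0xFD << 120) | (global_id << 80)  # fd | Global ID | 80 zero bits
    return ipaddress.IPv6Network((prefix_int, 48))


def classify(address: str) -> str:
    """Scope of an IPv6 address; ULA and link-local sources should never be
    accepted from the Internet side of a border firewall."""
    addr = ipaddress.IPv6Address(address)
    if addr in ULA_LOCAL:
        return "ula-local"
    if addr in ULA:
        return "ula-reserved"
    if addr in LINK_LOCAL:
        return "link-local"
    if addr in GLOBAL_UNICAST:
        return "global-unicast"
    return "other"


def mnemonic_subnet(ula_prefix: str, ipv4_net: str) -> ipaddress.IPv6Network:
    """Mirror a private IPv4 subnet inside a ULA /48 in the style of the
    fc00::192:168:0:0/120 example: each decimal octet is reused as a hextet and
    the prefix keeps the same number of host bits (96 + IPv4 prefix length)."""
    v6 = ipaddress.IPv6Network(ula_prefix)
    v4 = ipaddress.IPv4Network(ipv4_net)
    if v4.prefixlen % 8:
        raise ValueError("IPv4 prefix must be octet-aligned (/8, /16 or /24)")
    head = v6.network_address.exploded[:19]  # first four hextets of the /48
    tail = ":".join(str(v4.network_address).split("."))
    return ipaddress.IPv6Network(f"{head}:{tail}/{96 + v4.prefixlen}")
```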
> There is really no reason for most devices to be publicly reachable.
If you want things to work in one direction only, you really want television or radio. This is how most people really treat the Internet, unfortunately.
> I learn new things all the time. IPv6 is much more complicated, and importantly, more complicated than it needs to be. There is really no reason for most devices to be publicly reachable.
Sigh. This myth really won't die.
Publicly addressable ≠ publicly reachable.
With my last ISP I had IPv6: every device (including my printer) on my local network had a public IPv6 address, but exactly zero were reachable thanks to the stateful packet inspection (SPI) on my Asus.
You’re either arguing about semantics or missed the point they were trying to make. If it doesn’t have to be publicly reachable, why should it be publicly addressable in the first place? I can’t think of any common requirement that will be afforded to users having devices that will never need to be publicly reachable be publicly addressable. Considering most people’s use cases solely involve home networks of devices that they definitely do not want to be publicly reachable, why is needing to explicitly disallow that better for them?
In non-abstract terms, I just don’t see how that works better.
>>Yes, a firewall can prevent these connections
>Publicly addressable ≠ publicly reachable.
I already addressed this, and I know how firewalls work. It would be nice if on a per-device basis I could opt into a choice to be publicly addressable. Instead, the entire standard is built around this.
If you disable the firewall with a “master disable” I suspect IPv6 routes through on at least some routers. Meanwhile if the NAT is disabled, it almost surely takes the route with it, and even if it somehow routes through you probably won’t get a DHCP lease from your ISP for more than a device or two.
> you do expose what used to be private addresses with IPv6
It's been 10 years since I first rolled my eyes at ipv6 due to this problem. You're saying it's still a problem, over a decade later? Ugh. Bring on ipv7 or ipv8.
Not really, privacy extensions are usually on by default, at least on Windows and Linux. This means temporary ipv6 addresses will be used for outbound traffic and rotated regularly (usually every 24h by default, if I'm not mistaken). And if you're worried about tracking, we lost this war ages ago; ipv6 wouldn't meaningfully change that.
> It's been 10 years since I first rolled my eyes at ipv6 due to this problem.
You might find this comment [0] informative.
You might also be interested to know that the ULA space was defined and reserved in October 2005. If you of ten years ago had done a little more research, you'd have discovered that the problem had been solved ~ten years prior.
[0] <https://news.ycombinator.com/item?id=46468426>