Comment by throw0101a
5 days ago
> I can’t think of any common requirement that will be afforded to users having devices that will never need to be publicly reachable be publicly addressable.
Because you do not know ahead of time which devices may have such a need, and by allowing for the possibility you open up more flexibility.
> [Residential customers] don't care about engineering, but they sure do create support tickets about broken P2P applications, such as Xbox/PS gaming applications, broken VoIP in gaming lobbies, failure of SIP client to punch through etc. All these problems don't exist on native routed (and static) IPv6.
> In order for P2P to work as close as possible to routed IPv6 in NATted IPv4, we had to deploy a bunch of workarounds such as EIM-NAT to allow TCP/UDP P2P punching to work both ways, we had to allow hairpinning on the CGNAT device to allow intra-CGNAT traffic to work between to CGNAT clients, as TURN can only detect the public-facing IP:Port, hairpinning allow 100.64.0.0/10 clients to talk to each other over the CGNATted public IP:Port.
* https://blog.ipspace.net/2025/03/response-end-to-end-connect...
By having (a) a public address, and (b) a CPE that supports PCP/IGD hole punching, you eliminate a whole swath of infrastructure (ICE/TURN/etc) and kludges.
When it was first released, Skype was peer-to-peer, but because of NAT "super nodes" had to be invented in their architecture so that the clients/peers could have someone to 'bounce' off of to connect. But because of the prevalence of NAT, central servers are now the norm.
A lot of folks on HN complain about centralization and concentration on the Internet, but how can it be otherwise when folks push back against technologies that would allow more peer-to-peer architectures?
> by allowing for the possibility you open up more flexibility.
The problem is that flexibility is often the enemy of security, and that’s certainly true here. Corporate networks don’t want to allow even the possibility of devices that are supposed to be private being publicly addressable. Arguing that it’s “simpler” or “more flexible” is like arguing that we don’t need firewalls, for the same reasons. And in fact, that argument used to be made quite regularly. It’s just that no-one who deals with security has ever taken it seriously.
It's baffling to argue that NAT is the real driver of centralization for internet technologies.
It surely was a big factor.
When internet finally became popular, hosting a website on your own machine already became infeasible.
What do you mean by popular? I hosted a site on a home machine in the early teens. If you don't know how to do that with NAT, you should not have a web server under your control exposed to the internet.
9 replies →
> It's baffling to argue that NAT is the real driver of centralization for internet technologies.
It doesn't help.
What is then?
Capitalism, essentially. Companies can make more money from centralized control over systems than from truly distributed systems, and customers are suckers for the simplicity of delegating their needs to single providers.
The reason Google bought and destroyed dejanews.com, for example (try visiting that site) was to weaken one of the distributed sources of competition. Similar for RSS.
I'd like to know the average number of broadband customers that make support tickets because of NAT. I'll bet it's far less than 1%. And you really think NAT, rather than SV betting huge on cloud services and surveillance capitalism, was the reason that everything is centralized? Come on...