IPv6 is the only way forward (ankshilp.in)
IPv6 - still the same, but the space is large enough that any first-mover advantage is minuscule.
32 bits seemed practically infinite at the time IPv4 was created, and the whole thing started as a way for the American military-industrial-research complex to communicate with itself anyway. Why would you even want to assign addresses on your defense network to foreign adversaries?
Now that it's a commercial thing, a more equitable distribution would have, with hindsight, been a good thing.
Both IPv4 and IPv6 addresses are 'just' u_ints: one is 2^32 and the other is 2^128. The fact that we display them in a particular format (10.11.12.13; ff:ee::bb:aa) is only for human UX purposes.
Strictly speaking everything in a computer is 'just' a number represented in base-2 (binary digits: bits) that we affix certain labels to (char, int, float, struct).
Many here will be familiar with the second system effect [1]. Usually people want to avoid making breaking changes but once they do, they can go a little nuts. My personal opinion is only major versions should make breaking changes and a lot of thought should go into making them as painless as possible.
IPv6 is fascinating for these reasons but also that it's a product of its time in two main ways:
1. It doesn't do anything about roaming because that wasn't an issue in the 1990s but it certainly is now;
2. A 64 bit address space would've basically been infinite addresses but instead they went with 128 bit addresses (rolling in ports) but then giving individual users a /64 address range. For some reason people deny it now or simply weren't aware but that too is a historical artifact because it was intended to put a 48 bit MAC address into that space but later we realized that's a huge PII and tracking issue; and
3. History has shown that upgrading network backbone hardware (in particular) is incredibly difficult through a process that's been described as "ossification", which is a nice description. Basically, network relays and routers wanted to avoid security issues and decided to discard things they didn't understand.
That's interesting because it violates Postel's Law [2], which basically says be liberal in what you accept and conservative in what you send.
But this shows up in all sorts of interesting ways, like it's practically impossible to reliably use MTUs larger than about 1536. When IPv4 was designed, that wasn't an issue. With 1-100G+ networks it is. There are RFCs about using large MTUs but you're dependent on backbone hardware you have no control over.
Even Linux struggles with this, to the point where you need to do some configuration for high-bandwidth networks (eg RPS [3]). Just handling all those interrupts presents a bunch of problems beyond the original scope. And again, it's hard to fix through no fault of Linux's.
I'm old enough to remember the talk about us running out of IPv4 addresses back in the 1990s. It's been interesting to watch how this has consistently been kicked down the street (eg cgNAT).
What is funny though is large companies (eg Facebook) actually ran out of internal addresses on a 10/8 network and there's no good solution for that (with IPv4 at least).
[1]: https://en.wikipedia.org/wiki/Second-system_effect
Winamp 3 -> Winamp 5 was closer to Winamp 2. Windows 8 -> Windows 10 was closer to Windows 7.
Though I don't expect this to happen with IP.
It’s clumsier than ipv4. It’s unnecessary since NAT was invented. In practice IPv6 requires dual stack, which means twice as many firewalls, names and routes to manage — so 4x the debugging because you have 2 dimensions that can either be working or failing. Addresses are too long to remember, too clumsy to write, and after 30 years still don’t have consistent representation (how many colons and brackets?).
Look, IPv6 has some benefits, but until the usability is fixed, it will be another 30 years before it’s close to 95% adoption.
What makes you suggest that it's backbone hardware that is the problem? It's largely enterprise customers and tier 3 providers that don't really do IPv6 afaics.
Would say the opposite is true. Core routers were the first to enable V6 support in any network as they would need support it for anything else to even use it. They got regularly replaced as bandwidth needs keeps rising as well.
Plenty of isps advertise ipv6 but haven't managed to give it to customers yet.
Interrupts are hardly a problem with any nics of the last decade really.
Companies like Facebook can and do use 240/4.
This is a privileged view of someone whose ISP has enough money (or was around early enough) to get enough IPv4 addresses to assign one to every customer's WAN interface. Not everyone is so lucky.
A lot of folks get non-publicly-routable 100.64.0.0/10[1] on their WAN interface with no way to do hole punching because they're behind CG-NAT.
10 years ago I was all gung-ho about IPv6, but it's annoying at every level.
Having to deal with the separate socklen_t is mildly annoying, but you can just make a little struct that holds both.
How are you going to make v8 addressable from v4? Because you need to do this too for communication to work.
Also, you've made v4 addressable from v8, and you're about to explain how you make v8 addressable from v4... but that's just addressing, i.e. identifying the right host. How are you going to actually send packets from v8 to v4, and also from v4 to v8?
> The IPv6 critics shout out that this would be a viable solution.
But they never bother to understand enough of the problem to contribute anything useful. Either they can't come up with something that works, or they come up with something that they didn't realize v6 already did.
I expected this question and have thought about it. Here is an idea: all nodes (PCs, routers etc) run an updated stack, which sends/receives 64bit addresses. If it receives 1:2:3:4:0:0:0:0, that's v4 and continues as such. It's on the ISP when the switch happens because they deliver the addresses. The user notices nothing. Edge cases can arise and be handled accordingly.
The update from 32-to-64 will be massively pushed to all kernels and userspaces in a short time so as to shorten outages.
The idea that any ISP would do a Dagen H is very alien to how an ISP thinks. https://en.wikipedia.org/wiki/Dagen_H
> If it receives 1:2:3:4:0:0:0:0, that's v4 and continues as such
1:2:3:4:0:0:0:0 isn't v4, so it can't "continue as v4"... perhaps you meant that a router somewhere converts the packet to a v4 packet, but this is still only the v8->v4 direction. How do you map v8 into v4 so that the destination can reply?
> The update from 32-to-64 will be massively pushed to all kernels and userspaces in a short time so to shorten outages.
Right, add support for the new stack everywhere like we did with v6's 32-to-128 update. But just saying that it'll be done in a short time doesn't mean it will be.
https://radar.offseq.com/threat/ipv4-mapped-ipv6-addresses-t...
If you want to handle two protocols, it is not unreasonable to use two sockets.
And the billion people in India? The billion in China? The billion on the continent of Africa? And even in the US:
> Our [American Indian] tribal network started out IPv6, but soon learned we had to somehow support IPv4 only traffic. It took almost 11 months in order to get a small amount of IPv4 addresses allocated for this use. In fact there were only enough addresses to cover maybe 1% of population. So we were forced to create a very expensive proxy/translation server in order to support this traffic.
> We learned a very expensive lesson. 71% of the IPv4 traffic we were supporting was from ROKU devices. 9% coming from DishNetwork & DirectTV satellite tuners, 11% from HomeSecurity cameras and systems, and remaining 9% we replaced extremely outdated Point of Sale(POS) equipment. So we cut ROKU some slack three years ago by spending a little over $300k just to support their devices.
* https://community.roku.com/t5/Features-settings-updates/It-s...
* Discussion: https://news.ycombinator.com/item?id=35047624
It's okay for the folks that got in early on the IPv4 address gold rush to tell them "fuck you, we got ours"?
PSINet/Cogent got 38/8 in 1994: did they invent it? Ford got 19/8 in 1995: how about them?
How many places and people/companies didn't have the ability to go to a RIR in the 1990s or 2000s and get an allocation because their local infrastructure (power, telecom) wasn't developed at the time? So because they got computers, fibre, smartphones later they're SOL?
There are two groups that should update to v8 in order to be fully functional: users' OS net stack and ISPs' infra.
The incompatibility of IPvs between two endpoints can be solved by a couple of mechanisms. One is to make a preflight check if all nodes support v8, another is to start with a flag isv8=1 and change it along the path. If a single node is still at v4, all the communication continues v4-like (the v8 nodes send 0 at the ls32b).
It will be a gradual migration, in some regions faster or slower, but it will be SEAMLESS for the user, without the awful v6 UX that we have now.
Obviously there should be simulations and refining to avoid edge cases and conflicts. I will not design the full spec.
> There are two groups that should update to v8 in order to be fully functional: users' OS net stack and ISPs' infra.
A lot of software hardcodes AF_INET or sockaddr_in, and so can only handle 32-bit addresses. Also, there's the end-user's border router, and any internal routers on the client or server side, and the LANs on the client and server sides. There are databases, protocols and data structures that store IP addresses. Any attempt to use v8 with any of these will break them even if half of the v8 address is set to zeros, because they can't handle the 64 bits of a v8 address. They'll either reject the address or it'll corrupt the next 32 bits of memory. A seamless update to the OS net stack and ISP infra isn't sufficient to make them work with v8, because they'll still be limited to 32 bits.
I understand that your core idea is to say that a subset of the v8 address space maps directly to the v4 address space, so that you can convert that subset to v4 to work with the above things. This idea itself isn't bad; it's a perfectly sensible backwards compatibility mechanism that's used by v6 too. You're correct that it allows just that subset to be passed to an application over an AF_INET socket, used to send/receive v4 packets to the corresponding v4 address and so on. This approach is seamless if you stick to exposing the addresses as v4 addresses rather than as v8, because then they could be handled the same way v4 addresses are.
The problem is, you can only make it seamless by hiding the full v8 addresses and pretending they're v4, which can only be done for a small fraction of v8 addresses. What about the rest of them? You haven't actually extended v4's address space past 32 bits, so if you want to use v8's extra addresses you'll have to expose the full v8 addresses as v8 addresses, which is no longer seamless because that's a whole new stack the user and their software has to deal with.
If it was possible to seamlessly switch to bigger addresses, there would be no reason to restrict yourself to the subset of v8 addresses that end in :0:0:0:0 in the first place. You're doing that because using bigger addresses isn't seamless, which is an acknowledgement that a seamless upgrade to bigger addresses isn't possible. It would be if they were the same size, but then you've failed your goal of extending the address space.
So no, you can't claim this upgrade would be seamless unless you can remove the part that's only in there because it's not.
> If a single node is still at v4, all the communication continues v4-like (the v8 nodes send 0 at the ls32b).
If a single node is still at v4, that node will drop your v8 packets even if you set the ls32b to 0, because it doesn't understand the v8 packet format in the first place. This node will prevent you from switching to v8 even if you stick with the limited v4-compatible subset of v8 addresses.
> it will be SEAMLESS for the user, without the awful v6 UX that we have now
That "awful v6 UX" is the same UX you'd get with v8 if you tried to use the expanded address space. Or, if you limited yourself to just the v4-mapped subset of v6 then it would be just as seamless as v8 is. This should be obvious, because you already lived through OSs adding support for v6 in their net stacks and it was seamless so long as you stuck to the part of v6 which maps directly to v4. Which is what you were asking for, wasn't it?
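The v4-mapped subset argument above, as an added example that is not from the thread: the real IPv6 mechanism (RFC 4291's ::ffff:a.b.c.d range, exposed by Python's ipaddress module) next to a model of the hypothetical 64-bit "v8" scheme, assuming its eight colon-separated groups are decimal octets with the IPv4 address in the top four ("1:2:3:4:0:0:0:0"). Both hand exactly 2**32 addresses of the larger space back to IPv4; everything else has no IPv4 form.

```python
"""IPv4-mapped subsets: the real IPv6 one next to the hypothetical "v8" one.

Added example, not from the thread.  The "v8" functions model the 64-bit
proposal from the comments above (an assumption: eight decimal octets,
IPv4 address in the top four, zeros below).  Both schemes map exactly
2**32 addresses of the larger space to IPv4; the rest have no IPv4 form,
which is the rebuttal's point.
"""
import ipaddress
from typing import Optional

V4_SPACE = 2 ** 32
V8_SPACE = 2 ** 64    # hypothetical "v8" address space
V6_SPACE = 2 ** 128


# --- the real thing: IPv4-mapped IPv6 addresses (::ffff:0:0/96) ---------

def v4_to_mapped_v6(v4: str) -> str:
    """203.0.113.45 -> ::ffff:<same 32 bits in the low word>."""
    n = int(ipaddress.IPv4Address(v4))
    return str(ipaddress.IPv6Address((0xffff << 32) | n))


def mapped_v6_to_v4(v6: str) -> Optional[str]:
    """Embedded IPv4 address, or None when v6 lies outside ::ffff:0:0/96."""
    embedded = ipaddress.IPv6Address(v6).ipv4_mapped
    return None if embedded is None else str(embedded)


# --- the hypothetical "v8" scheme from the thread -----------------------

def parse_v8(text: str) -> int:
    """'1:2:3:4:0:0:0:0' -> 64-bit integer (assumed decimal-octet notation)."""
    parts = text.split(":")
    if len(parts) != 8:
        raise ValueError(f"v8 address needs 8 groups: {text!r}")
    value = 0
    for part in parts:
        octet = int(part, 10)
        if not 0 <= octet <= 255:
            raise ValueError(f"group out of range in {text!r}")
        value = (value << 8) | octet
    return value


def format_v8(value: int) -> str:
    return ":".join(str((value >> (8 * (7 - i))) & 0xff) for i in range(8))


def v4_to_v8(v4: str) -> str:
    """IPv4 in the top 32 bits, zeros below: the 'continues as v4' subset."""
    return format_v8(int(ipaddress.IPv4Address(v4)) << 32)


def v8_to_v4(text: str) -> Optional[str]:
    """Inverse of v4_to_v8; None for the 2**64 - 2**32 addresses that do not map."""
    value = parse_v8(text)
    if value & 0xffffffff:      # low 32 bits set: no IPv4 equivalent exists
        return None
    return str(ipaddress.IPv4Address(value >> 32))


def v4_reachable_fraction(space: int) -> float:
    """Share of a larger address space that 32-bit-only software can name."""
    return V4_SPACE / space


if __name__ == "__main__":
    for v6 in ("::ffff:203.0.113.45", "2001:db8::1"):
        print(v6, "->", mapped_v6_to_v4(v6))
    for v8 in ("1:2:3:4:0:0:0:0", "1:2:3:4:0:0:0:1"):
        print(v8, "->", v8_to_v4(v8))
    print("v8 space reachable by v4-only software:", v4_reachable_fraction(V8_SPACE))
    print("v6 space reachable by v4-only software:", v4_reachable_fraction(V6_SPACE))
```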
* curl (URL format): `curl -6 "[2001:db8::1]:8080/"`
* wget (URL format): `wget "[2001:db8::1]"`
* ssh (standard login): `ssh user@2001:db8::1`
* ssh (specified port): `ssh -p 2222 user@2001:db8::1`
* scp (remote path): `scp file.txt [2001:db8::1]:/tmp/`
* rsync (remote path): `rsync -av file.txt [2001:db8::1]:/tmp/`
* nc (netcat, positional): `nc -6 2001:db8::1 80`
* telnet (positional): `telnet 2001:db8::1 80`
* nmap (target): `nmap -6 2001:db8::1`

Nobody will want to switch to the new stack if it means instantly losing clients that don't have the new stack yet, so the only way to switch would be to coordinate everybody on the planet to switch simultaneously. This is as far away from a gradual deployment as you can get. A flag day for the Internet isn't viable, no matter how much you shout it.
These are not edge case questions we're asking here. They're fundamental questions about how to expand the v4 address size without ultimately doing the same things v6 had to do. You don't need to design the full spec, but you don't get to argue we should replace v6 if the best alternative approach you can come up with works the same way v6 does and has the same limitations v6 does.
So any place that can only take addresses, not some sort of URL, should/can (of course, the program author can do whatever he/she wants!) accept addresses without delineation.
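The bracket-versus-colon problem the CLI list above illustrates, as an added example that is not from the thread: a `host[:port]` splitter that follows the RFC 3986 convention (brackets delimit an IPv6 literal) and a separate address-only parser that accepts an undelimited address, as the comment suggests. All function names are this example's own.

```python
"""Splitting a "host[:port]" string when the host may be an IPv6 literal.

Added example, not from the thread.  The ambiguity it handles: "2001:db8::1:80"
is itself a valid IPv6 address, so without brackets there is no way to
tell "host 2001:db8::1, port 80" from that address.
"""
import ipaddress
from typing import Optional, Tuple


def _parse_port(text: str) -> int:
    if not text.isdigit():
        raise ValueError(f"bad port {text!r}")
    port = int(text)
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    return port


def split_host_port(spec: str, default_port: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (host, port) for 'host', 'host:port', '[v6]' or '[v6]:port'.

    A bare IPv6 literal is taken as the whole host with no port; a string
    with several colons that is NOT a valid IPv6 address is rejected rather
    than guessed at.
    """
    if spec.startswith("["):
        end = spec.find("]")
        if end == -1:
            raise ValueError(f"unterminated bracket in {spec!r}")
        host = spec[1:end]
        ipaddress.IPv6Address(host)  # only IPv6 literals may be bracketed
        rest = spec[end + 1:]
        if rest == "":
            return host, default_port
        if not rest.startswith(":"):
            raise ValueError(f"junk after ']' in {spec!r}")
        return host, _parse_port(rest[1:])

    # No brackets: a string that parses as IPv6 is the whole host.
    try:
        ipaddress.IPv6Address(spec)
        return spec, default_port
    except ipaddress.AddressValueError:
        pass

    if spec.count(":") > 1:
        raise ValueError(f"{spec!r}: an IPv6 literal with a port must be bracketed")
    host, sep, port = spec.rpartition(":")
    if not sep:
        return spec, default_port
    return host, _parse_port(port)


def parse_address(text: str) -> str:
    """For address-only inputs: accept '203.0.113.45', '2001:db8::1' or
    '[2001:db8::1]' and return the canonical address string."""
    if text.startswith("[") and text.endswith("]"):
        text = text[1:-1]
    return str(ipaddress.ip_address(text))


def is_valid_host_port(spec: str) -> bool:
    """True when split_host_port accepts spec."""
    try:
        split_host_port(spec)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for spec in ("[2001:db8::1]:8080", "2001:db8::1:80", "203.0.113.45:80",
                 "[203.0.113.45]:80"):
        print(spec, "->", split_host_port(spec) if is_valid_host_port(spec) else "rejected")
```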
90% of HN replies are debating trivialities to attempt to skirt the point. The point is that ipv6 usability is worse. CLI usability is a good example.
There are many benefits to ipv6, but let’s at least admit the faults so they can be addressed and encourage further adoption.
The lack of self awareness is appalling.
```
> ping6 google.com
PING6(56=40+8+8 bytes) 2605:59c0:236f:3a08:7883:9d04:c26d:5fa1 --> 2607:f8b0:4005:806::200e
16 bytes from 2607:f8b0:4005:806::200e, icmp_seq=0 hlim=117 time=22.262 ms
16 bytes from 2607:f8b0:4005:806::200e, icmp_seq=1 hlim=117 time=26.124 ms
16 bytes from 2607:f8b0:4005:806::200e, icmp_seq=2 hlim=117 time=26.807 ms
^C
--- google.com ping6 statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 22.262/25.064/26.807/2.001 ms
```
Networking is a lot more than being able to ping a single host.
As a concrete counter-example, IPv6 routinely broke for me when I was using pfSense as a router. Why? Because pfSense, with no way of disabling this behavior, published its public IP as the DNS server for internal clients.
So each time I got a new prefix from my ISP, which happens about once a week or more often, machines stopped being able to perform DNS lookups for hours or until I rebooted them.
And, if I had bothered configuring IPv6 firewall rules, those would have had to be reconfigured manually with the new prefix. I understand this is mostly fixed in pfSense recently, but this was the case for many, many years.
Another counter-example is that Android only supports SLAAC, and SLAAC only supports providing a few key infrastructure details like router and DNS. If you want to tell the Android client something else, like NTP server, you're outta luck. Also, if Android successfully gets an IPv6 address via SLAAC, it requires the DNS server IP to also be an IPv6 address. So your internal DNS server must then also serve on IPv6. If that wasn't the case, it would just silently use Google's own DNS servers, breaking any local configuration you had.
Another point is that a lot of us tried using IPv6 decades ago, and so we still have scars from that time. IPv6 today is a lot better, but I still have a lot of IPv6 frustration associated with it from 15-20 years ago.
Why would you have to reconfigure your firewall rules when you're getting a new IPv6 prefix?
I mean, I have a router that is trash with IP4. Therefore IP4 is trash!
I used to. When I had a home network I'd carefully assign `10.52.1.x` where `x` was the periodic number corresponding to the machine name! (I write from `lutetium`.)
Now, with Tailscale's magic DNS – `lutetium` being all I need – why on Earth would I give a crap about an IP address? I've gone from being obsessed to truly not caring at all.
So, give me IPv6. Auto-assign everything! All I want is a name.
The main thing all those have in common is they are either something I frequently use (all mentioned local IPs) or just stupid easy to remember (DNS servers), neither of which is possible for IPv6.
From memory isn't localhost for IPv6 not shorter than for IPv4? The answer is yes, it is ::1 and I was thinking of the Multicast and Link-local address prefixes which are ff00:: and fe80:: respectively.
Introducing a more complex system without easing any of the cognitive load and making fun of it is just cruel at this moment.
Users need a simpler way to connect to their devices, and what tailscale did with magic dns shows that users don’t even care about IPv4 they just want to connect to their devices with something simple they can remember.
https://www.rfc-editor.org/rfc/rfc7084
It describes in detail what a home router needs to be doing to make all of this work seamlessly.
Things work so well that half the world has working IPv6 already.
Openwrt pretty much implements all of this out of the box.
If you are struggling with IPv6 I recommend reading up on where it is at today and figuring out how whatever makes your network special can be done using IPv6 with no fuss.
Personally I have moved several times changing ISPs in the process and my IPv6 setup involving multiple LANs on my home network has just continued to work. IPv6 renumbering events just work seamlessly and completely automatically.
Historically the only practical hold up to IPv6 adoption has been the ISPs not rolling it out to their customers.
1. IPv6 addresses are too long to remember
2. IPv6 doesn't need NAT and people are uncomfortable with their devices having a public address as they see NAT as an additional layer of security

So 10.20.30.40 would be an IPv4 address, and 10.20.30.40:fa:be:4c:9d could be an IPv6 address, with the :00:00:00:00 suffix being equivalent to the IPv4 version.
I just made this up, so I'm sure that a couple years of deep thought by a council of scientists and engineers could come up with something even better.
But to stick with the ASCII->UTF-8 comparison: how would you have done the transition if you had to stay within ASCII's size of 7 bits?
Just split the address into two 32-bit chunks (call the top word the "pool", bottom word "address") and assign the full IPV4 range to pool 0x00000000. Done.
Found this visual breakdown of IPv4 -> IPv6 transition.
Dual stack and tunneling sections show how much complexity came from not having a clean migration path - https://vectree.io/c/ipv4-vs-ipv6-address-architecture-nat-a...
I have my own /24 that I registered back in the 90's. It is, in fact, routed and announced globally. I know several "early Internet" nerds with the same.
I know three local companies with /16's that aren't even announcing their blocks! Perhaps they use them internally.
I speak as someone who worked at an institute that had similar abundance of address space.
https://en.wikipedia.org/wiki/Unique_local_address
If your intranet has no IPv4 addresses, this is better than a NAT somehow?
> A home network running IPv6 should deploy ULAs alongside its globally unique prefix(es) to allow stable communication between devices (on different subnets) within the homenet
[1] https://datatracker.ietf.org/doc/html/rfc7368.html#section-2...
But yeah, SLAAC's paradigm of moving assignment logic into the node (away from network infra like in DHCP) is definitely a stumbling point.
But that should be a perfect playground for an IPv6-only network that has gateways to the IPv4 content; eventually the home-developed content will begin to drive demand elsewhere.
If India were to turn off IPv4, it would be a great incentive for IPv4-only sites in the US and Europe to add an IPv6 address.
PS: I'm talking about MSO hardware. But client hardware should be at the same level of compatibility for years too.
```
$ ping6 github.com
ping6: github.com: Address family for hostname not supported
```

We already had that, it's called shortwave radio. The internet, especially as it's implemented and as it's used, is a terrible way to achieve this. It's service providers the whole way down.
Obviously. Anyone who does understand how networks work aren't going to spend any time talking about it. People don't talk about things they are certain about. They talk about what they don't know much about to feel out what they're missing. You will never find a discussion where pushing back reveals that you found the world's utmost expert. The world's utmost expert is bored with the subject and has moved on to talking about the things he has gaps in.
Listen here, if there is a networking technology or feature that I wasn't forced to learn when I half-assed a SOHO router config in 2005, then it shouldn't exist at all.
I'll tell you that if you just think of it on its own, it's really no harder than IPv4 + ARP + DHCP, just one or two extra things to remember.
The difficulty of adoption is the featureset and the UX of operating systems and home routers in particular. It is really difficult to find a consumer router, or even home networking OS, that exposes sensible working defaults for IPv6. The problem extends to the ISPs.
The spec is fine.
I never use them on my web, chat, voice, IRC and other servers as I personally find blocking shenanigans on IPv4 and not having to implement the same checks on IPv6 is just easier for a lazy person like me. IPv6 just feels like an after-thought bolt on to me. Clunky, not well thought out. Some privacy gotchas that can be disabled but some will not. That's just my take. I doubt anyone will have the same take.
I think IPv4 will be fine for another 100 years even if we have to re-purpose some DoD/MoD ranges given they don't use them and maybe annex some /8's from a few greedy companies. But that's a problem for Gen Delta. Gen Foxtrot can deal with repurposing some multicast ranges.
IPv6 is for the people (countries, continents) who did not get in early on the IPv4 address gold rush. Your take is basically "got mine, F you".
The trouble is that 1) my employers do not have native ipv6 access; 2) neither does my mobile connection; and 3) really nor do a lot of my friends. Moreover, 4) if you browse a website from a native world-reachable ipv6 address, you're fingerprinted by it and it's overwhelmingly unique to you. So, it doesn't really work for hosting, and I don't get any direct benefits from it.
Instead I have a vps with a public ipv4 address and have a router that creates a wireguard tunnel to it. The reverse proxy works great over ipv6 and I am now in a position where I can forward ports and have direct connections -- albeit with hugely increased technical complexity. Ipv6 has many great ideas in it. If it's universally used it might just catch on...
IPv6 privacy extensions exist & are enabled by default in most (if not all) operating systems today, which (this is my understanding; take it with a grain of salt) create what essentially are extra IPv6 addresses, used for outbound traffic, that aren't generated via your MAC address.
Even after reading about them many times and using them in (an albeit limited) fashion, they still just don't feel human friendly. Not like the more straightforward IPv4 addresses do. (Or even like a hypothetical "IPv5" that simply prefixes one extra octet).
Whenever I bring this up I'm told something like "Don't bother memorizing IPv6 addresses. Use DNS instead."[1]
That take completely overlooks the fact that if the numbers exist, you will inevitably wind up needing to deal with them at various points along the way. Eg. Debugging logs, sniffing network traffic, ruling out if DNS is down, etc. I'm a big fan of ergonomics to make things intuitive and reduce unnecessary cognitive overhead, and the new scheme is a regression in that regard.
If anyone has tips on how they became more fluent with IPv6 I'd love to hear.
[1] https://www.networkworld.com/article/934784/mission-impossib...
All I want to do is give every machine on my network a friendly hostname like storage.lan, timsPhone.lan, etc without having to run BIND (if possible), or dhcpd.
I have heard of zeroconf for ipv4, but the catch is I want this to work across several different platforms like Windows , freebsd, Linux, etc. I also don't want to use static addresses, but I feel like that's asking too much.
mDNS supports IPv6 just fine/works on IPv6 only LANs.
[1] https://datatracker.ietf.org/doc/html/rfc7368.html#section-3...
And corporate networks: in Google's stats you'll see IPv6 usage jumps on weekends as people do stuff not using their work computer.
> ...
> Historically the only practical hold up to IPv6 adoption has been the ISPs not rolling it out to their customers.
Yep, that's where I am. Frontier FTTH, IPv4 only. Because....I have no idea why. Because Frontier sucks, basically? They have at least started their rollout:
https://stats.labs.apnic.net/ipv6/AS5650?c=US&p=1&v=1&w=30&x...
...but it's going to be slow going. Don't get me wrong, I'd rather cut off my fingers than go back to Comcast, but at least Comcast gave me a /56.
I later moved and my current ISP does not have ipv6 support but my ULA setup kept working fine with some minor tweaks.
> A home network running IPv6 should deploy ULAs alongside its globally unique prefix(es) to allow stable communication between devices (on different subnets) within the homenet
> When an IPv6 node in a homenet has both a ULA and a globally unique IPv6 address, it should only use its ULA address internally and use its additional globally unique IPv6 address as a source address for external communications.
But at the same time there is a quote by Stanisław Lem...
"Until I used the Internet, I didn't know there were so many idiots in the world"
The "slow intellectual decline" has circular causality with advancement of mass media and convenience tech.
It's been in crisis for decades, but it's also getting increasingly worse every year.
The only lesson to learn from IPv6 deployment is that if there's a workaround available and the world isn't burning, it'll take 30 years from initial design to actual adoption. So if you went out and took 10 years to design IPv7, it'd likely take until 2070 for it to gain some adoption. This is because big network hardware is costly and has very long replacement cycles.
IPv6 was already designed as a lessons-learnt protocol from IPv4 issues. The header is greatly simplified and it's more hardware-friendly, it incorporates the required features into the protocol and leaves extensibility as an optional add-on that doesn't slow down routing packets, all the while granting an infinite address space.
Per Google, quite a few countries (including the US) are at >50%:
* https://www.google.com/intl/en/ipv6/statistics.html#tab=per-...
Every handset on T-Mobile US's network gets IPv6 (and they're not the only carrier like that):
* https://www.youtube.com/watch?v=d6oBCYHzrTA
So I'm not quite sure where "failed" enters the equation.
And what exactly would be different with IPv7? Anything that needs more address bits would have to update DNS to create new resource record types ("A" is hard-coded to 32-bits) to support the new longer addresses, and have all user-land code start asking for, using, and understanding the new record replies. Just like with IPv6. (A lot of legacy code did not have room in data structures for multiple reply types: sure you'd get the "A" but unless you updated the code to get the "A7" address (for "IPv7" addresses) you could never get to the longer address… just like IPv6 needed code updates to recognize AAAA, otherwise you were A-only.)
You need to update socket APIs to hold new data structures for longer addresses so your app can tell the kernel to send packets to the new addresses. Just like with IPv6.
Big companies believe that they have plenty of IPv4 space, especially because they've always been lax in how they read IPv4 RFCs and use IPv4 routing behind corporate firewalls. Big companies also have the most cash to buy IPv4 blocks as they go to auction. Big companies have massive firewalls and strict VPNs which also insulate them from IPv4 scarcity.
IPv4 leases don't impact enough companies' bottom lines today that they need to assess IPv6 support.
Solving those economic incentive problems would likely be a massive sociopolitical problem: you would need IANA and the RIRs to agree to inflate costs in various ways (and in the short term that might have done a lot of harm to small countries already facing IPv4 inequity and their RIRs that lost the very earliest IPv4 assignment lotteries). You'd probably need new RFCs and political enforcement to support things like "taxing" company to company IPv4 block assignments. You'd probably need collusion or regulation from the big "Cloud Providers" to enforce higher costs on IPv4-only networking.
It would take those kind of "strong handed" tactics to speed up IPv6 adoption in corporate networks. Waiting for the "invisible hand" of the "free market" can be very slow and takes patience. That's mostly what we've been seeing with IPv6 adoption: the "invisible hand" is a lot slower than some people predicted. Especially engineers that hoped technical superiority alone would be a market winner.
Sure everything above IPv6 have, but it took years and years of screaming to get it.
Here's some roughly equivalent IP addresses:
203.0.113.45+192.168.1.1 ↔ 2001:db8:2d4f:1::1
203.0.113.45+192.168.1.2 ↔ 2001:db8:2d4f:1::2
203.0.113.45+192.168.1.3 ↔ 2001:db8:2d4f:1::3
203.0.113.45+192.168.2.1 ↔ 2001:db8:2d4f:2::1
The v6 addresses are made up of the network prefix (2001:db8:2d4f, basically an opaque string like 203.0.113.45+192.168), then the subnet ID (1, 2) and then the host ID on the network (1-3 and 1).

When you look at 2001:db8:2d4f:X::Y, it should be pretty easy to see that it's host Y on subnet X, under your prefix which is the same for your whole network. Even if it's 2001:db8:2d4f:X:YYYY:YYYY:YYYY:YYYY it's still the same thing, just with more characters.
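The prefix / subnet / host breakdown above, together with the ULA renumbering point and the MAC-derived interface ID concern raised earlier in the thread, as one added example that is not from the thread: it decomposes a global address with the documentation prefix, recovers a MAC from a modified-EUI-64 interface ID (privacy-extension addresses lack the ff:fe marker), builds a ULA /48 with the RFC 4193 section 3.2.2 algorithm, and shows a prefix change moving only the /48. The MAC, NTP timestamp and prefixes are constructed sample values; the layout assumed is a /48 site prefix with a 16-bit subnet field.

```python
"""IPv6 address anatomy, MAC-derived interface IDs, and ULA stability.

Added example, not from the thread.  Assumes the layout the comment above
describes: /48 site prefix, 16-bit subnet ID, 64-bit interface ID.
"""
import hashlib
import ipaddress
import struct
from typing import Optional, Tuple

MASK64 = (1 << 64) - 1


def decompose(addr: str, prefix_len: int = 48) -> Tuple[str, int, int]:
    """(routing prefix, subnet ID, interface ID) for addr.

    prefix_len=48 gives a 16-bit subnet field; a /56 delegation would
    leave 8 bits for subnets.
    """
    n = int(ipaddress.IPv6Address(addr))
    iid = n & MASK64
    subnet = (n >> 64) & ((1 << (64 - prefix_len)) - 1)
    host_bits = 128 - prefix_len
    prefix = ipaddress.IPv6Network(((n >> host_bits) << host_bits, prefix_len))
    return str(prefix), subnet, iid


def host_address(prefix: str, subnet: int, iid: int) -> str:
    """Assemble a /48 prefix, a 16-bit subnet ID and a 64-bit interface ID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 48 or not 0 <= subnet < 65536 or not 0 <= iid <= MASK64:
        raise ValueError("expected a /48 prefix, 16-bit subnet and 64-bit IID")
    return str(ipaddress.IPv6Address(int(net.network_address) | (subnet << 64) | iid))


def mac_to_eui64(mac: str) -> int:
    """Modified EUI-64 (RFC 4291 appendix A): flip the U/L bit, insert ff:fe."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    eui = bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:]
    return int.from_bytes(eui, "big")


def eui64_to_mac(iid: int) -> Optional[str]:
    """MAC embedded in a modified-EUI-64 interface ID, or None when the ID
    lacks the ff:fe marker (e.g. an RFC 4941 privacy address)."""
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:]
    return ":".join(f"{x:02x}" for x in mac)


def ula_prefix(eui64: int, ntp_time: int) -> str:
    """RFC 4193 section 3.2.2: fd00::/8 followed by the low 40 bits of
    SHA-1(64-bit NTP time || 64-bit EUI-64) as the Global ID, giving a /48."""
    digest = hashlib.sha1(struct.pack(">QQ", ntp_time, eui64)).digest()
    global_id = int.from_bytes(digest[-5:], "big")
    return str(ipaddress.IPv6Network(((0xfd << 120) | (global_id << 80), 48)))


def is_ula(addr_or_prefix: str) -> bool:
    """True for anything inside fc00::/7 (the ULA block)."""
    net = ipaddress.ip_network(addr_or_prefix, strict=False)
    return net.version == 6 and net.subnet_of(ipaddress.IPv6Network("fc00::/7"))


def renumber(addr: str, new_prefix: str) -> str:
    """What an ISP prefix change does to a host: same subnet, same IID, new /48."""
    _, subnet, iid = decompose(addr)
    return host_address(new_prefix, subnet, iid)


if __name__ == "__main__":
    mac = "00:1b:21:3c:4d:5e"                        # constructed sample MAC
    iid = mac_to_eui64(mac)
    gua = host_address("2001:db8:2d4f::/48", 1, iid)
    ula = host_address(ula_prefix(iid, 0xe6d6123400000000), 1, iid)  # constructed NTP time
    print("global :", gua, decompose(gua))
    print("ULA    :", ula, "is_ula =", is_ula(ula))
    print("after renumbering:", renumber(gua, "2001:db8:beef::/48"), "| ULA unchanged:", ula)
    print("MAC visible in the EUI-64 interface ID:", eui64_to_mac(iid))
    print("privacy-style IID leaks a MAC?", eui64_to_mac(0x78839d04c26d5fa1))
```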
And has the practice of generating portions of the address from your MAC address been universally (or at least mostly) abandoned?
If you need to remember random WAN IPv6 addresses without being able to use DNS or at least a hosts file you've probably got a bunch of other more pressing problems.
But yeah. On my own LAN, everything is DHCP for IPv4 and SLAAC for v6. Everything uses mDNS and I connect to everything by name, not address. I can only remember the static IP of one of the servers; the rest are purely names.
I agree with the sibling comment: crummy CPE is crummy CPE. This is a solvable problem, but people end up with junky routers and it causes them anguish.
Put in something more interesting, e.g. OpenWRT, or there are proprietary options too, that provides simple & reliable local LAN DNS, then the problem just goes away.
But in substance, if you have several subnets, then using ULA may make sense depending on what you're trying to do. However most home networks don't subnet.
But then think about what the routing tables would look like, how would an IPv4-only host find an IPv6 host not in pool 0? You'd be reinventing NAT, but in a less-structured context than how NAT works today. There's more issues to it too.
If it was really that simple they would have done exactly that. "Just adding more bits to IPv4" just isn't possible to do backwards-compatibly. IPv6 is the closest you can get to that while also dealing with the complexity that arises with longer addresses.
Ah.
https://news.ycombinator.com/item?id=47355046
This article that "begs to differ" is inventing IPv6 all over again. It just refuses to call itself so.
I quote from the top comment:
>So you have to ship new code to every 'network element' to support IPv4x. Just like with IPv6.
and
>So you have to update DNS to create new resource record types [...] Just like with IPv6.
and
>You need to update socket APIs to hold new data structures for longer addresses so your app can tell the kernel to send packets to the new addresses. Just like with IPv6.
The point is less about the technology proposed and more that there could be an interoperable version of a next generation IP and IPv4.
IPv6 did the braindead thing and completely threw out the idea of transition and interoperability for a clean slate. We're paying for it many decades later.
Also, rather than regurgitate a comment, perhaps you should read the article, because that comment misunderstands what is being proposed and thus completely misses the point.
> but the point that there could be an interoperable version of a next generation IP and IPv4
Yes, it's IPv6. The thing you linked basically took one of the interoperability methods of v6 and described it in weird terms.
You don't do dual stack with v6 either, unless you want to -- you can do the incremental rollout and tangible relief thing with v6 just fine. (But it turns out most people do want to do dual stack.)
Regarding firewall policies:
just because most network OS are plain dumb does not imply that's the fault of IPv6.
A zone based firewall solves that already. And for instance OpenWrt fw4 can make rules for suffixes in a zone too.
For 5€/mo additional I get a static /32 v4 (for NAT64) and a /60 v6 prefix.
> And has the practice of generating portions of the address from your MAC address been universally (or at least mostly) abandoned?
Somewhere around mostly. Windows, OSX, and network-manager/dhcpcd/systemd-networkd on Linux all enable RFC7217 (uses a hash of your MAC and a secret value), temporary addresses (random addresses used for outbound connections) or both by default. Either of these will prevent people from seeing your MAC when you connect to them.
I'm not sure about mobile devices. I'd expect temporary addresses there, but also MAC randomization is a thing these days which would do the job too.
Notably absent from that list is Linux's in-kernel SLAAC client. Client-oriented distros often enable tempaddrs by default (or they install one of the network daemons that does it), but server-oriented distros tend not to.
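Two checks that go with the discussion above, as an added example (my code, not from any of the commenters or from any named OS): recognising a modified-EUI-64 interface identifier, the MAC-derived form that the defaults just listed exist to avoid, and generating an RFC 7217-style stable, semantically opaque identifier with SHA-256. The hash inputs follow RFC 7217's F(Prefix, Net_Iface, Network_ID, DAD_Counter, secret_key); the exact byte encoding of those inputs and the sample secret are my assumptions, not something the RFC fixes.

```python
import hashlib
import ipaddress
import struct

IID_MASK = (1 << 64) - 1

# Interface identifiers a generated IID must not collide with (RFC 5453 / IANA registry)
RESERVED_IIDS = (
    (0x0000000000000000, 0x0000000000000000),  # subnet-router anycast
    (0x02005EFFFE000000, 0x02005EFFFE005213),  # ISATAP and related
    (0xFDFFFFFFFFFFFF80, 0xFFFFFFFFFFFFFFFF),  # reserved subnet anycast
)


def eui64_mac(addr: str):
    """Return the MAC address embedded in a modified-EUI-64 interface identifier,
    or None if the IID does not carry the ff:fe marker in its middle two octets."""
    iid = int(ipaddress.IPv6Address(addr)) & IID_MASK
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:8]  # undo the universal/local bit flip
    return ":".join(f"{x:02x}" for x in mac)


def rfc7217_iid(prefix: ipaddress.IPv6Network, net_iface: str, network_id: bytes,
                dad_counter: int, secret_key: bytes) -> int:
    """Low 64 bits of SHA-256 over the RFC 7217 inputs (input encoding is my choice)."""
    h = hashlib.sha256()
    h.update(int(prefix.network_address).to_bytes(16, "big"))
    h.update(struct.pack("!B", prefix.prefixlen))
    h.update(net_iface.encode())
    h.update(network_id)
    h.update(struct.pack("!Q", dad_counter))
    h.update(secret_key)
    return int.from_bytes(h.digest()[-8:], "big")


def stable_address(prefix: str, net_iface: str, secret_key: bytes,
                   network_id: bytes = b"", dad_counter: int = 0):
    """Stable, semantically opaque address for this prefix: same inputs give the same
    address, a different prefix or secret gives an unrelated one, and no MAC is inside.
    Returns (address, dad_counter) so a caller can persist the counter it ended on."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC prefixes are /64")
    while True:
        iid = rfc7217_iid(net, net_iface, network_id, dad_counter, secret_key)
        if not any(lo <= iid <= hi for lo, hi in RESERVED_IIDS):
            return ipaddress.IPv6Address(int(net.network_address) | iid), dad_counter
        dad_counter += 1  # reserved IID (or, in a real stack, a DAD failure): retry


if __name__ == "__main__":
    print(eui64_mac("fe80::211:22ff:fe33:4455"))   # the MAC leaks: 00:11:22:33:44:55
    print(eui64_mac("2001:db8::1"))                  # None, nothing to recover
    secret = b"\x00" * 15 + b"\x01"                  # sample secret only, not a real key
    addr, _ = stable_address("2001:db8:2d4f:1::/64", "eth0", secret)
    print(addr)
```

eui64_mac is the check to run over your own address table (or a packet capture) to see whether any host is still using MAC-derived identifiers; the secret in stable_address is what has to be protected, since with it an observer can correlate a host across prefixes again.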
UTF-8 is convenient because ASCII has a spare bit, but UTF-8 is fundamentally possible because ASCII is variable-length. IPv4 is not variable-length.
I get the impression that this fact is fundamentally lost on a lot of the people who want a "compatible" IPv6. Like, their mental model does not distinguish between how we as humans write down an IPv4 address in text and how that address is represented in the packet.
So they think "let's just add a couple more dots and numerals and keep everything else the same"
UTF-7 was possible because there was an out-of-band mechanism to signal its use, "Content-Type: text/plain; charset=UTF-7":
* https://datatracker.ietf.org/doc/html/rfc2152
What's the OOB signalling in IP packet transmission between two random nodes on the Internet?
fddd::7 is easier to type than 10.0.0.7
edit: Well, you said easier to type. I guess I probably agree with that.
Instead of being able to run a groove in my head mentally, and read with any sort of rhythm, I have to read them like binary bytes. Every address feels like a foreign phone number where your normal rhythm doesn't fit, but it never gets better.
Perhaps, IMO, the greatest and only sin of IPv6. That and using fucking colons.
How pfSense works is fairly reasonable if every IPv6 deployment had been as the original designers intended, ie you have a static prefix.
It's just that the way IPv6 ended up getting deployed in practice was often not aligned with that original vision. And that has been a large source of IPv6 frustration.
I can't see why an ISP is dynamically changing the IPv6 addressing for a client, but if that's what is going on, then v6 NPT is your friend (RFC6296 - https://datatracker.ietf.org/doc/html/rfc6296).
But pfsense's behaviour is a bit iffy too, unless when you say 'public IP', you mean the IPv6 address being used on the pfsense facing the clients? (I'm assuming it's using DHCPv6 prefix delegation, and the delegation is being changed? And potentially the uplink subnet as well).
So NAT is the one true solution after all.. /s
> unless when you say 'public IP', you mean the IPv6 address being used on the pfsense facing the clients?
Well, that's kinda the thing, pfSense seems to assume global means it's also the IP facing the local clients. I couldn't get pfSense to advertise its ULA as the DNS server for example. But if you have a static prefix, that's not a bad assumption. And a static prefix is what the IPv6 designers envisioned.
> I'm assuming it's using DHCPv6 prefix delegation, and the delegation is being changed?
ISP indeed uses DHCPv6 prefix delegation. The prefix I get can change "randomly". It always changes when my router or modem reboots, but other times too (perhaps when their equipment reboots).
I should note that after getting very frustrated with pfSense, I threw it away a few years ago and switched to OpenWRT which has worked much, much better when it comes to IPv6.
Because the IP address of the target changes when you get a new prefix.
There's some discussion in this[1] old pfSense ticket.
With IPv4 you typically do address translation (NAT) and so the internal target address is not tied to the global address.
But I think it further strengthens my case, software support for IPv6 has been quite spotty over the years, which combined with the less-than ideal deployments out there has made things frustrating for many users over the past couple of decades.
IPv4 is 32 bits. It has a hard cap of ~4 billion addresses. China and India alone have 2.85 billion people.
Add in the United States and Europe, and now nobody else gets an IP address. South America, Canada, Mexico, Australia, Africa, the middle east, the rest of Southeast Asia, etc. don't get to use the internet. That's 4 billion people who don't get to use the internet.
You are not supposed to use it for „communication” as in Facebook. You are supposed to use spectrum to test your gear and keep transmissions short to leave space for others.
I was in local HAM club and passed the exam for license but never got license to transmit mostly because you are not supposed to chat frivolously over the radio.
And still likely better than heavily regulated airwaves.
I do want some hardcoded addresses. In particular, some of the daemons I run get twitchy when the remote address changes unexpectedly.
This is not the case for the addresses returned. See eg https://www.rfc-editor.org/rfc/rfc6762
6.2. Responding to Address Queries
When a Multicast DNS responder sends a Multicast DNS response message
containing its own address records, it MUST include all addresses
that are valid on the interface on which it is sending the message,
and MUST NOT include addresses that are not valid on that interface
(such as addresses that may be configured on the host's other
interfaces). For example, if an interface has both an IPv6 link-
local and an IPv6 routable address, both should be included in the
response message so that queriers receive both and can make their own
choice about which to use. This allows a querier that only has an
IPv6 link-local address to connect to the link-local address, and a
different querier that has an IPv6 routable address to connect to the
IPv6 routable address instead.
So instead of using static ULA addresses, you can use the routable address returned by mDNS. It can often replace the ULA address use case.
I guarantee, we will be having this same exact discussion 10 years from now. And then so on, and so on.
If you don't want to deploy v6 like that, consider why -- because the people who live in the world described by that article will also have the same reasons as you to not deploy it that way.
> If IPv6 gave tangible relief, then IPv4 today would not be an important mainstay of the Internet
No, that argument doesn't hold. v6 can give tangible relief even while v4 is an important mainstay of the Internet. You only have to listen to the people doing CGNAT, or the people turning on v6-mostly and seeing their v4 address use drop by 75% to hear examples of that.
Deployments of v6 reduce the pressure on v4, because they allow us to deploy new networks without needing v4 and because migrating existing networks frees up v4 that can be repurposed. This is also a benefit that's making v4 more viable that it would be without v6.
Plus you're making assumptions about the time needed to replace the Internet's L3 protocol. It's nice to fantasize about finishing it in 10 years, but that doesn't mean that finishing it in 10 years is realistically possible. Deployment of v6 is ongoing and v4's importance is dropping over time; you can't know what the ultimate impact of v6 will be until we're finished deploying it.
There was always going to be a long tail of v4-only hosts, no matter what we did. That's why v6 has a large number of compatibility methods for dealing with them (yes, including the method described in the linked article). It wouldn't be possible to deploy it at all if it didn't.
As addresses started running out, the NAT RFC was published in 1994 and described NAT as a "short-term solution". NAT was never meant to be an integral part of IPv4. https://www.rfc-editor.org/rfc/rfc1631
NAT broke a ton of things which required more and more hacks piled on, making it more complex to build services on top if it (e.g., a server in the middle to proxy all the traffic needed between peers is a 100% requirement, with all the maintenance and scaling headaches that come with it).
If an address is not public how can you start a connection from it, or end a connection at it? A web server needs a public address if you want to have people reach it. And you, at some point, also have to have a public address if you want to connect to public services: either on your end-host, at your CPE/router's WAN interface, or on an interface of your ISP's CG-NAT box.
But having a public address on your end-host also allows for much more functionality than if you were stuck behind CPE-NAT or CG-NAT. Now, you don't have to use this functionality—just like how I didn't when my printer gets a publicly addressable (but not publicly reachable) IPv6 address—but it opens up various possibilities.
The people who have to make networks work need to know how IPv6 works - but there is no getting around that - they know how IPv4 works too.
All of those things exist in IPv6.
And it is physically impossible for DNS to be the same, as you have to create new resource record types ("A" is hard-coded to 32-bits) to support the new longer addresses, and have all user-land code start asking for, using, and understanding the new record replies. Just like with IPv6. A lot of legacy code did not have room in data structures for multiple reply types: sure you'd get the "A" but unless you updated the code to get the "A7" address (for "IPv7" addresses) you could never get to the longer address… just like IPv6 needed code updates to recognize AAAA, otherwise you were A-only.
And it has not existed since the start of IPv6 and is one of the many reasons why after all those years we are having a poor penetration of IPv6.
Hey, how awesome you live in an area where you have a choice of ISPs and can dismiss one that doesn't meet your spec, rather than having to simply shut up and eat what you're served!
Sorry, IPv6 is absolutely not the hill I'm going to die on.
I can't take seriously the claim that someone would literally refuse to move into an apartment purely on the basis of not having IPv6 support. Bad internet in general? Sure, that's plausible; I work from home, and like I said, the outages were annoying, and if there were no decent speed options my (now) wife and I might have ruled it out? But literally just the lack of IPv6? That's an absurd reason to pick another place to live entirely.
- How they would format the display of the bits
- Where in the bit pattern IPv4 mapped addresses should go
- Coming up with some variation of NAT64, NAT464, or similar concepts to communicate between/over IPv4 and IPv6 networks
- Blaming the optional extensions/features of IPv6 for being too complex and then inventing something which has 90% of the same parts which are actually required to use
It's even easy to get distracted in a world of "what you can do with IPv6" instead of just using the basics. The things that actually make IPv6 adoption slow are:
- A change in the size of the address field which requires special changes and configuration in network gear, operating systems, and apps because it's not just one protocol to think about the transport of again until the migration is 100% complete.
If IPv4 were more painfully broken then the switch would have happened long ago. People just don't care to move fast because they don't need to. IPv6 itself is fine though and, ironically, it's the ones getting the most value out of the optional extensions (such as cellular providers) who actually started to drive IPv6 adoption.
Interestingly, what you're describing really is similar to how many languages represent an IPv4 address internally. Go embeds IPv4 addresses inside of IPv6 structs as ::ffff:{IPv4 address}: https://cs.opensource.google/go/go/+/go1.26.2:src/net/ip.go;...
This is super useful because (at least on Linux) IPv6 sockets per default are dual-stack and bind to both IPv4 and IPv6 (except if you are using the IPV6_V6ONLY sockopt or a sysctl), so you don't need to open and handle IPv4 and IPv6 sockets separately (well, maybe some extra code for logging/checking properly with the actual IPv4 address).
That is also documented in ipv6(7):
IPv4 connections can be handled with the v6 API by using
v4-mapped-on-v6 address type; thus a program needs to support only
this API type to support both protocols. This is handled
transparently by the address handling functions in the C library.
IPv4 and IPv6 share the local port space. When you get an IPv4
connection or packet to an IPv6 socket, its source address will be
mapped to v6.
[0]: https://datatracker.ietf.org/doc/html/rfc5156#section-2.2
[1]: https://datatracker.ietf.org/doc/html/rfc4291#section-2.5.5....
What I argued was that IPv4 could be embedded into IPv6 address space if they had designed for it. But I agree, that the actual packet header layouts would need to look at least a bit different.
Like:
> Addresses in this group consist of an 80-bit prefix of zeros, the next 16 bits are ones, and the remaining, least-significant 32 bits contain the IPv4 address. For example, ::ffff:192.0.2.128 represents the IPv4 address 192.0.2.128. A previous format, called "IPv4-compatible IPv6 address", was ::192.0.2.128; however, this method is deprecated.[5]
* https://en.wikipedia.org/wiki/IPv6#IPv4-mapped_IPv6_addresse...
& the following section for the follow-up embedding.
Or:
> For any 32-bit global IPv4 address that is assigned to a host, a 48-bit 6to4 IPv6 prefix can be constructed for use by that host (and if applicable the network behind it) by appending the IPv4 address to 2002::/16.
> For example, the global IPv4 address 192.0.2.4 has the corresponding 6to4 prefix 2002:c000:0204::/48. This gives a prefix length of 48 bits, which leaves room for a 16-bit subnet field and 64 bit host addresses within the subnets.
* https://en.wikipedia.org/wiki/6to4
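An added example to go with the mapped-address and 6to4 quotes above and with the dual-stack socket point earlier in the thread (my code, not Go's and not any commenter's): on Linux a dual-stack AF_INET6 socket reports IPv4 peers as ::ffff:a.b.c.d, and a version-naive comparison against an IPv4 allow-list or deny-list silently never matches them. The helper unmaps before matching, and also builds a 6to4 /48 from an IPv4 address and recovers the IPv4 address embedded in either form. The allow-list contents are constructed sample data.

```python
import ipaddress
from typing import Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# constructed sample ACL: one IPv4 range, one IPv6 range
ACL_SAMPLE = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("2001:db8::/32")]


def canonical_peer(addr: str) -> Address:
    """Address as a dual-stack socket reports it -> the address the peer actually has.

    IPv4 peers arrive on an AF_INET6 socket as IPv4-mapped ::ffff:a.b.c.d
    (RFC 4291 section 2.5.5.2); return the plain IPv4 address for those.
    """
    a = ipaddress.ip_address(addr)
    if isinstance(a, ipaddress.IPv6Address) and a.ipv4_mapped is not None:
        return a.ipv4_mapped
    return a


def is_allowed(addr: str, allow: list) -> bool:
    """ACL check that is correct for mapped addresses. `in` against a network of the
    other IP version is simply False, so without canonical_peer an IPv4 client seen
    through a dual-stack socket never matches an IPv4 entry, allow or deny."""
    peer = canonical_peer(addr)
    return any(peer in net for net in allow)


def naive_is_allowed(addr: str, allow: list) -> bool:
    """The version-naive check, kept only for comparison."""
    peer = ipaddress.ip_address(addr)
    return any(peer in net for net in allow)


def sixto4_prefix(v4: str) -> ipaddress.IPv6Network:
    """2002::/16 followed by the 32-bit IPv4 address gives the host's 6to4 /48.
    (6to4 expects a global IPv4 address; the caller is responsible for that.)"""
    value = (0x2002 << 112) | (int(ipaddress.IPv4Address(v4)) << 80)
    return ipaddress.IPv6Network((value, 48))


def embedded_ipv4(v6: str):
    """IPv4 address carried inside a mapped or 6to4 IPv6 address, or None."""
    a = ipaddress.IPv6Address(v6)
    if a.ipv4_mapped is not None:
        return a.ipv4_mapped
    return a.sixtofour


if __name__ == "__main__":
    print(naive_is_allowed("::ffff:10.1.2.3", ACL_SAMPLE), is_allowed("::ffff:10.1.2.3", ACL_SAMPLE))
    print(sixto4_prefix("192.0.2.4"))          # 2002:c000:204::/48
    print(embedded_ipv4("2002:c000:204::1"))   # 192.0.2.4
```

The same normalisation belongs in front of rate limiters and ban lists keyed on the peer address, otherwise the IPv4 and the mapped spelling of one client are counted as two clients.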
So you have to ship new code to every 'network element' to support your "IPv4+" plan. Just like with IPv6.
So you have to update DNS to create new resource record types ("A" is hard-coded to 32-bits) to support the new longer addresses, and have all user-land code start asking for, using, and understanding the new record replies. Just like with IPv6. (A lot of legacy code did not have room in data structures for multiple reply types: sure you'd get the "A" but unless you updated the code to get the "A+" address (for "IPv4+" addresses) you could never get to the longer address… just like IPv6 needed code updates to recognize AAAA, otherwise you were A-only.)
You need to update socket APIs to hold new data structures for longer addresses so your app can tell the kernel to send packets to the new addresses. Just like with IPv6. In any 'address extension' plan the legacy code cannot use the new address space; you have to:
* update the IP stack (like with IPv6)
* tell applications about new DNS records (like IPv6)
* set up translation layers for legacy-only code to reach extended-only destination (like IPv6 with DNS64/NAT64, CLAT, etc)
You're updating the exact same code paths in both the "IPv4+" and IPv6 scenarios: dual-stack, DNS, socket address structures, dealing with legacy-only code that is never touched to deal with the larger address space.
Deploying the new "IPv4+" code will take time, and a partial deployment of IPv4+ is no different than having a partial deployment of IPv6: you have islands of it and have to fall back to the 'legacy' IPv4-plain protocol when the new protocol fails to connect:
* https://en.wikipedia.org/wiki/Happy_Eyeballs
"Just adding more bits" means updating a whole bunch of code (routers, firewalls, DNS, APIs, userland, etc) to handle the new data structures. There is no "just": it's the same work for IPv6 as with any other idea.
(This idea of "just add more addresses" comes up in every discussion of IPv6, and people do not bother thinking about what needs to change to "just" do it.)
> If IPv4 were more painfully broken then the switch would have happened long ago.
IPv4 is very painful for people not in the US or Western Europe that (a) were not there early enough to get in on the IPv4 address land rush, or (b) don't have enough money to buy as many IPv4 addresses as they need (assuming someone wants to sell them).
So a lot of areas of the world have switched, it's just that you're perhaps in a privileged demographic and are blind to it.
The lack of pain is not really about the US & Western Europe have plenty of addresses or something of that nature, it's that alternative answers such as NAT and CG-NAT (i.e. double NAT where the carrier uses non-public ranges for the consumer connections) deployments are still growing faster in those regions than IPv6 adoption when excluding cellular networks (they've been pretty good about adopting IPv6 and are where most of the IPv6 traffic in those regions comes from).
However, I think people do get tripped up by the paradigm shift from DHCP -> SLAAC. That's not something that is an inevitable consequence of increasing address size. And compared to other details (e.g. the switch to multicasting, NDP, etc.), it's a change that's very visible to all operators and really changes how things work at a conceptual level.
For comparison IPv4 had:
- Static (1980 - original spec)
- RARP (1984 - standalone spec)
- BOOTP (1985 - standalone spec)
- DHCP (1993 - standalone spec)
And for IPv6:
- Static (1995 - pre, 1998 final spec)
- SLAAC (1996 - pre standalone, 1998 final standalone)
- DHCPv6 (2003 - standalone)
Some of these have had subsequent minor updates, e.g. DHCP was updated in 1997 and so on.
There are some nice benefits of SLAAC over DHCP such as modest privacy: if device addresses are randomized they become harder to guess/scan; if there's not a central server with a registration list of every device even more so (the first S, Stateless). That's a great potential win for general consumers and a far better privacy strategy than NAT44 accidental (and somewhat broken) privacy screening. It's at odds with corporate device management strategies where top-down assignment "needs to be the rule" and device privacy is potentially a risk, but that doesn't make SLAAC a bad idea as it just increases the obvious realization that consumer needs and big corporate needs are both very different styles of sub-networks of the internet and they are conflicting a bit. (Also those conflicting interests are why consumer equipment is leading the vanguard to IPv6 and corporate equipment is languishing behind in command-and-control IPv4 enclaves.)
So you just change the version number… like was done with IPv6?
How would this be any different: all hosts, firewalls, routers, etc, would have to be updated… like with IPv6. So would all application code to handle (e.g.) connection logging… like with IPv6.
I mean, yes, in practice you can peek at the first byte if you know you're looking at an IP packet, but down that route lies expensive datacenter switches that can't switch packets sent to a destination MAC that starts with a 04 or 06 (looking at you, Cisco and Brocade: https://seclists.org/nanog/2016/Dec/29).
Asking as a European who did not have his IPv4 address changed for months or even years. Or is it IPv6 specific? But I cannot see why.
In our exponentially growing world that wouldn't help. By the time we ran out of Class As we were allocating a new one every month. Reclaiming all the unused addresses would barely make a dent in demand.
Someone did the math on this:
> Now, average daily assignment rates have been running at above 10 /8s per year, for 2010, and approached 15 /8s towards the end. This means any reclamation effort has to recover at least 15 /8s per year just to break even on 2010’s growth. That’s 5.9% of the total IPv4 address space, or 6.8% of the assignable address space. Is it feasible to be able to reclaim that much address space? Even if there were low-hanging fruit to cover the first year of new demand, what about there-after? Worse, demand for address space has been growing supra-linearly, particularly in Asia and Latin America. So it seems highly unlikely that any reclamation project can buy anything more than a years worth of time (and reclamation itself takes time).
* https://paul.jakma.org/2011/02/03/why-dont-we-just-reclaim-u...
There are 'only' four billion IPv4 addresses, and there are eight billion people on the planet. There are just as many smartphones (I have two: personal and work):
* https://www.weforum.org/stories/2023/04/charted-there-are-mo...
Even if you (CG-)NAT an IPv4 address for some number of people, you still need to have IPv4 addresses for public services (web, mail, NTP, etc).
There is no scenario where 2^32 addresses is enough for humanity's needs: at some point you need to go to a protocol with more than 32 bits of address space.
Unless all of these devices are running a dedicated full time server that must be reachable inbound by everyone this is not required. At any given time "all the people" are not online. That is why DHCP (per ISP) takes care of this. Maybe some day all the people may become terminally online but I would not count on it.
Yeah some day IPv6 may be required. Maybe in 100 years or so. IPv4 has plenty of unused allocated addresses that can be ripped away from greedy people. There was a time when ARIN would check to see what was in use and would take back anything people were squatting on. I think the reclamation project works if we dont assume everything has to be reachable as a server.
I should add that cell phones (where people are terminally online) were already IPv6 a long time ago for the most part so it's really a non issue. The only risk I see is if someone wanted to start a new massive dedicated server and VPS provider. Most of those are dual stack IPv4+IPv6 now and doing that means clawing some IPv4 space away from those I mentioned earlier.
I think this is a lack of imagination. The fact that (CG-)NAT is in the way could be precluding the development of software that could take advantage of incoming/P2P connections.
It's a form of (negative/inverse) survivorship bias: kind of like zoning for only single-family homes and yet saying "no one wants mid-rise towers/apartments as evidenced by the fact no one building them". The current rules/structure preclude any other options.
When we went from dial-up speeds to DSL/cable to fibre we were able to have all sorts new applications due to higher bandwidth. Are there classes of applications that we don't / can't have because of NAT? We're stuck with things that often need a central server (TURN/ICE/STUN) and I'd like people to have the ability to explore a more distributed/decentralized Internet.
"IPv4 is all we need because half the internet is already on IPv6 anyway" sounds like a weird argument to me.
I am very special, mama said so.
I stand by what I said. Get countries to do what I said and DHCP will take care of the rest. CGNAT can be binned once people do what I said.
Yeah, your mama was not wrong - you indeed are a special one. Now, let's bring you to a nearby playground...
Err... you do realize that the number of humans currently living on planet earth is twice the number of IPv4 addresses... right?
We can't all have an IPv4 address for each of our devices. We can't all even have one IPv4 address, period. But maybe they should just try not being poor, eh?
Not even by choice, mind you, but they naturally cement themselves in my mind over time as I work on systems because they're just that basic.
IPv6, on the other hand, I have literally one memorized (::1), likely because it's even shorter than a typical IPv4 address.
if Verizon charges to connect the building and couldn't make an agreement with the owner. Or maybe the owner has non-financial reasons (laziness & indifference) for denying them. Or maybe some operational reason Verizon wasn't confident in ability to install
Those billions can move right along doing what they're doing. They don't bother me; I don't bother them (other than you, it seems). Considering how "IPv6 exclusive" has worked for the last 25 years, I'm quite confident I'll be dead before I reach the point of caring about it (and even if I make it, I'm equally confident I'll be able to manage both stacks).
This sort of tiresome sophistry really gets old. "But what about camgunz nearly religious need to pretend IPv6 is the One True Way and all others are heretical" is not more relevant to the wider world than "but what about kjs3's ISP".
[1] Emphasis on "that I need". I'm a network engineer and architect. Passed tests even. I've done IPv6 in prod, and I can contrive all sorts of "that only works if you're IPv6 only" scenarios and have had to work around some of them. They aren't relevant to my ISP or me.
The difference is that your home router does not get a public IP on its WAN interface, but perhaps the non-publicly-routable 100.64.0.0/10 [1] with CG-NAT.
So if you don't have a public IP address, how exactly are you supposed to forward anything? What is the other end supposed to connect to as an IP address?
Yes...? I know that, but does that cause any issues in practice other than death of P2P?
> So if you don't have a public IP address, how exactly are you supposed to forward anything? What is the other end supposed to connect to as an IP address?
I already mentioned port forwarding because with something like CG-NAT, it is often not possible (or not allowed). But I am not aware of any issues that stem from this other than an inability for others to establish connections directly to you. In fact, my network has a public IPv4 without CG-NAT and yet I am already used to being unable to receive data other than back through a TCP stream. That is the entire reason reverse proxy tunnels (such as ngrok, etc.) exist.
Well:
> If you’re a gamer using PS5, Xbox, or PC in 2025, running into Double NAT or CGNAT port forwarding issues can make online play nearly impossible. Many 5G home internet and satellite services (like T-Mobile Home Internet and Starlink) put users behind carrier-grade NAT, which blocks direct connections and port forwarding. The good news? There are still workarounds that can open up your connection for smoother online gaming.
* https://www.modemguides.com/blogs/modemguides-blog/double-na...
See also:
* https://en.wikipedia.org/wiki/Carrier-grade_NAT#Disadvantage...
When we went from dial-up speeds to DSL/cable to fibre we were able to have all sorts new applications due to higher bandwidth. Smartphones are capable of all sorts of things because they're always online: back in the day people used to talk about "being online" and saying "sorry, I was offline", because you only had connectivity at the office or at home (where you dialed into your ISP).
What kind of applications and services are not being invented because we're stuck with the current non-P2P / centralized setup of IPv4+NAT?
>other
Well you just handwaved away the most significant difference between NAT and native IP, obviously there won't be any major difference to discuss about anymore!
No, we can't ignore port forwarding. The key thing to realize about NAT is that someone owns the NAT. Back then, the NAT lived inside each of the home routers, so even if you have a "strict" NAT (endpoint-dependent mapping NAT, i.e. one that doesn't allow for hole-punching), you can easily bypass it by setting up a manual port forwarding entry.
With CGNAT that's no longer possible, you do not control the NAT. If your ISP decides to screw you over, you essentially do not have a choice but to get a relay, which needlessly costs you money.
---
But if you really want to know what advantages native IP has over NAT, I'd say the lack of keepalive packets (to keep a holepunched NAT entry from being removed) is a pretty nice thing.
That alone is significant.
Furthermore, DHCPv6 holds you back from various desirable things like privacy addresses and (arguably even more importantly) IPv6 Mostly.
(What's up with people constantly suggesting that v6 should do things that it already does?)
The result is basically the same situation we are in today, except much more hacky. You'd still have to do a bunch of upgrades.
No, that would be darn silly. For ISP allocation like all normal ISPs.
Gosh golly friend.
Port forwarding is nice, but everyone already knows you can hardly run a server at home (even in countries where port forwarding is standard). It's been this way for as long as I can remember. So yes I handwave it away because it doesn't matter. If that's the only drawback to CG-NAT (other than single IP address bans applying to entire nations or something) I hardly understand why it warrants treatment as such a terrible awful disaster.
I will raise you the opposite point: why deprive people of their ability to have a globally addressable IP address?
>But even UDP should work through CG-NAT.
I have already told you why it is wrong to make such an assumption, haven't I?
I have heard of stories coming from China and Vietnam that some ISPs implement so-called "type 4 NAT", otherwise known as symmetric NAT or NAT with endpoint-dependent mapping.
This kind of NAT is NOT hole-punchable. And because you don't control the NAT, you are simply SOL if one day your NAT decides to switch to it. Can't even use Tailscale without significant service degradation now, ouch.
Granted, I have only heard about it in Vietnam and China, and it's not a national thing -- only some provinces seem to have symmetric NAT implemented. But I feel the need to remind you that the ISPs there were able to get away with it, because the two countries have significant IPv6 presence. [0]
>Port forwarding is nice, but everyone already knows you can hardly run a server at home (even in countries where port forwarding is standard).
You can hardly run a server at home because we have been facing address space depletion since the dot com bubble.
>I hardly understand why it warrants treatment as such a terrible awful disaster.
You haven't faced an overloaded CGNAT gateway, have you? [1]
[0]: https://stats.labs.apnic.net/ipv6/XD
[1]: https://www.reddit.com/r/ipv6/comments/1as8dvy/is_there_a_wa...
Why would DHCPv6 hold back privacy addresses? Can't DHCPv6 servers generate random host address bits and assign them in DHCP Offer packets? Couldn't clients generate random addresses and put them in Request packets?
See perhaps OPTION_IA_TA (Temporary Address):
* https://datatracker.ietf.org/doc/html/rfc8415#section-21.5
* https://en.wikipedia.org/wiki/DHCPv6#Option_Codes
DHCPv6 temporary addresses have the same properties as SLAAC temporary addresses (see Section 4.6). On the other hand, the properties of DHCPv6 non-temporary addresses typically depend on the specific DHCPv6 server software being employed. Recent releases of most popular DHCPv6 server software typically lease random addresses with a similar lease time as that of IPv4. Thus, these addresses can be considered to be "stable, semantically opaque". [DHCPv6-IID] specifies an algorithm that can be employed by DHCPv6 servers to generate "stable, semantically opaque" addresses.
* https://datatracker.ietf.org/doc/html/rfc7721#section-4.7
How does DHCPv6 hold back IPv6-mostly? First, most clients will send out a DHCPv4 request in case IPv4 is the only option, in which case IPv6-mostly can be signalled:
* https://datatracker.ietf.org/doc/html/rfc8925
And hosts would also have to send out an IPv6 RS, and the RA can signal IPv6-mostly:
* https://datatracker.ietf.org/doc/html/rfc8781
* https://datatracker.ietf.org/doc/html/draft-ietf-v6ops-6mops...
I was unaware of this, so thanks. Sounds like it addresses (pun intended) my concern.
> How does DHCPv6 hold back IPv6-mostly? First, most clients will send out a DHCPv4 request in case IPv4 is the only option, in which case IPv6-mostly can be signalled
It's not the signalling that's the problem--it's the configuration of the CLAT which requires SLAAC, afaiu. This is in fact the subject of the latest IPv6 Buzz podcast episode: https://packetpushers.net/podcasts/ipv6-buzz/ipb197-slaac-an...
"Yeah? Well, you know, that's just like uh, your opinion, man." — The Dude
Publicly addressable ≠ publicly reachable.
When I was with my last ISP which had IPv6, my printer had a public address, but the only people who could reach it were those on my home network.
No imagination required. P2P works fine if at least 20% to 30% have ports open inbound. 70%+ need not have open inbound ports. Where this could theoretically be a problem is if a specific sub-set of CG-NAT users were the only people seeding and downloading something. This non existent problem can be worked around using a VPN mesh. Tinc is an open source VPN that operates in user-space and while not as fast as Wireguard it can do things Wireguard could never dream of such as user space mesh routing, always discovering the shortest path. The advantage of this is keeping ambulance chasing lawyers off the P2P/VPN mesh. The only imagination required is how to keep the network semi-private. In my experience this is running a semi-private invite-only self hosted forum. In reality none of this is required for P2P however.
"Seeding"? "Downloading"? I think applications besides BitTorrent could be invented and become popular. Even now, existing things like SIP and WebRTC would probably be much less onerous.
> This non existent problem can be worked around using a VPN mesh. Tinc is an open source VPN that operates in user-space and while not as fast as Wireguard it can do things Wireguard could never dream of such as user space mesh routing, always discovering the shortest path.
So you're introducing another layer of software because the underlying network does not have the functionality available (just like STUN/TURN/ICE had to be invented to deal with NAT).
Here's another idea: have IPv6, and if folks want to have end-to-end encrypted communications, start up an IKEv2 process (that opens a hole for its port via UPNP/PCP), and we have IPsec (which is built into most OSes anyway) encrypted communications opportunistically enabled.
This operational difficulty has been recognized and alternatives are being put forward:
* https://datatracker.ietf.org/doc/html/draft-ietf-v6ops-clato...
On top of that, it lulls you into a false sense of security, so you confidently think it's protecting you even when it isn't. At least not having NAT makes the actual state of your network clearer.
Yeah that's called port forwarding. It is like complaining that light is coming into your house through windows. Fully intentional.
If no other aspect of your setup blocks the connection, it'll be successful. If you were deploying NAT because you thought it would function as a firewall then this part is probably not intentional.
I don't know? I've never had CG-NAT and yet I've never seen a piece of software that takes advantage of that except maybe for games that use UPnP to open ports.
Maybe we haven't seen many products available on the market to take advantage of it because the current standard of NATs make such things practically unworkable?
It's pretty much impossible to ship smart home stuff that is hosted locally (i.e. not without it connecting to some cloud service) because people want to access these smart devices from outside their home. They're not likely to configure a VPN to connect home, they're not going to configure NATs in any workable fashion (or may be unable to, such as CGNAT), the applications probably don't want to have to handle NAT hairpinning issues, etc.
So instead we continue down everything that's popular being something that requires a cloud proxy/relay (because that's the only way things actually work for most people), when in reality if things could just be public we could do a whole bunch more and empower people to easily host things themselves.
Which, as a sibling comment mentions, is the point.
The fact that (CG-)NAT is in the way could be precluding the development of "software that takes advantage of that". It's a form of (negative/inverse) survivorship bias: kind of like zoning for only single-family homes and yet saying "no one wants mid-rise towers/apartments as evidenced by the fact no one is building them". The current rules/structure/architecture preclude any other options.
Is there anything you do on a computer that involves communicating with another user? That's not just anything - that's most things! All communication between two computers is improved by not requiring NAT.
Corporations love to keep us dependent on their central servers, of course.
I wouldn't. I just don't understand, if the alternative is having no internet access at all, why CG-NAT is so utterly deplorable.
> This kind of NAT is NOT hole-punchable. And because you don't control the NAT, you are simply SOL if one day your NAT decides to switch to it.
Can you clarify what you mean by hole-punchable? If all else fails, just use TCP, right? Does TCP also not work? I'm also not talking about connection between peers but connection to a server. Connection between peers has never been a 100% reliable strategy regardless of anything.
> You haven't faced an overloaded CGNAT gateway, have you? [1]
I have not, but that is not inherent to CG-NAT, is it? Any switch or other hop between you and your destination can be overloaded. The destination itself can be overloaded.
I... uh, what? Please... learn more about hole punching before trying to engage in the topic.
Hole punching, in the context of NAT, is a technique where you establish peer-to-peer connection between hosts behind a NAT.
It does not matter which protocol you use, UDP or TCP or chuckles SCTP. If you want to establish P2P connection, you must hole punch.
The only alternative is to use relays.
>I have not, but that is not inherent to CG-NAT, is it? Any switch or other hop between you and your destination can be overloaded.
A typical hop does not need to maintain a huge dynamic state table. NAT, due to its very own temporal nature, must do so.
>destination itself can be overloaded.
Apples and oranges. Destination overload is a service problem. Hop overload is an infrastructural problem.
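As an added illustration of the symmetric-NAT ("type 4", endpoint-dependent mapping) point and the hole-punching description above, and not code from any commenter: a toy Python model of the two RFC 4787 mapping behaviours with a rendezvous-based UDP hole punch, showing why the punch succeeds under endpoint-independent mapping and fails once either side is symmetric. All host addresses, ports and the rendezvous server are constructed values.

```python
from dataclasses import dataclass, field

@dataclass
class Nat:
    """Toy NAT: one public IP, address+port-dependent filtering (RFC 4787),
    and either endpoint-independent mapping (cone-style) or endpoint-dependent
    mapping (symmetric, the thread's "type 4"). Constructed model, not real code."""
    ext_ip: str
    symmetric: bool                    # True = endpoint-dependent mapping
    next_port: int = 40000             # first external port to hand out
    mappings: dict = field(default_factory=dict)  # key -> external port
    filters: set = field(default_factory=set)     # (ext_port, remote) allowed in

    def outbound(self, internal, remote):
        """Translate a packet from internal=(ip, port) to remote=(ip, port).
        Returns the external (ip, port) the remote host will actually see."""
        key = (internal, remote) if self.symmetric else internal
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.next_port += 1
        ext_port = self.mappings[key]
        self.filters.add((ext_port, remote))   # reply from this remote is now allowed
        return (self.ext_ip, ext_port)

    def inbound(self, remote, ext_port):
        """True if a packet from remote=(ip, port) to ext_port gets through."""
        return (ext_port, remote) in self.filters

def hole_punch(nat_a, nat_b, a=("10.0.0.2", 5000), b=("192.168.1.9", 5000)):
    """Classic UDP hole punch via a rendezvous server S (constructed address).
    Returns (a_reaches_b, b_reaches_a)."""
    S = ("203.0.113.1", 3478)
    # 1. Both peers contact S, which records the reflexive address it sees.
    refl_a = nat_a.outbound(a, S)
    refl_b = nat_b.outbound(b, S)
    # 2. S hands each peer the other's reflexive address (out of band here).
    # 3. Both peers send to that address at once, opening their own NAT filter.
    ext_a_to_b = nat_a.outbound(a, refl_b)
    ext_b_to_a = nat_b.outbound(b, refl_a)
    # 4. Each packet arrives from the external tuple the sender's NAT really used;
    #    with symmetric mapping that differs from what S reported, so it is dropped.
    return (nat_b.inbound(ext_a_to_b, refl_b[1]),
            nat_a.inbound(ext_b_to_a, refl_a[1]))

if __name__ == "__main__":
    for sym_a, sym_b in [(False, False), (True, True), (False, True)]:
        result = hole_punch(Nat("198.51.100.1", sym_a), Nat("198.51.100.2", sym_b))
        print(f"A symmetric={sym_a} B symmetric={sym_b}: a->b, b->a = {result}")
```

With both NATs symmetric, the only remaining option in this model is exactly what the comment says: a relay, because neither peer can learn the port its counterpart's NAT allocated for it.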
I'm not engaging in the topic of hole punching though? The topic is whether CG-NAT has drawbacks other than lack of port forwarding. As I've said many times, expecting P2P connectivity has never been viable. But you ignore that and keep talking about how hard hole punching is, as if it's indispensable. What makes it so indispensable? Why is it so critical?
> Hole punching, in the context of NAT, is a technique where you establish peer-to-peer connection between hosts behind a NAT.
Good, that confirms I was never talking about that. I even explicitly clarified I was not talking about that (though you may have loaded my comment before that edit.)
> It does not matter which protocol you use, UDP or TCP or chuckles SCTP. If you want to establish P2P connection, you must hole punch.
You don't need to establish P2P connection so I don't see why that's such a problem. Again, it has never been safe to assume P2P connection is possible. Period. It is merely a progressive enhancement.
You don't mention port forwarding without mentioning hole punching.
Because what is port forwarding for, if not to ease the establishment of direct connections?
>You don't need to establish P2P connection
If you are seriously suggesting Server-Client Is All You Need (TM), I feel we might as well stop the discussion now. VoIP essentially requires P2P, WebRTC is much better with P2P. BitTorrent etc obviously runs on P2P.
Services that provide relays (for people who can't establish P2P connection) for free, can only do so because they expect most connections to NOT go through the relay, and so they could simply stomach the costs of running one small relay.