Today in our newest take on “older technology is better”: why NAT rules!

  • sep@lemmy.world
    link
    fedilink
    arrow-up
    92
    ·
    1 month ago

    I felt dirty! and broke so much shit when i had to implement NAT on networks in the mid 90’s. Nowdays with ipv6 and getting rid of NAT is much more liberating. The difference is staggering!

    • you do not need NAT any longer, firewall is the security, just like on ipv4, just less obscurity.
    • you do not need dns views, to workaround NAT any more
    • you do not need hairpin NAT to workaround NAT any more
    • you do not need to renumber to resize a network. they are always /64, and the answer to how many hosts can it fit is: ALL of them!
    • many ALG’s will be unnecessary since there is not NAT.
    • vpn’s are easier, since it can be the same address both inside and outside the vpn, the firewall (or host even) enforces the encryption.
    • vpn’s are MUCH easier since you will have less rfc1918 collisions due to some other network using the rfc1918 of the vpn’s network
    • vpn’s are MUCH MUCH easier since you will have less rfc1918 collisions due to you using the rfc1918 of the vpn partner network, to 1:1 nat a previous vpn network you collided with some months ago… ARGH!!!
    • vpn are generally less required, heck i swear 95% of the time the VPN are just to workaround the NAT problem and the data is pointlessly double or triple encrypted.
    • you can make more granular firewall rules (eg the spesific host, or network of the source address, instead of the whole enterprise’s public ip) this is real tangible improved security, where any random machine in a network you do not control. do not automatically have openings into your own network.
    • firewall objects can if it is suited easily use and depend on FQDN DNS objects when allowing traffic. reducing the need of coordinating firewall object ip address changes between 15 companies.
    • firewall rules are easier, more readable, and much more predictable how they will work. All the hairpin nat, public to private nat, private to public nat for a thing that need a different public ip, 1:1 nat for a separate zone, NAT to a vpn or 50 (where 10 of them are 1:1 nat due to collisions, making you require 4 dns views of the same ip space!! ) very quickly gets messy and unreadable. this is probably the largest security benefit. just to reduce the complexity.
    • much easier to get people to use dns, since nobody wants to remember ipv6 addresses :D
    • nibbles in the ipv6 address can have meanings you assign to them, making the networks and structure both easy to remember and logically structured.
    • aggregating routes becomes very easy if you design your network that way.
    • firewall policies can become easier if you design your network that way.
    • your routing tables is leaner and easier, and of a better consistency. We have 1 large public ipv6 prefix, but 25ish ipv4 prefixes of all kinds of various sizes.
    • no need to spend $$ to buy even more ipv4 prefixes.
    • no need to have spent hundreds of $$ on a new ipv4 prefix only to be unable to use them for over a year because you need to sanitize the addresses from all the reputation filters. and constantly hound geo ip database providers to update the new country of the prefix. (i am bitter, can you tell…)
    • did i mention no need to renumber since you need to grow the /24 to /23 due to to many hosts in a network ?
    • did i mention no need to renumber 2 /24’s to /25’s to make space for that larger /23.
    • you do not even need any ipv4 addresses any more, use a public NAT64 service, for outgoing. and for incoming just use one of the many free public ipv4 to ipv6 proxies for your services online. for a homelab i really like http://v4-frontend.netiter.com/ (go support them) But most large business l networks use cloudflare, or akamai
    • since you do not need your ipv4 address space any more, you can ~~sell them for a profit $$$ ~~ return them to the RIR and give some address space to one of the thousands of companies struggling because they do not have any IPv4 : https://www.ripe.net/manage-ips-and-asns/ipv4/ipv4-waiting-list/
    • much lower latency on ipv6, since you do not go across a cloud based ipv4 to ipv6 proxy in order to reach the service ;)

    Now the greatest and best effect of ipv6 is none of the above. It is that with ipv6 we have a slim hope of reclaiming some of what made the Internet GREAT in the first place. When we all stood on equal footing. Anyone could host their own service. Now we are all vassals of the large companies that have made the common person into a CGNAT4444 using consumer mindlessly lapping up what the large company providers sees fit to provide us. with no way to even try to be a real and true part of the Internet. Fight the companies that want to make you a eyeball in their statistic, Set up your own IPv6 service on the Internet today !

      • jdeath@lemm.ee
        link
        fedilink
        arrow-up
        3
        ·
        1 month ago

        i got like a third through it before scrolling to the bottom to see how long it was. omg! should be the canonical example of the opposite of a shitpost ha

    • GTG3000@programming.dev
      link
      fedilink
      arrow-up
      4
      ·
      29 days ago

      Imagine actually having ipv6 available through your ISP.

      …and ever if my ISP actually provided one, getting a static one costs money so there’s no difference in the end.

      • sep@lemmy.world
        link
        fedilink
        arrow-up
        3
        ·
        29 days ago

        I guess I am lucky. 3 out of 3 isp’s available from in my region provide IPv6 with a dhcp-pd assigned stable address by default. (Norway)

        • GTG3000@programming.dev
          link
          fedilink
          arrow-up
          2
          ·
          29 days ago

          Yeah, here in Russia the ISPs and IT infrastructure guys seem to be treating IPv6 like it has cooties. I can’t find an article (and it’d be in russian anyway) but as far back as 2022, if you get IPv6 you can expect a variety of issues with it, ranging from “you need to reboot your router every once in a while” to “you technically have v6 but good luck actually browsing v6 internet”.

          And of course, why would they give you a stable IP when they can charge for it :T. At least it’s only a third the price of a stable IPv4.

          My current ISP technically provides v6 according to their site - but my connection doesn’t have it, and since there’s nothing about it in the years-old contract, I’d need to redo that if I want to complain.

          • sep@lemmy.world
            link
            fedilink
            arrow-up
            2
            ·
            29 days ago

            You have my sympathy. I do not know of a sure way to get isp’s to behave. Espesially not if they have regional monopoly

            • GTG3000@programming.dev
              link
              fedilink
              English
              arrow-up
              2
              ·
              29 days ago

              There are usually plenty of choices for ISPs here, actually. But switching between them isn’t likely to give me IPv6 since either they share a magistral or the hardware is just plain old. That, and IPv6 is just not a thing anyone markets.

              …and with the current fuckery going on, I doubt many of them have budget for big upgrades. Or maybe even access to hardware to buy.

      • Kazumara
        link
        fedilink
        arrow-up
        2
        ·
        29 days ago

        I just get that included. Like the Norwegian guy, but in Switzerland from Init7

    • dan@upvote.au
      link
      fedilink
      arrow-up
      4
      ·
      29 days ago

      This is one of the best comments I’ve ever read on Lemmy. Thanks for writing it. I fully agree with all your points!

      • sep@lemmy.world
        link
        fedilink
        arrow-up
        2
        ·
        29 days ago

        Thank you! :) I also notice i compleatly forgot the port exhaustion issue we see with larger networks behind roo few ipv4 NAT addresses…

    • stoy@lemmy.zip
      link
      fedilink
      arrow-up
      4
      arrow-down
      2
      ·
      30 days ago

      But IPv4 addresses are easier to remember!

      /s

      I could see a point of having home networks stay on IPv4 and NAT with an external v6 address.

      That would keep the current security model for home networks where we can assume general tech litteracy is low.

      • sep@lemmy.world
        link
        fedilink
        arrow-up
        4
        ·
        29 days ago

        That is not how it works. You can have a home network on ipv6. And it can reach all of ipv4 via nat ( just like ipv4 do today). A net with only ipv4 can not reach any ipv6 without a proxy that terminst the v4 connection and make a new v6 connection. since ipv6 is backwards compatible. But ipv4 is naturally not forwards compatible.

        Also it is the default deny of the stateful firewall that always coexist with NAT, since NAT depends on that state, that is the security in a NAT router.
        That default deny is not in any way dependant on the NAT part.

          • sep@lemmy.world
            link
            fedilink
            arrow-up
            3
            ·
            29 days ago

            If there is a ipv6 service online. That you want to reach from a v4 only client. You can set up a fixed 1:1 nat on your firewall where you define a fake internal ipv4 address -> destination NAT onto the public ipv6 address of the service. And SRC NAT64 embed your clients internal v4 into the source ipv6 for the return traffic. And provide a internal dns view A record pointing to the fake internal ip record. It would work, but does not scale very well. Since you would have to set this up for every ipv6 ip.

            A better solution would be to use a dualstack SOCKS5 proxy with dns forwarding where the client would use the IPv6 of the proxy for the connection. But that does not use NAT tho.

            The best solution is to deploy IPv6 ofcourse. ;)

    • Tja@programming.dev
      link
      fedilink
      arrow-up
      5
      arrow-down
      8
      ·
      1 month ago

      Con: you are now even more dependent on DNS, increasing the blast radius even more if when it breaks.

      • sep@lemmy.world
        link
        fedilink
        arrow-up
        7
        arrow-down
        1
        ·
        30 days ago

        But DNS rarely break. The meme about it beeing DNS’s fault is more often then not just a symptom of the complexity of IPv4 NAT problem.

        If i should guesstimate i think atleast 95% of the dns issues i have ever seen, are just confusion of what dns views they are in. confusion of inside and outside nat records. And forgetting to configure the inside when doing the outside or vice verca. DNS is very robust and stable when you can get rid of that complexity.

        That beeing said, there are people that insist on obscurity beeing security (sigh) and want to keep doing dns views when using IPv6. But even then things are much easier when the result would be the same in either view.

        • Tja@programming.dev
          link
          fedilink
          arrow-up
          3
          arrow-down
          1
          ·
          30 days ago

          I broke DNS plenty of times in my homelab independent from NAT. In the last few months:

          • didn’t turn off DNS server in a wifi router set up as bridged access point
          • dnsmasq failing to start because I removed an interface
          • dnsmasq failing to start because the kernel/udev didn’t rename an interface on time
          • dnsmasq failing to start because hostapd error didn’t set proper interface settings
          • forgot to remove static DNS entries in /etc/hosts used for testing
          • forgot to remove DNS entries from /etc/resolve.conf after visiting a friend and working on his setup

          Yes, most of them is my dumb ass making mistakes, but in the end it’s something that constantly breaks and it helps knowing the IP addresses of my servers and routers.

          Aditionally, obscurity is a security helper. The problem is relying only on obscurity. But if I have proper firewall rules in place and strong usernames and passwords I still prefer if you don’t even know the IP addresses of my servers on top of that (in case I break some of the other security layers).

        • Mr_Dr_Oink@lemmy.world
          link
          fedilink
          arrow-up
          3
          arrow-down
          1
          ·
          30 days ago

          That beeing said, there are people that insist on obscurity beeing security (sigh) and want to keep doing dns views when using IPv6. But even then things are much easier when the result would be the same in either view.

          OMG!!

          This guys a bee! Everybody run!!!

  • mholiv@lemmy.world
    link
    fedilink
    arrow-up
    83
    arrow-down
    1
    ·
    1 month ago

    I think it’s worth taking the time to learn IPv6 property. If you have a good understanding of IPv4 it shouldn’t take you more than an afternoon.

    Eliminating NAT and just using firewall rules (ie what NAT does behind your back) is incredibly freeing.

    I don’t get people complaining about typing out IPs. I like to give all of my clients full FQDNs but you don’t have to. Just using mDNS would be enough to avoid typing a bunch of numbers.

    • FrostyCaveman@lemm.ee
      link
      fedilink
      arrow-up
      33
      arrow-down
      3
      ·
      1 month ago

      Maybe I have Stockholm Syndrome, but I like NAT. It’s like, due to the flaws of IPv4 we basically accidentally get subnets segmented off, no listening ports, have to explicitly configure port forwarding to be able to listen for connections, which kinda implies you know what you’re doing (ssshh don’t talk about UPnP). Accidental security of a default deny policy even without any firewalls configured. Haha. I’m still getting into this stuff though, please feel free to enlighten me

      • mholiv@lemmy.world
        link
        fedilink
        arrow-up
        22
        ·
        1 month ago

        I don’t think you have Stockholm syndrome. You just like what you already understand well. It’s a normal part of the human condition.

        All those features of nat also work with IPV6 with no nat in the exact same way. When I want to open up a port I just make a new firewall rule. Plus you get the advantages of being able to address the ach host behind the firewall. It’s a huge win with no losses.

      • Domi@lemmy.secnd.me
        link
        fedilink
        arrow-up
        19
        arrow-down
        1
        ·
        1 month ago

        Anything connected to an untrusted network should have a firewall, doesn’t matter if it’s IPv4 or IPv6.

        There’s functionally no difference between NAT on IPv4 or directly allowing ports on IPv6, they both are deny by default and require explicit forwarding. Subnetting is also still a thing on IPv6.

        If anything, IPv6 is more secure because it’s impossible to do a full network scan. My ISP assigned 4,722,366,482,869,645,213,696 addresses just to me. Good luck finding the used ones.

        With IPv4 if you spin up a new service on a common port it usually gets detected within 24h nowadays.

        • RecallMadness@lemmy.nz
          link
          fedilink
          arrow-up
          6
          arrow-down
          1
          ·
          edit-2
          1 month ago

          Could a hypothetical attacker not just get you to visit a webpage, or an image embedded in another, or even a speculatively loaded URL by your browser. Then from the v6 address of the connection, directly attack that address hoping for a misconfiguration of your router (which is probable, as most of them are in the dumbest ways)

          Vs v4, where the attacker just sees either your routers IP address (and then has to hope the router has a vulnerability or a port forward) or increasingly gets the IP address of the CGNAT block which might have another 1000 routers behind it.

          Unless you’re aggressively rotating through your v6 address space, you’ve now given advertisers and data brokers a pretty accurate unique identifier of you. A much more prevalent “attack” vector.

          • Domi@lemmy.secnd.me
            link
            fedilink
            arrow-up
            9
            ·
            1 month ago

            There is this notion that IPv6 exposes any host directly to the internet, which is not correct. When the client IP is attacked “directly” the attacker still talks to the router responsible for your network first and foremost.

            While a misconfiguration on the router is possible, the same is possible on IPv4. In fact, it’s even a “feature” in many consumer routers called “DMZ host”, which exposes all ports to a single host. Which is obviously a security nightmare in both IPv4 and IPv6.

            Just as CGNAT is a thing on IPv4, you can have as many firewalls behind one another as you want. Just because the target IP always is the same does not mean it suddenly is less secure than if the IP gets “NATted” 4 times between routers. It actually makes errors more likely because diagnosing and configuring is much harder in that environment.

            Unless you’re aggressively rotating through your v6 address space, you’ve now given advertisers and data brokers a pretty accurate unique identifier of you. A much more prevalent “attack” vector.

            That is what the privacy extension was created for, with it enabled it rotates IP addresses pretty regularily, there are much better ways to keep track of users than their IP addresses. Many implementations of the privacy extension still have lots of issues with times that are too long or with it not even enabled by default.

            Hopefully that will get better when IPv6 becomes the default after the heat death of the universe.

            • cmnybo
              link
              fedilink
              English
              arrow-up
              2
              ·
              1 month ago

              Since you can have multiple IPv6 addresses on one machine, you can use a rotating address for all outbound connections and a permanent address for inbound connections. If you visit a malicious website that tries to attack the IP that visits it, there will be no ports open. They would have to scan billions of addresses to find the permanent address. All of that scanning would be easily detected and blocked by an IDS.

            • dan@upvote.au
              link
              fedilink
              arrow-up
              2
              ·
              29 days ago

              There is this notion that IPv6 exposes any host directly to the internet, which is not correct.

              TP-Link routers used to actually do this. They didn’t have an IPv6 firewall at all. In fact they didn’t add an IPv6 firewall to their “enterprise-focused” 10Gbps router (ER8411) until October 2023.

        • Forbo@lemmy.ml
          link
          fedilink
          arrow-up
          5
          ·
          edit-2
          1 month ago

          I wouldn’t rely on the size of the address space to provide security. It’s possible to find hosts through methods other than brute force scanning. I remember seeing a talk from a conference (CCC? DEF CON? I can’t remember) where they were able to find hosts in government IPv6 address space (might have been DOD?) through stuff like certificate transparency logs and other DNS side channels.

          Man, I need to go find that talk now…

          Edit: I don’t think this is the one I saw previously but is in a similar vein: https://www.youtube.com/watch?v=AayifEqLbhI

          • Domi@lemmy.secnd.me
            link
            fedilink
            arrow-up
            2
            ·
            edit-2
            1 month ago

            Will take a look at the talk once I get time, thanks. If you can find the original one you were talking about, please link.

            For servers, there is some truth that the address space does not provide much benefit since the addressing of them is predictable most of the time.

            However, it is a huge win in security for private internet. Thanks to the privacy extension, those IPs are not just generated completely random, they also rotate regularily.

            It should not be the sole source of security but it definitely adds to it if done right.

        • FrostyCaveman@lemm.ee
          link
          fedilink
          arrow-up
          3
          ·
          1 month ago

          Ahh, woah, I never thought about the huge address space would affect network scans and such.

          With NAT on IPv4 I set up port forwarding at my router. Where would I set up the IPv6 equivalent?

          I guess assumptions I have at the moment are that my router is a designated appliance for networking concerns and doing all the config there makes sense, and secondly any client device to be possibly misconfigured. Or worse, it was properly configured by me but then the OS vendor pushed an update and now it’s misconfigured again.

          • Domi@lemmy.secnd.me
            link
            fedilink
            arrow-up
            5
            ·
            1 month ago

            With NAT on IPv4 I set up port forwarding at my router. Where would I set up the IPv6 equivalent?

            The same thing, except for the router translating 123.123.123.123 to 192.168.0.250 it will directly route abcd:abcd::beef to abcd:abcd::beef.

            Assuming you have multiple hosts in your IPv6 network you can simply add “port forwardings” for each of them. Which is another advantage for IPv6, you can port forward the same port multiple times for each of your hosts.

            I guess assumptions I have at the moment are that my router is a designated appliance for networking concerns and doing all the config there makes sense, and secondly any client device to be possibly misconfigured. Or worse, it was properly configured by me but then the OS vendor pushed an update and now it’s misconfigured again.

            That still holds true, the router/firewall has absolute control over what goes in and out of the network on which ports and for which hosts. I would never expose a client directly to the internet, doesn’t matter if IPv4 or IPv6. Even servers are not directly exposed, they still go through firewalls.

        • dan@upvote.au
          link
          fedilink
          arrow-up
          1
          ·
          edit-2
          29 days ago

          Good luck finding the used ones.

          That and the IPv6 address on client systems will periodically rotate (privacy extensions), so the IPs used today won’t necessarily be the ones used tomorrow.

          (you can disable that of course, and it’s usually disabled by default on server-focused OSes)

      • Thiakil@aussie.zone
        link
        fedilink
        arrow-up
        7
        ·
        30 days ago

        Instead of nat and port forwards that rewrite, your firewall is set to only forward specific traffic, exactly how’d you’d configure outbound forwarding on a nat network (but opposite directions)

        Open forwarding is a router, not a firewall

      • frezik@midwest.social
        link
        fedilink
        arrow-up
        3
        ·
        29 days ago

        Every time I see a defense of IPv4 and NAT, I think back to the days of trying to get myself and my roommate to play C&C: Generals together online, with a 2v2 game, with one of us hosting. Getting just the right combination of port forwarding working was more effort than us playing C&C: Red Alert on dial up when we both lived at home.

        With IPv6, the answer is to open incoming traffic on the port(s) to the host machine (or just both since the other guy is might host next time). With IPv4, we have to have a conversation about port forwarding and possibly hairpin routes on top of that. This isn’t a gate for people “who know what they’re doing”, it’s just a bunch of extra bullshit to deal with.

      • dan@upvote.au
        link
        fedilink
        arrow-up
        2
        ·
        29 days ago

        accidentally get subnets segmented off, no listening ports, have to explicitly configure port forwarding to be able to listen for connections

        You can intentionally get that behaviour by using a firewall.

    • NeatNit
      link
      fedilink
      arrow-up
      19
      ·
      1 month ago

      What languages use this? I don’t like it!

      On the other hand it goes well with >= and <=. If >= means “either > or =” then <> means “either < or >”, it checks out.

      But I still don’t like it.

        • dan@upvote.au
          link
          fedilink
          arrow-up
          1
          ·
          edit-2
          29 days ago

          Depends on the dialect. I mostly use Presto and MySQL at work, and both allow !=.

          Presto also lets you use NOT for booleans - instead of WHERE foo = false, you can do WHERE NOT foo.

      • lambalicious@lemmy.sdf.orgOP
        link
        fedilink
        English
        arrow-up
        9
        arrow-down
        2
        ·
        1 month ago

        SQL uses it but yeah, not programming language :p.

        I was on mobile so I didn’t have a .XCompose available to type .

        • lemming@sh.itjust.works
          link
          fedilink
          arrow-up
          5
          ·
          1 month ago

          If you want to be able to write practically anything on mobile, including ≠, ≈, ‰, ℝ etc., have a look at Unexpected keyboard. No spellcheck or autocomplete, though.

        • lud@lemm.ee
          link
          fedilink
          arrow-up
          3
          ·
          1 month ago

          I was on mobile so I didn’t have a .XCompose available to type.

          I feel the opposite. On mobile I have much easier access to special characters. I just need to hold down characters to get more variants.

        • dan@upvote.au
          link
          fedilink
          arrow-up
          2
          ·
          29 days ago

          SQL is definitely a programming language. Most dialects are Turing-complete in some way. Some allow custom functions and stored procedures.

      • azalty@jlai.lu
        link
        fedilink
        arrow-up
        3
        ·
        edit-2
        1 month ago

        Damn I never understood it but now it makes sense thanks to you

        Yea it’s ugly 😭

      • skulbuny@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        2
        ·
        edit-2
        1 month ago

        F# definitely and maybe Haskell and OCaml as well? Elixir and Erlang use it as a binary concatenation operator.

        • Phoenix3875@lemmy.world
          link
          fedilink
          arrow-up
          3
          ·
          30 days ago

          Yes for OCaml. Haskell’s inequality is defined as /= (for ≠). <> is usually the Monoid mappend operator (i.e. generalized binary concatenation).

    • orangeboats@lemmy.world
      link
      fedilink
      arrow-up
      15
      ·
      30 days ago

      And we are facing the effects of it as we’re speaking. CGNAT and protocols like TURN were not invented without a reason.

      • PaintedSnail@lemmy.world
        link
        fedilink
        arrow-up
        4
        ·
        29 days ago

        And it took a lot of hard work by a lot of people to adopt new date standards to avoid that problem. Now it’s time to adopt new IP standards, and it’s going to take a lot of hard work by a lot of people.

  • tentacles9999@lemmynsfw.com
    link
    fedilink
    English
    arrow-up
    53
    ·
    1 month ago

    Honestly we should just use 4 bit ip addresses, it’s too hard for me to remember ipv4 addresses anyways. Carrier grade NAT will take care of the rest.

        • mholiv@lemmy.world
          link
          fedilink
          arrow-up
          8
          ·
          1 month ago

          You shouldn’t have to?? Maybe you might need to change the mask in your firewall settings if the ipv6 allocation block size changes but that should be it.

          Everything else should just work as normal.

        • r00ty@kbin.life
          link
          fedilink
          arrow-up
          2
          ·
          1 month ago

          You should only assign static ipv6 to servers, in theory you could just define a host id and use a prefix too. But, most people at home really aren’t running enough servers to make that worthwhile. Everything else should just pick up new addresses fine using ND.

          • frezik@midwest.social
            link
            fedilink
            arrow-up
            3
            ·
            edit-2
            1 month ago

            There ought to be more servers.

            Will the app for the smart thermostat be updated three years from now and still be useful? If it was instead a web server app on a routable IP, it wouldn’t matter provided they didn’t fuck up the authentication and access control.

            • r00ty@kbin.life
              link
              fedilink
              arrow-up
              2
              ·
              1 month ago

              Yeah, but they’re not. That’s the modern world. But also even if it was a web server there’s usually ways to advertise the IP for the app to connect to. I’ve seen other stuff do that. So getting an IP is easy. Once the app knows the IP and if you really want to allow connections from outside to your IOT devices (I wouldn’t) it could remember the IP and allow that.

              You really don’t need to give a fixed IP to everything. I think I’ve given 1 or 2 things fixed IPv6 IPs. Everything else is fine with what it assigns itself.

              • frezik@midwest.social
                link
                fedilink
                arrow-up
                2
                ·
                1 month ago

                The other app off the top of my head is VoIP. You should be able to “dial” a number directly. Most solutions go through the company’s data center first in order to pierce through NAT. Which makes it more expensive, less reliable, slower, and more susceptible to snooping.

                There’s a “if you build it, they will come” effect here. Once you can address hosts directly, a whole bunch of things become better, and new ideas that were infeasible are now feasible. They don’t exist now because they can’t.

        • dan@upvote.au
          link
          fedilink
          arrow-up
          1
          ·
          edit-2
          29 days ago

          You can use ULAs (unique local addresses) or that purpose. Your devices can have a ULA IPv6 address that’s constant, and a public IPv6 that changes. Both can be assigned using SLAAC (no manual config required).

          I do this because the /56 IPv6 range provided by my ISP is dynamic, and periodically changes.

          • Brkdncr@lemmy.world
            link
            fedilink
            arrow-up
            1
            ·
            29 days ago

            Yes but you’d still be performing NAT. It’s at least 1:1.

            You’ll need to deal with firewall rules regardless, and drop IPs into policies. IPv6 doesn’t remove any of those chores but gets rid of having to maintain tables to deal with many-to-one NAT.

            • dan@upvote.au
              link
              fedilink
              arrow-up
              1
              ·
              29 days ago

              You wouldn’t need NAT. The ULA is used on the internal network, and the public IP is for internet access. Neither of those need NAT.

                • dan@upvote.au
                  link
                  fedilink
                  arrow-up
                  1
                  ·
                  edit-2
                  29 days ago

                  There’s no translation between them. With IPv6, one network interface can have multiple IPs. A ULA (internal IP) is only used on your local network. Any internet-connected devices will also have a public IPv6 address.

                  ULAs aren’t too common. A lot of IPv6-enabled systems only have one IP: The private one.

              • Brkdncr@lemmy.world
                link
                fedilink
                arrow-up
                1
                ·
                29 days ago

                If you use a single shared public ip then you’re using some amount of address translation.

                If you’re using an external ip address that’s different than an internal ip address but both are assigned to a single host the you’re doing 1:1 NAT.

                At least that’s how I understand ipv4 and I don’t think ipv6 is much different.

                • dan@upvote.au
                  link
                  fedilink
                  arrow-up
                  1
                  ·
                  edit-2
                  29 days ago

                  If you use a single shared public ip then you’re using some amount of address translation

                  This is practically never the case with IPv6. Usually, each device gets its own public IP. This is how the IPv4 internet used to work in the old days (one IP = one device), and it solves so many problems. No need for NAT traversal since there’s no NAT. No need for split horizon DNS since the same IP works both inside and outside your network.

                  There’s still a firewall on the router, of course.

                  At least that’s how I understand ipv4 and I don’t think ipv6 is much different.

                  With IPv6, each network device can have multiple IPs. If you have an internal IP for whatever reason, it’s in addition to your public IP, not instead of it.

                  IPs are often allocated using SLAAC (stateless address auto config). The router tells the client "I have a network you can use; its IP range is 2001:whatever/64, and the client auto-generates an IP in that range, either based on the MAC address (always the same) or random, depending on if privacy extensions are enabled - usually on for client systems and off for servers.

      • Justin@lemmy.jlh.name
        link
        fedilink
        English
        arrow-up
        15
        ·
        edit-2
        1 month ago

        1:1 stateless NAT is useful for static IPs. Since all your addresses are otherwise global, if you need to switch providers or give up your /64, then you’ll need to re-address your static addresses. Instead, you can give your machines static private IPs, and just translate the prefix when going through NAT. It’s a lot less horrible than IPv4 NAT since there’s no connection tracking needed.

        This is something I probably should have done setting up my home Kubernetes cluster. My current IPv6 prefix is from Hurricane Electric, and if my ISP ever gives me a real IPv6 prefix, I will have to delete the entire cluster and recreate it with the new prefix.

        • Thiakil@aussie.zone
          link
          fedilink
          arrow-up
          7
          ·
          1 month ago

          It should only be needed if your ISP is brain-dead and only gives you a /64 instead of what they should be doing and also giving you a /56 or /48 with prefix delegation (I.e it should be getting both a 64 for the wan interface, and a delegation for routing)

          You router should be using that prefix and sticking just a /64 on the lan interface which it advertises appropriately (and you can route the others as you please)

          Internal ipv6 should be using site-local ipv6, and if they have internet access they would have both addresses.

          • Justin@lemmy.jlh.name
            link
            fedilink
            English
            arrow-up
            2
            ·
            edit-2
            1 month ago

            Hurricane Electric gives me a /48.

            Site-local ipv6 would work here as well, true. But then my containers wouldnt have internet access. Kubernetes containers use Ipam with a single subnet, they can’t use SLAAC.

            • Thiakil@aussie.zone
              link
              fedilink
              arrow-up
              1
              ·
              30 days ago

              Point is, you should be able to have them have both. Or stick a reverse proxy in front that can translate. Unless they’re somehow meant to be directly internet reachable the public addresses could be autogenerated

              Full disclosure though I don’t know anything about kubernetes.

              • Justin@lemmy.jlh.name
                link
                fedilink
                English
                arrow-up
                1
                ·
                30 days ago

                Yeah, I wonder if there’s any proposals to allow for multiple IPV6 addresses in Kubernetes, it would be a much better solution than NAT.

                As far as I know, it’s currently not possible. Every container/Pod receives a single IPv4 and/or IPv6 address on creation from the networking driver.

          • LaggyKar@programming.dev
            link
            fedilink
            arrow-up
            2
            ·
            edit-2
            1 month ago

            64 for the wan interface

            Nitpicking, but the address for the wan interface wouldn’t have a prefix, so the host would just set it as a /128 (point-to-point)

            • Thiakil@aussie.zone
              link
              fedilink
              arrow-up
              1
              ·
              30 days ago

              Ehh, I’ve seen both. Perhaps not in a home router context though, never really bothered to check

          • Thiakil@aussie.zone
            link
            fedilink
            arrow-up
            2
            ·
            1 month ago

            And if you want static ips either use dhcp6 or disable the randomisation of eui64 addresses

            • Justin@lemmy.jlh.name
              link
              fedilink
              English
              arrow-up
              2
              ·
              1 month ago

              I have static IPs for my Kubernetes nodes, and I actually use DHCPv6 for dynamic dns so I can reach any device with a hostname, even though most of my devices don’t have static IPs.

              The issue is those static IPs are tied to my current ISP, preventing me from changing ISPs without deleting my entire Kubernetes cluster.

          • dan@upvote.au
            link
            fedilink
            arrow-up
            1
            ·
            edit-2
            29 days ago

            My ISP does this right (provides a /56 for routing), but unfortunately both are dynamic and change periodically. Every time I disconnect and reconnect from the internet, I get a different prefix.

            I ended up needing to have ULAs for devices where I need to know the IPv6 address on my network (e.g. my internal DNS servers).

            • Thiakil@aussie.zone
              link
              fedilink
              arrow-up
              1
              ·
              29 days ago

              Indeed, that’s correct ula usage, but shouldn’t need nat rewriting. The global prefixes just need to be advertised by RA packets

              • dan@upvote.au
                link
                fedilink
                arrow-up
                1
                ·
                edit-2
                29 days ago

                Yeah I’m not using NAT, sorry for the confusion.

                My router doesn’t support RAs for a ULA range though, so I’m running radvd on my home server.

              • Thiakil@aussie.zone
                link
                fedilink
                arrow-up
                1
                ·
                29 days ago

                I use openwrt on my home network which uses dnsmasq for dhcp. It can give a static suffix which just works with the global prefix on the interface and the site local / ula prefix it uses

                • dan@upvote.au
                  link
                  fedilink
                  arrow-up
                  1
                  ·
                  29 days ago

                  Note that Android doesn’t support DHCPv6, just in case you have Android devices and ever have to debug IPv6 on them.

    • Morphit @feddit.uk
      link
      fedilink
      arrow-up
      13
      ·
      edit-2
      1 month ago

      2606:4700:4700::1111

      Hmm, maybe Google is easier:
      2001:4860:4860::8888

      Quad9 is 2620:fe::fe or 2620:fe::9

      I don’t understand why they can’t get better addresses than that. Like surely 1::1 would be valid?

      Edit: So IANA only control addresses 2001:: and up and there are quite a few IETF reservations within that. I don’t know why they picked such a high number to start at. Everything else seems IETF reserved with a little space allocated for special purposes (link-local, multicast, etc.).

      • Thiakil@aussie.zone
        link
        fedilink
        arrow-up
        1
        ·
        30 days ago

        Address space is so huge that iirc the only global addresses in use are 2xxx::

        Its so huge that it’s not needed to use anything else is the goal as far as I see. If it starts with 2, it’s global.

        • Thiakil@aussie.zone
          link
          fedilink
          arrow-up
          3
          ·
          30 days ago

          Also for routing table reasons. Ipv6 needs to use prefixes to do link aggregation or it just gets too bjg

          • Morphit @feddit.uk
            link
            fedilink
            arrow-up
            1
            ·
            29 days ago

            I can see that, but surely there wouldn’t be much difference matching the first 4bits (0x2XXX, 0xfXXX) vs the first 16 (0x0001)?
            0:: is presumably all for loopback-type stuff, but I don’t see a reason not to use 1:: through 1fff:: and they would be much easier to type/remember/validate for public DNS servers which are needed before name resolution is available.

        • JohnEdwa@sopuli.xyz
          link
          fedilink
          arrow-up
          2
          ·
          30 days ago

          IPv6 is big enough to give 10 billion unique addresses for every grain of sand on earth and still have some left over. Just in case we need to, I guess.

          • dan@upvote.au
            link
            fedilink
            arrow-up
            3
            ·
            29 days ago

            It’s great that the address space is so large. When designing a new system, you want to make sure it’ll hopefully never encounter the same issue as the old system, to ensure you don’t have to migrate yet again.

            • JohnEdwa@sopuli.xyz
              link
              fedilink
              arrow-up
              1
              ·
              29 days ago

              Sure. But the IPv6 implementation is a bit like if we went “you know the y2038 problem of 32 bit numbers, and how goin under 1970 is sometimes hard? Lets solve it by making it start from the big bang and store time as a 256 bit integer so we don’t run out until year 3.1 x 10^69”.

              IPv6 is big enough for 340,282,366,920,938,463,463,374,607,431,768,211,456 unique addresses. Are we expecting to create an universe consuming army of exponentially replicating paper clip converting robots that each need an IPv6 address or something?

              • dan@upvote.au
                link
                fedilink
                arrow-up
                1
                ·
                29 days ago

                Having a large range has a number of benefits though. Companies that have dozens of IPv4 ranges may be fine with a single IPv6 range, which simplifies routing rules.

                A lot of features in IPv6 take advantage of the fact that networks have at least a /64 range (at least if they’re built correctly according to RFC4291 and newer specs). SLAAC is a major one: Devices can auto-configure IP addresses without having to use something like a stateful DHCP server.

        • Morphit @feddit.uk
          link
          fedilink
          arrow-up
          1
          ·
          29 days ago

          Why start at 0x2001 though? Why not 0x0001? Then we could have addresses like 1:1:1::1 or 1:2:3::4.

  • mlg@lemmy.world
    link
    fedilink
    English
    arrow-up
    29
    ·
    30 days ago

    Typing addresses in ipv4 is ingrained into my brain, but zero NATing with ipv6 is magical.

    • NeatNit
      link
      fedilink
      arrow-up
      6
      ·
      1 month ago

      Yes, you’ve got it right. <> means ≠. 16 is not equal to 6.

      • purplemonkeymad@programming.dev
        link
        fedilink
        arrow-up
        7
        ·
        1 month ago

        Because 48 bits over 32 bits does not really solve the problems with ip4. 128 bits basically gives one ip4 address space to each square meter of earth. Ip6 also drops all the unused and silly parts of ip4 too.

        • lambalicious@lemmy.sdf.orgOP
          link
          fedilink
          English
          arrow-up
          2
          arrow-down
          2
          ·
          30 days ago

          128 bits basically gives one ip4 address space to each square meter of earth.

          That sounds like terminal stage capitalism to me. Why would we want every tree in the Amazons to be cybergorized with its own IP? I don’t know Rick, 64 kbits bits ought to be enough for everybody, and I’m already risking it.

          • orangeboats@lemmy.world
            link
            fedilink
            arrow-up
            8
            ·
            edit-2
            29 days ago

            Our network architecture has the tendency to waste IP addresses. A subnet may have 10 devices but have 256 IPs (e.g. a /24 network like 192.168.0.0 to 192.168.0.255) - that’s 246 wasted addresses. This wastage is kinda unavoidable since we’d need to keep our routing tables from being too fragmented.

            With that in mind it is entirely possible for 64-bit addressing space to not be enough, unless we revert to methods like NAT which come with their own disadvantages.

            We have already used up about one /11 block of the IPv6 internet. That’s 128-11=117 bits. If we replace the standardized /64 subnets of IPv6 with old /24 subnets typical in IPv4 networks, you get 61 bits. That’s dangerously close to the upper limit of a hypothetical 64-bit IPv5 internet.

          • brianorca@lemmy.world
            link
            fedilink
            arrow-up
            2
            ·
            30 days ago

            Because bits are not expensive anymore, and if we used 64 bits, we might run out faster than the time needed to convert to a new standard. (After all, IPv4 is still around 26 years after IPv6 was drafted.) Also see the other notes about how networks get segmented in non-optimal ways. It’s a good thing to not have to worry about address space when designing your network.

  • deezbutts@lemm.ee
    link
    fedilink
    arrow-up
    26
    arrow-down
    2
    ·
    1 month ago

    Mystery of the universe, would IPv5 have hit the sweet spot and taken off?