IPv4 apocalypse means we just can't measure the internet any more

IPv4 address exhaustion is making it harder to measure the size of the Internet, even as IPv6 deployment accelerates. While IPv6 activity doubled in 2015 (to 400 million addresses by year-end), the vast majority of users are still on IPv4 addresses, mostly via dynamic assignment or behind carrier-grade Network Address …

  1. J. R. Hartley

    The title is no longer required

    IPv6 is the work of the devil. Not on my network!!

    1. Anonymous Coward
      Anonymous Coward

      Re: IPv6 is the work of the devil.

      I see the devil at work on the picture on the top of the article. Why the bizarre cropping? What are you hiding?

    2. Roland6 Silver badge

      Re: The title is no longer required

      Actually, the title is totally misleading!

      NAT etc. has been around for decades, so there has (as far as the WWW incarnation of the Internet is concerned) always been a discrepancy in the numbers; it is just that now, with increasing usage of NAT, the discrepancy has become both visible and significant.

      1. Anonymous Coward
        Anonymous Coward

        Re: The title is no longer required

        > NAT etc. has been around for decades,

        And IPv6 won't make it go away. NAT has too many advantages (OK it has horrendous disadvantages too) for client systems to want to go to an open addressing model. Even when I switch networks to v6 they'll still be running NAT.

        1. imanidiot Silver badge

          Re: The title is no longer required

          Correct me if I'm wrong, but wasn't one of the points of contention on IPv6 implementation that it did not support NAT? So how do you plan to roll this?

          1. Anonymous Coward
            Anonymous Coward

            Re: The title is no longer required

            > Correct me if I'm wrong, but wasn't one of the points of contention on IPv6 implementation that it did not support NAT? So how do you plan to roll this?

            From Linux you can just use

            ip6tables -t nat -A POSTROUTING ... -j MASQUERADE

            So in pretty much the same way I can do it for IPv4

            (apparently there are other sorts of routers, but I can't comment on those)

            1. Yes Me Silver badge

              Re: The title is no longer required

              You can do it, but you don't need to do it, and the stuff that NAT breaks will work if you don't do it. You don't need NAT for security or privacy, and you certainly don't need it because of address shortage, so why bother?

      2. bombastic bob Silver badge
        Black Helicopters

        Re: The title is no longer required

        perhaps "they" need to stop TRACKING us by our IP addresses?

        (it's true, IPv6 would make THAT easier)

        1. PNGuinn
          Facepalm

          Re: The title is no longer required @bb

          Yup, you've hit the nail on the head there all right.

          If we don't all move to IPv6 all the advertisers' kittens will DIE. Or something.

          Well, if they have to die may they do so somewhere where they poison the ad slingers' water supply. Or something.

          Here's a prediction. If that internets of stuff thingie really does take off we'll have run out of addresses again in five years or so, 'cos every grain of sand really does want to be connected to the net, if only to watch all those dying kitten videos on spewtube. Or something.

          1. Yes Me Silver badge

            Re: The title is no longer required @bb

            " If that internets of stuff thingie really does take off we'll have run out of addresses again in five years or so"

            Actually, no. The reason for picking 128 bits addresses was exactly that - visions of a future with every light switch on the network - back in 1994. IoT is the current buzzword but the idea is 20+ years old.

        2. Yes Me Silver badge

          Re: The title is no longer required

          No, IPv6 doesn't make tracking easier, because you should use pseudo-random interface identifiers, and temporary ones if you prefer. It does make address scanning *much* harder, too.

      3. Joe Montana

        Re: The title is no longer required

        NAT was in use at endpoints, but not really at ISPs... One IP usually correlated to one customer.

        Now widespread NAT at ISPs, as well as dynamic addressing makes it much harder to block abusive users by IP... Spammers know this too, and will release/renew or redial a ppp connection to get a fresh IP.

      4. gnarlymarley

        Re: The title is no longer required

        >NAT etc. has been around for decades

        Which is why I have been successfully using NAT on IPv6 since January of 2011. Works great when you need a private IPv6 address to access the internet. They changed the name of the address from "private" to "site local" to "unique local". All in attempts to avoid folks implementing NAT6. Oh well, folks have had NAT on IPv6 since before 2006. Just means no matter what folks say, we already have it.

        1. Vic

          Re: The title is no longer required

          Oh well, folks have had NAT on IPv6 since before 2006. Just means no matter what folks say, we already have it.

          And that should be the end of it.

          With IPv6, no-one should be forced to use NAT. That's a good thing.

          But numerous people are trying to *prevent* anyone using NAT. and that's a bad thing.

          Give people the freedom to decide for themselves whether or not to NAT, and the progress of IPv6 will be comparatively easy.

          But try to enforce dogma that really isn't necessary, and you will get push-back.

          Vic,

          1. Trevor_Pott Gold badge

            Re: The title is no longer required

            Amen.

    3. Herby

      Work of the Devil, etc...

      I always want to ask the same question:

      Why do we need an addressing scheme that can accommodate every grain of sand on the planet and have some left over. If they went to 6 byte addresses with a simple translate scheme, we would all be using it now.

      Yes, it is terrible!!

      Me? Yes, I have a nice NAT router that works very nicely, thank you. I use the same model for at least 3 installations.

      1. Yes Me Silver badge

        Re: Work of the Devil, etc...

        "Why do we need an addressing scheme that can accommodate every grain of sand on the planet and have some left over."

        We don't. But while we're making the address space bigger, we might as well make it plenty bigger.

        "If they went to 6 byte addresses with a simple translate scheme, we would all be using it now." No. Any increase whatever from 32 bits creates the same problem, since (as has been said here very recently) IPv4 has no, zero, zilch provision for forward compatibility.

      2. teebie

        Re: Work of the Devil, etc...

        "Why do we need an addressing scheme that can accommodate every grain of sand on the planet "

        So we can internet enable every grain of sand, which is good because connectivity internetofthings future

        1. Charles 9

          Re: Work of the Devil, etc...

          "So we can internet enable every grain of sand, which is good because connectivity internetofthings future"

          It's basically a way to ensure we don't run out again, much like how ZFS uses 128-bit provisioning to ensure filesystem limitations are never reached in real life (and before you quote 640K, physical limits would be hit first).

  2. AMBxx Silver badge
    Boffin

    How much is a IPv4 address worth

    As title, what's my fixed address worth?

    1. Anonymous Coward
      Anonymous Coward

      Re: How much is a IPv4 address worth

      Probably nothing. It is surprising how many ISPs now do not offer NAT. You can only have a reserved IPV4 address.

      I tried unsuccessfully to get Demon/Thus to move me to a NAT for extra protection - as I never use my address for unsolicited incoming traffic. They apparently were in the middle of changing their business model and were getting out of the home domestic market that used NAT. It was apparently a given that SOHO users always needed a reserved address.

      1. Anonymous Coward
        Anonymous Coward

        Re: How much is a IPv4 address worth

        You are confusing "static IP" (or conversely, "dynamically allocated address from a pool") with "NAT".

        You are almost certainly using NAT. If the IP address on your PC's network card (shown by e.g. "ipconfig /all") is different from the public IP address you're using on the Internet (shown by e.g. visiting www.whatsmyip.org) then you are using NAT.

        Now, "static" or "dynamic/pool" IP means whether the public IP address you're using on the Internet stays the same, or changes every time you disconnect and reconnect.

        A dynamic IP address doesn't really offer you any "protection". Your ISP is still logging every time you connect/disconnect from the Internet and what address you are using at each time, so any malicious activity from that address can be traced back to you.

        And in any case, if you have a stable DSL line and don't power off your router every night, you are likely to stick with the same IP address for days or weeks at a time.

        And Demon/Thus is very much an oddball here, by giving a static IP address. Most ISPs won't give you this unless you ask for and/or pay for it. Many don't even offer it at all.
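The point above about the ISP logging every connect/disconnect and which address was in use is exactly what an abuse or law-enforcement query against an ISP turns into: "who held address X at time T?". The following is an added example (not code from the thread or from any ISP) that pairs connect/disconnect events from a session-accounting log into leases and answers that question; the log format, subscriber ids and addresses are constructed for illustration.

```python
"""Answer "which subscriber held public address X at time T?" from an ISP's
session-accounting log. Added example, not from the thread; the log format,
subscriber ids and addresses are constructed for illustration."""
import re
from datetime import datetime, timezone

# Constructed accounting lines: one line per link up/down event, roughly as a
# RADIUS or PPP server might log them (the format itself is hypothetical).
SESSION_LOG = """\
2016-03-01T08:00:00Z CONNECT    sub=cust-1042 ip=203.0.113.17
2016-03-01T09:30:00Z DISCONNECT sub=cust-1042 ip=203.0.113.17
2016-03-01T09:31:10Z CONNECT    sub=cust-2077 ip=203.0.113.17
2016-03-01T11:00:00Z CONNECT    sub=cust-3390 ip=203.0.113.18
garbage line that should be ignored
2016-03-01T17:45:00Z DISCONNECT sub=cust-2077 ip=203.0.113.17
"""

LINE_RE = re.compile(r"^(\S+)\s+(CONNECT|DISCONNECT)\s+sub=(\S+)\s+ip=(\S+)$")


def parse_ts(text):
    """ISO-8601 UTC timestamp -> timezone-aware datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_sessions(log_text):
    """Pair CONNECT/DISCONNECT events into leases: (ip, subscriber, start, end).
    A session still up at the end of the log has end=None."""
    open_leases = {}
    leases = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not parse; never guess at them
        ts, event, sub, ip = m.groups()
        when = parse_ts(ts)
        key = (ip, sub)
        if event == "CONNECT":
            open_leases[key] = when
        elif key in open_leases:
            leases.append((ip, sub, open_leases.pop(key), when))
    for (ip, sub), start in open_leases.items():
        leases.append((ip, sub, start, None))
    return leases


def who_had_ip(leases, ip, at):
    """Subscriber that held `ip` at instant `at` (half-open interval), or None
    if the address was unassigned at that moment."""
    for lease_ip, sub, start, end in leases:
        if lease_ip == ip and start <= at and (end is None or at < end):
            return sub
    return None


if __name__ == "__main__":
    leases = parse_sessions(SESSION_LOG)
    for probe in ("2016-03-01T09:00:00Z", "2016-03-01T09:30:30Z", "2016-03-01T10:00:00Z"):
        print(probe, "203.0.113.17 ->", who_had_ip(leases, "203.0.113.17", parse_ts(probe)))
```

The half-open interval matters: at 09:30:30 the address is between two subscribers and the lookup correctly returns nobody rather than blaming the previous holder. Once an ISP puts subscribers behind carrier-grade NAT the same query also needs the source port and the NAT's port-mapping log, which this example does not model.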

        1. Anonymous Coward
          Anonymous Coward

          Re: How much is a IPv4 address worth

          "You are almost certainly using NAT. If the IP address on your PC's network card (shown by e.g. "ipconfig /all") is different from the public IP address you're using on the Internet (shown by e.g. visiting www.whatsmyip.org) then you are using NAT."

          The address used by my local devices is irrelevant to the point I made about ISP NAT - or rather what could be called PAT (Port and Address Translation). That multiplexes my connections onto an arbitrary IPV4 address from the ISP's groups.

          My presence on the internet has an IPV4 address that resolves in network-tools.com to mydomain.demon.co.uk. It is always the same address assigned by Demon to my router when it connects to the ADSL. The only NAT is my router turning that address into a 192.168.0.1 local net for my home devices.

          If I set up a DMZ in my router then I could route unsolicited connections from the internet to selected local devices to handle the protocol. Those callers will have either used DNS to resolve my subdomain - or have used my raw IPV4 address.

          1. SImon Hobson Bronze badge

            Re: How much is a IPv4 address worth

            > The address used by my local devices is irrelevant to the point I made about ISP NAT

            Err, no it isn't. That was given as a way to see that you are indeed using NAT. But in any case, the "problem" you have is that you have a static IP address - if you don't want that, just ask your ISP for a dynamic one and it'll change every time your connection drops and has to be re-established. If Demon won't do that, then you can switch ISP - I switched ISP not long ago for the reverse reason, apart from being a sh*te ISP, they didn't do static IPs for residential connections at all and I want one for various reasons.

            If you aren't using any inbound connections, then just ignore them. If you haven't configured your router to send them somewhere, they'll just be dropped.

            Sorry, but it's a non-problem. Getting the ISP to put you behind a CGN gateway won't actually make that much difference since (for various reasons) you are still likely to have a "slightly sticky" public IP. And trust me, if you had a truly dynamic (as in every outbound connection got mapped differently) IP then you would hate it due to the amount of stuff it would break.
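The "ipconfig /all versus what-is-my-IP" test from earlier in this thread, and the CGN gateway mentioned just above, can be turned into a small classifier. This is an added example, not code from the thread: given the address on the LAN interface, the address the ISP handed to the router's WAN side, and the address an external site reports, it says which translation layers sit between the host and the Internet. The sample addresses are constructed; the 100.64.0.0/10 range is the RFC 6598 shared space reserved for carrier-grade NAT.

```python
"""Tell apart 'home NAT', 'carrier-grade NAT' and 'direct public address'
from three observations. Added example, not from the thread; the sample
addresses are constructed."""
import ipaddress

# Private ranges that are never routed on the public Internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# RFC 6598 shared address space, allocated specifically for ISP-side (CGN) use.
CGNAT_SHARED = ipaddress.ip_network("100.64.0.0/10")


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def classify_nat(lan_addr, wan_addr, internet_addr):
    """Return the translation layers between a LAN host and the Internet,
    innermost first. lan_addr: what the host's own interface shows;
    wan_addr: what the ISP assigned to the router's uplink;
    internet_addr: what an external site sees as the source address."""
    lan, wan, seen = (ipaddress.ip_address(a) for a in (lan_addr, wan_addr, internet_addr))
    if not (lan.version == wan.version == seen.version == 4):
        raise ValueError("this classifier is for IPv4 only")
    layers = []
    if lan != wan:
        # The home router rewrote the source address on the way out.
        layers.append("home NAT")
    if wan != seen or wan in CGNAT_SHARED or is_rfc1918(wan):
        # Either the Internet sees a different address than the uplink carries,
        # or the uplink address is not public space at all: the ISP translates.
        layers.append("carrier-grade NAT")
    return layers or ["direct public address"]


if __name__ == "__main__":
    print(classify_nat("192.168.0.10", "203.0.113.5", "203.0.113.5"))
    print(classify_nat("192.168.0.10", "100.64.3.7", "203.0.113.9"))
```

A result of two layers is the "double NAT" case that breaks inbound port forwarding entirely, since the home router's DMZ or forwarding rule only ever sees the ISP's translator, never the Internet.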

        2. Anonymous Coward
          Anonymous Coward

          Re: How much is a IPv4 address worth

          "A dynamic IP address doesn't really offer you any "protection"."

          The protection it gives is that no one can use my subdomain name via DNS to attack my router specifically. All they can do is attack my ISP's firewall - which will know if it is expecting a reply on that address and port for a prior outward connection eg FTP.

          Depending on the way the ISP has set up their PAT (Port and Address Translation) then my outward connections will be multiplexed with other users' onto dynamic ports on IPV4 addresses from the ISP's allocations. How they log the mapping of ports and addresses to comply with legal processes is up to the ISP.

          1. Anonymous Coward
            Anonymous Coward

            Re: How much is a IPv4 address worth

            "The protection it gives is that no one can use my subdomain name via DNS to attack my router specifically. "

            You're still confusing a few items... if you have "a subdomain name" pointing to your connection, you must have a dynamic DNS service updating per your current IP address, which negates the "advantage" of dynamic vs. static.

            If you are relying on a router to "know if it is expecting a reply..." that's NAT.

            I used to work with some people who thought that a randomly changing IP would protect them from the bad guys, "because then they don't know where to find me". Here's the thing: there aren't any hackers out there that are targeting *you*. I know you're picturing some guy with green characters projected on his face who is going to reverse-couple the firewall to the uplink in order to hack you. In reality, 99% or more of what you need to worry about are automated attacks that scan the Internet looking for vulnerable computers. dynamic IPs don't help against those, they'll just scan by eventually.

          2. Blotto Silver badge
            FAIL

            Re: How much is a IPv4 address worth

            proof a little knowledge is dangerous in the wrong hands.

            "The protection it gives is that no one can use my subdomain name via DNS to attack my router specifically" -- WTF?

            "All they can do is attack my ISP's firewall - which will know if it is expecting a reply on that address and port for a prior outward connection eg FTP" -- Double WTF, FTP has 2 modes, one requires fw's to inspect the unencrypted comms to know which ports to open.

            "Depending on the way the ISP has set up their PAT (Port and Address Translation) then my outward connections will be multiplexed with other users' onto dynamic ports on IPV4 addresses from the ISP's allocations." -- WTF not even close, this is proxying.

            I'd suggest you forget all you know about networking and start again

            1. Anonymous Coward
              Anonymous Coward

              Re: How much is a IPv4 address worth

              "I'd suggest you forget all you know about networking and start again"

              I fear there is a disjunct between what I am saying and what people are reading into it. Nothing I have said contradicts the way that network kit works. Afraid all I can offer as credentials is 45 years in computer networking development and troubleshooting a large number of very convoluted large system problems.

              1. SImon Hobson Bronze badge

                Re: How much is a IPv4 address worth

                >I fear there is a disjunct between what I am saying and what people are reading into it.

                No, I see no disjunct there.

                > Nothing I have said contradicts the way that network kit works.

                Wrong again, sorry.

                > Afraid all I can offer as credentials is 45 years in computer networking development and troubleshooting a large number of very convoluted large system problems.

                "Oh dear".

                The DNS is irrelevant - because as stated, the bad guys won't be using it. Fixed vs dynamic IP is irrelevant, because the bad guys aren't targeting YOU, they will be scanning address ranges just looking for open ports etc. And if you don't trust your own router, then YOU have the power to install a decent one - expecting your ISP to do it better is (in many cases) ... err lets just call it optimistic !

                So basically your rant comes down to paranoia over a DNS entry that the bad guys won't be using, paranoia over the potential for your router to have flaws, and an irrational belief that your ISP will do it better.

          3. Anonymous Coward
            Anonymous Coward

            Re: How much is a IPv4 address worth

            > Depending on the way the ISP has set up their PAT (Port and Address Translation) then my outward connections will be multiplexed with other users' onto dynamic ports on IPV4 addresses from the ISP's allocations.

            That is absolutely wrong, wrong, wrong, wrong, wrong. ISPs simply don't work like that.

            The Internet, including your ISP's network, is built out of devices called "routers". They forward things called "IP datagrams". They do not modify the datagram, except for reducing a field called the TTL (Time To Live) and making an update to the IP header checksum to compensate.

            Your home router likely also does NAT and/or PAT; it has enough CPU grunt to handle the tiny amount of traffic passing through it, and to retain all the state necessary to perform the same updates on related packets, e.g. packets belonging to the same TCP stream.

            But in the core of an ISP, you're talking tens or hundreds of gigabits of traffic or more. All the datagram forwarding is done in hardware, by the line cards. And they do NOT modify addresses or ports on a packet-by-packet basis; they simply pass them onto the next device and instantly forget about them.

            Now, at the time your home device connects to the ISP, they allocate you a single IP address which is dedicated to you for the duration of your connection. Any packet which arrives at the ISP with that address is forwarded down your link.

            In the case of Demon or any other ISP static-IP service, they assign you the same IP address every time you connect - and don't give it to anyone else while you are not connected.

            On an ISP which does dynamic IP addressing, they assign you a different IP address out of a pool each time you connect.

            By "connect" this means "when your router establishes the link to the ISP", not each time you open a TCP connection to a different web site or whatever.

            But for as long as that link is established, any packets you send out of your router with a particular header [source address, source port, destination address, destination port] will arrive at the destination *exactly* the same, apart from the TTL having been decremented.
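What a plain router hop does to an IPv4 header, as described above, is small enough to show byte for byte. The following is an added example (not code from the thread): it builds a 20-byte IPv4 header, applies one forwarding hop (TTL minus one, header checksum refreshed), and checks that nothing else in the header moved. It also shows the incremental checksum update of RFC 1624 that line cards use so they never have to re-add the whole header. The addresses and identification field are constructed sample values.

```python
"""One router hop on an IPv4 header: decrement TTL, fix the checksum, touch
nothing else. Added example, not from the thread; the sample header is
constructed."""
import ipaddress
import struct


def ipv4_checksum(header):
    """RFC 791 checksum: one's-complement sum of 16-bit words, complemented.
    The caller zeroes the checksum field before calling."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ones_add(a, b):
    s = a + b
    return (s & 0xFFFF) + (s >> 16)


def incremental_checksum(old_hc, old_word, new_word):
    """RFC 1624 eq. 3: HC' = ~(~HC + ~m + m'), where m is the 16-bit word
    that changed. This is what hardware does instead of a full recompute."""
    s = ones_add(ones_add((~old_hc) & 0xFFFF, (~old_word) & 0xFFFF), new_word)
    return (~s) & 0xFFFF


def build_ipv4_header(src, dst, ttl, proto=6, total_len=40, ident=0x1C46):
    """Minimal header: version 4, IHL 5, DF set, no options."""
    hdr = bytearray(struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0x4000, ttl, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed))
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr)


def forward_hop(header):
    """Apply a single router hop. TTL 0 or 1 means the packet is dropped
    (and an ICMP Time Exceeded would be sent), so we refuse to forward it."""
    ttl = header[8]
    if ttl <= 1:
        raise ValueError("TTL expired: router drops the packet")
    out = bytearray(header)
    out[8] = ttl - 1
    out[10:12] = b"\x00\x00"
    out[10:12] = struct.pack("!H", ipv4_checksum(bytes(out)))
    return bytes(out)


# Byte offsets of the header fields a reader would want to compare.
FIELDS = {"ttl": (8, 9), "protocol": (9, 10), "checksum": (10, 12),
          "src": (12, 16), "dst": (16, 20)}


def changed_fields(before, after):
    """Names of the header fields that differ between two headers."""
    return [name for name, (a, b) in FIELDS.items() if before[a:b] != after[a:b]]


if __name__ == "__main__":
    h = build_ipv4_header("203.0.113.17", "198.51.100.23", ttl=64)
    h2 = forward_hop(h)
    print("before:", h.hex())
    print("after: ", h2.hex())
    print("changed:", changed_fields(h, h2))
```

Only the TTL byte and the two checksum bytes differ after the hop; the addresses, ports (in the transport header that follows) and payload are untouched, which is the whole reason a core router can forward at line rate without keeping any per-flow state.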

        3. Anonymous Coward
          Anonymous Coward

          Re: How much is a IPv4 address worth

          "And Demon/Thus is very much an oddball here, by giving a static IP address"

          I was thinking of switching to Andrews and Arnold - as an ISP with the good reputation that Demon once had amongst techies. Their service offerings seem to assume you will take up a real IP address that will be in some way assigned to you. If that is an incorrect assumption then please will an AAISP user tell me.

          1. Dazed and Confused

            Re: How much is a IPv4 address worth

            A&A will give you static IP addresses and not bugger about with them for you. You can have address blocks from them too, unless they've now run out.

      2. bombastic bob Silver badge
        Devil

        Re: How much is a IPv4 address worth

        "Probably nothing. It is surprising how many ISPs now do not offer NAT. You can only have a reserved IPV4 address."

        and yet, for a FIXED IP address, you'll be charged EXTRA, and may ONLY be able to do so with a "business class" subscription, and so the cost inflates...

        But with IPv6, everyone's address could be static. I assume we'll get assigned netblocks, for our entire network, and by doing so, will have a fixed IPv6. Bye-bye, need for "all that" we have to pay EXTRA for in the IPv4 world...

        1. Blotto Silver badge

          Re: How much is a IPv4 address worth

          you will likely get a dynamic /56

          reboot the router and your address changes

          1. SImon Hobson Bronze badge

            Re: How much is a IPv4 address worth

            reboot the router and your address changes

            And of course, with no address translation, this means all your internal addresses also change. That's one heck of a PITA for anyone but the "consume only" ones for whom the internet consists of Google and FarceBork.
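The renumbering problem in the post above (a dynamic /56 plus no address translation means every internal address changes when the prefix does) is easy to see in code, and so is the pseudo-random interface identifier mentioned earlier in this thread as the reason IPv6 need not make tracking easier. The following is an added example, not code from the thread: it carves /64 subnets out of a delegated prefix, gives each host a random 64-bit interface identifier, and shows what a prefix change on the WAN side does to the hosts' addresses. The prefixes and identifiers are constructed; `secrets.randbits` stands in for the RFC 4941 hash-based generation.

```python
"""IPv6 home addressing without NAT: /64 subnets from a delegated prefix,
random interface identifiers, and the effect of a prefix change. Added
example, not from the thread; prefixes and identifiers are constructed."""
import ipaddress
import secrets


def delegation_size(prefix):
    """Number of /64 subnets a delegated prefix contains (a /56 holds 256)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen > 64:
        raise ValueError("delegation must be /64 or shorter")
    return 2 ** (64 - net.prefixlen)


def subnets_from_delegation(prefix, count):
    """The first `count` /64 networks inside the delegated prefix."""
    if count > delegation_size(prefix):
        raise ValueError("delegation too small")
    gen = ipaddress.IPv6Network(prefix).subnets(new_prefix=64)
    return [next(gen) for _ in range(count)]


def random_iid():
    """64-bit random interface identifier. RFC 4941 derives its temporary
    IIDs from a hash; secrets.randbits is a stand-in here."""
    return secrets.randbits(64)


def host_address(subnet, iid):
    """Combine a /64 network with a 64-bit interface identifier."""
    if subnet.prefixlen != 64 or not 0 <= iid < 2 ** 64:
        raise ValueError("need a /64 and a 64-bit IID")
    return ipaddress.IPv6Address(int(subnet.network_address) + iid)


def renumber(old_delegation, new_delegation, hosts):
    """hosts maps name -> (subnet index within the delegation, iid).
    Returns name -> (address under the old prefix, address under the new one)."""
    n = max(i for i, _ in hosts.values()) + 1
    old_subnets = subnets_from_delegation(old_delegation, n)
    new_subnets = subnets_from_delegation(new_delegation, n)
    return {name: (host_address(old_subnets[i], iid), host_address(new_subnets[i], iid))
            for name, (i, iid) in hosts.items()}


if __name__ == "__main__":
    # Constructed: a NAS on the first /64 and a printer on the second, with
    # fixed IIDs so the output is reproducible.
    hosts = {"nas": (0, 0x1234567890ABCDEF), "printer": (1, 0x0123456789ABCDEF)}
    for name, (old, new) in renumber("2001:db8:abcd:ff00::/56",
                                     "2001:db8:1111:2200::/56", hosts).items():
        print(f"{name}: {old} -> {new}")
    print("a fresh temporary IID:", hex(random_iid()))
```

The interface identifier half of each address survives the renumbering unchanged; it is the prefix half, which the ISP controls, that moves. Anything on the LAN that stored a full address (firewall rules, DNS records, printer settings) therefore breaks, which is why ISPs that delegate prefixes dynamically are so unpopular with people who run more than a browser at home.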

          2. Vic

            Re: How much is a IPv4 address worth

            you will likely get a dynamic /56

            Why?

            IPv6 gives 2^64 MAUs, which is enough for one each for up to 1.8x10^19 people. Each MAU gives you 1.8x10^19 addresses, which is more than I'm likely to need this week.

            So the only reason to have more than a /64 is if you're sub-allocating (which most people won't be), and there are more than enough MAUs to have a static allocation.

            I would expect the standard allocation to be a static /64; is there reason to suspect something else?

            Vic.

            1. SImon Hobson Bronze badge

              Re: How much is a IPv4 address worth

              I would expect the standard allocation to be a static /64; is there reason to suspect something else?

              Err, how about because most large ISPs are run by complete sh**s who will do anything to make it easier to squeeze more money out of "power" users. Given that some ISPs will not give a static IPv4 address, and others will only do it if you pay extra for a business connection AND also charge you extra rent for the address - I see no reason they won't do exactly the same with IPv6.

              These are the ISPs in the race to the bottom of the murky pond where life is a muddy mess of squeezed margins and gullible punters who can't see past the headline price. Having outcompeted themselves on how cheap they can sell the service, they then need every trick they can muster to make a profit.

              Needless to say, I'm with an ISP that costs more, but doesn't do this sort of stuff.

              1. Vic

                Re: How much is a IPv4 address worth

                how about because most large ISPs are run by complete sh**s

                Fair point.

                Given that some ISPs will not give a static IPv4 address, and others will only do it if you pay extra for a business connection AND also charge you extra rent for the address - I see no reason they won't do exactly the same with IPv6.

                Given the scarcity of IPv4 addresses, there are *some* grounds for this - although I agree that many ISPs just gouge such customers because they can. But with IPv6, it actually requires more effort on their behalf to allocate dynamically than to do so statically.

                Needless to say, I'm with an ISP that costs more, but doesn't do this sort of stuff.

                Likewise. AAISP have done a fantastic job for me...

                Vic.

            2. Trevor_Pott Gold badge

              Re: How much is a IPv4 address worth

              Er....my ISP assigns me one IPv6 address. Not a block. An address. I have to set up a sixxs tunnel and use my block from there to do anything useful with IPv6. And the other two ISPs in the area don't assign IPv6 at all!

              So, yeah, that whole thing where ISPs will do whatever ivory tower intellectuals tell them to do? That's not how the real world works. People are shit. ISPs and ivory tower engineers alike.

    2. Roland6 Silver badge
      Pint

      Re: How much is a IPv4 address worth

      what's my fixed address worth?

      Suggest you look it up on Zoopla or Rightmove... :)

      However, I think the premise "It's quite likely that as address value rises, more static addresses will be returned by the organisations that hold them." only applies where an organisation has to pay a subscription to their ISP for their static IP address.

      If you are one of the lucky ones who was assigned an IP address block way back and thus pay nothing, there is no real incentive to cash in at the present time - instead use them to benefit your business by running your own bit barn and hosting service...

      If you have purchased a static block of addresses from ARIN et al then you are paying the going rate and have probably sized your allocation to your needs and so have little room to manoeuvre, but 250USD pa for a /24 isn't all that expensive.

      Finally, given the current prices BT are charging (£5.50 pcm for 1 and £15.50 pcm for 13), whilst 'high' compared to ARIN's prices, I suggest retail prices for static IP addresses are going to have to rise significantly before businesses begin to treat individual addresses as gold dust. But then I suggest those who are purchasing from their ISP are smaller businesses and hence are between a rock and a hard place, and so typically need only a handful of static addresses and hence aren't going to be giving any back whilst they remain in business...

      1. Anonymous Coward
        Anonymous Coward

        Re: How much is a IPv4 address worth

        > Suggest you look it up on Zoopla

        No, really no, IMHE this is basically a random number generator.

  3. Anonymous Coward
    Anonymous Coward

    And who told you I want to be measured?

    My (on last count) 20+ devices on my home network are my own F*** business.

    The v6 people should really take their end to end principle, choose a high priest of v6 of choice and make him stuff it. Attached to a chainsaw. I know it is difficult for people who have made their career on starting every second sentence with "v4 is obsolete".

    All the IoT devices (usually used as the primary justification for v6) SHOULD NOT be entitled to talk to anything but the gateway and I would like that gateway to be on _MY_ premises under _MY_ control. For that v4 suffices. End of story.

    All the data leaching admen scum with their ideas that they will talk to the "cloud" so they can monetize the refresh cycle of my dirty laundry can join the aforementioned v6 priest in gently buggering themselves with a chainsaw (though so far they are very happily showing that they do need no end-to-end principle to spy on me).

    So, going back to the article - I am very happy that I did not get measured correctly. Can we have a repeat of that for as long as possible.

    1. Lee D Silver badge

      Re: And who told you I want to be measured?

      At the very least, get yourself one outside IPv6 address and map it through.

      Still only one address to handle.

      Only your gateway to upgrade / reconfigure.

      Works just the same and hides stuff just the same.

      Allows you to get onto IPv6-only resources when the inevitable happens.

      It bugged me from day one that people were told that they "can't" use NAT with IPv6. Of course you can. And the easiest way to transition is to transition your NAT device to have a IPv6 address to the outside world and let it handle the conversion to your legacy IPv4 network.

      Then NOBODY cares when you transition the clients themselves, if at all.

      For years the IPv6 crowd were up in arms against the idea and look what that's done. Everyone with NAT has INCREASED usage and stayed on IPv4.

      P.S. Hello, The Reg. How's that IPv6 transition coming along? For the twenty-seventh time of asking and only ever being told "it's in the works" while still pushing IPv6 articles that try to make US feel guilty.

      1. Anonymous Coward
        Anonymous Coward

        Re: And who told you I want to be measured?

        At the very least, get yourself one outside IPv6 address and map it through

        I had a /64 for 5+ years.

        I let my RIPE record lapse which resulted in SIXX turning it off. I initially considered going through the motions to re-enable it, but why? The use was so little that nobody noticed it disappearing. It was in use initially with a lot of mail going through it, but dropped to nearly nil after I had to turn off the v6 MX for my domain because of Google/Microsoft idiocies - not retrying v4 MXes if there is a v6. I am not the only one there too - even Comcast turned their v6 MXes off.

        So actually my v6 use has _DROPPED_ off over time, not increased (as preached by the v6 high priesthood).

        I do not see a point in getting one for now. When and if the inevitable happens I have the config for it, I will enable it. So far - I do not see it happening for at least 10 more years due to trade in ip addresses and virtually zero residential growth in the developed world.

        1. Blotto Silver badge

          Re: And who told you I want to be measured?

          just 1 /64?

          are you sure

        2. Yes Me Silver badge

          Re: And who told you I want to be measured?

          "So actually my v6 use has _DROPPED_ off over time"

          Yes, and nobody in v6-land cares. Because the growth at the moment is in v6 use by very large mobile networks who ran out of IPv4 space several years ago; most users have no idea they're using v6. If they have a domestic ISP with IPv6 support, who ships v6-capable home routers, most home users have no idea either. The heroic days of Teredo, 6to4 and even SixXs.net are almost over now that production quality IPv6 is so easy. Of course, the IPv4 legacy will be around for many years.

          1. AndrueC Silver badge

            Re: And who told you I want to be measured?

            Of course, the IPv4 legacy will be around for many years.

            Certainly will in Blighty where all but one of our biggest ISPs do not yet fully (or at all) support IPv6. Last I heard of the 'big six' only Sky was getting close to complete with their roll out. BT might be complete in early 2017. TT I don't think has current plans. Plusnet appears not to have current plans.

      2. Anonymous Coward
        Anonymous Coward

        Re: And who told you I want to be measured?

        > Allows you to get onto IPv6-only resources when the inevitable happens.

        It won't.

        Nobody's business plan includes making their content available to a tiny proportion of the Internet.

        Just look at what happened with IE5 support: people kept supporting IE5 until less than 1% of users were on it. And supporting IE5 was *hard* and *expensive*, often requiring a completely separate parallel version of the website.

        The Internet is about business, and business is about customers, and until 99% of customers have IPv6, all content of any significance will be available on IPv4 as well.

        > And the easiest way to transition is to transition your NAT device to have a IPv6 address to the outside world and let it handle the conversion to your legacy IPv4 network

        That won't work: your legacy devices will look up a DNS name, find there is no "A" record, and fail.

        It can work if you build a SOCKS5 proxy or HTTP proxy at the border, and configure your 'legacy' devices to access the Internet through that.

      3. Roland6 Silver badge
        Pint

        Re: And who told you I want to be measured?

        @Lee D. "And the easiest way to transition is to transition your NAT device to have a IPv6 address to the outside world and let it handle the conversion to your legacy IPv4 network.

        ...

        P.S. Hello, The Reg. How's that IPv6 transition coming along?"

        Are you sure El Reg aren't IPv6 internally and have not simply used a NAT device with an IPv4 address to the outside world to hide its internal network... :)

        Actually, given the power of today's 'routers', it isn't that far-fetched for the router to provide an IPv4 to IPv6 gateway, given how practically everything revolves around URLs and DNS these days. Okay, Voice over HTTP might be rubbish, but I suspect for the majority of 'home' users there will only be a few exceptions, just as there are today with NAT.

    2. Novex

      Re: And who told you I want to be measured?

      Yep. Pretty much how I feel too.

      If the industry wants me to adopt IPv6, then give me a translation router that: allows my v4 network to work internally, via static addresses if necessary; allows my website and email servers to be connected either via v4 or v6; allows me to prevent snooping backwards into my individual devices.

      Otherwise, bugger off.

      1. AndrueC Silver badge
        Joke

        Re: And who told you I want to be measured?

        Otherwise, bugger off.

        But...but..NAT is the work of the Deviiiil! It breaks the internet. Just because every application you've ever used at home has worked just fine and just because it inherently improves your security is no excuse.

        We who own the internet don't like it. You should listen to us. Most of us have beards.

      2. Anonymous Coward
        Anonymous Coward

        Re: And who told you I want to be measured?

        Exactly.

        There is no way that I would allow any packets from the device-to-device traffic that is going on inside my private network to reach the outside world.

        For one thing, I don't want to pay my ISP for the traffic (yes, I'm a tightwad).

        What goes on inside my firewall is my effing business and not that of Google/Facebook/NSA/GCHQ/FSB or whatever company or agency is sniffing around.

        IPv6 is a spooks' wet dream.

        The fact that my PC talks to my Lathe is nothing to do with anyone but me. I certainly don't want Google to know that I did some NC machining last Thursday morning so that they can sling ads at me for NC machines or supplies.

        Now where is that chainsaw?

        1. Alumoi Silver badge

          Re: And who told you I want to be measured?

          The fact that my PC talks to my Lathe is nothing to do with anyone but me. I certainly don't want Google to know that I did some NC machining last Thursday morning so that they can sling ads at me for NC machines or supplies.

          But how would $3_letter_agency know you didn't make a bomb or a component for one? Or some kind of weapon?

          1. Neil Barnes Silver badge
            Holmes

            Re: And who told you I want to be measured?

            I'm just wondering if the chainsaw will have an IPv6 address...

            As others have said, there seems no rational reason why a domestic - or indeed a commercial - firewall can't be v6 on the outside and NAT v4 on the inside. There seems to my admittedly self-centred privacy-minded viewpoint exactly no advantages to v6 end-to-endness other than endpoint availability - which is a largely solved problem by NAT as far as I can see.

            One might even postulate a v4 DMZ and a v6 DMZ sticking out of the same box, for those amazingly rare occasions when we might want to run an internet facing service.

            1. Nanashi

              Re: And who told you I want to be measured?

              Oh good grief. v6 "high priest" here; let me try and call BS on some of the BS in here.

              > My (on last count) 20+ devices on my home network are my own F*** business.

              Yup. v6 doesn't change this; your devices on your network are still your own business.

              > The v6 people should really take their end to end principle, chose a high priest of v6 of choice and make him stuff it.

              Nope. This is crazy. There is absolutely no reason to make things difficult for people who do need inbound connections. If you don't want people connecting to your machine, drop the inbound connection yourself or _don't connect it to the internet in the first place_. Don't screw over everybody else just because you can't be arsed to do that.

              > All the IoT devices (usually used as the primary justification for v6) SHOULD NOT be entitled to talk to anything but the gateway and I would like that gateway to be on _MY_ premises under _MY_ control. For that v4 suffices. End of story.

              Damn straight. But even with v6, your gateway is still on your premises and it's still under your control. What made you think it wouldn't be?

              > All the data leaching admen scum with their ideas that that they will talk to the "cloud" so they can monetize the refresh cycle of my dirty laundry can join the aforementioned v6 priest in gently buggering themselves with a chainsaw

              I agree with the "don't talk to the cloud for IoT stuff". But the thing is... everything _has_ to talk to the cloud because peer-to-peer communication is so difficult on v4 with all the NAT. If you want to control something at home from your smartphone, it's difficult to just connect from the phone to the server at home because there's NAT in the way (and don't say you'll just forward the port; CGNAT makes that impossible). That's why all the IoT stuff ends up bouncing through a server owned by the company.

              > At the very least, get yourself one outside IPv6 address and map it through.

              This is dumb. The LAN is the easiest part of v6 deployment, just use your allocated global addresses on it. Adding NAT to the mix just adds headaches, and it doesn't actually get you anything that privacy addresses (which are enabled by default on roughly everything) don't get you on v6.

              > It bugged me from day one that people were told that they "can't" use NAT with IPv6. Of course you can.

              You certainly can, but as I say, it's dumb to actually do so. There is no reason to subject yourself to that in v6.

              > And the easiest way to transition is to transition your NAT device to have a IPv6 address to the outside world and let it handle the conversion to your legacy IPv4 network.

              This isn't the easiest way to transition. How are your v4-only devices going to specify which v6 host to connect to? Deploying v6 to your LAN is really damn simple (and, unlike "just translate to v4", it actually works), you don't need to worry that it'll be difficult. In fact it's so easy that millions of people in the UK have already done it, sometimes without even realizing.

              > The use was so little that nobody noticed it disappearing.

              I doubt the use was little. Most people with v6 see about 30-60% of their traffic go over v6.

              You may not have noticed it disappearing though, if you weren't paying attention. There's a very good reason for that: it's because the v6 transition was designed so that you could gradually roll it out without breaking your existing network. Obviously that necessarily means that you can un-roll it out without much disruption either. (Surely these are both good things?)

              But that doesn't mean you can just not do v6, because v4 is still insufficient and the internet still needs to be moving to v6.

              (As a side note: ugh Sixxs and their "ban you for anything" attitude.)

              > If the industry wants me to adopt IPv6, then give me a translation router that: allows my v4 network to work internally,

              Don't worry, this is exactly what's happening with v6 deployment. Just that your LAN will also have v6 on it as well as the v4.

              > allows me to prevent snooping backwards into my individual devices.

              This is also what's happening. There's no "just" caveats here, v6 routers (or routers in general) inherently allow you to do this.

              > But...but..NAT is the work of the Deviiiil! It breaks the internet. Just because every application you've ever used at home has worked just fine

              What, you've never seen an Xbox gamer have trouble with their NAT type? Even when stuff does work, it's because the software author has spent time dealing with NAT-related issues -- which means less time spent fixing bugs or adding new features, so your software is worse off than it would've been even if the NAT doesn't outright break it (which sometimes it does). NAT traversal often involves running a server to bounce through, which costs money to run (which could otherwise be funneled into more development work on the software) and also is a nice easy place to monitor whatever you're doing with the software.

              NAT is one of the reasons that games often don't let you run your own dedicated servers any more. Having to rely on some company keeping the servers up so you can do multiplayer kinda sucks.

              > and just because it inherently improves your security is no excuse.

              This is actually exactly the opposite of what NAT does; it inherently decreases your security, because the entire point of NAT is to let you make outbound connections which you otherwise wouldn't be able to make. Your machines would be a lot more secure if they couldn't connect out to the internet. It also lulls you into a false sense of security, because it gives the impression that nobody can connect to machines on your LAN, when in fact your ISP (or anyone who can strongarm them) can easily connect to your LAN machines, even with a NATing router in the path.

              If you really want to prevent inbound connections, use a firewall. And firewalls have nothing to do with NAT -- they work fine on v6 too.

              > There is no way that I would allow any packets from the device-to-device traffic that is going on inside my private network to reach the outside world.

              A sensible position. And guess what? It doesn't matter if you're using globally-unique addresses on your LAN. LAN traffic is still LAN traffic! It's not gonna leave your LAN just because you're not doing NAT.

              > For one thing, I don't want to pay my ISP for the traffic (yes, I'm a tightwad). What goes on inside my firewall is my effing business and not that of Google/Facebook/NSA/GCHQ/FSB or whatever company or agency is sniffing around.

              More stuff I completely agree with. But also more stuff that's totally unaffected by v6. Local traffic is local traffic.

              > IPv6 is a spooks wet dream.

              No, not really. Or at least... no more so than IPv4 already is. IPv6 doesn't somehow magically reveal more of your inner secrets than your use of v4 already does.

              > The fact that my PC talks to my Lathe is nothing to do with anyone but me. I certainly don't want Google to know that I did some NC machining last Thursday morning so that they can sling ads at me for NC machines or supplies.

              And again, v6 doesn't somehow cause this to happen. In fact it may help prevent it from happening, because this "IoT thing talks to Google's server" business often happens _because_ of NAT. If your smartphone could connect directly to your widgets then it wouldn't need to bounce through some company's server.

              > But how would $3_letter_agency know you didn't make a bomb or a component for one? Or some kind of weapon?

              This is another thing that has absolutely nothing to do with v6.

              > As others have said, there seems no rational reason why a domestic - or indeed a commercial - firewall can't be v6 on the outside and NAT v4 on the inside.

              Yes, there is a rational reason: there are only 32 bits in the v4 "destination address" header to specify the host you want to connect to, and a v6 address's 128 bits won't fit into it, so your LAN hosts won't have any way to identify which host they want to connect to. (Sorta the whole problem right there.)

              For the sake of clarity I will just point out that your local network will have its current v4 addresses _as well as_ v6 addresses. v6 deployment won't disrupt any of your existing network, it'll just add on the extra capability of reaching v6 hosts.

              For the sake of extra clarity I'll also point out the existence of privacy addresses -- basically, every v6 host periodically generates a new random address for itself. It's hard to identify a host by its v6 address because it's constantly changing and no addresses are ever reused. If you're worried about people counting the number of machines you're running by using their v6 addresses, then don't.

              Worry about supercookies and browser fingerprinting instead.

              Phew... I think that about covers everything.

              1. AndrueC Silver badge
                Thumb Down

                Re: And who told you I want to be measured?

                when in fact your ISP (or anyone who can strongarm them) can easily connect to your LAN machines, even with a NATing router in the path.

                Rubbish. Even if you know my public IP address there's nothing you or anyone else can do to initiate an inbound connection to my PC. Even if I told you its IP address you'd still not be able to target it.

                A firewall could conceivably fail to block a new incoming connection to a LAN address. It's easy to imagine how a simple bug could let that happen. It is hard to imagine how a bug in NAT could result in an incoming connection request actually getting routed to a machine on the LAN.

                Now of course there are plenty of other things that NAT alone can't protect you against but NAT+<firewall> is more secure than just <firewall> alone.

                And no, I've not had any problems with games consoles. A friend has had but that's down to network fragmentation and Sony. Been doing a lot of things at home over NAT for over a decade. Ain't never caused me any problems.

              2. Anonymous Coward
                Anonymous Coward

                Re: And who told you I want to be measured?

                > But the thing is... everything _has_ to talk to the cloud because peer-to-peer communication is so difficult on v4 with all the NAT. ...

                > That's why all the IoT stuff ends up bouncing through a server owned by the company.

                That's not the only reason though. Other reasons include:

                1. Any sane home or business firewall will not allow unsolicited inbound connections from arbitrary outside addresses to inside addresses.

                2. IoT things are individually dumb. You need an application somewhere which has a database of all the devices, how they relate to each other, and issuing commands to them together.

                3. People want that control application to be shared - e.g. be able to view their house status from their laptop or their smartphone or their tablet, whatever they have in hand at the moment.

                IPv6 doesn't change any of that, especially not point (1). The whole architecture of IoT would still be client-server, even if the Internet had been IPv6 from day one.

                You may say point (1) is an antiquated way to build networks - that there is no such thing as a "secure network" behind a "perimeter" any more. I'd agree, but try convincing most business of that.

                In addition, becoming increasingly cynical:

                4. IoT devices are hopelessly insecure. If they are configured to accept authenticated commands from a trusted central server, there is some hope they will survive. If they accept random traffic from random endpoints, they will be broken into in no time.

                5. Many IoT devices are about consuming content (e.g. Sonos type devices), and somebody wants to control and sell you the content. That content will be held in the cloud.

                6. Vendors want to "value add" by integrating the control application with other applications and accounts you have, making it so coupled that you can't move away from them. This is otherwise known as "vendor lock-in" and is most easily achieved if they control everything centrally.

                7. Vendors want to collect all the juicy information they get from how your life runs, so they can sell you more products, and sell on your information to advertisers.

                IPv6 doesn't really affect any of that very much. Well, I suppose vendors could sell standalone servers to security-conscious customers, or clueful people could build their own servers from scratch - but 99.9% of people won't do that when they can just click on a web page instead, and click through a privacy statement without reading it.

                1. Doctor Syntax Silver badge

                  Re: And who told you I want to be measured?

                  'You may say point (1)[not allowing unsolicited inbound connections] is an antiquated way to build networks - that there is no such thing as a "secure network" behind a "perimeter" any more. I'd agree, but try convincing most business of that.'

                  Surely allowing such inbound connections is the antiquated way. It belongs to a time when internet users trusted each other and were largely justified in that trust. And as for there being no such thing as a secure perimeter that's a bug not a feature.

                  1. Anonymous Coward
                    Anonymous Coward

                    Re: And who told you I want to be measured?

                    > And as for there being no such thing as a secure perimeter that's a bug not a feature.

                    Most people these days get infected by either:

                    1. downloading E-mails with malicious attachments, then running them

                    2. browsing to websites with malicious content

                    These are "outbound" connections as far as the firewall is concerned, and will be permitted.

                    Once the malicious payload is running on your client device, it will also make "outbound" connections to its command-and-control servers. The attacker is now inside your network and can do whatever they like; further attacks on other machines are all internal and don't touch the firewall at all.

                    Basically, this means firewalls are useless. Even content scanning firewalls are useless, since the majority of traffic is TLS-secured (e.g. HTTPS, IMAPS). And don't mention man-in-the-middle firewalls which have fake root certificates and transparently decrypt and re-encrypt your traffic; they are evil.

                    The best that a firewall can do for you these days is to notice the signs that you are infected (such as your machines start spewing spam or connecting to known C&C servers) and let you know what needs to be cleaned up.

                    What you really need to do is to allow access only to registered, locked-down devices and authenticated users. Have a look at what Google are doing with "BeyondCorp".
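The comment above argues that once payloads are TLS the useful thing a firewall can still do is spot the signs of an already-infected host from connection metadata. This is an added example, not code from the thread or any product mentioned in it: it reads outbound-connection records and flags LAN hosts that contact a known command-and-control address or fan out SMTP connections to many distinct mail servers. The log format, the sample lines, the `192.168.1.0/24` LAN and the single-entry blocklist are all constructed for the example; `192.0.2.50` is an RFC 5737 documentation address standing in for a threat-intel entry, not a real C&C server.

```python
"""Added example (not from the thread): metadata-only detection of two
infection signs named in the comment, run over constructed firewall log
lines. Everything here (log format, addresses, blocklist) is made up."""
import re
from collections import defaultdict

# Constructed record format: timestamp, direction, inside socket, outside socket, protocol.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) OUT src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Constructed outbound-connection log, one line per new connection.
SAMPLE_LOG = """\
2016-01-10T10:00:01 OUT src=192.168.1.10:51000 dst=192.0.2.50:443 proto=tcp
2016-01-10T10:00:05 OUT src=192.168.1.30:51001 dst=198.51.100.7:443 proto=tcp
2016-01-10T10:00:09 OUT src=192.168.1.10:51002 dst=192.0.2.50:443 proto=tcp
2016-01-10T10:01:00 OUT src=192.168.1.20:52000 dst=203.0.113.11:25 proto=tcp
2016-01-10T10:01:01 OUT src=192.168.1.20:52001 dst=203.0.113.12:25 proto=tcp
2016-01-10T10:01:02 OUT src=192.168.1.20:52002 dst=203.0.113.13:25 proto=tcp
2016-01-10T10:01:03 OUT src=192.168.1.20:52003 dst=203.0.113.14:25 proto=tcp
2016-01-10T10:01:04 OUT src=192.168.1.20:52004 dst=203.0.113.15:25 proto=tcp
2016-01-10T10:01:05 OUT src=192.168.1.30:52005 dst=203.0.113.11:25 proto=tcp
this line is garbage and must be skipped without crashing the analyser
""".splitlines()

# Placeholder threat-intel entry (documentation address, not a real C&C host).
C2_BLOCKLIST = {"192.0.2.50"}


def parse_line(line: str):
    """Parse one record into a dict, or return None for a malformed line."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def analyze(lines, c2_blocklist=C2_BLOCKLIST, smtp_threshold=5):
    """Return (kind, lan_host, detail) findings: C2 contacts first, in log
    order and reported once per (host, destination); then, per LAN host,
    an SMTP fan-out finding when it opened TCP/25 to at least
    smtp_threshold distinct servers (a common spam-bot signature)."""
    findings = []
    reported = set()
    smtp_targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed input rather than abort the run
        key = (rec["src"], rec["dst"])
        if rec["dst"] in c2_blocklist and key not in reported:
            reported.add(key)
            findings.append(("c2-contact", rec["src"], rec["dst"]))
        if rec["proto"] == "tcp" and rec["dport"] == 25:
            smtp_targets[rec["src"]].add(rec["dst"])
    for host in sorted(smtp_targets):
        n = len(smtp_targets[host])
        if n >= smtp_threshold:
            findings.append(("smtp-burst", host, f"{n} distinct mail servers"))
    return findings


if __name__ == "__main__":
    for kind, host, detail in analyze(SAMPLE_LOG):
        print(f"{kind:11} {host:15} {detail}")
```

Neither check looks at a payload, which is the point the comment makes: the decision is made on who talked to whom and how often, and the same logic works over NetFlow or conntrack exports as well as firewall logs.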

                    1. Missing Semicolon Silver badge
                      Unhappy

                      Re: And who told you I want to be measured?

                      @ Anonymous Coward

                      The secure perimeter we now all have with ISP-supplied routers (no more USB cable modems, yay!) is the reason why the crims have now moved to the client-based penetration attempts.

                      Take the perimeter wall away, and we're back to 1993.

                    2. Anonymous Coward
                      Anonymous Coward

                      Re: And who told you I want to be measured?

                      "Most people these days get infected by either:

                      1. downloading E-mails with malicious attachments, then running them

                      2. browsing to websites with malicious content"

                      Well of course most people get infected by those routes, because they are the routes that remain after the inbound connection routes are closed off by firewalls. To argue that this makes firewalls useless is akin to saying that because most murders in Britain are committed with knives, there's no need for gun laws. Firewalls may not be able to make the internet a perfect place, but clearly it would be worse without them.

                  2. Anonymous Coward
                    Anonymous Coward

                    Re: And who told you I want to be measured?

                    Surely allowing such inbound connections is the antiquated way. It belongs to a time when internet users trusted each other and were largely justified in that trust.

                    The new way says: "trust no-one: not even devices which are on the corporate network"

                    All resources have controls which allow only access if (a) the device is able to prove it is managed by the organization and meets all the organization's current security requirements; and (b) the user is able to prove who they are.

                    You don't grant enhanced access to something based on the fact they're using a corporate network IP address, because this would imply that devices inside the perimeter are more trustworthy than devices outside, and that's a fallacy.

              3. Missing Semicolon Silver badge
                Boffin

                Re: And who told you I want to be measured?

                @ Nanashi

                So, what happens when the various devices in my house talk to the Internet? Right now, they all appear as one address, so that Google (say), or my ISP, has no idea what's inside my LAN.

                My understanding is that V6 allows a version of the LAN address to get out as the return address for the connection. So the manufacturer can be detected, and the number of different addresses used from my subnet gives an indication as to how many devices I have.

                I don't want that leakage.

                1. heyrick Silver badge

                  Re: And who told you I want to be measured?

                  "my ISP, has no idea what's inside my LAN"

                  Exactly. The outside world sees ONE address, there is no knowledge of what is on the other side. Indeed, different ports at my public facing IP address go to different machines, not that this is necessarily evident from the outside.

                2. Vic

                  Re: And who told you I want to be measured?

                  My understanding is that V6 allows a version of the LAN address to get out as the return address for the connection

                  Each device will have several addresses - e.g. one for link-local work, and another for Internet connection. The latter is the one that will be seen by external servers.

                  So the manufacturer can be detected

                  No. The MAC address is *one way* to form link-local addresses, but it is not mandatory to use that method. And the link-local address does not leave the LAN.

                  the number of different addresses used from my subnet gives an indication as to how many devices I have

                  Technically, yes, I suppose. But there's no need for addresses to be allocated sequentially - indeed, for privacy reasons, that's unlikely to be the case. Enumerating your devices is going to be very difficult.

                  Vic.

                3. bombastic bob Silver badge
                  Devil

                  Re: And who told you I want to be measured?

                  "My understanding is that V6 allows a version of the LAN address to get out as the return address for the connection."

                  not entirely true, but lemme 'splain.

                  IPv6 addresses are assigned to a particular netblock, which the router will know about. The router can advertise this information and assign IPv6 addresses using some protocol I can't remember the name of. You can then allow an automatically assigned IPv6 address from the netblock, or assign a static one (your choice) from within the same netblock.

                  Now, about IPv6 routing: the routers use the advertisements to say "send your IPv6 outgoing traffic to me." They know about the upstream router, which was either assigned statically, or also advertised itself. That's how IPv6 routing works. In theory, you don't have to set up gateways, just routers [and the rest is automatic].

                  Now, because you were assigned an IPv6 netblock, your IP addresses are UNIQUE TO YOUR MACHINE, FOREVER. This also exposes every listening port onto the intarwebs using that IPv6 address if you didn't bother to firewall it. The router CAN firewall [mine does, it's running FreeBSD, and Linux could do the same thing]. In particular, I don't want a VNC port, or an X11 port, or any of the dozen-or-so ports that Windows listens on to be exposed to the outside world. So I block ALL of them at the IPv6 gateway.

                  BUT, whenever you visit some web site, the web site knows who connected, YOUR publicly visible IPv6 address that is NOT translated. A rogue web server could then scan you for open (listening) ports on that address and determine whether or not you can be cracked. Specific ones are well-known for windows, X11, VNC, Samba sharing, SQL Server, SVN, mail servers, and whatever OTHER things you might not want accessed from the outside [so you better firewall them all or risk getting CRACKED].

                  Anyway, that's pretty much an executive summary of what's going on.

                  1. Anonymous Coward
                    Anonymous Coward

                    Re: And who told you I want to be measured?

                    @Bombastic Bob

                    you helpfully mentioned that with IPv6 the web site knows who connected

                    and what is more - with IPv6 packets you visited the website with digitally signed evidence

                    which is fine by me, but some sensitive, furtive sort of characters do have reasons not to splurge digitally signed evidence crumbs across the universe. . . forever

                    or maybe I'm wrong, this thread is a great thrashdown of the aspects of IPv4/IPv6 - don't we need a connectivity, privacy and security balancing IPv8 yet?

                  2. Blotto Silver badge

                    Re: And who told you I want to be measured?

                    @ bob,

                    "Now, because you were assigned an IPv6 netblock, your IP addresses are UNIQUE TO YOUR MACHINE, FOREVER"

                    Not quite, Bob.

                    You'll most likely get a dynamic /56 from your ISP.

                    The problem is the auto-assigned /64 portion of the address uses EUI and is made up from the machine's MAC address. MAC addresses are well defined, from a known pool, and are therefore in a small enough pool to be scanned. In addition, any receiving system can determine what vendor the originating machine is, and from your subnet a collating service can determine how many hosts are on your network. In addition, every time you connect it can track you from net to net, like from home, work, Starbucks etc., as the /64 can be the same across nets as it can be globally unique (as it uses the MAC address).

                    This is a great write-up:

                    http://serverfault.com/questions/426183/how-does-ipv6-subnetting-work-and-how-does-it-differ-from-ipv4-subnetting
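Vic's and Blotto's comments above disagree on what a SLAAC address gives away, so here is the mechanism in code. This is an added example, not code from the thread or from any project it mentions: it builds the modified EUI-64 interface identifier from a MAC, shows that the same identifier reappears under any prefix (which is what makes a host trackable from network to network), recovers the MAC and its OUI from such an address, generates an RFC 4941 temporary address that carries neither, and picks a LAN /64 out of a delegated /56. The MAC `00:11:22:33:44:55`, the `2001:db8::/32` prefixes and the function names are all constructed for the example.

```python
"""Added example (not from the thread): modified EUI-64 versus RFC 4941
privacy addresses. All MACs and prefixes are constructed documentation
values, not real hosts."""
import ipaddress
import secrets

IID_MASK = (1 << 64) - 1
UL_BIT = 1 << 57  # universal/local bit: 0x02 in the top octet of the identifier


def mac_to_iid(mac: str) -> int:
    """Modified EUI-64: flip the U/L bit of the first octet and insert ff:fe
    between the OUI (first three octets) and the NIC part (last three)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(eui, "big")


def iid_of(addr: str) -> int:
    """Low 64 bits of an IPv6 address: the interface identifier."""
    return int(ipaddress.IPv6Address(addr)) & IID_MASK


def mac_from_iid(iid: int):
    """Recover the MAC if the identifier carries the EUI-64 ff:fe marker;
    None otherwise (random, manually set or DHCPv6-assigned identifiers)."""
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    octets = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:8]
    return ":".join(f"{o:02x}" for o in octets)


def slaac_address(prefix: str, mac: str) -> str:
    """The stable address a SLAAC host forms from its /64 prefix and its MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | mac_to_iid(mac)))


def temporary_address(prefix: str) -> str:
    """RFC 4941 privacy address: a random identifier with the U/L bit cleared.
    A host regenerates these periodically, so no MAC is embedded and the
    address a remote server sees keeps changing."""
    net = ipaddress.IPv6Network(prefix)
    while True:
        iid = secrets.randbits(64) & ~UL_BIT
        if mac_from_iid(iid) is None:  # reject the 1-in-65536 accidental ff:fe
            return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def classify(addr: str) -> str:
    """What a remote server can read off a source address."""
    mac = mac_from_iid(iid_of(addr))
    if mac is None:
        return "opaque identifier"
    return f"eui64 mac={mac} oui={mac[:8]}"


def same_host_across_networks(addr_a: str, addr_b: str) -> bool:
    """An EUI-64 identifier is identical under every prefix, so one host can
    be recognised at home, at work and on a cafe network by that alone."""
    return mac_from_iid(iid_of(addr_a)) is not None and iid_of(addr_a) == iid_of(addr_b)


def lan_subnet_from_pd(delegated: str, index: int = 0) -> str:
    """Pick one /64 for the LAN out of a delegated prefix such as the /56 a
    DHCPv6-PD request returns."""
    return str(list(ipaddress.IPv6Network(delegated).subnets(new_prefix=64))[index])


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"  # constructed, not a real NIC
    lan = lan_subnet_from_pd("2001:db8:ab00::/56", 1)
    stable, temp = slaac_address(lan, mac), temporary_address(lan)
    print(lan)
    print(stable, "->", classify(stable))
    print(temp, "->", classify(temp))
```

The `ff:fe` marker is the give-away: any address containing it in the middle of the identifier can be turned straight back into a MAC, whereas a privacy address has nothing to recover, which is why modern stacks use the latter for outbound connections by default.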

              4. Nanashi

                Re: And who told you I want to be measured?

                > Phew... I think that about covers everything.

                Except, of course, for the comments made while I was in the moderation queue.

                > Nobody's business plan includes making their content available to a tiny proportion of the Internet.

                It is not actually so tiny. In some specific areas (for instance, mobile networks in the US) it's >50%. Still too low to drop v4 _yet_, but what if it was 90%? Would you bother adding legacy v4 support to your new mobile service for that last 10%? Maybe you'd charge v4-only customers a bit extra to cover the costs (which are steadily increasing; v4 addresses aren't free).

                > Why should I broadcast to the world that I have an NC Lathe?

                You shouldn't. And IPv6 won't magically force you to do that. This is not a reason to not want v6.

                > Why should I broadcast all the NC commands to the world? There is no reason at all.

                You shouldn't! You won't have to! Just send the commands to your lathe over your local network. Where's the problem?

                1. Nanashi

                  Re: And who told you I want to be measured?

                  > Rubbish. [...] It is hard to imagine how a bug in NAT could result in an incoming connection request actually getting routed to a machine on the LAN.

                  Not rubbish. If you think this then you don't understand how the internet works.

                  If an inbound connection comes into your router from the WAN interface, and the dst address of the connection is (say) 192.168.1.10, then your router will route that connection to 192.168.1.10. NAT won't affect this at all -- NAT (in the form that you see it on home routers) only affects outbound connections.

                  Now obviously, it's hard to send a packet to you with 192.168.1.10 as the dest address [which is one of the reasons that v6 needs to hurry up and be here], but your ISP can do it. NAT will not prevent your ISP, or anyone who can strongarm them, from making connections to any of your LAN machines.

                  > You see: my router supports IPv6 on the outside (also has an IPv6 address) but only provides IPv4 on the inside. It gets more bizarre: my IPv6 address is an /128 one. In other words: one fixed address, I'd have expected some kind of subnet for sure.

                  A /128 on the WAN is fairly common. You're generally expected to have only one machine on the WAN link (the router), so a single address is fine. Typically you then have to make a DHCPv6-PD request to pick up a /64 (or a /56, preferably) to use on the LAN side.

                  Which ISP is it? If it's Sky then the above is what's going on. Do the PD request and you'll get a /56, from which you can pick one /64 for your LAN.

                  > I'm happy to have a gateway between my PC and the Internet instead of having my PC's firewall act as the first and last line of defense. But this wasn't the way they intended IPv6 to be used, that's for sure!

                  It kinda was. You're expected to have a router between you and the rest of the internet -- that's just how the internet works. And typically you'll run a firewall on that router. Your PC firewalls won't be your only line of defense.

                  >> That's why all the IoT stuff ends up bouncing through a server owned by the company.

                  > That's not the only reason though. Other reasons include:

                  You're right, and you make a lot of good points. Vendor lock-in and an inability to keep their mitts off your private data is going to make a lot of companies go the central server route anyway. But still, if all of their devices live behind CGNAT then they're pretty much _required_ to go that route even if they don't want to. Removing NAT (and thus deploying v6) is a basic requirement to making it _possible_ for a non-evil company to design something where the server lives in your home and under your control.

                  > So, What happens when the various devices in my house talk to the Internet? [...] My understanding is that V6 allows a version of the LAN address to get out as the return address for the connection. So the manufacturer can be detected, and the number of different addresses used from my subnet gives an indication as to how many devices I have.

                  For the purpose of outbound connections, your machines generate a random address (which they change frequently). You can't detect the manufacturer from a random address, and the number of computers you use is also obscured (but instead of looking like one computer, it looks like thousands and thousands).

                  1. Anonymous Coward

                    Re: And who told you I want to be measured?

                    Now obviously, it's hard to send a packet to you with 192.168.1.10 as the dest address [which is one of the reasons that v6 needs to hurry up and be here], but your ISP can do it. NAT will not prevent your ISP, or anyone who can strongarm them, from making connections to any of your LAN machines.

                    In addition, NAT itself may allow in more than you realise.

                    Many NAT implementations are "full cone NAT" which means that if I make an inbound connection from 192.168.1.10 port 1234 to something on the outside, and the source gets translated to 1.2.3.4 port 5678, then *anyone on the Internet* can send a packet to 1.2.3.4 port 5678 and it will be forwarded inbound to 192.168.1.10 port 1234.

                    Yes, I thought it was crazy when I first saw it. But that's how it is, and indeed NAT-traversal mechanisms for peer-to-peer communication like STUN rely on this.

                    What you might *expect* is that an outbound connection to a specific remote host/port combination would only accept reply packets from just that remote host and port. This is called a "Symmetric NAT", and some NATs do indeed work that way. But if both parties are behind this sort of NAT then they can't communicate peer-to-peer; they must relay all their traffic via a third-party server.

                    There are some in-between options as well: if you want the full details see

                    https://en.wikipedia.org/wiki/Network_address_translation#Methods_of_translation

                    But in essence: if you want to allow communication from A to B but not from B to A, then what you need is a *stateful firewall*, not a NAT.

                    A NAT is inherently stateful, but may let in more inbound traffic than a proper stateful firewall would.
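The distinction drawn above (a "full cone" mapping that admits any external sender versus a mapping that only admits the peer the internal host actually contacted) can be made concrete with a small model. The following is an added illustration written for this page, not code posted in the thread; it models only the filtering rule applied to inbound packets, not port allocation, and the addresses 192.168.1.10, 1.2.3.4, 203.0.113.7 and 198.51.100.9 are constructed sample values (the first two match the numbers in the post).

```python
"""Model of NAT inbound filtering: endpoint-independent ("full cone") versus
address-and-port-dependent (the post's "symmetric") behaviour.

Added illustration, not code from the forum thread.  Only the filtering rule
is modelled; a real symmetric NAT also allocates a fresh public port per
destination, which is omitted here.  All addresses are constructed samples.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Mapping:
    public_port: int
    # remote (ip, port) endpoints the internal socket has sent to
    peers: set = field(default_factory=set)


class Nat:
    def __init__(self, public_ip: str, filtering: str):
        assert filtering in ("full-cone", "symmetric")
        self.public_ip = public_ip
        self.filtering = filtering
        # keyed by internal (ip, port); a mapping only exists after outbound traffic
        self.table: dict = {}
        self.next_port = 5678   # first public port handed out (matches the post)

    def outbound(self, pkt: Packet) -> Packet:
        """Translate an outbound packet, creating the mapping on first use."""
        key = (pkt.src_ip, pkt.src_port)
        m = self.table.get(key)
        if m is None:
            m = Mapping(self.next_port)
            self.next_port += 1
            self.table[key] = m
        m.peers.add((pkt.dst_ip, pkt.dst_port))
        return Packet(self.public_ip, m.public_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Return the de-translated packet if the NAT forwards it, else None."""
        if pkt.dst_ip != self.public_ip:
            return None
        for (in_ip, in_port), m in self.table.items():
            if m.public_port != pkt.dst_port:
                continue
            if self.filtering == "symmetric" and (pkt.src_ip, pkt.src_port) not in m.peers:
                return None   # unsolicited sender: not a peer we talked to
            return Packet(pkt.src_ip, pkt.src_port, in_ip, in_port)
        return None   # no mapping for this port at all


def demo(filtering: str) -> dict:
    """Which inbound packets get through once 192.168.1.10:1234 has talked out?"""
    nat = Nat("1.2.3.4", filtering)
    nat.outbound(Packet("192.168.1.10", 1234, "203.0.113.7", 80))
    reply = nat.inbound(Packet("203.0.113.7", 80, "1.2.3.4", 5678))      # the peer's reply
    stranger = nat.inbound(Packet("198.51.100.9", 4444, "1.2.3.4", 5678))  # any other host
    unmapped = nat.inbound(Packet("198.51.100.9", 4444, "1.2.3.4", 9999))  # no mapping
    return {
        "reply": reply is not None,
        "stranger": stranger is not None,
        "unmapped": unmapped is not None,
    }


if __name__ == "__main__":
    print("full-cone:", demo("full-cone"))
    print("symmetric:", demo("symmetric"))
```

Running it shows the point of the post: with full-cone filtering the stranger's packet is forwarded to 192.168.1.10:1234 just like the real reply, whereas the address-and-port-dependent variant only lets the contacted peer back in. A stateful firewall tracking connections gives the second behaviour regardless of whether addresses are being translated.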

                  2. AndrueC Silver badge

                    Re: And who told you I want to be measured?

                    NAT will not prevent your ISP, or anyone who can strongarm them, from making connections to any of your LAN machines.

                    But even if you have a router that does that it still excludes 99% of miscreants on the WAN side and therefore still provides significant security benefits. If someone has strong-armed my ISP to that extent all bets are off anyway.

                    Of course NAT on its own is not enough but NAT+<firewall> is still (IMO) more secure than <firewall> on its own.

                    1. Dwarf

                      Re: And who told you I want to be measured?

                      NAT is not a security measure, it never was, it never will be, even though all the home grade firewall manufacturers claimed it was "an extra layer". It was just an earlier approach to try and work around the shortage of IPv4 addresses. Don't forget that it was only ever a work-around, not a permanent solution.

                      A standard firewall rules base is more than effective enough on its own, irrespective of the version of IP passing through it. The principles are identical across v4 and v6, it's just the network definitions that are a tiny bit different.

                      Yesterday's /24 becomes today's /48 or /64 depending on what you are doing.

                      Removing NAT is also quicker as there is one less layer of translation to have to go through.

                      1. Vic

                        Re: And who told you I want to be measured?

                        NAT is not a security measure

                        Yes it is.

                        Millions of users around the world have their ports shielded by a NAT router that does not know how to route unsolicited connection requests. I don't care how many times you tell me it doesn't provide any security - it fucking does. There are better ways of doing the job, but that doesn't mean the technique has no merit.

                        A standard firewall rules base is more than effective enough on its own, irrespective of the version of IP passing through it.

                        It is, but only if you have someone capable of maintaining those rules. Without that knowledge, you either have a user largely disconnected from the Internet, or you have a bunch of open ports (perhaps all of them) that should not be so exposed. And the number of people on the Internet who cannot maintain a set of firewall rules is orders of magnitude higher than the number who can.

                        Removing NAT is also quicker as there is one less layer of translation to have to go through.

                        Who cares? Dealing with NAT might have been a problem 15 years ago, but it isn't any more. We plug boxes in and they work. That's all that matters.

                        Vic.

                        1. Yes Me Silver badge

                          why you have [not] just added an extra two fields

                          Once again for emphasis: because IPv4 doesn't allow that. Whatever you do to the address format is incompatible with an IPv4-only host. So you have no choice but to make a new, incompatible, version. Yes, we could have done it with fewer features (like, say, no automatic address configuration, or no increase in the normal packet size, or no improvement to the fragmentation mechanism) but then your question would have been "why have you not fixed the gaps in IPv4?"

                        2. Yes Me Silver badge

                          The mythical NAT router firewall

                          NAT, router and firewall are three different functions. They're often found in the same box, but they are separate. It isn't NAT that blocks incoming crap. It's the firewall function. (For example, on my FritzBox, there's NAT on the IPv4 traffic and no NAT on the IPv6 traffic; but the firewall applies to both, and I have to open a port for IPv6 just the same as for IPv4.)

                          The router function is separate again.

                          1. itzman

                            Re: The mythical NAT router firewall

                            It IS the NAT function that blocks incoming, because it HAS to.

                            By default there is no map between an internal IP address:port and an external one unless the internal machine has requested an outgoing connection, in which case the router assigns one until the connection is closed.

                            NAT enforces a default of 'drop all incoming connections'.

                            That may not be what it was actually designed to do, but that is in fact what it does.

                            IP4 addresses behind NAT are UNROUTEABLE. You can't reach them, and unless they make an outbound connection, you don't even know for sure they are there. And even if they do, you can't be sure which internal machine is originating the connection.

                            NAT is what makes consumer level broadband safe enough to do e-commerce over. The thought of machines with clearly identifiable unique routeable IP6 addresses on the public Internet, relying on user set up firewalls to protect them, scares me ****less.

                            If I ever setup V6 I will still want a NAT equipped router between me and it.

                          2. This post has been deleted by its author

                          3. Vic

                            Re: The mythical NAT router firewall

                            NAT, router and firewall are three different functions.

                            Yes.

                            They're often found in the same box, but they are separate.

                            Yes.

                            It isn't NAT that blocks incoming crap. It's the firewall function

                            No.

                            It is NAT that provides the first line of defence; if there is no port forwarding defined, then an unsolicited connection simply cannot be forwarded, as the NAT router has no idea what to do with that packet. This is how the vast majority of Internet users have their networks configured.

                            Firewalls give you a further line of defence - and a more effective one as well. But they require far more knowledge to maintain, and the majority of users simply do not have that knowledge.

                            Until you acknowledge that it is NAT that is shielding most users and not a firewall, you will not understand the objections raised against you. And nor will you get buy-in from users that don't want to have to learn about firewall configuration just to keep doing what they are currently doing.

                            Now it's up to you whether or not you want to continue patronising those who disagree with you, but there is an important point here that you simply haven't understood. Where you go with that is entirely up to you.

                            Vic.

                2. Anonymous Coward

                  Re: And who told you I want to be measured?

                  It is not actually so tiny. In some specific areas (for instance, mobile networks in the US) it's >50%. Still too low to drop v4 _yet_, but what if it was 90%? Would you bother adding legacy v4 support to your new mobile service for that last 10%?

                  As a hypothetical example then: given that 93% of Sky customers now have IPv6, if you were making a service which was aimed *only* at Sky customers then arguably you could make it IPv6.

                  But what about the costs of locking out the other 7%? Not just lost business from that proportion of the user base, but the cost of handling support calls from people saying "it works for my friend but not for me" or "why can't I access it from my office/hotel?"

                  This means that it would almost certainly be simpler and cheaper to make it dual-stack and be done with it. If your CTO said to make it IPv6 only, they would (rightly) be out of a job.

                  Maybe you'd charge v4-only customers a bit extra to cover the costs (which are steadily increasing; v4 addresses aren't free).

                  They are essentially free, at $10-$20 *one off* cost per address. Compared to the recurrent monthly cost of hosting, or leased lines, or support staff, or hardware renewal or software licences, they are free.

                  Even if an IPv4 address cost $1000, content providers would still deploy them to get the customer reach. They are happy to pay much more than that for a decent domain name.

                  In any case, content providers have been sharing IPv4 addresses for years (CDNs, reverse proxies, HTTP virtual hosts, HTTPS SNI). It's easy to do this at the content provider side.

                  Of course, deploying IPv6 *in addition* to IPv4 shouldn't really cost them that much more. But if organisations like the BBC which are highly regarded for their engineering excellence aren't making their content available over IPv6, who will? And why should they, given that they know all their users have either IPv4 or IPv4+IPv6 capability?

                  The squeeze for IPv4 addresses is felt acutely at the access ISP side of course. But since almost all the Internet runs IPv4, they have no choice but to provide IPv4 access, with or without IPv6.

                  I don't see Sky turning off IPv4. They *could* decide to share public IPv4 addresses between customers, but as soon as they do that they are into a world of pain when it comes to handling police enquiries, having to log or lock down the port ranges used by each customer.

                  It seems to me there's a genuine risk of "peak IPv6" - where the majority of the marketplace rejects it, and it ends up as a playground for Google and Facebook. They have enough power between them to keep it going, and probably quite enjoy running their own parallel Internet; but it could end up that a heavily-NAT'd IPv4 is the real Internet and (oddly) IPv6 is the legacy.

                  Sooner or later, someone is going to propose a 64-bit port number extension to TCP and UDP, and that will be the end of it.

              5. Vic

                Re: And who told you I want to be measured?

                Oh good grief. v6 "high priest" here

                And therein lies your disconnect with those who disagree with you: you understand the networking concepts. You need to consider the position of those who have no idea what an IP protocol is - neither v4 nor v6. That's most of the Internet users in the world, by a significant margin.

                There is absolutely no reason to make things difficult for people who do need inbound connections.

                Yes there is. The majority of users do not want inbound connections - or when they do, they want those connections very carefully controlled. At present, with IPv4, they've got that; the default is for connections to be denied, with explicit work required to enable them. Moving to an IPv6 stack without further work reverses that - connections are enabled by default, with work required to disable them. That's not what most users want.

                everything _has_ to talk to the cloud because peer-to-peer communication is so difficult on v4 with all the NAT

                So the High Priests keep telling me. And yet, here I am, running peer-to-peer communication through at least one layer of NAT (two for my wireless devices). And the only work *I* did to get that working was to set up the second layer of NAT; most users wouldn't want my network topology.

                That's why all the IoT stuff ends up bouncing through a server owned by the company.

                It isn't. That's partly because it's the zero-configuration option, and partly because it's how the IoT companies monetise their marks.

                Most people with v6 see about 30-60% of their traffic go over v6.

                That's going to depend on what you're doing. I've seen negligible traffic over IPv6. I might even take it down.

                As a side note: ugh Sixxs and their "ban you for anything" attitude

                With you on that. Having to earn reputation to get anywhere (so it's some while before you can get an allocation) meant that my first tunnel was through Hurricane (who were much more helpful). Having to trade that reputation to change my tunnel IP address when I changed ISP. And now they won't even offer allocations. Looks like they actually *want* to become irrelevant...

                Even when stuff does work, it's because the software author has spent time dealing with NAT-related issues

                Not really. Very little of that sort of code is written from scratch any more - there are many code fragments and examples freely available. It's a solved problem.

                NAT traversal often involves running a server to bounce through, which costs money to run (which could otherwise be funneled into more development work on the software) and also is a nice easy place to monitor whatever you're doing with the software.

                Running a STUN server is a trivial matter; there's hardly any cost involved. And there are many already available at no cost, as it's such a trivial addition to add to an already-running server.

                But it's not going to monitor what you're doing because there's no application data in it; all STUN gives you is your external IP address and your NAT type. And that's all you need.

                NAT is one of the reasons that games often don't let you run your own dedicated servers any more.

                It really isn't. Those servers are the subscription revenue stream for the games company. They represent real money. That's why you can't run your own any more.

                This is actually exactly the opposite of what NAT does; it inherently decreases your security, because the entire point of NAT is to let you make outbound connections which you otherwise wouldn't be able to make

                That's incorrect. You are perfectly able to make outgoing connections on a non-NATted connection as well; it is the firewall that prevents such outgoing traffic - and setting up a firewall for a NATted IPv4 connection is just the same as for a non-NATted IPv6 connection.

                And that's the crux of the problem: moving to IPv6 means that end-users are going to *have* to be able to configure firewalls, or else they default to wide-open. And the vast bulk of the world's Internet users are not capable of that.

                Vic.

                1. Nanashi

                  Re: And who told you I want to be measured?

                  > That's incorrect. You are perfectly able to make outgoing connections on a non-NATted connection as well; it is the firewall that prevents such outgoing traffic - and setting up a firewall for a NATted IPv4 connection is just the same as for a non-NATted IPv6 connection.

                  I should've explained that a bit better. You can make outbound connections without NAT, but only if you're using public addresses for your network. Obviously ISPs don't have enough v4 addresses for you to do that, so that means your internal network will be on one of the shared RFC1918 ranges.

                  In that situation, you can't make outbound connections from your LAN. They just won't work -- nothing to do with any firewall, it's just that you can't make connections on the internet without using a globally-routed address as the source address. So what do 99% of people do in this situation? They add NAT to their network, so they can make outbound connections.

                  And now, hopefully, you see what I mean by "the entire point of NAT is to let you make outbound connections which you otherwise wouldn't be able to make".

                  1. Vic

                    Re: And who told you I want to be measured?

                    And now, hopefully, you see what I mean by "the entire point of NAT is to let you make outbound connections which you otherwise wouldn't be able to make"

                    No - your statement is simply incorrect. What NAT is doing, per your example, is allowing multiple devices to share a single external address. That's a good thing, and it means that being able to make outgoing connections is orthogonal to the firewall permitting it.

                    Where the NAT situation scores is that any other connection attempt - i.e. an unsolicited inbound connection - simply has nowhere to go. And that is why NAT is such a nice setup for people who don't know about networking - which is most people.

                    I have no problem at all with people who want to run IPv6 without NAT. That's just dandy, and will work for everyone who knows what they're doing. I have a real problem with people who want to force everyone not to use NAT; it works perfectly well for IPv6, it provides an easy setup for those that don't know how to maintain a firewall, and it is entirely transparent to everyone else.

                    Vic.

                    1. Nanashi

                      Re: And who told you I want to be measured?

                      > IPv4 nat is accidental security, where is the IPv6 security by default equivalent?

                      On your router, and on Windows. Both of those will block inbound connections on v6 by default.

                      > The vast number of /64 host addresses is no deterrent to address scanning when you know part of the address resides in the known manufacturer ranges limiting scanning to a vastly reduced subset of the total, plus you could scan for apple, HP, Sony devices etc to target those conceivably more affluent marks.

                      This depends, there's an RFC (RFC 7217) to address this and Apple just added support for it. Windows has done basically the same thing since Windows 7, and dhcpcd has support for it on Linux. And even knowing the MAC prefix still leaves you with 16 million addresses to scan -- which is no longer an utterly impossible number but it's still over half a gigabyte of traffic _per OUI_, multiplied by however many /64s you're interested in. And your traffic is still blocked by the firewall so finding a computer doesn't even help you much.

                      > Where the NAT situation scores is that any other connection attempt - i.e. an unsolicited inbound connection - simply has nowhere to go.

                      But this is not true. It's a nice and easy way of explaining NAT, but it's not actually true.

                      Consider what happens if your router gets a packet on its WAN interface with, say, 192.168.1.20 as the destination address. What will it do with it? You can't say the packet has nowhere to go, because it certainly does -- it can go to 192.168.1.20. And that's exactly where it'll go if the router doesn't have a firewall configured to drop the packet.

                      (The other possibility is that it receives a packet with a dest address of the WAN interface. In that case, the packet also has somewhere to go: the router itself.)

                      If you don't believe me, feel free to try it.

                      > [NAT] provides an easy setup for those that don't know how to maintain a firewall

                      NAT is no easier or harder to set up than a firewall is. With netfilter on Linux, an inbound firewall is two rules which you copy/paste from a website, and NAT is one rule which you also copy/paste from a website (but don't forget the firewall rules as well, or your ISP will be able to connect into your network like I explained above).

                      If you can't manage one of those then you can't manage the other. Anybody that can manage to set up NAT can manage to set up a firewall. The problem with NAT is that actually running a network with NAT is harder than running one without it, because translating addresses mid-flight is an extra layer of unnecessary complexity to deal with.

                      > it is entirely transparent to everyone else.

                      Ah, well, if only that was the case, but I run networks that don't use any NAT at all and I still have to deal with NAT (when I help other people or when I write -- or use -- software that's affected by it). If we can get NAT down to <1% of connections then it'll be ignorable, but we can't do that without doing v6.

                      1. Vic

                        Re: And who told you I want to be measured?

                        On your router, and on Windows. Both of those will block inbound connections on v6 by default.

                        Not on my router. And I don't have any Windows machines.

                        But if you're running any services on those machines - e.g. RDP - can you be sure those connections will be blocked? That requires an understanding of the firewall rules - which means additional knowledge over and above what is required to run a NAT router.

                        Consider what happens if your router gets a packet on its WAN interface with, say, 192.168.1.20 as the destination address. What will it do with it? You can't say the packet has nowhere to go, because it certainly does -- it can go to 192.168.1.20. And that's exactly where it'll go if the router doesn't have a firewall configured to drop the packet.

                        Have you actually tried this? Because when I did, it was only true for some real shit routers. Now I've not done the experiment for a while, but I actually do doubt your assertion here. And if my ISP is sending bogons, both he and I have got bigger problems.

                        If you don't believe me, feel free to try it.

                        I no longer work for an ISP, so I can't.

                        NAT is no easier or harder to set up than a firewall is

                        Of course it is. Plug in router, stuff works. Incoming packets are dropped/rejected until such time as a connection is established, at which time they become accepted.

                        Now try doing that with a simple firewall - changing the rule from DROP to ACCEPT on the basis of the state of outgoing packets. It's possible, but it's not easy.

                        If you can't manage one of those then you can't manage the other.

                        That's simply untrue. There are millions of people in the world doing just fine with NAT. It provides all the protection they seek. Taking that away from them means they have to learn to program a firewall - now you might claim that it's "two rules which you copy/paste from a website", but the vast bulk of these users couldn't even get a text editor to change the correct file. That's the reality of users. And even if you are capable of this, that doesn't mean you are in the majority.

                        And that's before we go anywhere near whether or not the website has got it right in the first place; the number of times I've seen someone post a "fix" for a problem that ends up being chmod 777 doesn't bear repeating.

                        The problem with NAT is that actually running a network with NAT is harder than running one without it, because translating addresses mid-flight is an extra layer of unnecessary complexity to deal with.

                        It isn't harder, as you can tell by the number of people doing it without even knowing that they are. And if you're doing anything about that translation, you either work for a network appliance vendor or you're doing it wrong.

                        I run networks that don't use any NAT at all and I still have to deal with NAT (when I help other people or when I write -- or use -- software that's affected by it).

                        I run networks that do use NAT, and I don't have to deal with it - it just works. If I'm writing software that has to deal with NAT, I just use STUN to cope with it. Stuntman, for example, gives you everything you need.

                        Vic.

                        1. Nanashi

                          Re: And who told you I want to be measured?

                          > Have you actually tried this? Because when I did, it was only true for some real shit routers. Now I've not done the experiment for a while, but I actually do doubt your assertion here.

                          Yeah, I have, and I just tried it again for the sake of argument. I have a network running here with a Linux router and no NAT, and I can connect inbound to a few whitelisted host:port combinations. I just added NAT by doing this:

                          iptables -t nat -A POSTROUTING --out-interface wan0 -j MASQUERADE

                          and confirmed that outbound connections were NATed. Then I tried the inbound connections again, and... they still worked.

                          You should be able to tell that would happen by inspection of the iptables command though. Only the first packet of each connection goes through the nat table, and the MASQUERADE rule has "--out-interface wan0" in it. The first packet of any inbound connection will be coming _in_ from wan0, not going out of it! This masquerade rule doesn't match inbound connections at all, so whether or not you're doing NAT with this rule clearly can't affect inbound connections in any way, because the rule won't do anything to packets that don't match it.

                          > Of course it is. Plug in router, stuff works. [...] Now try doing that with a simple firewall - changing the rule from DROP to ACCEPT on the basis of the state of outgoing packets. It's possible, but it's not easy.

                          Here's how you do a firewall in iptables:

                          iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

                          iptables -A FORWARD -i lan0 -j ACCEPT

                          iptables -P FORWARD DROP

                          which does exactly what you said: packets corresponding to established connections are ACCEPTED, new connections from lan0 are ACCEPTED and new connections from any other interface are DROPed. This isn't hard.

                          And again, you're doing an unfair comparison. You're assuming that NAT is already set up on the router but that a firewall won't be. Why isn't it "plug in router, stuff works" for a firewall too, given that the firewall will be set up (and indeed apparently was on most of the routers you tested) by default out of the box too?

                          > Taking that away from them means they have to learn to program a firewall - now you might claim that it's "two rules which you copy/paste from a website", but the vast bulk of these users couldn't even get a text editor to change the correct file.

                          It doesn't mean that. That's like saying that those people couldn't set up NAT because they can't work out a text editor -- which they probably couldn't, but that's okay because it's already set up for them. Just like the firewall is.
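The argument in this post rests on netfilter's evaluation order: conntrack classifies each packet, the FORWARD chain is walked top to bottom and falls through to its policy, and only the first packet of a NEW connection visits the nat POSTROUTING chain, where MASQUERADE matches on the outgoing interface. The model below, added here for this page and not code from the thread, replays the exact rules quoted (the three FORWARD rules with DROP policy, and the MASQUERADE rule on wan0) so that each can be switched on or off. Interfaces lan0 and wan0 and the 192.168.1.0/24 LAN are the post's; the WAN address 203.0.113.5 and the remote host 198.51.100.9 are constructed sample values.

```python
"""Model of the iptables rules quoted in the thread (added illustration, not
code from the thread):

  iptables -t nat -A POSTROUTING --out-interface wan0 -j MASQUERADE
  iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
  iptables -A FORWARD -i lan0 -j ACCEPT
  iptables -P FORWARD DROP

Evaluation order reproduced: conntrack lookup (and reverse translation of
replies), then the FORWARD chain, then POSTROUTING for NEW connections only.
Addresses 203.0.113.5 and 198.51.100.9 are constructed sample values.
"""
from dataclasses import dataclass, replace
from typing import Optional, Tuple

WAN_IP = "203.0.113.5"      # constructed address of wan0
LAN_PREFIX = "192.168.1."   # the post's LAN


@dataclass(frozen=True)
class Pkt:
    in_if: str    # interface the packet arrived on
    src: str
    sport: int
    dst: str
    dport: int


def out_if(pkt: Pkt) -> str:
    """Routing decision: LAN destinations leave via lan0, everything else via wan0."""
    return "lan0" if pkt.dst.startswith(LAN_PREFIX) else "wan0"


class Router:
    def __init__(self, firewall: bool, nat: bool):
        self.firewall = firewall   # the three FORWARD rules plus DROP policy
        self.nat = nat             # the POSTROUTING MASQUERADE rule
        # conntrack: original-direction 4-tuple -> source address after NAT
        self.conntrack = {}

    def _lookup(self, pkt: Pkt):
        """Return (state, direction, (orig_src, public_src) or None)."""
        t = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        for (src, sport, dst, dport), pub in self.conntrack.items():
            if t == (src, sport, dst, dport):
                return "ESTABLISHED", "original", (src, pub)
            if t == (dst, dport, pub, sport):
                return "ESTABLISHED", "reply", (src, pub)
        return "NEW", "original", None

    def forward(self, pkt: Pkt) -> Tuple[str, Optional[Pkt]]:
        """Return the FORWARD verdict and the packet as it would leave the router."""
        state, direction, entry = self._lookup(pkt)
        if direction == "reply":
            pkt = replace(pkt, dst=entry[0])   # conntrack undoes NAT before FORWARD
        if self.firewall:
            if state in ("ESTABLISHED", "RELATED"):
                verdict = "ACCEPT"               # rule 1
            elif pkt.in_if == "lan0":
                verdict = "ACCEPT"               # rule 2
            else:
                verdict = "DROP"                 # chain policy
        else:
            verdict = "ACCEPT"                   # no rules, default ACCEPT policy
        if verdict == "DROP":
            return verdict, None
        if state == "NEW":
            # POSTROUTING: MASQUERADE only matches packets leaving via wan0
            pub = WAN_IP if (self.nat and out_if(pkt) == "wan0") else pkt.src
            self.conntrack[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = pub
            entry = (pkt.src, pub)
        if direction == "original":
            pkt = replace(pkt, src=entry[1])     # apply (or repeat) the translation
        return verdict, pkt


def demo(firewall: bool, nat: bool) -> dict:
    """Outbound LAN connection, its reply, then an unsolicited inbound packet."""
    r = Router(firewall, nat)
    v1, p1 = r.forward(Pkt("lan0", "192.168.1.10", 40000, "198.51.100.9", 443))
    v2, p2 = r.forward(Pkt("wan0", "198.51.100.9", 443, p1.src, 40000))
    v3, _ = r.forward(Pkt("wan0", "198.51.100.9", 4444, "192.168.1.20", 22))
    return {"outbound": v1, "outbound_src": p1.src,
            "reply": v2, "reply_dst": p2.dst, "unsolicited": v3}


if __name__ == "__main__":
    for fw, nat in ((True, True), (True, False), (False, True)):
        print(f"firewall={fw} nat={nat}:", demo(fw, nat))
```

With the firewall rules in place the unsolicited packet from wan0 is dropped whether or not MASQUERADE is loaded, and removing the firewall while keeping MASQUERADE lets it through to 192.168.1.20, because the NAT rule never matches a packet whose outgoing interface is lan0. That is the model's rendering of the post's claim; whether such a packet ever reaches the WAN interface in practice is the separate question the replies argue over.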

                          1. Vic

                            Re: And who told you I want to be measured?

                            Yeah, I have, and I just tried it again for the sake of argument.

                            I really doubt that you have.

                            iptables -t nat -A POSTROUTING --out-interface wan0 -j MASQUERADE

                            Fine. You've enabled NAT on your outbound connections.

                            Then I tried the inbound connections again, and... they still worked.

                            OK - so tell us how you put bogons onto your WAN-side connection.

                            This is something I could do when I worked for an ISP. It's not something I can do now. I'd be interested to hear how you did it. If you did it.

                            You should be able to tell that would happen by inspection of the iptables command though.

                            No you shouldn't, because what you claim depends on bogons being routed by your ISP (which *never* happens unless your ISP is deliberately doing such) *and* it depends on the behaviour of your WAN-side equipment. These are at least two things over which you have little, if any, control.

                            And again, you're doing an unfair comparison. You're assuming that NAT is already set up on the router but that a firewall won't be

                            I have quite a few pieces of equipment that do exactly that - including the one I'm using right now. Are you trying to tell me that they can't exist?

                            That's like saying that those people couldn't set up NAT because they can't work out a text editor

                            Perhaps it is. But as they are already running NAT, that is an entirely specious argument.

                            Just like the firewall is.

                            Is it? Because I see a lot of equipment where that is demonstrably untrue - including the router I am using right now[1]. Am I hallucinating, and actually have everything set up, or are you perhaps wrong?

                            Vic.

                            [1] a Draytek Vigor 2600v. Which does NAT out of the box, but the firewall is almost entirely blank...

                2. Blotto Silver badge

                  Re: And who told you I want to be measured?

                  @ vic

                  That plus NAT is stateful in that it must hold a record of outgoing comms to match to incoming, which is essentially what a fw does, especially a home user's fw who has no clue how to amend its policy from block all in, allow all internal out. Security is blocking all unsolicited incoming comms and only permitting return traffic for what went out. IPv6 philosophy is to permit 2 way comms. IPv4 nat is accidental security, where is the IPv6 security by default equivalent? The vast number of /64 host addresses is no deterrent to address scanning when you know part of the address resides in the known manufacturer ranges limiting scanning to a vastly reduced subset of the total, plus you could scan for Apple, HP, Sony devices etc to target those conceivably more affluent marks.

                  Yes I want IPv6 nat.

                3. Charles 9

                  Re: And who told you I want to be measured?

                  "And that's the crux of the problem: moving to IPv6 means that end-users are going to *have* to be able to configure firewalls, or else they default to wide-open. And the vast bulk of the world's Internet users are not capable of that."

                  Tell me. Why MUST an IPv6 firewall ACCEPT by default? Instead of the standard ACCEPT outgoing (optionally ACCEPT manually configured ports) and DENY everything else?

              6. Peter2 Silver badge

                Re: And who told you I want to be measured?

                "Oh good grief. v6 "high priest" here"

                Ok, I'll say it.

                GET THE PITCHFORKS AND BURN THE HERETIC.

                Just kidding.

                Honest.

                Sort of.

                Look, all everybody wanted was a larger address space. Can we plaintively ask why you have just added an extra two fields to IPv4 (i.e. 192.168.0.1 becomes 0.0.192.168.0.1, taking the address space from (254*254*254*254) ~four point one billion addresses to (254*254*254*254*254*254) ~two hundred sixty-eight trillion, five hundred thirty-five billion addresses)? That's the better part of fifty thousand addresses per person, which ought to be enough for any reasonable use case excepting individually assigning addresses to nanobots.

                Everybody would have been perfectly happy. IPv4 devices could be patched to the new version (IPv4.1?) relatively easily and IPv4 skills and tools would be easily and directly transferable. Older devices could have been accommodated simply at the network layer by discarding the extra two address blocks. You could still actually memorise network addresses and layouts and talk to people about them. You can say (and remember) 10.0.1.20, you can't say (or reasonably be expected to remember) 3ffe:1900:4545:3:200:f8ff:fe21:67cf. It's utterly meaningless gobbledygook that you can't even be expected to scribble on a sheet of paper and type into something by hand without the addition of transcription errors. This is not exactly an abnormal use case in the real world.

                As a result we have a situation where *NOBODY* wants IPv6. Pretty much everybody hopes it will go away and die a death, from network architects to network admins and even including the equipment manufacturers who by rights should be the most enthusiastic about it, since they at least stand to make some money out of it.

                I judge the equipment manufacturers' enthusiasm by the lack of cheap firewalls suitable for home users for under 50% of a user's monthly take-home pay a decade on. I'd like to see you justify to a home user who cares for IPv6 even less than an IT professional why they should pay that much to... well, gain absolutely nothing. But it's new and "better". But you won't notice any difference, other than the fact that none of the local "fix your PC" services will touch it with a bargepole.

                1. Anonymous Coward
                  Anonymous Coward

                  Re: And who told you I want to be measured?

                  "Look, all everybody wanted was a larger address space. Can we plaintively ask why you have just added an extra two fields to IPv4 (i.e. 192.168.0.1 becomes 0.0.192.168.0.1, taking the address space from (254*254*254*254) ~four point one billion addresses to (254*254*254*254*254*254) ~two hundred sixty-eight trillion, five hundred thirty-five billion addresses)?"

                  In a word, ROUTING.

                  With IPv6, routing can be strictly geographical again, which means the routing tables can be shrunk back down to manageable levels and resolved quickly by going programmatically from the front bits. Because of all the IPv4 reuse, that model's hopelessly broken right now, which results in routing tables so large some routers can't keep up, which results in critical Internet infrastructure falling over and that makes EVERYONE miserable.

            2. Blotto Silver badge

              Re: And who told you I want to be measured?

              ipv4 & v6 have different incompatible headers.

              you'd need a proxy to translate between the 2.

          2. Anonymous Coward
            Anonymous Coward

            Re: And who told you I want to be measured?

            That's the whole point.

            Why should I broadcast to the world that I have an NC Lathe?

            If I am of interest to the TLAs then they'll come a-knocking with their size 15s in the early hours of the morning. IMHO, I'm not of interest to them but I am of interest to the likes of Amazon, Google etc.

            They will want to sell me stuff or send me adverts for things I don't want.

            That is the nature of their business.

            Why should I broadcast all the NC commands to the world? There is no reason at all.

            If IPv6 becomes the norm then people like me will have to have totally independent networks. Sure it is inconvenient but some of us value our privacy.

            We are not a number (6 or anything else)

          3. PNGuinn
            Trollface

            Re: And who told you I want to be measured?

            "Or some kind of weapon?"

            Like a chainsaw?

      3. Anonymous Coward
        Anonymous Coward

        @Novex

        "If the industry wants me to adopt IPv6, then give me a translation router that: allows my v4 network to work internally, via static addresses if necessary; allows my website and email servers to be connected either via v4 or v6; allows me to prevent snooping backwards into my individual devices."

        Well, fun fact: I actually have an IPv6 connection but mostly use IPv4, for the simple reason that apparently my provider doesn't fully realize how IPv6 should (or could) work.

        You see: my router supports IPv6 on the outside (also has an IPv6 address) but only provides IPv4 on the inside. It gets more bizarre: my IPv6 address is a /128 one. In other words: one fixed address, I'd have expected some kind of subnet for sure.

        As such my connection still relies on IPv4. Heck, because of the lack of IPv6 on the inside it's the only thing I can do. Note that I don't mind all that much: I'm happy to have a gateway between my PC and the Internet instead of having my PC's firewall act as the first and last line of defense. But this wasn't the way they intended IPv6 to be used, that's for sure!

        1. Anonymous Coward
          Anonymous Coward

          Re: @Novex

          > You see: my router supports IPv6 on the outside (also has an IPv6 address) but only provides IPv4 on the inside. It gets more bizarre: my IPv6 address is a /128 one. In other words: one fixed address, I'd have expected some kind of subnet for sure.

          Name and shame the provider?

          * It might be that they are indeed routing a /64 or larger subnet towards your router, and need to manually configure the LAN side of the router with this block. (Only if the ISP gives you a static IPv6 range)

          * It might be that your router is expected to use DHCPv6 to learn and apply the /64 assignment, but is not currently configured to do so.

          * It might be that you have the whole /64 which contains that /128, and you just need to configure your LAN side with that range (icky, but some providers do it). This is more likely if your /128 ends with ::2 or ::1

          It depends if the ISP is also responsible for configuring your router. If they are, then maybe they've done a half-assed job.

          But if you bought and installed your own router, then maybe you have to do more stuff to get IPv6 to work.

        2. Vic

          Re: @Novex

          my IPv6 address is a /128 one.

          The Minimum Allocation Unit for IPv6 is a /64; it's not standard-compliant to allocate any less.

          That's probably why you've got no IPv6 on the inside; it's not a valid network configuration.

          Vic.

        3. Joe Montana

          Re: @Novex

          Chances are your ISP allocates a WAN address (/128) for the router itself, and should delegate a prefix (typically /64 but might be bigger) for your own use... If your router doesn't support prefix delegation properly then you might have to configure it manually.

      4. Vic

        Re: And who told you I want to be measured?

        If the industry wants me to adopt IPv6, then give me a translation router that: allows my v4 network to work internally

        That's not completely possible, although at present most of it will work.

        The IPv4 address space is entirely mapped within the IPv6 space, so you could exchange data with any machine in IPv4 space over an IPv6 connection. But as time goes by, more and more systems will take up residency in IPv6 addresses that simply cannot be mapped into IPv4.

        That's quite a way away. Most of the IPv6-only services at present are set up by IPv6 proponents who want to offer differentiated services.

        Vic.

      5. Yes Me Silver badge
        Happy

        Re: And who told you I want to be measured?

        "a translation router that: allows my v4 network to work internally"

        That'll work up to a point, but once you want a home network with several internal routers and probably more than one outside connection, you'll discover that you need IPv6 in the home or office too, to get the needed flexibility. But help is at hand. It's still at the geek stage, but it will definitely be production level in a few years: Homenet router.

      6. Joe Montana

        Re: And who told you I want to be measured?

        That's precisely how pretty much every ISP that has implemented v6 has done it:

        1, although every device behind has a routable address, inbound connections are blocked by default, you can enable them if you want.

        2, no isp is v6 only, they are all dual stack for now, if your client devices support v6 they will use it by default otherwise they will fall back to v4, it will usually be transparent and sites that use v6 will be accessed in that way without you even realising.

        3, in some cases your v4 is natted by the isp and not just by your own router, so you can't control port forwards etc... the only way to allow any inbound connectivity is via v6, which you control.

        4, most systems support ipv6 privacy addressing whereby the clients will generate random addresses within your own local (/64 huge) range for making outbound connections, as far as the remote end is concerned a /64 is equivalent to a single ipv4 address - one network that might contain any number of devices, and advertisers etc will use other means (cookies, browser fingerprinting etc) to try and identify unique users or devices just like they do now.

        with v6 you're no worse off, you're better off

    3. Joe Montana

      Re: And who told you I want to be measured?

      Nothing about v6 prevents you from retaining control of your own gateway, it just gives you extra options if you choose to use them, makes certain things easier if you choose to do them and makes certain undesirable things (like people scanning your range) more difficult.

      There is no downside to v6, and plenty of upsides. Just because you choose to ignore the benefits of v6, doesn't mean you should hold other people back out of spite.

      1. Vic

        Re: And who told you I want to be measured?

        There is no downside to v6

        There is no downside to v6 if you understand networking. If you don't, Internet use will become much trickier.

        Vic.

        1. Nanashi

          Re: And who told you I want to be measured?

          Many people above have argued that v6 needs you to manually go out of your way to set your own firewall up in order to be safe.

          It's not true. ISPs are deploying v6 with routers that have a firewall configured out of the box, and on top of that Windows ships with its own firewall that's also enabled out of the box. If you're just a clueless end user that knows nothing of anything... you'll have a firewall. This is a solved problem.

          The difference with v6 is that it's actually possible to selectively disable bits of the firewall to allow an inbound connection. That's still mostly doable on v4 at the moment, but with CGNAT coming soon you won't be able to do that (because your ISP will put you behind their own NAT, and you won't be able to configure a port forward on their NAT). Having the ability to do this is a good thing, but going forwards you'll need v6 for it.

          1. Nanashi

            Re: And who told you I want to be measured?

            And here's the megapost. I'm shooting myself in the foot by responding to everybody in a giant wall of text that nobody will ever read (except the moderators – sorry guys), but there's just so much outright wrong stuff being posted that somebody's got to do it.

            > I don't see Sky turning off IPv4. They *could* decide to share public IPv4 addresses between customers, but as soon as they do that they are into a world of pain when it comes to handling police enquiries, having to log or lock down the port ranges used by each customer.

            This will definitely happen. There plain and simply aren't enough v4 addresses to avoid doing this forever. It probably won't be next week or anything, but it'll happen. And yes, it'll suck -- which is why we need to be doing v6 _now_ so we're in a position to ignore the suckage when it happens.

            > It seems to me there's a genuine risk of "peak IPv6" - where the majority of the marketplace rejects it

            I worry about this sometimes. It's part of the reason that I'm in here trying to dispel people's misconceptions of v6 -- if too many people disable it then we'll never get to the point where random websites go v6-only, which means we'll be stuck with v4 forever. Surely that's not something we want, but a lot of people seem to be masochists when it comes to networking...

            > Yes there is. The majority of users do not want inbound connections - or when they do, they want those connections very carefully controlled. At present, with IPv4, they've got that; the default is for connections to be denied

            I could easily rephrase this to "the majority of people want to be capable of accepting inbound connections in at least some circumstances", and for that we're going to need v6. v4 just isn't going to cut it.

            > And yet, here I am, running peer-to-peer communication through at least one layer of NAT (two for my wireless devices).

            Behind CGNAT? If not then I suspect that'll be a nasty surprise for you when it happens.

            Also... I'm doing this too, on v4. I know it's possible. But I'm also doing it on v6, and I can tell you that it's just easier on v6. NAT doesn't seem hard until you get rid of it, and suddenly you realize how much of a pain it really was.

            > It isn't. That's partly because it's the zero-configuration option, and partly because it's how the IoT companies monetise their marks.

            And partly because there's no other choice. Do you want it to be _possible_ for a company to release something that isn't trivial to spy on, or not? Not every company wants all your info (just most), but none of them will have any choice if everybody is behind CGNAT.

            > Look, all everybody wanted was a larger address space. Can we plaintively ask why you have just added an extra two fields to IPv4 (i.e. 192.168.0.1 becomes 0.0.192.168.0.1, taking the address space from (254*254*254*254) ~four point one billion addresses to (254*254*254*254*254*254) ~two hundred sixty-eight trillion, five hundred thirty-five billion addresses)?

            You can, and I can answer, but it's not that hard to figure out.

            Adding two bytes is exactly as hard as adding 12 bytes. If you're going to add bytes, you may as well add enough bytes that you don't need to go "whoops, we didn't add enough, we need to go through all that again" later on.

            (Perhaps you're thinking that 48 bits would be enough? But no, it wouldn't. It probably wouldn't even be enough to avoid NAT for more than a decade or two, let alone the thousands of years that I expect the internet to be around for. Read RFCs 1715 and 3194 for an explanation of why we need a lot more space than you'd think.)

            > You could still actually memorise network addresses and layouts and talk to people about them. You can say (and remember) 10.0.1.20, you can't say (or reasonably be expected to remember) 3ffe:1900:4545:3:200:f8ff:fe21:67cf.

            Okay, for starters: DNS. It's awesome and it's been around for years now and it makes your life a lot easier; I really suggest you read up on it.

            For seconds: why did you pick such an awkward v6 address? If you needed to remember this address you should've picked something easier to remember, like 3ffe:1900:4545:3::2 (read that as "address 2 on subnet 3").

            For thirds: it's not just "10.0.1.20" on v4, you also have your public v4 address to remember. So really, this comparison isn't "10.0.1.20 vs 3ffe:1900:4545:3:200:f8ff:fe21:67cf" but rather "203.0.113.45+10.0.1.20 vs 3ffe:1900:4545:3::2". The v6 address is actually three characters SHORTER than the v4 address pair. It's actually _easier_ to remember.

            Finally, I think that if you refuse to use DNS _and_ you deliberately pick hard to remember addresses, then you can't really complain about how hard the addresses are to remember. You brought it on yourself.

            > I judge the equipment manufacturers' enthusiasm by the lack of cheap firewalls suitable for home users for under 50% of a user's monthly take-home pay a decade on.

            Most people can get appropriate hardware from their ISP for free. It does not cost you £500+ to start doing v6 at home.

            > Now, because you were assigned an IPv6 netblock, your IP addresses are UNIQUE TO YOUR MACHINE, FOREVER.

            Your post was good up until this line. This line is completely wrong. Your addresses aren't unique to your machine forever. Your address changes whenever you move between networks, and in fact it changes regularly even on the same network (if you have privacy extensions enabled, which is the default on most OSs).

            > BUT, whenever you visit some web site, the web site knows who connected, YOUR publicly visible IPv6 address that is NOT translated.

            This is true. The address will become useless after a while, because you won't be using it for long, but in that period the website could attempt to connect to you. At which point your firewall will block the connection.

            Meanwhile the website served you a supercookie so it can track you wherever you go, and one of its adverts used a drive-by security vulnerability to infect you with a virus. But for some reason nobody worries about that.

            > and what is more - with IPv6 packets you visited the website with digitally signed evidence

            Uh, no. It's just an IP packet, it's no different to v4. No digital signatures here (unless you're using IPsec, but you could be using that in v4 too).

            > IP4 addresses behind NAT are UNROUTEABLE. You cant reach them, and unless they make an outbound connection, you dont even know for sure they are there.

            I do like to point out that this isn't completely true: your ISP (or anyone who can strongarm them) can connect to you even if you're behind a NATing router, unless you prevent them with a firewall.

            > And even if they do, you cant be sure which internal machine is originating the connection.

            The same is true in v6 with privacy extensions, which are enabled out of the box on most OSs.

            > NAT is what makes consumer level broadband safe enough to do e-commerce over.

            No. *Firewalls* are what make consumer-level broadband safe enough to do e-commerce over. NAT just saves you from having to set up a proxy server. (Or are you saying that Sky aren't secure enough for e-commerce now that they have v6?)

            > The thought of machines with clearly identifiable unique routeable IP6 addresses on the public Internet, relying on user set up firewalls to protect them, scares me ****less.

            It shouldn't. This is nothing like as big a deal as you think it is. The addresses aren't clearly identifiable (they're just random numbers that change often) and firewalls are set up automatically by ISP routers and by your OS.

            > If I ever setup V6 I will still want a NAT equipped router between me and it.

            You are free to do this to yourself. I accept your right to make your own life more annoying than it needs to be for no real benefit. Just don't force it on anybody else.

            > The secure perimeter we now all have with ISP-supplied routers (no more USB cable modems, yay!) is the reason why the crims have now moved to the client-based penetration attempts. Take the perimeter wall away, and we're back to 1993.

            IPv6 does _not_ take this perimeter away. You will still have the ISP-supplied router and it'll still be the perimeter to your network. Your network will still be yours and you'll still be in control of who gets to connect to machines on it. In fact v6 is what will let you keep that control – with CGNAT, you're going to lose it on v4.

            > There is no downside to v6 if you understand networking. If you don't, Internet use will become much trickier.

            This is backwards. NAT is the tricky thing to understand; things are a lot easier without it. Note that I'm basing this on actual experience, not fear of the unknown like most other people in this thread.

            1. Vic

              Re: And who told you I want to be measured?

              I could easily rephrase this to "the majority of people want to be capable of accepting inbound connections in at least some circumstances", and for that we're going to need v6. v4 just isn't going to cut it.

              This is simply incorrect. Incoming TCP connections might need some assistance in the event of CGNAT, but UDP doesn't. And if you're looking for the sort of isochronous connections that end-users might generally want - games, VoIP, that sort of thing - then UDP is going to be what you're after. If you want to set up web or mail servers, CGNAT probably isn't for you. But how many of us want to run web or mail servers and don't know how to work around CGNAT?

              Behind CGNAT? If not then I suspect that'll be a nasty surprise for you when it happens.

              Effectively, yes. My second tier of NAT - which I put in place - gives me the same effect. My first tier probably does - but as I didn't build that, I can't actually be certain without a load of work that I cannot be arsed to do.

              And yet - it still works.

              Indeed - the only time I've had difficulty with such setups is when the router tries to do something clever; a colleague of mine from years ago used to love putting Juniper kit anywhere he could. I soon found that the best way to use this was to turn off every ALG it offered; they were all crap. Running STUN sorted the problem every single time.

              Also... I'm doing this too, on v4. I know it's possible. But I'm also doing it on v6, and I can tell you that it's just easier on v6.

              Well, I can install SIP phones on an IPv4 network without a firewall, and they just work. If I install them on an IPv6 network, I must have a firewall to prevent the administration interfaces being visible to the Internet at large. I fail to see how this is "easier".

              NAT doesn't seem hard until you get rid of it, and suddenly you realize how much of a pain it really was.

              I can't agree with you. I run NAT on my IPv4 network, and not on my IPv6 networks. The IPv4 network takes much less thinking about.

              And partly because there's no other choice

              Nonsense. There are numerous applications that run over IPv4 - there's VoIP that I've already mentioned, or there's BitTorrent, for example. Or any other P2P app - the original Skype? There are choices. They work. Game vendors are not eschewing this technology because it doesn't work, they are preventing it because it doesn't pay.

              Do you want it to be _possible_ for a company to release something that isn't trivial to spy on, or not?

              That's FUD. The visibility of your data to an attacker is entirely unrelated to the transport mechanism chosen.

              Not every company wants all your info (just most), but none of them will have any choice if everybody is behind CGNAT.

              No. That's just bollocks. CGNAT does not preclude TLS. Nor, indeed, does it make any difference in either direction to the snoopability of plaintext.

              Adding two bytes is exactly as hard as adding 12 bytes.

              In protocol terms, yes. In human terms, no. Any time you have to get humans to modify their behaviour in any significant way in order to accommodate a computer, you've almost certainly screwed up.

              If you're going to add bytes, you may as well add enough bytes that you don't need to go "whoops, we didn't add enough, we need to go through all that again" later on.

              A 64-bit address space with a MAU of /16 would give you individual prefixes for nearly 3x10^14 users, with 65K addresses for each. Given that this planet really can't support 10^10 people, and that no individual is going to be able to maintain 65K devices, that would have been enough until approximately the time we've colonised 10,000 other worlds. I can't see that happening before Christmas, if I'm honest.

              Okay, for starters: DNS. It's awesome and it's been around for years now and it makes your life a lot easier; I really suggest you read up on it.

              Until it breaks. Some of us make a living fixing stuff like that; having memorable addresses really does make life easier. Holding more than four numbers in memory at any time is actually quite difficult for dyslexics like myself. Now I know this is my problem, but just claiming "DNS makes it go away" entirely ignores the situation where DNS has gone down. And DNS does go down...

              For seconds: why did you pick such an awkward v6 address? If you needed to remember this address you should've picked something easier to remember, like 3ffe:1900:4545:3::2 (read that as "address 2 on subnet 3").

              For starters, that's all very well if you know the prefix. But the prefix is the bit that will need memorising; most public addresses are likely to be on low subnet/address pairs, but the prefix is going to be utterly unpredictable. For a MAU, it's a 64-bit number with no memorable cues.

              So we all know that Google runs a DNS server on 8.8.8.8. But if you want to do that over IPv6, it's on 2001:4860:4860::8888. They've clearly worked hard to get the repetition into that prefix, but that's still not a number I can carry in my head.

              [Of forging local network addresses]

              I do like to point out that this isn't completely true: your ISP (or anyone who can strongarm them) can connect to you even if you're behind a NATing router, unless you prevent them with a firewall.

              It's quite a few years since I worked for an ISP, but when I did, our experiments with forging LAN addresses on the WAN port only got through to the LAN side on a few really shitty routers. I cannot tell you whether or not that is still the case.

              You are free to do this to yourself. I accept your right to make your own life more annoying than it needs to be for no real benefit. Just don't force it on anybody else.

              That last is the only thing that actually needs saying; there are many people for whom NAT is a really useful thing. With IPv6, no-one is forced to use NAT, but similarly, no-one should be prevented from using it either. If the High Priests would stop telling us we can't use NAT, most of the objections would disappear...

              IPv6 does _not_ take this perimeter away.

              Yeah, it does unless you do something to replace the perimeter. A NAT router in front of an RFC 1918-based LAN gives you a default DENY configuration. An IPv6 router gives you a default ACCEPT. To get the perimeter afforded by the first, you need to add a stateful firewall, which is another piece of equipment that needs maintenance. This is an increase in complexity, which might well be a show-stopper for those not versed in networking.

              This is backwards. NAT is the tricky thing to understand; things are a lot easier without it.

              It really isn't. NAT might be tricky to understand if you're trying to program it, but the vast majority of users never do that. They just use it, and it just works. If you want them to use firewalls in addition to what they've done before, that's a bunch of new learning they have to do. Now you and I might not think that a big deal - but for substantially all[1] Internet users, that's a huge amount of work that will never happen.

              Note that I'm basing this on actual experience, not fear of the unknown like most other people in this thread.

              As am I. I am a networking professional and I run both IPv4 and IPv6. But I also have a fair bit of contact with "home users", for whom the transition to IPv6 without NAT will be a total nightmare. Now I could make quite a bit of cash out of that - but I'd rather see standards working for users, rather than the reverse. That will transition us to IPv6 more rapidly, with fewer catastrophes along the way. And the single biggest thing we need to happen is for IPv6 proponents to stop trying to prevent NAT; it's not going to harm you, no-one is going to force it on you, and it will make many people's lives much easier.

              Vic.

              [1] I was going to write "the vast majority" or somesuch, but it is so close to "everyone" as to make no difference.
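              Charles 9 asks above why an IPv6 firewall must ACCEPT by default, and Vic's post above contrasts the NAT router's default DENY with an IPv6 router's default ACCEPT unless a stateful firewall is added. The following is an added example written for this page, not any poster's configuration: an nftables ruleset giving an IPv6 home router the stateful default-deny perimeter being discussed, with the ICMPv6 exceptions IPv6 needs to keep working. Interface names wan0/lan0, the delegated prefix 2001:db8:1234:5600::/56 (documentation space) and the single host with an opened port are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example (not any poster's config): stateful default-deny IPv6
# perimeter for a home router. Assumptions: WAN interface wan0, LAN
# interface lan0, ISP-delegated prefix 2001:db8:1234:5600::/56
# (documentation space), and one LAN host 2001:db8:1234:5601::2
# that should be reachable on HTTPS from the Internet.
define wan = "wan0"
define lan = "lan0"
define lan_prefix = 2001:db8:1234:5600::/56
define web_host = 2001:db8:1234:5601::2

table ip6 perimeter {
    chain input {
        # "policy accept" is the wide-open state of a router that merely
        # routes the delegated prefix; "policy drop" is the NAT-like
        # default DENY for traffic addressed to the router itself.
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # IPv6 breaks if ICMPv6 is blocked wholesale: NDP (RS/RA/NS/NA)
        # replaces ARP, and packet-too-big is how Path MTU Discovery works.
        # RFC 4890 also recommends letting echo through.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, echo-reply, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept

        # Router's own services (DNS, DHCPv6 server, SSH): LAN side only,
        # so the management interface is never exposed on the WAN.
        iifname $lan udp dport { 53, 547 } accept
        iifname $lan tcp dport { 22, 53 } accept

        # WAN: unsolicited DHCPv6 Reconfigure from the ISP's server
        # (server port 547 -> client port 546). Replies to the router's own
        # prefix-delegation requests already match "established" above.
        iifname $wan udp sport 547 udp dport 546 accept
    }

    chain forward {
        # Default DENY for traffic crossing the router in either direction.
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept

        # LAN -> Internet is allowed, but only from a source inside the
        # delegated prefix (egress filtering: spoofed or stale-prefix
        # traffic does not leave the network).
        iifname $lan oifname $wan ip6 saddr $lan_prefix accept

        # Internet -> LAN: the IPv6 equivalent of a port forward. One host,
        # one port, listed explicitly; every other inbound flow hits the
        # drop policy exactly as it would behind a NAT router.
        iifname $wan oifname $lan ip6 daddr $web_host tcp dport 443 accept
    }
}
```

              Load it with `nft -f` on the router and verify with `nft list ruleset`; the two `policy drop` lines are the entire difference between this and the "default ACCEPT" a bare router gives.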

              1. Nanashi

                Re: And who told you I want to be measured?

                > This is simply incorrect. Incoming TCP connections might need some assistance in the event of CGNAT, but UDP doesn't. And if you're looking for the sort of isochronous connections that end-users might generally want - games, VoIP, that sort of thing - then UDP is going to be what you're after. If you want to set up web or mail servers, CGNAT probably isn't for you. But how many of us want to run web or mail servers and don't know how to work around CGNAT?

                There's a huge pile of problems here. Even if it works in theory, it's not going to work so great in practice if the CGNAT is overloaded, or on a non-optimal network path, or if it has a super-aggressive timeout period. Even if none of those are a problem, it still costs money for the hardware and to maintain it. And sure, I know how to work around it (I buy a VPS with a public IP address -- which makes the huge assumption that those are even available. You DID get the "we're out of v4 addresses" memo, right?), but I shouldn't have to work around it in the first place. Nobody should.

                I notice you didn't even mention all the protocols that aren't TCP and UDP. Those should work too.

                CGNAT is no way to run an internet. It's a good way to phase out v4, but it's not what we should be picking for the next thousand years of internet growth.

                > Indeed - the only time I've had difficulty with such setups is when the router tries to do something clever; a colleague of mine from years ago use to love putting Juniper kit anywhere he could. I soon found that the best way to use this was to turn off every ALG it offered; they were all crap.

                Of course if it wasn't for NAT then they wouldn't have had the ALGs in the first place...

                > Well, I can install SIP phones on an IPv4 network without a firewall, and they just work. If I install them on an IPv6 network, I must have a firewall to prevent the administration interfaces being visible to the Internet at large. I fail to see how this is "easier".

                That's not a fair comparison. Either include the cost of setting up NAT on v4, because the phones won't work without it, or don't include the cost of setting the firewall up on v6. You can't argue "but the NAT was already set up for me" because the same will be true of the firewall on v6 (unless you're configuring your own router, in which case neither NAT nor a firewall will be configured by default).

                > The visibility of your data to an attacker is entirely unrelated to the transport mechanism chosen. [...] CGNAT does not preclude TLS. Nor, indeed, does it make any difference in either direction to the snoopability of plaintext.

                If your plaintext is going via a company's server, then it's a lot more snoopable for that company than if it wasn't.

                TLS (or rather end-to-end encryption) is a good point. Can be hard to verify though, and we do still have all the other issues associated with relaying (it costs more money, it relies on servers that can get shut down, it's slower than direct). Relaying is a decent workaround for the inability to make direct connections, but again it's not something that should be a permanent requirement of the future internet. That's something we should be working to avoid.

                > In protocol terms, yes. In human terms, no. Any time you have to get humans to modify their behaviour in any significant way in order to accommodate a computer, you've almost certainly screwed up.

                The good news is that you use v6 the same way you use v4: by plugging in all of the stuff your ISP sent you and then pointing your browser to a search engine, typing into the search box, and then clicking a link. No significant changes there.

                > A 64-bit address space with a MAU of /16 would give you individual prefixes for nearly 3×10^14 users, with 65K addresses for each. Given that this planet really can't support 10^10 people, and that no individual is going to be able to maintain 65K devices, that would have been enough until approximately the time we've colonised 10,000 other worlds. I can't see that happening before Christmas, if I'm honest.

                It's funny, here you are arguing that v6 is too big and yet there's a poster earlier on that thinks it'll run out in five years. Your estimate for v6 use is at minimum _nineteen orders of magnitude_ lower than his. That's just crazy.

                I'm not convinced 64 bits would be enough. It might be, but I'm not convinced we'd be able to avoid NAT on it indefinitely. And this is something we really don't want to be wrong on, because we'll be stuck with whatever we pick. 128 bits is definitely overkill (I'd say 80-96 is probably right, but those aren't powers of 2), but it's better to be stuck with overkill than a shortage.

                > For starters, that's all very well if you know the prefix. But the prefix is the bit that will need memorising; most public addresses are likely to be on low subnet/address pairs, but the prefix is going to be utterly unpredictable.

                There's some structure, for instance you should be getting a /48 or maybe a /56 so the last 8-16 bits will be zero, and the first 16 bits will usually be 2a0X or so in Europe. You end up with 32 bits of randomness and 16-24 bits that are selected from a small set of possibilities -- which is very similar to v4 with the WAN address (random) and LAN prefix (selected from small set of possibilities).

                If you work on a v6 network for a while, you won't have any trouble remembering the prefix for it, and if you can't then it's just a copy/paste away in `ifconfig`.

                Really the biggest downside is that you have to type the entire damn thing out. There needs to be some way to do "~::53" or something to refer to an IP in the current subnet. Between DNS and the clipboard it's rare to need to type an IP, but it could do with being easier when you do.

                In any case, none of this is a show-stopper for v6, which we still need to do. You're a networking professional and it's your job to deal with it on behalf of users. And you yourself said that users aren't even "the vast majority" but "as close to everyone as makes no difference", so why would the job of the DNS repairman make a difference?

                > So we all know that Google runs a DNS server on 8.8.8.8. But if you want to do that over IPv6, it's on 2001:4860:4860::8888. They've clearly worked hard to get the repetition into that prefix, but that's still not a number I can carry in my head.

                This is another unfair comparison. You're comparing an easily-remembered v4 address to a less-easily-remembered v6 address. How about we use the IP of www.sprint.net instead?

                www.sprint.net. 3560 IN A 208.24.22.50

                www.sprint.net. 3555 IN AAAA 2600::

                Suddenly, v6 is easier to remember.

                > It's quite a few years since I worked for an ISP, but when I did, our experiments with forging LAN addresses on the WAN port only got through to the LAN side on a few really shitty routers.

                Right, this is kinda my point: they only got through to the LAN side on routers that didn't have firewalls. On routers that did have firewalls, they didn't get through. I was very careful to say "unless you prevent them with a firewall".

                Take note here, because it's important: those routers had firewalls. How much effort were those firewalls to set up? Right: none, because you didn't set them up, they just came with them, and they worked. The same is true on the v6 side of v6-supporting routers.

                > To get the perimeter afforded by the first, you need to add a stateful firewall, which is another piece of equipment that needs maintenance. This is an increase in complexity, which might well be a show-stopper for those not versed in networking.

                In practice it's the same piece of equipment that does your NATing, and it does it out of the box. There is no practical increase in complexity here for those not versed in networking, because the only required steps are "plug in the box from the ISP". (Not to say that there aren't people who have trouble doing that...)

                > But I also have a fair bit of contact with "home users", for whom the transition to IPv6 without NAT will be a total nightmare.

                Over 5 million UK internet users have already been through this transition, and it wasn't a nightmare. (Just to be clear: they aren't using NAT and they are using a firewall, and they didn't have to learn or do anything extra to do that.)

                This is good news: your fears aren't reflected in reality.

                1. Vic

                  Re: And who told you I want to be measured?

                  Oh $deity, War and Peace again...

                  You DID get the "we're out of v4 addresses" memo, right?

                  I got the "last /8s have been allocated to RIRs" memo. Since then I have acquired quite a few static IPv4 addresses.

                  I notice you didn't even mention all the protocols that aren't TCP and UDP. Those should work too.

                  I didn't - because I'm not trying to claim that CGNAT is some sort of panacea, it isn't. But many of the things claimed about it are simply bullshit, which is what I responded to. There's no point in discussing this sort of technology if we're going to base everything on wild claims that are not supported by facts and evidence.

                  Of course if it wasn't for NAT then they wouldn't have had the ALGs in the first place...

                  The ALGs only make things worse, not better, so it's a bit of a stretch to make the claim that you have; it would be more appropriate to say that certain manufacturers have made a prize cock-up in their kit. Actually, that's all that needs saying: those ALGs are simply broken software deployed by someone who didn't know how to do the job properly.

                  That's not a fair comparison. Either include the cost of setting up NAT on v4, because the phones won't work without it, or don't include the cost of setting the firewall up on v6

                  OK - fine. Cost of setting up NAT on my network - £0. It was pre-installed. Cost of setting up firewall - I don't know. I've never costed it. But it took effort on my behalf.

                  So actually - it's a very fair comparison.

                  Actually, you know, I really can't be arsed to rebut this any further. It's far too late, and I've got better things to do.

                  Vic.

                  1. Nanashi

                    Re: And who told you I want to be measured?

                    >>Yeah, I have, and I just tried it again for the sake of argument.

                    >I really doubt that you have.

                    If you're not going to believe me, then what was the point of asking me if I've done it?

                    > Fine. You've enabled NAT on your outbound connections.

                    Yep, and inbound connections still worked. That was the point that I've been making all along: NAT doesn't block inbound connections.

                    > OK - so tell us how you put bogons onto your WAN-side connection.

                    > This is something I could do when I worked for an ISP. It's not something I can do now. I'd be interested to hear how you did it. If you did it.

                    With "ip addr add". I have a routed internal network, so essentially my main router is the WAN-side interface of the second router. I have full control over both and can put whatever IPs I like on any interfaces.

                    > No you shouldn't, because what you claim depends on bogons being routed by your ISP (which *never* happens unless your ISP is deliberately doing such) *and* it depends on the behaviour of your WAN-side equipment.

                    Didn't I say that right from the start? "Your ISP could access your network" and "if you don't have a firewall". Obviously that requires your ISP to deliberately do something, and it requires your equipment to not have a firewall. That was the whole point: NAT doesn't block inbound connections, and you need to have a firewall to do that. If you do in fact have a firewall (which is far more common than you think it is) then it won't work -- but the reason is because of the firewall, not because of the NAT.

                    > I have quite a few pieces of equipment that do exactly that - including the one I'm using right now. Are you trying to tell me that they can't exist?

                    Of course they do exist, but they're not what ISPs are using to deploy v6. Look at Comcast or Sky, they have millions and millions of users doing v6 and they aren't using routers that have no firewall out of the box.

                    Also you said this: "our experiments with forging LAN addresses on the WAN port only got through to the LAN side on a few really shitty routers". I guess your Vigor 2600v is one of those really shitty routers. Most enterprise routers probably fall into this category too (at least for the purpose of mass-market v6 deployment), since they make you configure everything yourself, but those aren't what ISPs are using to deploy v6 to their user base.

                    > Really? How do I pick my prefixes, then? Because the ones I've got were allocated to me by my upstream providers, and they're really not very memorable.

                    In exactly the same way you pick your v4 WAN addresses. Which, yes, means that they're assigned to you and not very memorable, but that's the same as in v4 so if you're happy with it there then you should be happy with it here.

                    > Yes you do. If the address is routable - as it is with v6 - it will be routed. Thus you have moved from default DENY to default ACCEPT.

                    This really depends very much on the firewall you have. Your traffic won't be routed if it's dropped by the firewall, which inbound traffic will be by default on the routers issued by ISPs doing v6.

                    > The ALGs only make things worse, not better, so it's a bit of a stretch to make the claim that you have; it would be more appropriate to say that certain manufacturers have made a prize cock-up in their kit. Actually, that's all that needs saying: those ALGs are simply broken software deployed by someone who didn't know how to do the job properly.

                    Sure, but the point was that the manufacturers added the ALGs to try to fix up protocols that have trouble working through NAT. So it cost you money to pay them to program the ALGs, and then it cost you again when you tried to use them and they made things worse and you had to figure out what went wrong. And the root trigger for all of this was our use of NAT.

                    > OK - fine. Cost of setting up NAT on my network - £0. It was pre-installed. Cost of setting up firewall - I don't know. I've never costed it. But it took effort on my behalf. So actually - it's a very fair comparison.

                    Not for the vast majority of internet users ("as close to everybody as makes no difference"). You're using an outdated "really shitty" router, whereas ISPs are deploying routers where the inbound firewall /is/ set up by default. A fair comparison would use the routers that people are actually using.

                    1. Vic

                      Re: And who told you I want to be measured?

                      If you're not going to believe me, then what was the point of asking me if I've done it?

                      You were making an extraordinary claim. Such claims require extraordinary proof - I'm prepared to believe it only if you can come up with some evidence to support what you claimed. You didn't - you just posted how you could perform NAT at your perimeter, which is a world of difference from showing an ISP inserting bogons onto your WAN link to be forwarded onto your LAN. That last requires assistance from your ISP, and rarely works anyway. Thus - as a number of us have claimed - using a NAT router gives you a first line of defence because an attacker simply has no route to the machines inside your perimeter by default. You've had a chance to disprove that - and have done nothing of the sort.

                      With "ip addr add". I have a routed internal network, so essentially my main router is the WAN-side interface of the second router

                      No you haven't. The packets do not leave the kernel in that situation. Put a real analyser on the wire and you will see that you are not putting packets WAN-side.

                      Didn't I say that right from the start? "Your ISP could access your network"

                      And, like I've said, that is only ever possible in the event that you have a malicious ISP and you've got a rare and shitty type of router that bridges WAN to LAN rather than routes. We can discount that last - I only ever found one design that did it, and it is clearly a broken design. So that leaves us with the simple situation of "no, your ISP cannot access your network", which is the opposite of your claim.

                      That was the whole point: NAT doesn't block inbound connections

                      Yes it does. Try it - set up a NAT router with no firewall and no configured forwarding. Now try to connect from an external source to one of your internal machines - it doesn't work unless you deliberately set up something like STUN to defeat the NAT. You keep claiming that this is the firewall rather than the NAT, but if you actually set this up on a NAT router without a firewall, you'll see that the connection drop must be from the NAT because there is no firewall to do that job. This is an extremely common scenario - I'm using it right now. Your refusal to accept this simple truth leads to any number of misunderstandings, but that is what they are - if you were to port-scan my external IPv4 address right now you will get no access to my internal network except on ports I have deliberately forwarded, despite there being no firewall on the connection. Denying this is a fool's game - this is my network, and yes, I have checked it. Telling me that the firewall is what stops anyone getting to my machines is wrong because there is no firewall there. Do I need to repeat this a few more times? Your claim is wrong. It is demonstrably wrong, and it does not survive simple inspection. Reality must take precedence over public relations, for Nature cannot be fooled.

                      Of course they do exist, but they're not what ISPs are using to deploy v6

                      No, but they are what ISPs have been using to deploy v4. And there is exactly the source of this argument - for v4, NAT gives you a default DENY situation, but a v6 deployment gives you a default ACCEPT, with an additional firewall required to give you the same effect. So yes - we all know you need a firewall for v6-without-NAT, and that is the bone of contention. Were IPv6 proponents to stop demanding that v6 be deployed with globally-routable addresses everywhere and no NAT, the same situation would occur. But apparently, we need to accept the dogma, rather than use our own kit as we see fit.

                      Also you said this: "our experiments with forging LAN addresses on the WAN port only got through to the LAN side on a few really shitty routers". I guess your Vigor 2600v is one of those really shitty routers.

                      No, it isn't. Forge a bogon on the WAN side and it doesn't make it through the router. That is why NAT is useful as a first-line defence to prevent external agents from looking at my network.

                      In exactly the same way you pick your v4 WAN addresses. Which, yes, means that they're assigned to you and not very memorable

                      Precisely. So claiming that IPv6 addresses are memorable is entirely bogus.

                      but that's the same as in v4 so if you're happy with it there then you should be happy with it here.

                      It's not the same as v4. v4 is a 32-bit address space, and that's really not too difficult to remember. v6 is a 128-bit address space, of which at least 64 bits must be remembered if we're allocating MAUs. If you're trying to make v6 as memorable as v4, you would need to change the MAU to a /32, and that will give you all the exhaustion problems of v4 with the complexity of v6.

                      the point was that the manufacturers added the ALGs to try to fix up protocols that have trouble working through NAT

                      That might be why ALGs were written, but the practical effect was to take a protocol that worked flawlessly through NAT and turn it into something that didn't.

                      ISPs are deploying routers where the inbound firewall /is/ set up by default. A fair comparison would use the routers that people are actually using.

                      That's what I am doing. If you think IPv6 routers are in common operation, you have a nasty shock coming. Your configuration is very far from usual. I would go so far as to say "niche". IPv6 just isn't widely deployed, however much anyone might like it to be.

                      Now I'm sure you want to have the last word on this, so you go ahead and do it. I've wasted far too much time on this already, and your assertions are simply not supported by reality. I don't intend to engage further with you on this thread.

                      Vic.

                      1. Nanashi

                        Re: And who told you I want to be measured?

                        What exactly am I supposed to say here? Even looking at the theory, NAT doesn't block inbound connections, and I just demonstrated it in practice too. I can even traceroute in from the upstream side:

                        traceroute to 192.168.128.2 (192.168.128.2), 30 hops max, 60 byte packets

                        1 203.0.113.2 (203.0.113.2) 1.160 ms 1.007 ms 0.678 ms

                        2 192.168.128.2 (192.168.128.2) 1.056 ms 1.632 ms 0.542 ms

                        and it works perfectly fine. Obviously I had to add a route to 192.168.128.0/24 via 203.0.113.2, but I did say that originally: "your ISP [who can add such a route on their side] can access your network if you don't have a firewall, even if you have NAT".

                        This is just bog standard routing, it's nothing close to an extraordinary claim.

                        > No you haven't. The packets do not leave the kernel in that situation, Put a real analyser on the wire and you will see that you are not putting packets WAN-side.

                        Ah, I suppose you misunderstood my network layout (or I phrased it badly). I have one router attached to the ISP, and I have a separate Linux server attached behind that router. The Linux server runs LXC, and has a software bridge interface to which all the containers are attached. The server then routes (not bridges) between the bridge interface and my main LAN. Getting out to the internet from an LXC container requires going through two routing hops (the Linux server and the main router) before hitting the ISP's network.

                        From the perspective of the Linux server, my main router occupies the position that the ISP router normally occupies for most people's home router.

                        FWIW I do see the packets in tcpdump, on all parts of the link:

                        21:21:48.601083 IP 203.0.113.1 > 192.168.128.2: ICMP echo request, id 19286, seq 4, length 40

                        21:21:48.601188 IP 192.168.128.2 > 203.0.113.1: ICMP echo reply, id 19286, seq 4, length 40

                        (203.0.113.1 is the main router, 192.168.128.2 is the VM. The Linux server is sitting between them, with 203.0.113.2 on its upstream side and 192.168.128.1 on its downstream side.) TCP works too, in case you think it's just ICMP:

                        21:22:52.828393 IP 203.0.113.1.58732 > 192.168.128.2.443: Flags [S], seq 3300493212, [...], length 0

                        21:22:52.828516 IP 192.168.128.2.443 > 203.0.113.1.58732: Flags [S.], seq 1444074273, [...], length 0

                        21:22:52.829588 IP 203.0.113.1.58732 > 192.168.128.2.443: Flags [.], ack 1, [...], length 0

                        The three-way handshake completes, even when I'm applying NAT to outbound connections. (This is after all an inbound connection, so it's unaffected by what I do to outbound connections.)

                        Incidentally, I had to add this on the Linux server to get that inbound TCP connection to work, otherwise I got "connection refused" back:

                        iptables -I FORWARD -d 192.168.128.2 -p tcp --dport 443 -j ACCEPT

                        In other words, the connection didn't work unless I poked a hole in my firewall. Which is just more evidence that a firewall is necessary to block inbound connections even when NAT is involved.

                        > If you think IPv6 routers are in common operation, you have a nasty shock coming. Your configuration is very far from usual. I would go so far as to say "niche". IPv6 just isn't widely deployed, however much anyone might like it to be.

                        80% of Sky users are using v6 as we speak. That's not a majority of the UK (it's about 15%), but it's far from niche -- it's millions of networks. The 15% is straight from Google, if you don't believe me:

                        https://www.google.com/intl/en/ipv6/statistics.html#tab=per-country-ipv6-adoption

                        And Sky's default router (which is exactly what some crazy high percentage -- I think 95-98% -- of their user base uses) does indeed have a firewall out of the box (and doesn't use NAT for v6 either).

                        1. Blotto Silver badge

                          Re: And who told you I want to be measured?

                          @Nanashi

                          you got that all wrong

                          your router to ISP = 203.0.113.1

                          your linux server outside ip = 203.0.113.2

                          your linux server inside ip = 192.168.128.1

                          your Linux VM host = 192.168.128.2

                          1) You configured your NAT to just NAT your outbound connections. It will have no effect on your inbound connection.

                          2) You did a traceroute to an internal host. If you were testing NAT you would be addressing the outside IP, 203.0.113.2, on some port its NAT process would know to translate to an inside IP.

                          3) You are initiating a connection from outside to inside, effectively just routing from 1 subnet to another.

                          NAT maps inside IPs and source ports to the outside IP and creates a new source port, same dst port and dst IP. It then watches return traffic for the reverse src, dst ports & IPs and knows to swap the dst IP and port for the inside IP and port mapped earlier and then route the traffic inbound.

                          Think about it: it's impossible to come from the outside to inside over NAT if the port mapping relationship hasn't been created first from the traffic initiated from the inside. How can the NAT process route to the correct inside host when it doesn't know what host it needs to send to?

                          > Fine. You've enabled NAT on your outbound connections.

                          Yep, and inbound connections still worked. That was the point that I've been making all along: NAT doesn't block inbound connections.

                          https://en.wikipedia.org/wiki/Network_address_translation#One-to-many_NAT

                          http://www.team-cymru.org/bogon-reference.html

                          1. Nanashi

                            Re: And who told you I want to be measured?

                            No, your understanding of my network layout (and NAT) is wrong. It actually looks like this:

                            My router to ISP = <my WAN address that I don't really want to post>

                            My router to my Linux server: 203.0.113.1

                            My Linux server outside (upstream) IP = 203.0.113.2

                            My Linux server inside (downstream) IP = 192.168.128.1

                            My Linux VM host = 192.168.128.2

                            The NAT I installed to test with was on the Linux server, NATing outbound connections from 192.168.128.x to appear to come from 203.0.113.2. The pings/traceroutes above started at my router -- that's why there's two hops in the traceroute rather than just one.

                            > 1) you configuiered your nat to just nat your outbound connections it will have no affect on your inbound connection

                            Yep. This is the normal way of doing NAT. (Port forwards are slightly different, but I'm not setting any port forwards up here -- even for that port 443 connection I made.)

                            > 2) you did a traceroute to an internal host, if you where testing nat you would be addressing the outside ip, 203.0.113.2, on some port its nat process would know to translate to an inside IP.

                            No, I'm definitely testing the NAT here. I'm showing what a NATing router does if you send it a packet with the dest IP set to one of the LAN machine IPs. Setting the dest IP to 203.0.113.2 wouldn't demonstrate that very well.

                            > 3) You are initiating a connection from outside to inside, effectively just routing from 1 subnet to another.

                            This is completely correct. I am indeed just routing from one subnet to another. That's why I said this isn't an extraordinary claim at all. Routers route, it's what they do. Even if the router is also NATing, it'll still process packets that don't meet the condition to be NATed, which means that your ISP can send you packets with the dest IP set to one of your LAN machines and those packets will happily be routed onwards (unless you dropped them with a firewall).

                            >think about it, its impossible to come from the outside to inside over nat if the port mapping relationship hasn't been created first from teh tarffic initiated from the inside. How can the nat process route to the correct inside host when it doesn't know what host it needs to send to.

                            Did you read my posts above? There's no need to involve the NAT part of the router here at all. All that needs to happen is that a packet comes in from your WAN interface with the dest IP already set to one of your LAN machine IPs. Then NAT doesn't need to rewrite the address to one of your LAN machines, because it's already set to one!

                            (Note that NAT doesn't route, it just changes IPs/ports in packet headers. Routing is a completely separate thing that doesn't rely on NAT at all. When you set up a port forward, you're essentially pre-processing packets to have a LAN dest IP before they hit the routing engine -- but there's no need to do that if they already have a LAN dest IP.)

                            And there's no point linking to a page about bogons. If your ISP (or whoever is strong-arming them into helping) is trying to access your network this way, then they aren't going to filter their own traffic. You need to be dropping these packets yourself (NAT won't do the job, as I keep explaining).

                            1. Blotto Silver badge

                              Re: And who told you I want to be measured?

                              @Nanashi

                              My understanding is correct: you have 1 router that has an interface to your ISP and another interface with your RFC 5737 address. Everything else you have confirmed is as I wrote.

                              2) You are not testing NAT, you are routing from outside in. Network Address Translation, as its name suggests, translates network addresses. It maps inside addresses to TCP ports on outbound connections so that when the traffic comes back it can translate that outside dst address to the correct inside address. That is what NAT is.

                              >Did you read my posts above?

                              Yes, but you're still routing and not NAT'ing, despite how much you write.

                              If your ISP-supplied home router is so crap that it accepts and forwards traffic with dst addresses being in the same RFC 1918 address range as those on the inside of your network then you need to get a better router. It won't work with connections originating from the internet.

                              1. Anonymous Coward
                                Anonymous Coward

                                Re: And who told you I want to be measured?

                                The point is that the network between you and the ISP is basically an INTRAnet, so RFC1918 doesn't have to apply here. In such a scenario, if you know the LAN's topology (and the ISP can sniff it from the router or through other means), the ISP can construct a translated route through the router to your internal machine without the router having to change the packets along the way. NAT doesn't apply because the route is PRE-translated. Put it this way. How was his INBOUND packet able to get through to the inside machine without an existing OUTBOUND relationship?

                                1. Blotto Silver badge

                                  Re: And who told you I want to be measured?

                                  Exactly, it's routed not NAT'd.

                                  I think they are trying to suggest NAT does not block traffic being routed, which is correct. But you can't test NAT by simply routing through a router that also does NAT; you have to emulate a legitimate inbound packet that is a response to a previously NAT'd packet.

                                  1. Nanashi

                                    Re: And who told you I want to be measured?

                                    Right, exactly: the existence of NAT does not stop routing from happening. It's nice that somebody gets it.

                                    It was a valid test for what I was trying to demonstrate with it: that you *can* simply route through a router even when the router does NAT. There's no point constructing a packet that will hit the NAT engine, because the whole point was to show that inbound connections _don't_ touch the NAT.

                                    I know this is all obvious stuff, but there were quite a few people above that argued pretty strongly that it didn't work like this.

                                    > If your ISP supplied home router is so crap that it accepts and forwards traffic with dst addresses being in the same rfc 1918 address range as those on the inside of your network then you need to get a better router.

                                    I agree, but the key thing to realize is that "better router" means "a router with a firewall". And that firewall is exactly what you need to prevent inbound connections on v6 too. You don't need any NAT for that.

                                    > it won't work with connections originating from the internet.

                                    Right, but not because of the NAT, only because people on the internet can't send packets with a dst IP of 192.168.y.x and have them show up at your router. It's just important to note that your ISP (or someone capable of strongarming them) could in fact do this.

                                    There are some highly upvoted posts above to the effect of "but v6 will let the NSA/GCHQ/etc get access to my network" (so apparently this _is_ something people worry about, or else why use it as an argument?). But if you're relying on NAT for this then you've already screwed up, and in fact the lack of NAT in v6 will help because it'll remove your false sense of security. For some reason there are people arguing against doing this.

                                    1. Blotto Silver badge

                                      Re: And who told you I want to be measured?

                                      >Right, exactly: the existence of NAT does not stop routing from happening. It's nice that somebody gets it.

                                      Everyone has been saying this from the start; your test did not test NAT, it tested routing.

                                      >It was a valid test for what I was trying to demonstrate with it: that you *can* simply route through a router even when the router does NAT

                                      It wasn't a valid test. If you'd said "I can still route through a NAT router", that's what you tested; no one would have contested you.

                                      >I agree, but the key thing to realize is that "better router" means "a router with a firewall".

                                      Not correct. If you did not have NAT or a FW, your inside machines would have to have valid publicly routable IPs and would be susceptible to attack from anyone on the Internet. If you have NAT on, no FW and RFC 1918 or "Martian address" internally, then no one on the internet can reach those addresses without being NAT'd by your NAT device. Someone at your ISP specifically targeting your home network could conceivably still get at your internal kit, but would need to sniff your internet traffic to know your internal range, then go to great lengths to get traffic from their machine to your internal hosts, all the while hoping you've not got a NAT device that only allows 1-way traffic or not got a FW. If this is a scenario you're worried about then I'd suggest the real thing to be worried about is why someone wants to scrutinise you that way.

                                      An analogy: it's like saying a car with disc brakes all round and ABS disabled is no safer than a car with no ABS and drum brakes all round. If you're wondering, disc brakes enable the use of ABS.

                                      >Right, but not because of the NAT, only because people on the internet can't send packets with a dst IP of 192.168.y.x

                                      Correct. It's only possible to use RFC 1918 addresses because of NAT.

                                      >There are some highly upvoted posts above to the effect of "but v6 will let the NSA/GCHQ/etc get access to my network"

                                      Yes, this is true: without NAT your internal addresses are publicly routable.

                                      With NAT they can be whatever you want, even addresses that publicly route to large organisations or are owned by large organisations but route nowhere. Call it an extra bump in the road for those across the internet who want to do harm to your systems.

                                      A FW that drops all inbound comms is good.

                                      NAT that masks all outbound comms to be from 1 or a limited collection of addresses is also good.

                                      A router or FW that knows what addresses should only be on what interfaces is also good.

                                      Private IPs that most of the planet uses internally are good.

                                      Security is a number of defences that combine to thwart attackers. NAT is 1 of the most powerful defences that thwarts would-be attackers from across the internet with no configuration needed by billions of users.

                                      With basic NAT your network is safe from everyone apart from perhaps some convoluted arrangement from your ISP; it's just not worthwhile port scanning unless you've port forwarded (which would also go through a FW). With just a basic FW you'd be DDoS'd in no time, be pwned, & it's totally worthwhile for scammers & hackers to do.

                                      If you have NAT you almost have a stateful FW, which is much better than a basic FW.

                                      If IPv6 had NAT at its heart we'd all have it now.

                                      1. Charles 9

                                        Re: And who told you I want to be measured?

                                        "if you have NAT you almost have a stateful FW which is much better than a basic FW."

                                        But not necessarily. He's basically stated and proved that NAT alone doesn't block incoming connections, and in the world of Don't Trust Anyone, you can't trust the ISP, either. One DOES NOT necessarily imply the other.

                                        Anyway, why do you think the ISP wouldn't supply a stateful IPv6 router when they're already doing the same with IPv4? You assume the ISP is a Janus: providing good firewalls on IPv4 but crappy ones with IPv6.

                                      2. Nanashi

                                        Re: And who told you I want to be measured?

                                        Which doesn't seem to be the case, e.g. both Comcast and Sky have big v6 deployments and they deploy working firewalls on their CPEs. Their customers are no more vulnerable to "somebody on the internet can try to connect to me" on v6 than they are on v4.

                                        > With just a basic fw you'd be DDOS'd in no time, be pawn'd & its totally worthwhile for scammers & hackers to do.

                                        Um... no. Just no to all of those. Removing NAT and using only a basic firewall (which these days means "blocks inbound connections while blindly permitting all outbound connections") doesn't make any of these more likely.

                                        >>There are some highly upvoted posts above to the effect of "but v6 will let the NSA/GCHQ/etc get access to my network"

                                        > yes, this is true, without NAT your internal addresses are publicly routable

                                        It's not true. "Routable" doesn't mean "connectable". Not having NAT does not mean that anybody can connect to any of your machines whenever they want. You still have to permit the connection on your firewall.
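
The sub-thread above turns on one mechanism: routing and NAT are separate stages, so a packet that arrives on the WAN side already carrying a LAN destination never touches the NAT table, and only a firewall rule can drop it. The toy router below is an added illustration, not code from the thread or from any product; the addresses, ports and interface names are constructed sample values from the RFC 5737 and RFC 1918 ranges.

```python
"""Toy model of a home router's packet path: source NAT for outbound flows, reverse NAT only for
replies that match a mapping, plain routing for everything else, and an optional stateful
firewall as a separate stage in front of routing.  Added illustration, not the thread's code;
addresses, ports and interface names are constructed sample values."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Tuple

LAN_NET = ipaddress.ip_network("192.168.1.0/24")    # constructed inside network (RFC 1918)
WAN_IP = ipaddress.ip_address("203.0.113.7")        # constructed public address (RFC 5737)
FIRST_NAT_PORT = 40000


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrived on: "wan" or "lan"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Router:
    """NAT router; with stateful_firewall=True, WAN packets that match no known flow are dropped."""
    stateful_firewall: bool
    # WAN-side port -> (lan_ip, lan_port, remote_ip, remote_port); doubles as the flow table
    nat_table: dict = field(default_factory=dict)
    next_port: int = FIRST_NAT_PORT

    def forward(self, pkt: Packet) -> Tuple[str, Optional[Packet]]:
        """Return (egress, packet as it leaves the router); egress is 'lan', 'wan' or 'drop'."""
        if pkt.iface == "lan":
            return self._outbound(pkt)
        return self._inbound(pkt)

    def _outbound(self, pkt: Packet) -> Tuple[str, Packet]:
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        for wan_port, known in self.nat_table.items():
            if known == flow:
                break
        else:
            wan_port, self.next_port = self.next_port, self.next_port + 1
            self.nat_table[wan_port] = flow
        # Source NAT: the LAN host is hidden behind the router's WAN address and a mapped port.
        return "wan", Packet("wan", str(WAN_IP), wan_port, pkt.dst, pkt.dport)

    def _inbound(self, pkt: Packet) -> Tuple[str, Optional[Packet]]:
        dst = ipaddress.ip_address(pkt.dst)
        flow = self.nat_table.get(pkt.dport)
        is_reply = (dst == WAN_IP and flow is not None
                    and flow[2:] == (pkt.src, pkt.sport))
        if self.stateful_firewall and not is_reply:
            # The actual security control: WAN traffic matching no existing flow is dropped
            # before routing, whatever destination address it carries.
            return "drop", None
        if is_reply:
            # Only here does NAT act: undo the source translation made on the way out.
            lan_ip, lan_port, _, _ = flow
            return "lan", Packet("lan", pkt.src, pkt.sport, lan_ip, lan_port)
        if dst in LAN_NET:
            # Already addressed to a LAN host: NAT has nothing to translate, and plain
            # routing hands the packet straight to the LAN interface.
            return "lan", pkt
        return "drop", None     # neither the router's own address nor a network behind it


if __name__ == "__main__":
    for stateful in (False, True):
        r = Router(stateful_firewall=stateful)
        stray = Packet("wan", "198.51.100.99", 1234, "192.168.1.10", 22)
        print("stateful firewall:", stateful, "-> WAN packet with LAN dst:", r.forward(stray)[0])
```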

              2. Anonymous Coward
                Anonymous Coward

                Re: And who told you I want to be measured?

                > Incoming TCP connections might need some assistance in the event of CGNAT, but UDP doesn't

                If your CGNAT is a cone NAT then it can work for UDP, but with symmetric NAT it won't.

            2. Blotto Silver badge

              Re: And who told you I want to be measured?

              @Nanashi

              Lots of wrong in that; not sure where to start.

              IPs are much harder to memorise in v6.

              If your /64 is constantly changing, how are you meant to set your firewall rules to secure some hosts and not others? Yes, you can assign some hosts to a particular subnet and secure that instead, but you've lost granularity.

              NAT is easy to understand, especially for those who had no clue it was protecting their home setups.

              >It shouldn't. This is nothing like as big a deal as you think it is. The addresses aren't clearly identifiable

              The whole point of public addressing is to be able to route from point to point. No matter how often the IP changes it is clearly identifiable, as it routes back to your continent, country, ISP and then your subnet they provide to you.

              >> NAT is what makes consumer level broadband safe enough to do e-commerce over.

              This is correct.

              http://serverfault.com/questions/426183/how-does-ipv6-subnetting-work-and-how-does-it-differ-from-ipv4-subnetting

              1. Nanashi

                Re: And who told you I want to be measured?

                > the problem is the auto-assigned /64 portion of the address uses EUI and is made up from the machine's MAC address. MAC addresses are well defined, from a known pool, and are therefore in a small enough pool to be scanned. In addition, any receiving system can determine what vendor the originating machine is, and from your subnet a collating service can determine how many hosts are on your network. In addition, every time you connect it can track you from net to net, like from home, work, Starbucks etc, as the /64 can be the same across nets as it can be globally unique (as it uses the MAC address)

                Not quite. There are two things you've missed here: RFC 7217-style opaque identifiers and privacy extensions.

                Privacy extensions basically mean that your host picks a random IP (which it changes frequently) from the subnet for outbound connections. People you connect to won't get your MAC address, and since the IP changes every time you change network you can't be tracked between subnets either. (The MAC-based v6 address is still assigned on the system, but it's only used for incoming connections.)

                RFC 7217 opaque identifiers replace the MAC-based addresses with a hash of the network prefix, the MAC and some secret value. Essentially this means you get a random address for each network you're on, but you always get the same address per network. Note that you still get privacy extensions (which are completely random) on top of this for outbound connections.

                Privacy extensions are enabled by default on pretty much everything, and the RFC 7217 stuff is available and enabled by default on Windows 7+, the current version of OS X and in some cases on Linux. So the conclusions from your paragraph generally aren't what happens in practice.

                > IP's are much harder to memorise in v6. if your /64 is constantly changing how are you meant to set your firewall rules to secure some hosts and not others

                It honestly really isn't (provided you've picked easy-to-remember addresses; it's possible to pick hard-to-remember addresses, but if you do that _and_ refuse to use DNS then you only have yourself to blame). It's about as hard as v4's pair of two addresses is.

                Firewalls can match on just the last 64 bits (or can generate the full 128 bits based on your current network setup). Although I do agree that dynamic prefixes suck and really should be avoided.

                > NAT is easy to understand, especially for those who had no clue it was protecting their home setups.

                I could grant you this, but not having NAT is still easier to understand than having it. There's no way that rewriting the address of packets in mid-flight is easier to understand than not doing it.

                > the whole point of public addressing is to be able to route from point to point. no matter how often the IP changes it is clearly identifiable as it routes back to your continent, country, ISP and then your subnet they provide to you.

                But it's no more identifiable than a NATed v4 network. Your v6 prefix is as identifiable as your WAN v4 address is, and the host part of the v6 address is basically random so it doesn't reveal any useful information.

                You can certainly argue how identifiable an IP address is, but v6 addresses are no worse than v4 ones in this regard.

                >> NAT is what makes consumer level broadband safe enough to do e-commerce over. [...] this is correct

                No, what makes it safe is that people can't connect to machines on your network without manually permitting the connection. This isn't something you lose by deploying v6, so it's not a valid argument for not going to v6.

                (Or, well, are we just ignoring TLS, remote code execution vulnerabilities in browsers and the fact that users are idiots and will run whatever dodgy crap they feel like? It feels like you have a conveniently narrow definition of security here.)
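
To make the three address-generation schemes discussed above concrete (modified EUI-64, RFC 7217 stable identifiers, and temporary privacy addresses), here is an added illustration that is not code from the thread. RFC 7217 leaves the hash function F to the implementation; SHA-256 is used here, and the MAC, prefixes and secret key are constructed sample values.

```python
"""Three ways an IPv6 host can pick the 64-bit interface identifier (IID) of its SLAAC address.
Added illustration, not code from the thread.  RFC 7217 leaves the hash F to the implementation;
SHA-256 is used here.  The MAC, prefixes and secret key are constructed sample values."""
import hashlib
import ipaddress
import secrets
from typing import Optional


def modified_eui64_iid(mac: str) -> bytes:
    """Legacy SLAAC IID: flip the universal/local bit and splice 0xfffe into the middle of the MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def rfc7217_iid(prefix: str, net_iface: str, secret_key: bytes,
                network_id: bytes = b"", dad_counter: int = 0) -> bytes:
    """RFC 7217 stable IID: low 64 bits of F(Prefix | Net_Iface | Network_ID | DAD_Counter | secret_key).

    Same prefix, interface and secret give the same IID every time; a different prefix
    (i.e. a different network) gives an unrelated one, and nothing about the MAC is exposed.
    """
    if not 0 <= dad_counter < 256:
        raise ValueError("DAD_Counter must fit in one byte")
    net = ipaddress.IPv6Network(prefix, strict=False)
    material = (net.network_address.packed[:8] + net_iface.encode()
                + network_id + bytes([dad_counter]) + secret_key)
    return hashlib.sha256(material).digest()[-8:]


def temporary_iid() -> bytes:
    """RFC 4941-style temporary IID: fresh random 64 bits, rotated periodically, used for outbound."""
    return secrets.token_bytes(8)


def make_address(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Concatenate a /64 prefix with an 8-byte IID."""
    if len(iid) != 8:
        raise ValueError("IID must be 8 bytes")
    net = ipaddress.IPv6Network(prefix, strict=False)
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)


def mac_from_address(addr: str) -> Optional[str]:
    """What a remote peer can read back: the MAC if the IID is modified EUI-64, otherwise None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    mac, key = "00:11:22:33:44:55", b"constructed-secret"      # constructed sample values
    for pfx in ("2001:db8:1::/64", "2001:db8:2::/64"):          # "home" and "work" prefixes
        legacy = make_address(pfx, modified_eui64_iid(mac))
        stable = make_address(pfx, rfc7217_iid(pfx, "eth0", key))
        print(pfx, "EUI-64:", legacy, "-> reveals", mac_from_address(str(legacy)))
        print(pfx, "RFC 7217:", stable, "temporary:", make_address(pfx, temporary_iid()))
```

Running it shows the EUI-64 address carrying the same MAC on both prefixes, while the RFC 7217 address changes between prefixes and the temporary address changes on every run.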

                1. Vic

                  Re: And who told you I want to be measured?

                  It honestly really isn't (provided you've picked easy-to-remember addresses;

                  Really? How do I pick my prefixes, then? Because the ones I've got were allocated to me by my upstream providers, and they're really not very memorable.

                  No, what makes it safe is that people can't connect to machines on your network without manually permitting the connection. This isn't something you lose by deploying v6

                  Yes you do. If the address is routable - as it is with v6 - it will be routed. Thus you have moved from default DENY to default ACCEPT.

                  Vic.

  4. Anonymous Coward
    Anonymous Coward

    ISPs and company intranets know how many end users they have - and can measure their internet traffic through their firewalls. Why should anyone external to them want to know that information? It strikes me as essential business and user privacy.

  5. Mage Silver badge

    I don't want to be measured!

    1) Reputation-based security systems;

    2) Address geolocation; and

    3) Network troubleshooting.

    Item 1:

    Reputation-based security systems: basing that on URL or IP address (IP4 or IP6) is madness; it doesn't really work. You need a handshake and private tokens + public key encryption.

    Item 2:

    Address geolocation: go piss off. That ought to be illegal. Besides, it's notoriously unreliable.

    Item 3:

    Network troubleshooting: whose network? Makes no difference to your own and irrelevant to the public network, or do you want to peer inside OTHER people's networks?

    Sorry, none of these reasons are arguments against IP4 and NAT. There may be good reasons to go all IP6, but these three reasons don't apply.

    I certainly don't want anyone to know how many things are on my LAN and what their addresses are. If all was IP6, for privacy and security, I'd still have a firewall / router and hide all my network.

    There are only BAD reasons why a 3rd party would want me to have everything using public IP6.

    1. Lee D Silver badge

      Re: I don't want to be measured!

      Item 2) Facebook gave me the weather for Cardiff yesterday.

      Very odd as I was sitting in London at the time.

      Even odder, as we have a fixed static IP on a leased line that only goes to one site, which we've had for years and has never moved.

      If even then you can't get it right, what hope for mobile, dynamic IP, etc. users?

      1. Doctor Syntax Silver badge

        Re: I don't want to be measured!

        "Facebook gave me the weather for Cardiff yesterday.

        Very odd as I was sitting in London at the time."

        Where's your ISP based? I've certainly seen one site try to tell me where it thought I was. It thought I was at my ISP's address.

        1. Lee D Silver badge

          Re: I don't want to be measured!

          "Where's your ISP based? I've certainly seen one site try to tell me where it thought I was. It thought I was at my ISP's address."

          What does it matter? That's not where the connection was. That information is thus incorrect and useless for geographically limiting anything.

          In the same way that everything geographically-limited can be got around with a half-decent VPN.

    2. Nanashi

      Re: I don't want to be measured!

      The good reasons are that v4 is too small, and that NAT is an unnecessary headache (or would be unnecessary if it wasn't for the "v4 is too small" bit).

      > I certainly don't want anyone to know how many things are on my LAN and what their addresses are. If all was IP6, for privacy and security, I'd still have a firewall / router and hide all my network.

      Yeah. But you don't need NAT for this. You'll still have a firewall/router with v6. Your network will still be just about as "hidden" as it is with v4 (that is to say, not hidden at all because you connected it to the internet, but nobody can count your computers from your IPs because the IPs are constantly and randomly changing).

      > There are only BAD reasons why a 3rd party would want me to have everything using public IP6.

      There are good reasons too, for instance software authors won't need to add NAT traversal support if you don't use NAT. IoT widgets won't need to connect to a central server to allow for remote control. Games will benefit from both of those aspects, which frees up more money to make the game more awesome.

      There are reasons you don't want NAT yourself either. Imagine a version of Skype where the calls go directly to the other party, rather than through a Microsoft server. Wouldn't that be better for your privacy? But we can't even attempt to do that without dealing with ubiquitous NAT.

      1. Anonymous Coward
        Anonymous Coward

        Re: I don't want to be measured!

        A router doesn't change the packet, so outside you'll see how many machines are inside. Expect ISPs to limit the number of internal devices you use, until you pay for a "premium package". Believe they won't? I know some that already tried it with MAC addresses connected to their routers.

        NAT automatically works as a DENY ALL rule for incoming connections. A firewall needs to be properly set up; expect people to bork their own security by opening access to make some silly application work. Usually ALLOW ALL is what ensures it works...

        If ever I allow an IoT device on my LAN, it MUST be able to connect only to a central server WITHIN my LAN ONLY. It's exactly some kind of remote control from outside that worries me the most.

        Skype is going to a client/server (make that "cloud") model anyway, because peer-to-peer is not good for analyzing your contents... and once you have a NAT traversal library for games you don't have to waste precious resources which hinder "awesomeness".

        1. Nanashi

          Re: I don't want to be measured!

          I don't think trying to limit the number of devices you have is going to work well, in part because you could just run to NAT if they tried. But that doesn't mean everyone should be forced to use NAT all the time just in case some ISP somewhere goes retarded.

          ISPs do suck, but that's no reason to fight v6.

          > If ever I allow an IoT device on my LAN, it MUST be able to connect only to a central server WITHIN my LAN ONLY.

          Yeah, this is basically how I run my IoT-style stuff too. You are free to do this even if you're using v6 on your LAN, it won't stop you from doing it. v6 just gives you the _possibility_ of accepting selected inbound connections in any situation where you actually do want remote control (which is something you won't be able to do on v4 once CGNAT ends up being common).

          > Skype is going to a client/server model anyway, because peer-to-peer is not good for analyzing your contents...

          Well, yeah, but the point is that nobody can make a direct peer-to-peer program when everybody is behind multiple levels of NAT. If you don't want to run everything through a central server, then step 0 is to make it possible to avoid doing that. Whether anybody will come along and take advantage of the possibility is a separate matter, but they definitely won't if it's not possible.

          > and once you have a NAT traversal library for games you don't have to waste precious resources which hinder "awesomeness"

          In theory, except people seem to have trouble with NAT traversal quite frequently, and it still requires running some form of servers to set up the traversal. And some games opt not to bother and instead require multiplayer to use central servers hosted by the company, which they have to pay for and will eventually shut down. (And did I mention the extra latency caused by all this crap?)

          > Which makes extra work for whoever's programming the firewall and hence increases the probability of bugs

          It's not so bad. The random addresses are for outbound connections; for inbound connections you have a fixed address (which is difficult to find without knowing what it is, because a /64 is so extremely large that it's impossible to scan). So your inbound firewalls don't need to change frequently.

          What about firewalls/ACLs on servers that you connect to? For those, you just allow the /64, i.e. the whole network. That's what you had to do in v4 anyway, where the whole network was NATed behind one public IP.

          So actually this part of firewalling ends up basically identical to the current situation in v4.

          1. Duncan Macdonald

            Re: I don't want to be measured!

            Users do NOT control the code in an IoT device - the only way to limit its access to and from the internet is to have some type of firewall device that does not let its traffic through. A NAT router will stop J Random Hacker on the internet from connecting to the IoT device but will not block the IoT device from sending information out unless the NAT router has a firewall rule blocking outgoing traffic from the IoT device.

            Of course the best way to block traffic from IoT devices is to never buy them.

            For non-PC network devices (e.g. printers), access to and from the Internet should normally be completely blocked. (If IPv6 has to be used then such devices should ONLY be allocated a link local address to break any communication with the Internet.)

          2. Anonymous Coward
            Anonymous Coward

            Re: I don't want to be measured!

            I routinely do inbound connections with IPv4. Never heard about a thing called "VPN"? It works through NAT too...

            Games will keep on using central/cloud servers more and more because that's how they make more and more money. Heck, today you need an account on a server even to download and install a game, often even to start it (and Adobe CC or Office 365 are no different). Give me back software which doesn't need my data stored somewhere, thank you.

            Good luck, anyway, in maintaining firewall rules on crappy routers managed by your ISPs, which is what most non IT tech people are forced to use.

            Sure, I can use IPv6 and put enough security layers in front of my LAN so it won't change much - but it's not cheap because it means decent firewalls, routers, access point and switches. Many others with cheap hardware will start to live in a crystal box - which after all is what Google & C. really wants.

      2. Doctor Syntax Silver badge

        Re: I don't want to be measured!

        "You'll still have a firewall/router with v6. ... the IPs are constantly and randomly changing"

        Which makes extra work for whoever's programming the firewall and hence increases the probability of bugs. We have enough problems with leaky router/firewalls already without adding more places to leak.

        Pessimistic? Certainly - we're dealing with security here.

      3. Vic

        Re: I don't want to be measured!

        Imagine a version of Skype where the calls go directly to the other party, rather than through a Microsoft server

        What, like SIP?

        I've been using that for years. My wired phones trivially get through my NAT router to make this work. My wireless phones have to go through two layers of NAT. And yet it just works...

        Vic.

      4. Down not across

        Re: I don't want to be measured!

        There are good reasons too, for instance software authors won't need to add NAT traversal support if you don't use NAT. IoT widgets won't need to connect to a central server to allow for remote control. Games will benefit from both of those aspects, which frees up more money to make the game more awesome.

        How much software actually needs NAT traversal? Thought so. And the few where it is required can easily reuse any of the many existing solutions.

        Sorry, games aren't suddenly going to get any more awesome if people move from IPv4 to IPv6. In fact the whole IPv4 vs IPv6 thing is a complete non-issue to game development.

        There are reasons you don't want NAT yourself either. Imagine a version of Skype where the calls go directly to the other party, rather than through a Microsoft server. Wouldn't that be better for your privacy? But we can't even attempt to do that without dealing with ubiquitous NAT.

        Which is what Skype used to do before Microsoft took it over and decided only they can run the supernodes, whereas before any client could be one. This is a corporate decision rather than a technical issue. Sure, Skype needed to open up holes for UDP (a bit like STUN) but that doesn't mean traffic needs to go via Microsoft for technical reasons.

        1. Nanashi

          Re: I don't want to be measured!

          > I routinely do inbound connections with IPv4. Never heard about a thing called "VPN"? It works through NAT too...

          Using a VPN for inbound connections is just piling more hacks on top of hacks (and it's a big headache compared to just connecting to the machine you want to connect to), and the fact that you _can_ do it doesn't mean we shouldn't do IPv6.

          > Games will keep on using central/cloud server more and more because that's how they make more and more money.

          Maybe. But again, this isn't a reason to not do v6; we should be laying the groundwork to at least make it _possible_ for games to avoid going the central server route, because they certainly will go that route if they can't do anything else.

          > Sure, I can use IPv6 and put enough security layers in front of my LAN so it won't change much - but it's not cheap because it means decent firewalls, routers, access point and switches

          Actually it just needs a regular router, like the kind your ISP gives you. I realize ISP routers always suck, but they do function just fine as a firewall. Or you can replace it with your own router, roughly all of which support firewalling inbound v6. It's not expensive.

          > Many others with cheap hardware will start to live in a crystal box - which after all is what Google & C. really wants.

          Except not. Where did you get this "crystal box" idea from? IPv6 isn't a crystal box. Not having NAT doesn't magically make your network all open and visible for everybody. It's still your network, you're still behind a router and a firewall, it's still private. IPv6 is not some big conspiracy to make it easier to monitor you -- it's a conspiracy to make IP networks easier to run.

          > In fact the whole IPv4 vs IPv6 thing is a complete non-issue to game development.

          Anything that needs IP connectivity is affected by IP. Games in particular are affected because they're both latency sensitive and often peer to peer. CGNAT is bad for latency and it's definitely bad for peer-to-peer connections.

          > Which is what Skype used to do before Microsoft took it over and decided only they can run the supernodes, whereas before any client could be one. This is a corporate decision rather than a technical issue.

          Sort of... they may indeed have made the decision for corporate reasons, but the point is that us running out of v4 is forcing the decision on the technical side. If you want to have even the possibility of a competitor to Skype that doesn't run everything through an easily-monitored central server, then you want us to fix the technical side.

    3. Roland6 Silver badge

      Re: I don't want to be measured!

      Item 1: Whilst in some cases it may be valid to make assumptions about the relationship between an IP address and person/organisation, I suggest, given DHCP predates many of the WWW's security mechanisms and the security credential problems in recent years with multiple websites on the same IP address, this is, in general, a wholly invalid assumption being made by the arXiv researchers.

  6. Doctor_Wibble
    Headmaster

    Crap Counting Method

    1) If Akamai are one of the CDNs relentlessly pinging me to find out how far away I am, they should pss off because for the umpteenth fckn time it's not the network lag, it's the crappy response time of 'waiting for adserver.whatever' and their crappy scripts that are slow and my router doesn't respond to pings anyway.

    2) As an HTTP content delivery network they will only see content requests and content servers for HTTP though it doesn't surprise me to hear that they think there is nothing on the internet outside HTTP.

    3) Lots of things on the internet don't have anything to do with HTTP.

    4) No, really, see point 3.

    5) So what else happened in 2013/2014 that caused the 'stagnation', was there e.g. a large shift to the cloud or a bigger shift to mobile networks, i.e. clients behind proxies or IP6?

    Yes I have multiple annoyance +/- irrational issues with CDNs but that doesn't make me completely wrong...

  7. anthonyhegedus Silver badge
    Coat

    David Plonka?

  8. FuzzyWuzzys
    Thumb Up

    Good!

    Anything that pisses on Akamai's chips suits me just fine, they're nothing but a bunch of parasites!

  9. Anonymous Coward
    Facepalm

    I thought we were IT pros here

    You know that you can set any firewall rules you like right?

    My firewall's default setup was to allow all WAN ipv4 (with no ports forwarded), but to block all incoming WAN ipv6.

    You just have to stop using NAT as your first line of defence, and create proper firewall rules, starting with DROP EVERYTHING.

    1. Doctor Syntax Silver badge

      Re: I thought we were IT pros here

      "You know that you can set any firewall rules you like right?"

      Most net users are using whatever bit of kit their ISP posted out. If a penny can be shaved off the cost of that kit they'll do that. So now you're relying on the built-in firewall from the cheapest possible PoS bought from numpties who leave hard-coded test credentials in their S/W. And you expect an interface which will enable users to set rules and a firewall that will reliably obey them?

      1. ZenaB

        Re: I thought we were IT pros here

        > And you expect an interface which will enable users to set rules and a firewall that will reliably obey them?

        Why not? You trust your device to firewall IPv4 don't you?

      2. Anonymous Coward
        Anonymous Coward

        Re: I thought we were IT pros here

        Most net users are using whatever bit of kit their ISP posted out. If a penny can be shaved off the cost of that kit they'll do that. So now you're relying on the built-in firewall from the cheapest possible PoS bought from numpties who leave hard-coded test credentials in their S/W. And you expect an interface which will enable users to set rules and a firewall that will reliably obey them?

        Often the router makers understand about as much about TCP/IP as the end users.

        One D-Link router we had here refused to be assigned the LAN IP of 192.168.255.254/30. According to the firmware, you can't have 255 in an octet of an IP address. Anywhere.

        Some of the Netcomm NTC-6908 routers at my workplace (>$500 industrial things) have hard-coded root passwords accessed via Telnet and an out-of-the-box iptables firewall ruleset that is next to useless. Thankfully, because of that Telnet hole, we're able to edit the shell scripts to fix the iptables ruleset and configure OpenVPN the way we need it.

  10. GrumpyKiwi

    We lost

    IP v6. The result of a battle between Network Engineers and Programmers over who was going to have to do all the work.

    And we lost. Big time. Hiroshima level lost.

    Now all we can do is fight a rear-guard guerrilla battle against it.

  11. MR J

    Virgin Media

    Tells me that they have plenty of IPv4 capacity left, and there is no need for any user to need IPv4.

    1. bombastic bob Silver badge
      Trollface

      Re: Virgin Media

      Maybe Virgin Media has enough, but China and India are apparently running out (or have already). And if your public IP interferes with your LAN IP, that could be a problem.

      Yeah, being assigned a 10.x.x.x or 192.168.x.x or whatever the other netblock is, and you just happened to be using that netblock for your LAN. Whoops.

      I avoid 10.x.x.x but VirtualBox uses it by default. I would think ISPs might want to use 10.x.x.x and just NAT 2^22 customers through it (accounting for the few unusable IP address assignments for that which are dedicated to broadcast and stuff and/or might cause firmware to burp, based on an earlier post of something that hated having a 255 in a position NOT as the final byte).

      1. Blotto Silver badge

        Re: Virgin Media

        @bob

        The problem with that is internet routers cannot route for RFC 1918 addresses as they do not mean anything to global routing. Your NAT router needs to be globally addressable, hence why it has a public IP. CGNAT has been used and I gather is popular in Asia, but causes huge problems as you have user NAT then ISP NAT; if the CGNAT ages the session before the user NAT then the session must be re-established anew, causing excess latency and other clunky problems.

        The only problem with RFC 1918 addressing is when merging 2 organisations with overlapping address ranges and expecting traffic to go to the correct places when the same addresses are in 2 different places. Systems must be re-IP'd or kludges put in place, which always come back to bite you down the line.

  12. Kevin McMurtrie Silver badge

    NAT gonna happen

    Routers default to allowing incoming IPv6 connections only by whitelist. It must be that way. Many LAN devices and appliances have received Linux upgrades giving them modern IPv6 networking but the apps on them wouldn't last even one second when exposed to the world.

  13. David Roberts

    NAT and firewalling and stuff

    There have been various technical sounding explanations about how NAT doesn’t really act as a firewall. I am not a current networking expert but please bear with me.

    (1) To accept an incoming call on any port, there has to be an active listening process. NAT routers by default should have no active listening processes on any port; think of a NAT router where the only PC on the network is turned off. The network stack sees the incoming request but has nowhere to send it. A touch of firewalling just drops the incoming call instead of helpfully responding with a failure message.

    (2) Most Internet access from within a NAT fronted network (at least home ones) is likely to be email or web browsing (or Microsoft Update, I suppose). These connections are initiated from the PC to a known host, and generally have bits of protocol included to ensure that the conversation proceeds as expected. Granted that while one of these connections is active an incoming packet from a 3rd party can hit the open port (if you randomly spray all possible port addresses for all possible IP addresses) but isn't the most likely result that the packet will be dropped as not part of the established session? Some DOS potential but not much compared to other routes. If the connection is encrypted (as hopefully most are these days) then there seems even less scope for disruption. Of course, I don't know enough about the subject to be sure what a web browser will do if it receives an incoming GET/POST from a random 3rd party. Saying you are vulnerable to your ISP is taken as read; that is the obvious Man In The Middle. However as far as I can see your ISP also handles your network traffic so sees your IPv6 connections and so can subvert them anyway.

    (3) If I am more or less on track so far then the most obvious vulnerability is online gamers. NAT has, as far as I know, had frigs added for years to accept incoming calls on ports with no outgoing connections. However I think that the game still has to enable this feature at the NAT router; else how does the router know where to send the call?

    So I think that NAT acts as an (unintentional) firewall against incoming calls, and that the main use of a firewall is to catch outgoing calls to suspect/dangerous addresses (such as the above mentioned Windows Update server if you are running W10 and ad networks and data loggers).

    More details of credible exploits through unsolicited incoming calls to NAT routers welcome.

    I will note that I use my ISP supplied router in "modem" mode because I don't trust them to tinker and the firmware was crap anyway. However that isn't an IPv4 vs IPv6 thing. You are always vulnerable at some level to ISP network engineers.

    1. Roland6 Silver badge

      Re: NAT and firewalling and stuff

      Re: (3) If I am more or less on track so far then the most obvious vulnerability is online gamers.

      I would disagree; from my experience the most obvious vulnerability is UPnP, where applications tell the firewall what settings they need, without user intervention or oversight. What is not clear is how long such configurations last before the firewall closes ports.

      Also from my experience, I would suggest the most profitable port scans (i.e. the ones with a high probability of successfully detecting an open port) are:

      1. RDP ports: as these will pass all inbound traffic straight through to a waiting host... Naturally, if you are using one of the "server/man-in-the-middle" services such as LogMeIn then there should be no open RDP ports.

      2. Ports used by Outlook Web Access and MS Remote Desktops on WS 2012 and later, which also pass traffic straight through the perimeter firewall.

      The first is probably more of a feature of home networks and the second of business networks.

    2. Charles 9

      Re: NAT and firewalling and stuff

      OK, since you spoke so politely.

      1. For NAT to perform two-way communications, it can do one of two things:

      (a) the inside computer can initiate a connection to the outside. The NAT records this and maintains the relationship for as long as the connection is open. Once it closes, the relationship is removed. Now, this usually only works for stateful TCP-based connections (UDP doesn't work this way so requires something cleverer to deal with it) and only if the connection is initiated from the inside. Now, it works most of the time because most connections on the Internet are TCP-based and from the inside.

      (b) A skilled user can tell the NAT to forward certain classes of incoming connections (like specific ports) to specific machines. This is the usual means for a home user to expose a server or similar thing (like a P2P unit) to the outside. Otherwise, the server has to rely on outside help, making a bridging connection to some point on the outside.

      2. Going back to 1(a), since HTTP, POP3, etc. are all TCP-based (stateful) and initiated from the inside, NAT can maintain these connections.

      3. Gamers have one of two options. They can either open ports (solution 2) or use solution 1 to establish a bridge connection to a point outside. Your friends link up there and the system then passes the connections along.

      One of the arguments for using NAT is that it's a different kind of firewall operation: furthermore, it's one that (by design) has to block incoming connections by default, providing a line against automated attacks (targeted attacks can get around this by exploiting already-opened connections the way web exploits work). The counterargument is that in IPv6, this is little more or less than another firewall, and you can achieve the same function with a second (or better) firewall.

      Furthermore, it's not NAT in general that's being frowned upon: it's one-to-many NAT they don't want (because the spirit of the Internet is that any connected device should be reachable by any other device if it wishes to). Especially at the ISP/carrier level, this makes many endpoints invisible by force. They have no problem at all with one-to-one NAT, and indeed many techniques brought forth to mask a subnet's map rely on things that are essentially one-to-one NAT. It's like with the UNIX philosophy: one fundamental assumption is that policing should be a program's (or in this case, device's) own responsibility. Trouble is, reality intrudes and you find misbehaving UNIX programs and badly-configured endpoint devices, so the NAT proponents at least have a point. What some are wondering, though, is if the "automatic" shielding can't be achieved simply by offering a firewall with something like a "drop incoming by default, allow outgoing by default" ruleset.

      1. Vic

        Re: NAT and firewalling and stuff

        The NAT records this and maintains the relationship for as long as the connection is open. Once it closes, the relationship is removed. Now, this usually only works for stateful TCP-based connections (UDP doesn't work this way so requires something cleverer to deal with it) and only if the connection is initiated from the inside

        STUN passes through NAT very easily. It only requires that both endpoints know about each other and are happy to cooperate. This is a very easy way to get a zero-configuration UDP service set up...

        Gamers have one of two options. They can either open ports (solution 2) or use solution 1 to establish a bridge connection to a point outside.

        Well, if their games were to want to support it, they could also STUN their way through, just the same as we telephony types do. But that would mean that the gamers wouldn't need the games company's services, and that means a reduction in revenue. Guess why those games don't support it...

        the spirit of the Internet is that any connected device should be reachable by any other device if it wishes to

        No, I don't think that's true. Any internet is a "network of networks"; the interaction between those networks is at the discretion of the network owners, not the endpoints.

        What some are wondering, though, is if the "automatic" shielding can't be achieved simply by offering a firewall with something like a "drop incoming by default, allow outgoing by default" ruleset.

        You'd need something a little more complex than that; you'd need to open those incoming ports in response to outgoing operations. Or just run NAT and forget all about it.

        We all know that IPv6 doesn't require NAT in the way that IPv4 now does; but the opposition to people using it if they want to is simply irrational. It solves a problem for some people, and doesn't impinge upon anyone else except those that believe they have a right to unfettered access to everyone else's devices.

        Vic.

        1. Charles 9

          Re: NAT and firewalling and stuff

          "Well, if their games were to want to support it, they could also STUN their way through, just the same as we telephony types do. But that would mean that the gamers wouldn't need the games comany's services, and that means a reduction in revenue. Guess why those games don't support it..."

          Guess why many PC games DO support it? Because many PC gamers are savvy and know company support disappears after a while but user support lasts as long as there are fans for the game, which is why they insist on systems that allow for user-run dedicated servers. Otherwise, players don't buy the game at all, leaving the sellers in a quandary: 50% of something or 100% of nothing?

          "No, I don't think that's true. Any internet is a "network of networks"; the interaction between those networks is at the discretion of the network owners, not the endpoints."

          Not AN internet. THE Internet (proper noun), and yes that was one of the basic goals: to be able to connect anyone to anyone. NAT (especially at the carrier level) breaks that promise. If you don't feel this is the case, perhaps one should produce a new Internet (proper noun again) based on DIStrust instead.

          "We all know that IPv6 doesn't require NAT in the way that IPv4 now does; but the opposition to people using it if they want to is simply irrational. It solves a problem for some people, and doesn't impinge upon anyone else except those that believe they have a right to unfettered access to everyone else's devices."

          Oh? What about carrier-grade NAT? That's definitely NOT the user's choice and prevents the user from choosing to be visible because it's hard to STUN or otherwise route through a carrier-grade NAT, and doubly so if BOTH ends are NAT-ed.

          1. Vic

            Re: NAT and firewalling and stuff

            Guess why many PC games DO support it?

            Well if they do support it, then there's no problem. NAT won't get in the way.

            Not AN internet. THE Internet (proper noun)

            The Internet is one instance of an internet, and follows all the same principles. That's like saying "THE Cat (proper noun)" when someone has described the features of a cat.

            yes that was one of the basic goals: to be able to connect anyone to anyone

            Perhaps you'd like to provide a reference for that statement, since it's never been true to my recollection.

            Oh? What about carrier-grade NAT? That's definitely NOT the user's choice and prevents the user from choosing to be visible because it's hard to STUN or otherwise route through a carrier-grade NAT, and doubly so if BOTH ends are NAT-ed.

            What about carrier-grade NAT? It's trivial to STUN through it. I've done it regularly. And both ends are frequently NATted when you're using STUN. This is an everyday occurrence. Your objection makes as much sense as someone saying "Oh? And what about if someone's using 110V to power their PC?"; it's a total irrelevance.

            Vic.

            1. Charles 9

              Re: NAT and firewalling and stuff

              "Perhaps you'd like to provide a reference for that statement, since it's never been true to my recollection."

              OK.

              "Despite its origination in the IETF, many in the Internet's standard-setting community have criticized increased NAT usage because it violates the end-to-end architectural philosophy which has underpinned the Internet (and precursor networks) since its inception. Internet engineers first articulated this philosophy in the mid-1980s and later formalized this Internet principle in the IAB's "Architectural Principles of the Internet" document."

              Protocol Politics: The Globalization of Internet Governance, Laura DeNardis, p157-8

              So like I said, end-to-end accessibility is part of the fundamental nature of the Internet, which NAT violates in one-to-many mode. NAT66 and other one-to-one NATs are fine, however, because they still allow endpoints the ability to be accessed at their discretion (and perhaps that's the thing we need to consider--granting the ability but expecting the responsibility to say no, much like allowing people the vote even if they (like dumb Internet devices) may be too stupid to use it properly).

              1. Vic

                Re: NAT and firewalling and stuff

                Protocol Politics: The Globalization of Internet Governance, Laura DeNardis, p157-8

                That's a paper from 2009, and as such, does not constitute substantiation for the statement "the spirit of the Internet is that any connected device should be reachable by any other device if it wishes to". The Internet predates that paper by some decades, and whatever claims it might make about what people thought in the 1980s are not going to bind the designers in the 1960s.

                Vic.

                1. Charles 9

                  Re: NAT and firewalling and stuff

                  A paper from 2009 which goes on to cite documents dating back to 1984, BEFORE the Internet went mainstream.

                  It helps to check the footnotes on page 157. Here's one cited work: "The Design Philosophy of the DARPA Internet Protocols" from the Proceedings of SIGCOMM 88 (meaning it dates back to 1988).

                  1. Blotto Silver badge
                    Facepalm

                    Re: NAT and firewalling and stuff

                    Charles, you're debating a denier: he's correct, everyone else is completely wrong. You can't win against that; despite whatever practical experience you may have, his 2 mins clicking around his home router makes him a network guru.

                    I hope he comes back and reads all this once he has understood why he is wrong.

            2. Charles 9

              Re: NAT and firewalling and stuff

              "What about carrier-grade NAT? It's trivial to STUN through it. I've done it regularly. And both ends are frequently NATted when you're using STUN. This is an everyday occurrence. Your objection makes as much sense as someone saying "Oh? And what about if someone's using 110V to power their PC?"; it's a total irrelevance."

              Not as trivial as you think (especially if one end is multiple-NATted such would be the case with a CGN), plus there's performance penalties. It's all noted in RFC 7021: "Assessing the Impact of Carrier-Grade NAT on Network Applications".

    3. Blotto Silver badge

      Re: NAT and firewalling and stuff

      @ David

      IP packets have a source port and destination port in addition to destination IP. The NAT device takes note of the source & destination ports and the destination IP and replaces the source IP with its own; it then looks for return traffic matching what went out and changes the destination IP from itself to the originating internal host. The src & dst ports and the remote IP must match what went out for the traffic to be forwarded to the internal host. This is why NAT is essentially a stateful FW, which is better than a non-stateful FW as unsolicited inbound requests are dropped by default.
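
      The translation table Blotto describes here, together with Charles 9's options (a) (inside-initiated bindings) and (b) (a static port forward) and the session aging mentioned earlier in the thread, modelled as a toy stateful NAT gateway. This is an added example, not code from any commenter or product; addresses and ports are constructed from the RFC 5737 documentation ranges, and the idle timeout, port range and rule names are assumptions of the model, not of any real router firmware.

```python
"""Toy stateful NAT gateway: shows why unsolicited inbound packets are dropped."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed addresses from the RFC 5737 documentation ranges; not a real network.
GATEWAY_WAN_IP = "203.0.113.10"


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Binding:
    inside_ip: str
    inside_port: int
    remote_ip: str
    remote_port: int
    gw_port: int       # port the gateway substituted for (inside_ip, inside_port)
    last_seen: float   # time of the last packet in either direction


class NatGateway:
    def __init__(self, wan_ip: str, idle_timeout: float = 300.0, first_port: int = 40000):
        self.wan_ip = wan_ip
        self.idle_timeout = idle_timeout   # assumed aging interval; real gear varies
        self.next_port = first_port
        # outbound lookup: (proto, inside_ip, inside_port, remote_ip, remote_port) -> Binding
        self.out_index: Dict[Tuple[str, str, int, str, int], Binding] = {}
        # inbound lookup: (proto, remote_ip, remote_port, gw_port) -> Binding
        self.in_index: Dict[Tuple[str, str, int, int], Binding] = {}
        # static rules (option (b)): (proto, gw_port) -> (inside_ip, inside_port)
        self.forwards: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self.dropped = 0

    def add_port_forward(self, proto: str, gw_port: int, inside_ip: str, inside_port: int) -> None:
        self.forwards[(proto, gw_port)] = (inside_ip, inside_port)

    def _allocate_port(self) -> int:
        # Never hand out a public port that a static forward already owns.
        while ("tcp", self.next_port) in self.forwards or ("udp", self.next_port) in self.forwards:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def _install(self, proto, inside_ip, inside_port, remote_ip, remote_port, gw_port, now) -> Binding:
        b = Binding(inside_ip, inside_port, remote_ip, remote_port, gw_port, now)
        self.out_index[(proto, inside_ip, inside_port, remote_ip, remote_port)] = b
        self.in_index[(proto, remote_ip, remote_port, gw_port)] = b
        return b

    def outbound(self, pkt: Packet, now: float) -> Packet:
        """LAN -> WAN: create or refresh a binding and rewrite the source (option (a))."""
        self.expire(now)
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        b = self.out_index.get(key)
        if b is None:
            # A forwarded service answering a client keeps its static public port.
            fwd_port = next((p for (pr, p), tgt in self.forwards.items()
                             if pr == pkt.proto and tgt == (pkt.src_ip, pkt.src_port)), None)
            gw_port = fwd_port if fwd_port is not None else self._allocate_port()
            b = self._install(pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, gw_port, now)
        b.last_seen = now
        return Packet(pkt.proto, self.wan_ip, b.gw_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        """WAN -> LAN: deliver only if the full tuple matches a binding or a static rule."""
        self.expire(now)
        b = self.in_index.get((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_port))
        if b is None:
            target = self.forwards.get((pkt.proto, pkt.dst_port))
            if target is None:
                self.dropped += 1   # unsolicited: nothing on the LAN is expecting it
                return None
            b = self._install(pkt.proto, target[0], target[1], pkt.src_ip, pkt.src_port, pkt.dst_port, now)
        b.last_seen = now
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, b.inside_ip, b.inside_port)

    def expire(self, now: float) -> None:
        """Age out idle bindings; a reply arriving afterwards counts as unsolicited."""
        stale = [k for k, b in self.out_index.items() if now - b.last_seen > self.idle_timeout]
        for k in stale:
            b = self.out_index.pop(k)
            self.in_index.pop((k[0], b.remote_ip, b.remote_port, b.gw_port), None)


def demo() -> dict:
    gw = NatGateway(GATEWAY_WAN_IP, idle_timeout=60)
    # (1) A browser on the LAN opens an HTTPS connection: binding created, source rewritten.
    out = gw.outbound(Packet("tcp", "192.168.1.20", 51000, "198.51.100.5", 443), now=0)
    # (2) The server's reply matches the binding and reaches the inside host.
    reply = gw.inbound(Packet("tcp", "198.51.100.5", 443, GATEWAY_WAN_IP, out.src_port), now=1)
    # (3) A third party hitting the same gateway port is dropped: remote IP/port do not match.
    stray = gw.inbound(Packet("tcp", "198.51.100.77", 12345, GATEWAY_WAN_IP, out.src_port), now=2)
    # (4) Traffic to an unrelated port finds neither a binding nor a static rule.
    scan = gw.inbound(Packet("tcp", "198.51.100.77", 12345, GATEWAY_WAN_IP, 22), now=2)
    # (5) Option (b): an explicit forward for a game server admits unsolicited traffic.
    gw.add_port_forward("tcp", 25565, "192.168.1.30", 25565)
    game = gw.inbound(Packet("tcp", "198.51.100.77", 40001, GATEWAY_WAN_IP, 25565), now=3)
    game_reply = gw.outbound(Packet("tcp", "192.168.1.30", 25565, "198.51.100.77", 40001), now=4)
    # (6) Session aging: after the idle timeout the old reply is no longer recognised.
    late = gw.inbound(Packet("tcp", "198.51.100.5", 443, GATEWAY_WAN_IP, out.src_port), now=100)
    return {"out": out, "reply": reply, "stray": stray, "scan": scan, "game": game,
            "game_reply": game_reply, "late": late, "dropped": gw.dropped}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

      Step (3) is the point Blotto makes: the gateway port alone is not enough, the remote address and port have to match the binding too. Step (6) is the aging problem raised for CGNAT earlier in the thread, here on a single box with a deliberately short timeout.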

  14. Simulacra75

    Genuine query

    I read this article with interest, well, more the comments section. Something I was wondering: are there genuine tools (pen test I suppose) that I could use to test that my home setup is secure/insecure, from a WAN perspective?

    I'm not a complete novice but I'm certainly no firewall/NAT/routing expert either, and if there were tools I could get my hands on that would give some pointers as to whether my setup was good/bad, etc, I think it would be useful. Does anyone have any suggestions?

    1. Vic

      Re: Genuine query

      are there genuine tools (pen test i suppose) that i could use to test that my home setup is secure/insecure, from a WAN perspective?

      Go to grc.com, fight your way through the adverts for his other products, and look for "Shields Up". This will scan your WAN address.

      Take everything else you find there with a pinch of salt; Steve Gibson is one of those people who knows quite a bit about some things, is massively deluded about others, and it's often hard to tell which is which...

      Vic.

  15. gnarlymarley

    IPv6 tracking

    Hmmmm, maybe the fault of all of us blocking ICMP? Not sure why they cannot see all the machines we are using. Deep packet analysis will show how many machines are behind NAT. Makes me wonder if we need to open up our firewalls so they can accurately count addresses.

    1. Charles 9

      Re: IPv6 tracking

      How can you deep analyze ENCRYPTED packets?
