by chatmasta 3744 days ago
I know it pains neckbeards to hear this, but IPv4 is not going anywhere, as long as it remains in the business interests of major cloud providers, and as long as people continue to deploy NAT based firewalls as a security feature.

Re: business interests: Cloud businesses can acquire IP addresses at price points far higher than the average developer can. Now that the ARIN address space is exhausted, cloud providers will begin to buy more and more IPv4 space until they have a complete monopoly and large portions of IPv4 are controlled by just a few companies. This will price other companies out of offering cloud services that are IPv4 compatible.

Re: security: Sure, the original intended purpose of NAT was not security, but people use it for that, and will continue to do so. If you want to put multiple boxes behind a single IP address, IPv4 is the easiest way to do it. In fact, IPv6 seems to be a step backward in terms of security. Every device does not need to be openly addressable from anywhere on the Internet, and developers will always choose the path of least resistance, especially when it's more secure.


NAT is not a security feature; it never was and it never will be. Stateful connection tracking, however, is a security feature. NAT uses it to route the right packets to the right computers, but firewalls can also use the same feature to drop unsolicited packets. It's nearly trivial to do this with iptables, OpenWRT does it by default, and I'm sure most other IPv6-capable routers do it too. I'm just as secure on IPv6 as I am on IPv4.

IPv6 also allows you to do weird stuff like using a single IP address per connection, which makes it even harder to address a single computer from the internet.

IPv6 is just as safe if not safer than IPv4, if you use it correctly.

I use IPv4 (NAT) and IPv6 at home. I can access my desktop behind NAT using IPv6, which is good, but I see attempts to brute-force the root password via SSH, which is bad.

Definitely don't permit root to log in with a password. It's strongly recommended that you don't allow anyone to log in with a password, only with (password protected) keys stored on their machines.

So why don't you just run a firewall on your router?

NAT is not a security feature. Please stop repeating this toxic drivel.

NAT is not the same as firewalls, and firewalls do not require NAT. NAT is just an ugly hack to stretch IPv4's inadequate address space, and it's one that breaks quite a few protocols and generally makes a lot of things painful and complex.

Remember back when there were two dozen different networking layers vying for the ability to link Docker containers? (There still are, but Docker's hype wave has crested so you don't see them every 5 minutes on here.) With IPv6 and no NAT, none of that is necessary. Just give every container a real address, set your firewall rules accordingly, and every container anywhere can talk directly to every other container without any added complexity. Give each container host a /96 address and let it assign container IPs from the remaining /32, for up to four billion containers per host. Since IPv6 specifies that an ISP should hand out /64s to customers, each customer can have 4 billion container hosts.

Getting rid of NAT makes everything orders of magnitude simpler.

I do wonder about monopoly resistance. I wonder if IPv6 has been shunned by Amazon, Google, and Microsoft clouds because they see a long term advantage in preventing adoption. IPv6 makes peer to peer systems a lot easier to build, and peer to peer is direct competition to the 'run absolutely everything through the cloud' model. IPv6 could actually reduce the cloud's importance (especially for data transit) if it were widely deployed.

I didn't say NAT is a security feature. I said developers use NAT to benefit security. The security benefit of NAT is that it forces developers to assign a predictable, private IP address to each device/container/vm/box behind its "firewall," which the gateway can then use for enforcing QoS policies or port whitelisting. Sure, you can do this on IPv6. But IPv6 is more complicated to implement, because all tools support IPv4, and only some support IPv6.

How does that help security?

IPv6 has usability problems (I've written on this), but these are unrelated to security in any direct way.

The reason I call it toxic is that the idea that NAT helps security is a harmful superstition that spooks people about IPv6 adoption. It's also driven some to actually implement IPv6 NAT, which is kind of like strapping a horse feed bag on the front of your car.

There's a ton of superstition and cargo cultism in network security, since most people -- even developers -- don't understand much about how networks work.

NAT is so painful. Even the specs are written with grossly overloaded terminology.

>The reason I call it toxic is that the idea that NAT helps security is a harmful superstition that spooks people about IPv6 adoption.

In all fairness, the common NAT implementation involves L4 params and the requisite state for ingress traffic. It makes like a filter that is "drop any" with respect to the NAT IP address (with the exception of in-state traffic). Further, it also limits the IP protocols available. Example, you will not likely be doing SCTP across your NAT and certainly it would be difficult to send directed OSPF packets during this[0] fun thing. It still leaves things to be done (like dropping internal IP space traffic on the external IFs), but the requisite components supply a lot.

I think I've seen the problem though. In general, network engineers have failed to break down the components of NAT: 1) State, 2) Rewrite, 3) A filter dropping traffic not matched by state. Fundamentally, the only thing we need to do in IPv6 is 1) state and 2) a filter. Their failure, combined with the packaging of components that NAT provides, feeds the valid points of the superstition while neglecting the details (what happens when we look at too big of a picture, or philosophical thing).

>It's also driven some to actually implement IPv6 NAT, which is kind of like strapping a horse feed bag on the front of your car.

The ignorance of management and "netwerk sekurity esperts" aside, NAT does have use cases in IPv6. Example, if we're performing renumbering frequently, does it make operational sense to roll over prefixes with RAs/DHCP? Maybe the expectation is for multiple prefix advertisement, but then which IP should be used for internal vs. external? Should all applications always rely on DNS? What are the implications for routing networks that may be designed with separate number spaces? The reasons for why these things may be done are not absolutely "wrong" or "bad design" and should not necessarily adopt a purist model.

[0]https://tools.cisco.com/security/center/content/CiscoSecurit...
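An added illustration, not code from the thread, of the split argued in the two comments above: component 1 (state) plus component 2 (a filter dropping anything not matched by state), with no component 3 (rewrite). The addresses, ports and packets are constructed for the demo; every host keeps its real address, unsolicited inbound traffic is dropped, internal address space arriving on the external interface is dropped, and one service is still published deliberately.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str        # source IPv6 address (constructed sample values below)
    sport: int
    dst: str
    dport: int
    inbound: bool   # True when the packet arrives on the external interface


class StatefulFilter:
    """State (1) and filter (2) without rewrite (3): a firewall, not a NAT."""

    def __init__(self, inside, allow_in=()):
        self.inside = set(inside)        # addresses behind the firewall
        self.allow_in = set(allow_in)    # (dst, dport) pairs published on purpose
        self.state = set()               # 4-tuples of flows opened from inside

    def handle(self, p: Packet) -> str:
        if not p.inbound:
            if p.src not in self.inside:
                return "DROP"            # outbound packet with a foreign source
            self.state.add((p.src, p.sport, p.dst, p.dport))
            return "ACCEPT"              # remember the flow we initiated
        if p.src in self.inside:
            return "DROP"                # internal space on the external IF
        if (p.dst, p.dport, p.src, p.sport) in self.state:
            return "ACCEPT"              # reply to a flow opened from inside
        if (p.dst, p.dport) in self.allow_in:
            return "ACCEPT"              # deliberately published service
        return "DROP"                    # default: unsolicited inbound


if __name__ == "__main__":
    fw = StatefulFilter(inside=["2001:db8:1::10", "2001:db8:1::20"],
                        allow_in=[("2001:db8:1::20", 443)])
    # unsolicited SSH probe against the desktop: dropped even though it is routable
    print(fw.handle(Packet("2001:db8:f::1", 50000, "2001:db8:1::10", 22, True)))
    # desktop opens an HTTPS connection outbound, then the reply comes back
    print(fw.handle(Packet("2001:db8:1::10", 40000, "2001:db8:f::1", 443, False)))
    print(fw.handle(Packet("2001:db8:f::1", 443, "2001:db8:1::10", 40000, True)))
```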

> Give each container host a /96 address and let it assign container IPs from the remaining /32, for up to four billion containers per host.

A /80 for Docker is preferred because it can map 1 to 1 onto the MAC address for SLAAC.

see also: https://docs.docker.com/v1.5/articles/networking/#ipv6
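The arithmetic behind the /96-per-host plan above and the /80-per-host reply, as an added example that is not code from the thread or from Docker. It carves per-host subnets out of a customer's /64 without enumerating them, counts how many fit, and places a 48-bit MAC into the low bits of a host prefix, which only works for /80 or shorter (a /96 leaves 32 host bits). The prefix and MAC are constructed values.

```python
import ipaddress


def subnet_count(prefix: str, new_plen: int) -> int:
    """Number of /new_plen networks inside prefix, e.g. /96 hosts inside a /64."""
    net = ipaddress.IPv6Network(prefix)
    if not net.prefixlen <= new_plen <= 128:
        raise ValueError("new prefix length must lie between the parent's and 128")
    return 2 ** (new_plen - net.prefixlen)


def host_subnet(customer_prefix: str, host_index: int, host_plen: int) -> ipaddress.IPv6Network:
    """Carve out the host_index-th /host_plen arithmetically (no enumeration of 2^32 subnets)."""
    net = ipaddress.IPv6Network(customer_prefix)
    if host_index >= subnet_count(customer_prefix, host_plen):
        raise ValueError("host_index does not fit inside the customer prefix")
    base = int(net.network_address) + (host_index << (128 - host_plen))
    return ipaddress.IPv6Network((base, host_plen))


def mac_fits(host_plen: int) -> bool:
    """A 48-bit MAC maps 1:1 onto the host bits only for /80 or shorter."""
    return 128 - host_plen >= 48


def container_address(host_prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Put the MAC into the low 48 bits of the host prefix (the /80 scheme)."""
    net = ipaddress.IPv6Network(host_prefix)
    if not mac_fits(net.prefixlen):
        raise ValueError(f"/{net.prefixlen} leaves {128 - net.prefixlen} host bits; a MAC needs 48")
    mac_int = int(mac.replace(":", "").replace("-", ""), 16)
    if mac_int >> 48:
        raise ValueError("MAC must be 48 bits")
    addr = ipaddress.IPv6Address(int(net.network_address) | mac_int)
    assert addr in net                   # the prefix bits are never touched
    return addr


if __name__ == "__main__":
    customer = "2001:db8::/64"                      # constructed customer prefix
    print(subnet_count(customer, 96), "hosts at /96, each with", 2 ** 32, "addresses")
    host = host_subnet(customer, 1, 80)             # second /80 host in that /64
    print(host, "->", container_address(str(host), "02:42:ac:11:00:02"))
    print("/96 fits a MAC:", mac_fits(96))          # False: only 32 host bits
```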

> I know it pains neckbeards to hear this

Please edit acerbic swipes out of your comments to HN. It's distracting, provoking and detracts from your otherwise substantive comment.

> In fact, IPv6 seems to be a step backward in terms of security. Every device does not need to be openly addressable from anywhere on the Internet...

Today I blow your mind: https://en.wikipedia.org/wiki/Unique_local_address https://www.sixxs.net/tools/grh/ula/

> Now that the ARIN address space is exhausted, cloud providers will begin to buy more and more IPv4 space until they have a complete monopoly and large portions of IPv4 are controlled by just a few companies. This will price other companies out of offering cloud services that are IPv4 compatible.

I don't see that being effective. IPv6 is here, and you can't put the genie back in the bottle. See above where somebody linked to the TWC page where they point out that they have reached 100% IPv6 coverage. And they are one of the largest ISPs around. (And from my subjective perception, one of the laggards on implementing IPv6.) Common home routers have been shipping with IPv6 support for years, and probably a huge swathe of the 'net population (in America anyway) have dual-stack and just don't know it.

And IPv6 adoption is only going to keep growing. Pretty soon there won't be any consumers who are stuck on v4, so there will be no reason to try and establish a monopoly on v4 addresses.

Regarding the path of least resistance for developers: eventually, hopefully, perhaps traversing NAT will prove to be a bigger pain for the average developer than just using IPv6.