by nsbq71 2983 days ago
>we still have around nine million recovered IPv4 addresses in our available pool. Under current policy and growth rates, we expect these to last a further two years.

And by then they will have recovered even more. The end of IPv4 is a lie, and how bad IPv6 is and the lack of good transitioning systems doesn't help.

We do have more and more people in the world. Things like NATing can help get around it to some extent, but at the end of the day there aren't enough addresses to give every human alive today even one IP address. That doesn't strike me as a problem that can be solved by buybacks.
Trouble is that NAT solved a huge chunk of the problem. The current setup is not quite painful enough for people to want to fix it. The good is the enemy of the great, as it were.
> not quite painful enough

NAT was (and is) so destructive and painful that some of us gave up writing network software in the late 90s/early 00s. I personally abandoned several network-focused projects in the early 2000s.

The current status quo only seems "not quite painful enough" if you accept that most people cannot use true network software, limited to client-server architecture where party lines[1] communicate with each other only with the permission of central privileged imprimatur[2].

[1] https://en.wikipedia.org/wiki/Party_line_%28telephony%29

[2] https://www.fourmilab.ch/documents/digital-imprimatur/

"if you accept..." I mean, isn't that a very reasonable assumption? Do you really disagree with the notion that more than half of the global population doesn't care at all about the ability to "use true network software", wouldn't use it if they could, and, as long as they're not restricted too much, knowingly avoid solutions with more freedom and actually prefer centralized solutions as long as they're even just a bit more convenient? Heck, if we don't listen to what people are claiming and look at their actions, then even in the techie crowd the majority aren't ready to sacrifice minor conveniences to choose decentralized models over a client-server setup run and entirely controlled by someone else.
The Internet would be very different (better) today if not for NAT.

NAT restricts what is possible to do over the network; for example, we only use the TCP and UDP protocols, because those protocols are supported by most devices. Similarly, we have a very minimal number of peer-to-peer applications. P2P is currently mostly popular with piracy, but it could be beneficial for other uses.

NAT + asymmetric speeds (which started because of DSL, but ISPs decided to keep things that way even though it is no longer necessary) are the reason why we have a lot of services that are centralized. IPv6 has a chance to fix this and I am so glad NAT wasn't included in its design.

> Trouble is that NAT solved a huge chunk of the problem.

Well it solved the roof collapsing, but the problem is it makes innovation difficult and straight up impossible in some cases.

NAT is the problem. If you are behind a CGNAT, then you effectively can't use the Internet properly.
Also I do not need to have directly accessible stuff on my home network. I can use Dropbox or buy a cheap VPS if I want to keep my data in sync.

One is security; NAT is nice for that: a lot smaller attack surface. Second, keeping your stuff always running at home is unreliable and annoying.

Would be nice if I did not have to pay for a VPS, but the $5 a month cheapest Linode is more than enough for my hobby projects.

IPv6 solves the problem of one IP per device; with IPv6 you can have both local and public IPs on the same interface! Then your apps and services can choose whether they would like to listen on local or public IPs.

Without NAT you can do so much more stuff, like peer-to-peer (p2p) networking. Yes, you can do p2p with IPv4 behind NAT, but it's super complicated and brittle.

Also, bypassing the NAT is complicated: you have to fiddle with the router settings, and often you have to call your ISP to give you a public IP. This makes it hard or impossible to sell "Internet of things" (IoT) devices to regular people, as you can't just plug them in.

Networks today are very good with high bandwidth and low latency, which enables some interesting use cases, for example virtual reality (VR) where you just have a thin client plugged in to the network and then have all the compute power located in a data-center a few miles away, with sub ms latency.

Another use case is apps with service-like functionality, like a decentralized Facebook, and chat messengers.

> Also I do not need to have directly accessible stuff on my home network. I can use Dropbox or buy a cheap VPS if I want to keep my data in sync.

You also can walk everywhere instead of using machines to move around ... but why would you?

> One is security, NAT is nice for that a lot smaller attack surface.

No, it doesn't. It's a common myth, but NAT does not provide any security, it only hides insecurity.

> Second keeping your stuff always running at home is unreliable and annoying.

Complete non-sequitur?

Do you have a redundant power supply at home, a redundant internet connection? Keeping your own server up and running at home is unreliable and annoying. Having animals or kids makes it even more difficult. If I had to rely on it being up while I am abroad, I would rather pay for a VPS.

Hiding insecurity is perfectly valid. It is making the attack surface smaller. I do not get pings of death, constant scanning, login attempts all the time on my local machine, which is always behind NAT. Every server that has a public IP gets scanned or tried out with vulnerabilities. I can connect a totally new PC to a router with NAT and not be owned in a matter of minutes by some botnet. My router might be exposed, but it is something I know. All machines behind the router are perfectly fine for remote vulnerabilities.

> Do you have a redundant power supply at home, a redundant internet connection?

Depends what you need. My last power outage was over a year ago, and Internet issues will generally resolve themselves in a relatively short period of time. That's reliable enough for a lot of use cases.

> Do you have a redundant power supply at home, a redundant internet connection? Keeping your own server up and running at home is unreliable and annoying.

That's all beside the point. When you want to share a file with someone while you are both working on it, say, there is no need for a "server". IP is perfectly fine for transferring a file from your machine to theirs. When you want to talk to someone over the net, there is no need for a "server". IP is perfectly fine for transmitting voice calls from your machine to theirs.

Your mistake is in your assumption that you even need a server in the first place. For some things, that might be useful. For other things, that is only needed as a workaround for NAT in the first place.

Also, reliably running a server at home isn't that hard either, even today. With hardware offerings that are a better fit, it could be even easier. There isn't really any reason why hosting your own "server" at home needs to be any more difficult than hosting your own vacuum cleaner.

> Hiding insecurity is perfectly valid. It is making the attack surface smaller.

No, it doesn't. It simply makes it harder for you to notice that you are not secure, that's all. This is not about whether firewalling insecure services off from public access makes the attack surface smaller. It does. But NAT doesn't, a firewall does. If you have a firewall, you don't need NAT. If you don't have a firewall, NAT won't protect you.

> I do not get pings of death, constant scanning, login attempts all the time on my local machine, which is always behind NAT. Every server that has a public IP gets scanned or tried out with vulnerabilities.

Which is just completely irrelevant. None of these things are a security risk. They are annoyances when trying to debug the network, that's all. And none of that is in any way fundamentally helped by even a firewall. You have a huge attack surface in your web browser that is completely unaffected by your firewall and by NAT as well, pretending that a service listening on a port is somehow a huge security problem, but executing untrusted code inside a massively complicated virtual machine is harmless is just completely focusing on the wrong problem. Also, all those pages that you load into your browser sort-of have access to your local network anyway, because your browser is inside your firewall and can connect to all those services that you pretend your NAT protects.

> I can connect a totally new PC to a router with NAT and not be owned in a matter of minutes by some botnet.

You are constantly confusing firewalls and NAT. That is done by a stateful firewall, not by a NAT.

> My router might be exposed, but it is something I know. All machines behind the router are perfectly fine for remote vulnerabilities.

That is an extremely naive perspective.

AKA "worse is better", biting us in the arse once again.
What's wrong with IPv6? The only complaints I've seen are "the numbers are bigger", as if that's not the point, and that makes them harder to remember.
My "main issue" with it is that if people are used to being behind NAT, they now have to be a bit more careful about securing their computers (firewall etc.) because every computer now is publicly accessible. Most routers do not even seem to have an IPv6 firewall.
The 'residential gateway' for my attached fiber connection doesn't allow incoming SYNs for the IPv6 addresses it hands out, and I couldn't even find a way to tell it to let me actually use the internet as intended, other than bypassing it (which works fine).

Most endpoints these days don't have much if anything listening by default though. The reality is that even trusted local networks are hostile networks, and vendors have responded to that.

Ultimately we do need to secure our endpoint devices. They need to be secure by default. NAT and firewalls let us get away with insecure broken OSes and services for a while, but not forever, and they create the "soft underbelly problem" where once someone manages to hop your firewall everything is vulnerable.
NAT does not provide access protection. NAT only hides the lack of access protection when it isn't there. A stateful firewall provides access protection, and that works with both IPv4 and IPv6.
Same. And it's only really an issue for me because around here the home/SOHO IPv6 rollout is transparent to clients.

So people who have been trusting NAT to be a firewall wake up one day to their network being directly routable, and are none the wiser.

Also some implementations (including Windows) [0] expose the MAC address of your device to the Internet, creating a huge privacy problem. IPv6 is a mess.

[0] https://social.technet.microsoft.com/Forums/windows/en-US/57...

One of these days y'all are going to see it my way... in which I think ipv6nat is important to use despite everything you hear about ipv6nat saying it should never be used, usually by people theorycrafting instead of being responsible for actual systems. (Cue the "but NAT was never very secure" etc. comments.)
It's harder to block spammers and DoS attackers. It's not obvious with IPv6 how large of a subnet to block.
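Two of the points above are easy to check on your own hosts: whether an IPv6 address embeds the interface's MAC (the EUI-64 format that the "expose the MAC address" comment refers to), and which /64 an offending address falls in when deciding how large a subnet to block. The script below is an added example, not code from the thread or any project; the sample addresses are constructed, and /64 is assumed as the usual per-link allocation, not a rule the thread states.

```python
import ipaddress

def eui64_mac(addr: str):
    """Return the MAC embedded in an EUI-64 interface identifier, or None.

    An EUI-64 IID (low 64 bits of the address) splits the 48-bit MAC around
    the fixed bytes ff:fe and flips the universal/local bit (0x02) of the
    first byte. Addresses from privacy extensions or stable-random IIDs do
    not have the ff:fe marker, so they come back as None (a random IID can
    still contain ff:fe by chance, so treat a hit as a strong hint, not proof).
    """
    ip = ipaddress.IPv6Address(addr)
    iid = ip.packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02                 # undo the U/L bit flip
    mac = bytes([first]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)

def covering_network(addr: str, prefixlen: int = 64) -> str:
    """Return the prefix of the given length that contains addr.

    Assumption: a /64 is the usual size handed to a single link, so it is a
    common first choice when deciding what to block or rate-limit.
    """
    return str(ipaddress.IPv6Network(f"{addr}/{prefixlen}", strict=False))

def audit(addrs):
    """Map each address that leaks a MAC to that MAC (constructed inputs)."""
    leaks = {}
    for a in addrs:
        mac = eui64_mac(a)
        if mac is not None:
            leaks[a] = mac
    return leaks

# Constructed sample: one EUI-64 address (MAC 00:11:22:33:44:55) and one
# privacy-style address as a host might show both on the same interface.
SAMPLE = [
    "2001:db8::211:22ff:fe33:4455",   # EUI-64 derived, leaks the MAC
    "2001:db8::a1b2:c3d4:e5f6:789",   # random IID, nothing to recover
]

if __name__ == "__main__":
    for a, mac in audit(SAMPLE).items():
        print(f"{a} embeds MAC {mac}; blocking prefix {covering_network(a)}")
```

On a real host, feed the addresses shown by `ip -6 addr` (or `ipconfig` on Windows) into `audit` to see whether the stack is handing out EUI-64 identifiers.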
That's approximately a /17 worth of IPv4 addresses, recovered over multiple years going through all the low-hanging fruit (e.g. the original /8 networks).

9 million addresses for 2 years is a burn rate of ~375k/month. Another 2 million newly obtained addresses in the next 2 years will last 6 more months.

At some point IPv6 will become more economical.

It's already more economical, it's just not surfaced very well economically. People hide the price of IPv4.

One of the IPv6 ISPs did a talk about this, they realised that rather than hiding this cost they could surface it and then magically instead of "Try to persuade technical people to choose IPv6" the situation is "Make technical people explain to their finance department why they're spending the extra money" and what do you know, "Learn IPv6" is way more popular than "Argue with accountants".

IP addresses accumulate reputations as well as background noise traffic bound for them. While "plenty" of these recovered addresses exist, there is something to be said for being able to get allocations of unused addresses.
If the address is used you must refuse.