[Hnrobert42]

Wow. It's like your reply is doing an impression of IPv6! (I'm just teasing. I hope you are having a happy new year.)

Not GP, but:

> What happens when multiple devices in your /8 want to listen on port 80 and 443 on the public address? Only one of them can. Now you're running a proxy.

I don't want any of my devices listening on the public address, much less multiple.

> It's called a firewall. You want a firewall. IPv6 also has a firewall. NAT is not a firewall. NAT is usually configured as part of your firewall, but is not a firewall.

That's a non sequitur. I can have a both a firewall and a NAT. The two layers are better than one because at least my address is shouldn't be routable even if I failed to configure my firewall correctly.

> DHCPv6 Okay? DHCPv4

> What are you supposed to do with a /8? Do you have several million computers? That's GP's point. Running out of address space is not a problem even on IPv4 with NAT.

> What happens if your ISP changes your IPv4 address? Well, an ostensible advantage of IPv6 is publicly routable addresses. I know how to configure my internal IPv4 network with host table entries and so on. If I move to IPv6 then my "internal" network address space is at the whim of my ISP.

[MindSpunk]

Been having a nice break over the new year, thank you :)

I can't argue with sticking on IPv4 when you have no need for IPv6. However, people saying no NAT means no firewall really bothers me because it's just wrong and usually gets thrown around as part of a point around "who needs IPv6 anyway".

The two layers IMO don't make a practical difference. A deny by default firewall will fail closed, unless poorly configured. A poorly configured firewall for IPv4 with NAT can still leave machines exposed. This is not an IPv4/IPv6 problem this is down to your router. However you do expose what used to be private addresses with IPv6, but there's not much to do with the address that couldn't be done with your IPv4 address assuming sane firewalls that both stacks run.

On the other side of the coin IPv6 being ubiquitous would make my life much easier. I self host a few things across a few different machines. IPv6 offers me a much simpler solution, both to managing firewalls and not needing to fight over port 80/443, but also because I can't get a public IPv4 address from my ISP without spending ungodly amounts of money. They support IPv6 but many of the services I host don't support it. I have to use a second site + machine, wireguard tunnels, and nginx socket proxies to expose stuff publicly (this is cheaper than the public IPv4 address from my ISP).

My point about DHCPv6 is to say that if you want to use DHCP in IPv6 you can. It's right there, it's just not the default.

IPv6 doesn't make things substantially harder, just different. But people don't want to learn new things because, to be fair, they don't need them. But people who do need IPv6 are stuck behind garbage ISPs and this "not my problem" attitude throwing around ignorant arguments. Complaints about long addresses really get me too :), use a DNS.

[everdrive]

>IPv6 doesn't make things substantially harder, just different. But people don't want to learn new things

I learn new things all the time. IPv6 is much more complicated, and importantly, more complicated than it needs to be. There is really no reason for most devices to be publicly reachable. Everyone keeps holding this up as a positive, but it's absolutely not. Most devices aren't servers. Yes, a firewall can prevent these connections, but the whole standard is built around this use case most people don't need most of the time.

Private IP space is incredibly useful. I build it and set it up -- my ISP does not have control. This is _gone_ with IPv6 and it makes things much more complicated than they need to.

[stavros]

> There is really no reason for most devices to be publicly reachable. Everyone keeps holding this up as a positive, but it's absolutely not. Most devices aren't servers.

Ever tried to call someone over the internet? Well, now you need a publicly reachable device.

Please, stop spreading this ignorance. You rely on your devices being reachable from the internet every single day, you're just not aware of it, because you're using a barely-working pile of duct tape and string that sort-of allows peer to peer connections to happen, after some arcane STUN/TURN/whatever magic.

If you wanted to send someone a file in the Olden Days, you'd just click on their IRC username, the client would open a connection to them and you'd send the file. Now you need to use iCloud or some nonsense, because apparently people believe that peer-to-peer connections aren't needed and shouldn't even work.

[brewmarche]

I’m wondering, wouldn’t a default deny inbound firewall still need hole punching with IPv6? You wouldn’t need STUN to find your global address but if you use varying ports you’d need to communicate the port first, and you’d also need to time the simultaneous open. So a coordinating party is still needed somewhere. Getting rid of TURN relays (if you’re affected by symmetric NATs) is of course a huge plus.

[stavros]

No, you'd have something like UPnP open a port on the firewall, I imagine. It depends on the setup, which can now be much more flexible, since the firewall can run on the machine itself. You also have the benefit that multiple machines can listen on the same port, so you don't need a proxy any more.

[fluoridation]

>Ever tried to call someone over the internet? Well, now you need a publicly reachable device.

Uhh... Is this the '90s? People don't type in IP addresses (or phone numbers, back in the day) to connect with other people anymore. They connect to a common, publicly reachable server that deals with peers being behind NAT.

[arianvanp]

Most video calling software uses STUN NAT hole punching and not central relay servers. You are definitely publicly routed when you call through Google Meet or WhatsApp or FaceTime

[lazylizard]

https://atscaleconference.com/calling-relay-infrastructure-a...

if i read this right, whatsapp calls go thru relay servers?

[stavros]

To be fair, I think Google Meet with multiple participants still uses a relay server, instead of N^2 streams, but I may be wrong.

[jdiff]

Now you've got significant additional latency, which is why this is very often not what actually occurs in these situations if it's at all avoidable.

[aboardRat4]

It doesn't really matter. Any communications provider must keep call records for the FSB, so routing them through central servers and recording there is the only option anyway.

[patmorgan23]

May I introduce you to our Lord and Savior the Domain Name System.

[stavros]

How do you think this works, exactly?

[IgorPartola]

No it is not:

IPv4 header: https://upload.wikimedia.org/wikipedia/commons/thumb/6/60/IP...

IPv6 header: https://bitjunkie.org/wp-content/uploads/2023/10/ipv6-Header...

Notice how the IPv6 header is simpler? That’s because it is. It has normal working semantics, got rid of fragmentation, TTL is replaced by hop limit, and link-local addresses actually work as intended. The addresses look scary != more complicated. Please stop perpetuating this myth.

[everdrive]

If IPv6 were just an improved header and a longer address I'd be perfectly happy with it. I wasn't discussing either point you raised.

[IgorPartola]

That is literally all it is. There is nothing else to it. You get P2P connections and a longer address. The rest is what they removed from the protocol, not what was added.

[tsimionescu]

SLAAC is a huge and complex part of IPv6. Higher reliance on ICMPv6 is also a big part of it. Networking stacks for IPv6 are also more complex, especially if you want to support SLAAC, requiring things like multiple IPs on every machine by default, and so on. The very fact that you have to choose between static IP, SLAAC, and DHCPv6 is another complication - if the choice is even there, as some major devices don't support DHCPv6 (Android).

[binkHN]

> Private IP space is incredibly useful. I build it and set it up -- my ISP does not have control. This is _gone_ with IPv6 and it makes things much more complicated than they need to.

Not in the least; IPv6 has private address space just like IPv4.

[luckman212]

> Private IP space is incredibly useful ... This is _gone_ with IPv6

No, it's not. Learn about ULAs:

https://en.wikipedia.org/wiki/Unique_local_address

[notpushkin]

> Private IP space is incredibly useful. I build it and set it up -- my ISP does not have control.

You can have that with IPv6, too. You can even get your own ULA prefix that (hopefully [1]) only you will ever use: https://ula.ungleich.ch/

[1]: Technically, it doesn’t prevent anybody else from using the same space as you. (And you can’t advertise it, of course.)

[antonvs]

> the whole standard is built around this use case most people don't need most of the time.

This seems to be a function of when it was developed, starting in the early 90s before the internet as we know it today, particularly the web, even existed. Security wasn’t seen the same way then, because the threats we have today simply didn’t exist.

Not every company in the world had its own private networks, so there weren’t even good examples to follow. The result was a system designed in the effective equivalent of a vacuum, without regard for how the internet would actually end up being used. The result is the situation you described.

[RiverCrochet]

> This is _gone_ with IPv6

Incorrect. There is the ULA range, fc00::/7, which is not routable and can be used in the same place you'd use 192.168.0.0/16 or similar.

You can even do something like fc00::192:168:0:0/120 if you really want.

> There is really no reason for most devices to be publicly reachable.

If you want things to work in one direction only, you really want television or radio. This is how most people really treat the Internet, unfortunately.

[throw0101a]

> I learn new things all the time. IPv6 is much more complicated, and importantly, more complicated than it needs to be. There is really no reason for most devices to be publicly reachable.

Sigh. This myth really won't die.

Publicly addressable ≠ publicly reachable.

With my last ISP I had IPv6: every device (including my printer) on my local network had a public IPv6 address, but exactly zero were reachable thanks to the stateful packet inspection (SPI) on my Asus.

[DrewADesign]

You’re either arguing about semantics or missed the point they were trying to make. If it doesn’t have to be publicly reachable, why should it be publicly addressable in the first place? I can’t think of any common requirement that will be afforded to users having devices that will never need to be publicly reachable be publicly addressable. Considering most peoples use cases solely involve home networks of devices that they definitely do not want to be publicly reachable, why is needing to explicitly disallow that better for them?

In non-abstract terms, I just don’t see how that works better.

[throw0101a]

> I can’t think of any common requirement that will be afforded to users having devices that will never need to be publicly reachable be publicly addressable.

Because you do not know ahead of time which devices may have such a need, and by allowing for the possibility you open up more flexibility.

> [Residential customers] don't care about engineering, but they sure do create support tickets about broken P2P applications, such as Xbox/PS gaming applications, broken VoIP in gaming lobbies, failure of SIP client to punch through etc. All these problems don't exist on native routed (and static) IPv6.

> In order for P2P to work as close as possible to routed IPv6 in NATted IPv4, we had to deploy a bunch of workarounds such as EIM-NAT to allow TCP/UDP P2P punching to work both ways, we had to allow hairpinning on the CGNAT device to allow intra-CGNAT traffic to work between to CGNAT clients, as TURN can only detect the public-facing IP:Port, hairpinning allow 100.64.0.0/10 clients to talk to each other over the CGNATted public IP:Port.

* https://blog.ipspace.net/2025/03/response-end-to-end-connect...

By having (a) a public address, and (b) a CPE that supports PCP/IGD hole punching, you eliminate a whole swath of infrastructure (ICE/TURN/etc) and kludges.

When it was first released, Skype was peer-to-peer, but because of NAT "super nodes" had to be invented in their architecture so that the clients/peers could have someone to 'bounce' off of to connect. But because of the prevalence of NAT, central servers are now the norm.

A lot of folks on HN complain about centralization and concentration on the Internet, but how can it be otherwise when folks push back against technologies that would allow more peer-to-peer architectures?

[antonvs]

> by allowing for the possibility you open up more flexibility.

The problem is that flexibility is often the enemy of security, and that’s certainly true here. Corporate networks don’t want to allow even the possibility of devices that are supposed to be private being publicly addressable. Arguing that it’s “simpler” or “more flexible” is like arguing that we don’t need firewalls, for the same reasons. And in fact, that argument used to be made quite regularly. It’s just that no-one who deals with security has ever taken it seriously.

[everdrive]

It's baffling to argue that NAT is the real driver of centralization for internet technologies.

[DrewADesign]

I'd like to know the average number of broadband customers that make support tickets because of NAT. I'll bet it's far less than 1%. And you really think NAT, rather than SV betting huge on cloud services and surveillance capitalism, was the reason that everything is centralized? Come on...

[everdrive]

>>Yes, a firewall can prevent these connection

>Publicly addressable ≠ publicly reachable.

I already addressed this, and I know how firewalls work. It would be nice if on a per-device basis I could opt into a choice to be publicly addressable. Instead, the entire standard is built around this.

[avianlyric]

You literally can. You can just use local link addresses, IPv6 routers are guarantee not to forward those packets out of the network, or forward traffic into the network addresses to one of those IPs. Devices within the network can all still talk to each other.

If you really want to do the full Monty, add a NAT to your IPv6 router to have it translate to the local-link addresses, just like it would on IPv4.

I would highlight this is also identical to IPv4, which notably is also a standard built around the idea that every device in the world can, and should, be given a publicly addressable IP. Many large corporations and universities with /8 IP blocks do exactly this. Unfortunately when they originally wrote the IPv4 standard they slightly underestimated how many devices would eventually connect to the internet.

[s1gsegv]

If you disable the firewall with a “master disable” I suspect IPv6 routes through on at least some routers. Meanwhile if the NAT is disabled, it almost surely takes the route with it, and even if it somehow routes thorugh you probably won’t get a DHCP lease from your ISP for more than a device or two.

[lazystar]

> you do expose what used to be private addresses with IPv6

its been 10 years since i first rolled my eyes at ipv6 due to this problem. youre saying its still a problem, over a decade later? ugh. bring on ipv7 or ipv8.

[deng]

Not really, privacy extensions are usually on by default, at least on Windows and Linux. This means temporary ipv6 addresses will be used for outbound traffic and rotated regularly (usually every 24h by default, if I'm not mistaken). And if you're worried about tracking, we have lost this war ages ago, ipv6 wouldn't meaningfully change that.

[simoncion]

> its been 10 years since i first rolled my eyes at ipv6 due to this problem.

You might find this comment [0] informative.

You might also be interested to know that the ULA space was defined and reserved in October, 2005. If you of ten years ago had done a little more research, you'd have discovered that the problem had been solved ~ten years prior.

[0] <https://news.ycombinator.com/item?id=46468426>

[aragilar]

A NAT is part of a firewall, not a separate thing, so if the firewall is misconfigued, then your NAT may not be working either.

On not running out of (private) IPs, I guess you've never had the fun of having to deal with overlapping ranges (because it isn't the number of IPs that's the issue, it's how the ranges are allocated). While this can still happen on IPv6, there are so many more subnets that this is far less likely.

Also, a key thing that IPv6 makes obvious (which is also true to some extent of IPv4, but that most systems try to avoid showing) is that each link can have multiple IPs (there will be at least one link-local address), and so while your ISP can provide you a public range, you don't need to use it if you do not want to, you can always use an Unique Local Address (ULA - https://en.wikipedia.org/wiki/Unique_local_address), which reduce the chance of overlapping ranges.

[yrand]

Why do you think NAT is part of a firewall? NAT and firewall are two completely separate things that can exist independently of each other.

Also overlapping ranges are an orthogonal issue that can occur with IPv6 private network range as well.

IPv6 brings not only bigger address range but also a big bag of other things that one cannot ignore, are complicated and which are often a source of problems. That's why people stick with IPv4 even at the cost of NAT, because the number of things they have to care about is much smaller.

[da_chicken]

> NAT and firewall are two completely separate things that can exist independently of each other.

This is kind of like saying that web browsers don't have to have a graphical interface. Or that a web browser doesn't necessarily support HTTPS. It's correct, but not practically correct.

The reality is that essentially all NAT software you'll actually encounter will be integrated into a stateful firewall because the two systems share so many functions that most projects and products that do one will also do the other. If you have a system with NAT set up and there is no packet filtering, it's most often because you've intentionally gone and disabled all the packet filtering, not because you need separate software for it.

It is important to understand that NAT doesn't have any inherent security to it, but criticizing people for talking like NAT is a feature built into firewalls when NAT is overwhelmingly a feature built into firewalls is a pretty unfair reading when we're talking about general deployments. Even with the technical audience of HN, we're not discussing carrier grade NAT here or other highly specialized or exceptional deployments.

[Rapzid]

SNAT absolutely has intrinsic features that are utilized for security purposes.

This isn't to disagree with your main point. Many people in this topic have an oddly narrow definition "firewall" that tends to fall along the lines of "whatever makes me right and you wrong".

A statefull SNAT implementation itself has most of the characteristics of a "firewall".

[da_chicken]

> SNAT absolutely has intrinsic features that are utilized for security purposes.

Yes, but those features aren't there because they're security features. They're incidental to how NAT functions. It's not inherently secure. The intention of the design is to permit hosts on a network that is not Internet-routable to be able to send traffic that is Internet-routable. That's not a security feature. That's allowing traffic to pass that would ordinarily get black-holed.

> A statefull SNAT implementation itself has most of the characteristics of a "firewall".

Sure, but you should recognize that that's the same as saying a stateful SNAT implementation is an incomplete stateful firewall.

If your goal is to use private addresses, you should use NAT. The point is that if your goal is security, then you should configure a firewall.

Don't expect software that isn't designed to provide you security to provide you with any security.

[Rapzid]

SNAT is often a feature built on a network stack that also provides other "firewall" functionalities like filtering packets. Configuring SNAT is configuring a firewall? Or is only dropping packets a firewall? Or does the device need "firewall" printed on it? Does a device that has "firewall" printed on it still count as a firewall if it's not configured to filter packets? What type of filtering makes it a firewall? If an SNAT implementation drops packets is it a firewall? Is a linux/windows/bsd box with multiple interfaces a firewall? What if I slap "firewall" label on the box; a firewall now?

SNAT can be used to mask source IP and that can absolutely be utilized strategically as a layer of "security".

[immibis]

If your ISP delivered you a packet with a destination address of 192.168.0.5, there's a good chance your router would deliver it to that device without consulting the port forwarding table. In this way, NAT isn't a firewall and you're relying on your ISP's routing policy as your actual firewall.

[Rapzid]

If my ISP sent me a billion dollars I would be a billionaire.

What's represents a "good chance" the router is so grossly misconfigured as to allow inbound traffic no destined for the IP assigned to the WAN interface to be routed to one of the internal interfaces? I wouldn't be surprised, but what's a "good chance"? Is there data on this?

A typical, correctly configured SNAT implementation would most likely have the characteristics commonly attributed to a "firewall". An incorrectly configured network device may not have the characteristics commonly attributed to a "firewall", regardless of its ability to actually inspect and drop packets(which just about every commonly used OS network stack can do out of the box).

But even an SNAT implementation without typical "firewall" characteristics has intrinsic characteristics related to security; such as source IP masking. Which doesn't even need to be private.

[yrand]

> when NAT is overwhelmingly a feature built into firewalls

This is just not correct. NAT and firewall are simply orthogonal concepts and can and often are deployed separately. A simple example is your average small SOHO router, which usually has NAT but quite a lot of them lack a firewall.

[Sophira]

> if the firewall is misconfigued, then your NAT may not be working either.

But in that case, it's very obvious because your access to the WAN side of your router won't work from anywhere except the router itself.

I like this "fail-secure" nature of NAT. If your firewall fails on a network with globally-routable IPv6 addresses, it might not be so obvious as traffic might still flow through.

[abujazar]

It provides no security by itself. There have been (and still are) countless vulnerable Internet reachable NAT routers which can easily be exploited to provide access to the whole private network behind it. NAT by itself can't be relied on to provide any security – you need correctly configured firewalls for that. An ISP provider might provide a sensibly configured firewall with the home router, but they may also be operating an easily exploitable backdoor into your private network.

[icedchai]

Practically speaking, even without any firewall, NAT provides some level of security. If I can't route to your network, I can't access it. Yes, theoretically someone may establish a route to an RFC-1918 address block across the Internet or within your ISP, but doing so without ISP cooperation is unlikely. To say it is "easily" exploitable is an over-exaggeration.

[mixdup]

>If I move to IPv6 then my "internal" network address space is at the whim of my ISP.

This is a major problem to me before I'd go wholesale IPv6 at home as the primary way I address and connect to hosts

I have IPv6 enabled, but it's just all defaults. My traffic is going out over the internet on IPv6, my home automation stuff in the house using Matter is on IPv6, but for the few server-types that I have in the house they are still identifiable by me by their IPv4, and my addressing to get into my network from outside is via my ISP's IPv4 address

There really needs to be a universal way to bring IPv6 addresses to your ISP, so they're portable like a phone number. Both so that I can take them with me if I switch providers and so that my ISP can't arbitrarily change them from underneath me

[_ikke_]

With IPv6, it's common to have multiple addresses on an interface.

So on options is to assign yourself an [RFC 4193](https://datatracker.ietf.org/doc/html/rfc4193) fc00::/7 random prefix that you use for local routing that is stable, while the ISP prefix can be used for global routing.

Then you don't need to renumber your local network regardless of what your ISP does.

[mixdup]

What if I want my devices visible on the public internet? Then I'm tied to my ISP's addresses. Or, I have to maintain both addressing schemes

[_ikke_]

That's why I mentioned multiple addresses. The public addresses (assigned using SLAAC or DHCPv6) are for global reachability, while you use the local prefix for stable addresses within your network.

If you want stable global addresses, you should request an AS number and prefix, and choose a provider that allows you to announce it with BGP.

[parineum]

> and choose a provider

Lots of people don't have much choice.

Frankly, my IoT washing machine having a public IP address sounds like it'll get shut off when I don't let it online or don't pay my subscription fee.

[Dylan16807]

> Lots of people don't have much choice.

Yeah but it's not like IPv4 is any better at giving you a stable public address.

[preisschild]

Funfact my washing machine has a public ipv6 address, but egress/ingress conns to the WAN are blocked. works great.

[patmorgan23]

This is also the case with IPv4.

[simoncion]

> There really needs to be a universal way to bring IPv6 addresses to your ISP...

There is. It's "Provider-Independent" address space.

It's used sparingly because widespread use of it would explode the size of routing tables.

I think you could also "simply" [0] become your own AS/LIR/whatever and negotiate with your ISP to route your prefix/subnet/whatever to your site (or some box in a colo somewhere that you attach to your site with some sort of tunnel).

[0] It is my understanding that it is often not at all simple to do this.

[cromka]

I doubt this will ever happen, as it would make things extremely easy for spammers and scammers.

[mixdup]

Why? You could easily block their range and it'd be blocked no matter where they went

IPv6 is already a nightmare for dealing with scammers and spammers. It's very often I get weirdly blocked because someone has abused my ISP's (AT&T) IPv6 block that I'm on and Wikipedia or whoever has blocked an entire /48 or something and it's virtually impossible to get a delegation outside of that range

[fruitworks]

> That's a non sequitur. I can have a both a firewall and a NAT. The two layers are better than one because at least my address is shouldn't be routable even if I failed to configure my firewall correctly.

You have two layers of indirection and one layer of security. If you failed to configure your firewall correctly, you would be better off without NAT because you would become aware of it quicker and not rely on NAT.

NAT doesn't really do anything other than address conservation because of NAT-punching techniques like STUN/TURN/UPnP, which are nessisary because NAT's features are bugs.

[dvdkon]

> I can have a both a firewall and a NAT. The two layers are better than one because at least my address is shouldn't be routable even if I failed to configure my firewall correctly.

That's not true. When you configure just NAT (with e.g. nftables on Linux), the NATed devices are still reachable from the outside, you just have to add an entry to your routing table to reach that internal address space using the router.

[icedchai]

"Just add an entry to your routing table" ... it's virtually impossible to do that for RFC-1918 addresses across the internet. It will be filtered at the ISP border or an upstream. Is it theoretically possible? Yes. Is it an actual risk? Probably not.

[megous]

Well, if you're other customer of the ISP on the same network, then that may get more interesting... (or inside VPS provider's network)

[db48x]

> Well, an ostensible advantage of IPv6 is publicly routable addresses. I know how to configure my internal IPv4 network with host table entries and so on. If I move to IPv6 then my "internal" network address space is at the whim of my ISP.

This is not quite correct. You have two simple options for avoiding this: DNS and SLAAC. By giving all of your hosts dns names you don’t have to care about the individual addresses much. If they change just update the dns zone.

The second is to configure a Unique Local Address for each host using SLAAC. Have your router announce a prefix inside of fd00::/7 so that every one of your computers ends up with a private address as well as the public one. This is like using a reserved private address in IPv4, such as 10.0.0.0/8, except that there are a lot more possible networks. There is only one 10.0.0.0/8, but the convention with IPv6 ULAs is to generate 40 random bits and use them to make a /40. Add 16 more bits for a subnet id to create a /64 that your router will advertise as a prefix. This is probably overkill for most of us, but it does enable us to merge networks without causing address collisions. You can keep using them no matter what happens. Even changing ISP won't change these addresses.

Of course the third option is to buy IP transit service instead of internet access service. You can then go to your local RIR and ask them to assign you your own address block. Announcing that address block using BGP gives you a permanent block of routable addresses that follows you from ISP to ISP. But most people find that to be a bit of a hassle compared to consumer–grade internet service.

[everdrive]

>Of course the third option is to buy IP transit service instead of internet access service. You can then go to your local RIR and ask them to assign you your own address block.

Or I could just log into my router and disable IPv6

[db48x]

That’s boring.

[ninkendo]

> By giving all of your hosts dns names you don’t have to care about the individual addresses much. If they change just update the dns zone

"just" update the zone? Yikes. I prefer to not take that downtime in the first place. (And I know from experience, I've written hooks for dhcpcd that automatically reconfigure my zone file, firewall rules, rad.conf, etc, if I get a new network prefix! But I don't pretend that this is a workable approach for everyone.)

> The second is to configure a Unique Local Address for each host using SLAAC

Yes, this is the way. Where you used to use RFC1918 addresses, just use ULA. It's simple and fits the mental model you used to have with IPv4. You don't even need NAT, just give both the GUA and ULA addresses to each host, and use the ULA everywhere you want LAN-like semantics.

[strenholme]

“There is only one 10.0.0.0/8”

Also:

- There are 16 172.{16-31}.0.0/16s (I used 172.23 because Docker uses one of these)

- There are 256 192.168.{0-255}.0/8s

And that’s just what RFC1918 gives us. There are other private subnets defined in newer RFCs.

I like IPv6 but it caused issues with browsers accepting my Letsencrypt certs on my website, so my website is now IPv4 only.

“Announcing that address block using BGP gives you a permanent block of routable addresses that follows you from ISP to ISP.”

Enough people have done this that BGP networking has become a real mess at the ISP level. Can BGP really handle every person in the world doing this?

[gerdesj]

Class B or the 12 block is 172.16.0.0/12. So: 10/8, 172.16/12, 192.168/16.

[db48x]

Yes, I know that there are other private subnets in IPv4. My comparison was specifically between IPv6 ULAs and 10.0.0.0/8 specifically because of the size. You won’t have to renumber your networks when you grow in size because 2⁷² addresses is enough for just about any organization.

> Can BGP really handle every person in the world doing this?

Eh, probably not. I did say that it wasn’t for everyone. You have to fill out a form, and then they announce to the world that you did it. And if you configure your BGP announcements wrong you’ll get laughed at by everyone who watches those things. Most people can’t handle it.

On the other hand, the VP of Network Operations at the ISP I used once promised that they’ll honor BGP announcements even from residential customers. I guess once it’s automated that it doesn’t cost them anything extra. Could be a fun hobby.

And if enough people do it then we can simply improve BGP. Anything we invent we can improve, right?

[cromka]

Very interesting, had no idea IPv6 had this as an option. Thanks for the write-up!

[db48x]

You’re welcome. Have fun with it!

[throw0101a]

> That's a non sequitur. I can have a both a firewall and a NAT. The two layers are better than one because at least my address is shouldn't be routable even if I failed to configure my firewall correctly.

You talk about NAT like it's a single thing: it is not. There are at least three major varieties of NAT:

* https://blog.ipspace.net/2011/12/is-nat-security-feature/

See also various 'cones' that add complexity to getting things to work (and for which kludges like ICE/TURN/etc had to be invented):

* https://en.wikipedia.org/wiki/Network_address_translation#Me...

See also RFC 4787 which distinguishes between NAT mapping and NAT filtering. Also, also see perhaps "NAT Traversal Mess":

* https://blog.ipspace.net/2025/04/response-nat-traversal/

[paulddraper]

The RFC for NAT was extremely specific: this was only about creating more addresses, NOT security.

Because your devices are routable. You can’t be on the Internet without an IP. They just have some ephemeral addresses. But randomizing port numbers (that is NAT) is not a good security mechanism.

[throw0101a]

> The RFC for NAT was extremely specific: this was only about creating more addresses, NOT security.

It should also be noted that "NAT" is not some monolithic thing either, there are three 'major' varieties:

* https://blog.ipspace.net/2011/12/is-nat-security-feature/

[NewJazz]

Just FYI you can do ULA + NAT with IPv6 and get the same thing as RFC1918 + NAT on v4.

[unethical_ban]

>I don't want any of my devices listening on the public address, much less multiple.

That is good for you, but given the option between an address scheme that requires a proxy and one that does not, I would prefer the latter.

>I can have a both a firewall and a NAT. The two layers are better than one because at least my address is shouldn't be routable even if I failed to configure my firewall correctly.

Why? NAT is a network tool. Firewall is a security control.

[imtringued]

>I don't want any of my devices listening on the public address, much less multiple.

If you don't listen to public ports on IPv4, then there is no point in touting any of the benefits of IPv4. Even if you think NAT is good, you're not using it in the first place so why care about it?

You basically ruined your entire case with that sentence.

[cromka]

Great response. Your last point is particularly convincing and I never thought of it before. Even better, what happens if you use a failover WAN on your router?

[fnord77]

> I don't want any of my devices listening on the public address, much less multiple.

Just because you don't shouldn't mean other people get denied this.