[everdrive]

>IPv6 doesn't make things substantially harder, just different. But people don't want to learn new things

I learn new things all the time. IPv6 is much more complicated, and importantly, more complicated than it needs to be. There is really no reason for most devices to be publicly reachable. Everyone keeps holding this up as a positive, but it's absolutely not. Most devices aren't servers. Yes, a firewall can prevent these connections, but the whole standard is built around this use case most people don't need most of the time.

Private IP space is incredibly useful. I build it and set it up -- my ISP does not have control. This is _gone_ with IPv6 and it makes things much more complicated than they need to.

[stavros]

> There is really no reason for most devices to be publicly reachable. Everyone keeps holding this up as a positive, but it's absolutely not. Most devices aren't servers.

Ever tried to call someone over the internet? Well, now you need a publicly reachable device.

Please, stop spreading this ignorance. You rely on your devices being reachable from the internet every single day, you're just not aware of it, because you're using a barely-working pile of duct tape and string that sort-of allows peer to peer connections to happen, after some arcane STUN/TURN/whatever magic.

If you wanted to send someone a file in the Olden Days, you'd just click on their IRC username, the client would open a connection to them and you'd send the file. Now you need to use iCloud or some nonsense, because apparently people believe that peer-to-peer connections aren't needed and shouldn't even work.

[brewmarche]

I’m wondering, wouldn’t a default deny inbound firewall still need hole punching with IPv6? You wouldn’t need STUN to find your global address but if you use varying ports you’d need to communicate the port first, and you’d also need to time the simultaneous open. So a coordinating party is still needed somewhere. Getting rid of TURN relays (if you’re affected by symmetric NATs) is of course a huge plus.

[stavros]

No, you'd have something like UPnP open a port on the firewall, I imagine. It depends on the setup, which can now be much more flexible, since the firewall can run on the machine itself. You also have the benefit that multiple machines can listen on the same port, so you don't need a proxy any more.

[fluoridation]

>Ever tried to call someone over the internet? Well, now you need a publicly reachable device.

Uhh... Is this the '90s? People don't type in IP addresses (or phone numbers, back in the day) to connect with other people anymore. They connect to a common, publicly reachable server that deals with peers being behind NAT.

[arianvanp]

Most video calling software uses STUN NAT hole punching and not central relay servers. You are definitely publicly routed when you call through Google Meet or WhatsApp or FaceTime

[lazylizard]

https://atscaleconference.com/calling-relay-infrastructure-a...

if i read this right, whatsapp calls go thru relay servers?

[stavros]

To be fair, I think Google Meet with multiple participants still uses a relay server, instead of N^2 streams, but I may be wrong.

[jdiff]

Now you've got significant additional latency, which is why this is very often not what actually occurs in these situations if it's at all avoidable.

[aboardRat4]

It doesn't really matter. Any communications provider must keep call records for the FSB, so routing them through central servers and recording there is the only option anyway.

[jdiff]

Of course it matters. STUN isn't theoretical, it's in actual, practical use across a great many things. There's plenty of things that aren't "calls" in a telecommunications sense. Discord, Telegram, Zoom, Slack, Jitsi, and far more. And there are plenty of other things entirely that use the same tactics to get direct peer-to-peer connections.

[aboardRat4]

>Discord, Telegram, Zoom, Slack, Jitsi

All of them are blocked for not complying with government's regulations where I live.

[patmorgan23]

May I introduce you to our Lord and Savior the Domain Name System.

[stavros]

How do you think this works, exactly?

[IgorPartola]

No it is not:

IPv4 header: https://upload.wikimedia.org/wikipedia/commons/thumb/6/60/IP...

IPv6 header: https://bitjunkie.org/wp-content/uploads/2023/10/ipv6-Header...

Notice how the IPv6 header is simpler? That’s because it is. It has normal working semantics, got rid of fragmentation, TTL is replaced by hop limit, and link-local addresses actually work as intended. The addresses look scary != more complicated. Please stop perpetuating this myth.

[everdrive]

If IPv6 were just an improved header and a longer address I'd be perfectly happy with it. I wasn't discussing either point you raised.

[IgorPartola]

That is literally all it is. There is nothing else to it. You get P2P connections and a longer address. The rest is what they removed from the protocol, not what was added.

[tsimionescu]

SLAAC is a huge and complex part of IPv6. Higher reliance on ICMPv6 is also a big part of it. Networking stacks for IPv6 are also more complex, especially if you want to support SLAAC, requiring things like multiple IPs on every machine by default, and so on. The very fact that you have to choose between static IP, SLAAC, and DHCPv6 is another complication - if the choice is even there, as some major devices don't support DHCPv6 (Android).

[IgorPartola]

SLAAC is stupid simple. The router just sends out its address, the netmask and optionally DNS servers. You can configure each host on your network to use the MAC address based suffix, a privacy one (random and changes several times an hour), or a static suffix. This is way simpler than DHCP which is stateful and requires multiple back and forths with the DHCP server.

And yes each host/interface can have more than one address which is amazing compared to having to create virtual interfaces for IPv4. You can literally just add more addresses.

Oh and when working with Docker or other container systems you can just use a link-local subnet instead of setting up a virtual network which makes things so much easier and nicer. There it really is zero configuration, not even firewall rules. It takes less effort to do this than to use IPv4.

[eqvinox]

> SLAAC is a huge and complex part of IPv6.

Complex? Could you elaborate what exactly is complex about SLAAC? Are you referring to the various address generation modes?

[xorcist]

SLAAC doesn't exist with IPv4. If you want SLAAC, you have to run v6. Nobody forces you to use SLAAC. It's not an argument against the use of v6.

[binkHN]

> Private IP space is incredibly useful. I build it and set it up -- my ISP does not have control. This is _gone_ with IPv6 and it makes things much more complicated than they need to.

Not in the least; IPv6 has private address space just like IPv4.

[luckman212]

> Private IP space is incredibly useful ... This is _gone_ with IPv6

No, it's not. Learn about ULAs:

https://en.wikipedia.org/wiki/Unique_local_address

[notpushkin]

> Private IP space is incredibly useful. I build it and set it up -- my ISP does not have control.

You can have that with IPv6, too. You can even get your own ULA prefix that (hopefully [1]) only you will ever use: https://ula.ungleich.ch/

[1]: Technically, it doesn’t prevent anybody else from using the same space as you. (And you can’t advertise it, of course.)

[antonvs]

> the whole standard is built around this use case most people don't need most of the time.

This seems to be a function of when it was developed, starting in the early 90s before the internet as we know it today, particularly the web, even existed. Security wasn’t seen the same way then, because the threats we have today simply didn’t exist.

Not every company in the world had its own private networks, so there weren’t even good examples to follow. The result was a system designed in the effective equivalent of a vacuum, without regard for how the internet would actually end up being used. The result is the situation you described.

[RiverCrochet]

> This is _gone_ with IPv6

Incorrect. There is the ULA range, fc00::/7, which is not routable and can be used in the same place you'd use 192.168.0.0/16 or similar.

You can even do something like fc00::192:168:0:0/120 if you really want.

> There is really no reason for most devices to be publicly reachable.

If you want things to work in one direction only, you really want television or radio. This is how most people really treat the Internet, unfortunately.

[throw0101a]

> I learn new things all the time. IPv6 is much more complicated, and importantly, more complicated than it needs to be. There is really no reason for most devices to be publicly reachable.

Sigh. This myth really won't die.

Publicly addressable ≠ publicly reachable.

With my last ISP I had IPv6: every device (including my printer) on my local network had a public IPv6 address, but exactly zero were reachable thanks to the stateful packet inspection (SPI) on my Asus.

[DrewADesign]

You’re either arguing about semantics or missed the point they were trying to make. If it doesn’t have to be publicly reachable, why should it be publicly addressable in the first place? I can’t think of any common requirement that will be afforded to users having devices that will never need to be publicly reachable be publicly addressable. Considering most peoples use cases solely involve home networks of devices that they definitely do not want to be publicly reachable, why is needing to explicitly disallow that better for them?

In non-abstract terms, I just don’t see how that works better.

[throw0101a]

> I can’t think of any common requirement that will be afforded to users having devices that will never need to be publicly reachable be publicly addressable.

Because you do not know ahead of time which devices may have such a need, and by allowing for the possibility you open up more flexibility.

> [Residential customers] don't care about engineering, but they sure do create support tickets about broken P2P applications, such as Xbox/PS gaming applications, broken VoIP in gaming lobbies, failure of SIP client to punch through etc. All these problems don't exist on native routed (and static) IPv6.

> In order for P2P to work as close as possible to routed IPv6 in NATted IPv4, we had to deploy a bunch of workarounds such as EIM-NAT to allow TCP/UDP P2P punching to work both ways, we had to allow hairpinning on the CGNAT device to allow intra-CGNAT traffic to work between to CGNAT clients, as TURN can only detect the public-facing IP:Port, hairpinning allow 100.64.0.0/10 clients to talk to each other over the CGNATted public IP:Port.

* https://blog.ipspace.net/2025/03/response-end-to-end-connect...

By having (a) a public address, and (b) a CPE that supports PCP/IGD hole punching, you eliminate a whole swath of infrastructure (ICE/TURN/etc) and kludges.

When it was first released, Skype was peer-to-peer, but because of NAT "super nodes" had to be invented in their architecture so that the clients/peers could have someone to 'bounce' off of to connect. But because of the prevalence of NAT, central servers are now the norm.

A lot of folks on HN complain about centralization and concentration on the Internet, but how can it be otherwise when folks push back against technologies that would allow more peer-to-peer architectures?

[antonvs]

> by allowing for the possibility you open up more flexibility.

The problem is that flexibility is often the enemy of security, and that’s certainly true here. Corporate networks don’t want to allow even the possibility of devices that are supposed to be private being publicly addressable. Arguing that it’s “simpler” or “more flexible” is like arguing that we don’t need firewalls, for the same reasons. And in fact, that argument used to be made quite regularly. It’s just that no-one who deals with security has ever taken it seriously.

[everdrive]

It's baffling to argue that NAT is the real driver of centralization for internet technologies.

[aboardRat4]

It surely was a big factor.

When internet finally became popular, hosting a website on your own machine already became infeasible.

[DrewADesign]

What do you mean by popular? I hosted a site on a home machine in the early teens. If you don't know how to do that with NAT, you should not have a web server under your control exposed to the internet.

[throw0101a]

> It's baffling to argue that NAT is the real driver of centralization for internet technologies.

It doesn't help.

[nish__]

What is then?

[antonvs]

Capitalism, essentially. Companies can make more money from centralized control over systems than from truly distributed systems, and customers are suckers for the simplicity of delegating their needs to single providers.

The reason Google bought and destroyed dejanews.com, for example (try visiting that site) was to weaken one of the distributed sources of competition. Similar for RSS.

[DrewADesign]

I'd like to know the average number of broadband customers that make support tickets because of NAT. I'll bet it's far less than 1%. And you really think NAT, rather than SV betting huge on cloud services and surveillance capitalism, was the reason that everything is centralized? Come on...

[everdrive]

>>Yes, a firewall can prevent these connection

>Publicly addressable ≠ publicly reachable.

I already addressed this, and I know how firewalls work. It would be nice if on a per-device basis I could opt into a choice to be publicly addressable. Instead, the entire standard is built around this.

[avianlyric]

You literally can. You can just use local link addresses, IPv6 routers are guarantee not to forward those packets out of the network, or forward traffic into the network addresses to one of those IPs. Devices within the network can all still talk to each other.

If you really want to do the full Monty, add a NAT to your IPv6 router to have it translate to the local-link addresses, just like it would on IPv4.

I would highlight this is also identical to IPv4, which notably is also a standard built around the idea that every device in the world can, and should, be given a publicly addressable IP. Many large corporations and universities with /8 IP blocks do exactly this. Unfortunately when they originally wrote the IPv4 standard they slightly underestimated how many devices would eventually connect to the internet.