Hacker News new | ask | show | jobs
by throw0101d 73 days ago
> So you actually agree with me, that making all addresses public was stupid to begin with.

If an address is not public how can you start an connection from it, or end a connection at it? A web server needs a public address if you want to have people reach it. And you, at some point, also have to have a public address if you want to connect to pubic services: either on your end-host, at your CPE/router's WAN interface, or on an interface of your ISP's CG-NAT box.

But having a public address on your end-host also allows for much more functionality than if you were stuck behind CPE-NAT or CG-NAT. Now, you don't have to use this functionality—just like how I didn't when my printer gets an publicly addressable (but not publicly reachable) IPv6 address—but it opens up various possibilities.
1 comments
general1465 72 days ago
So having all devices on public addresses was stupid to begin with on IPv4 and it was arrogantly stupid on IPv6.
link
orangeboats 72 days ago
The fact that we are giving IP addresses an hierarchy is stupid. If you don't want outsiders to connect to your device use a firewall.
link
general1465 71 days ago
Or use NAT, which is actually better solution, because misconfigured NAT won't expose your whole network, while misconfigured firewall will.
link
Dagger2 71 days ago
Well, actually it will. In fact, even correctly configured NAT won't stop connections into your network.

On top of that, it lulls you into a false sense of security, so you confidently think it's protecting you even when it isn't. At least not having NAT makes the actual state of your network clearer.

link
general1465 71 days ago
> even correctly configured NAT won't stop connections into your network.

Yeah that's called port forwarding. It is like complaining that light is coming into your house through windows. Fully intentional.

link
Dagger2 70 days ago
Port forwarding requires a port forward rule that matches the inbound connection. If there's no such rule... NAT won't stop the connection, it will just ignore it.

If no other aspect of your setup blocks the connection, it'll be successful. If you were deploying NAT because you thought it would function as a firewall then this part is probably not intentional.

link
throw0101d 72 days ago
> So having all devices on public addresses was stupid to begin with on IPv4 and it was arrogantly stupid on IPv6.

"Yeah? Well, you know, that's just like uh, your opinion, man." — The Dude

Publicly addressable ≠ publicly reachable.

When I was with my last ISP which had IPv6, my printer had a public address, but the only people who could reach it were those on my home network.

link
general1465 71 days ago
With this logic, my printer can be reachable on google.com, but only from my private network, does not turn my printer into Google.
link