I know it's a joke, but the idea that NAT has any business existing makes me angry. It's a hack that causes real headaches for network admins and protocol design. The effects are mostly hidden from end users because those two groups have twisted things in knots to make sure end users don't notice too much. The Internet is more centralized and controlled because of it.

No, it is not a security feature. That's a laughable claim that shows you shouldn't be allowed near a firewall.

Fortunately, Google reports that IPv6 adoption is close to cracking 50%.

[–] Auli@lemmy.ca 2 points 13 hours ago (1 children)

Ipv6 took awhile for me to understand. One of the biggest hurdles was how is it secure without NAT.

[–] AnUnusualRelic@lemmy.world 1 points 9 hours ago

IPv6 is the natural Internet. Things are either allowed or forbidden to connect.
NAT is just a kludge.

[–] truthfultemporarily@feddit.org 87 points 1 day ago (3 children)

I think NAT is one reason why the internet is so centralized. If everyone had a static IP you could do all sorts of decentralized cool stuff.

[–] frezik@lemmy.blahaj.zone 61 points 1 day ago

Right, not the only reason, but it's a sticking point.

You shouldn't need to connect to your smart thermostat by using the company's servers as an intermediary. That makes the whole thing slower, less reliable, and a point for the company to sell your personal data (that last one being the ultimate reason why it's done this way).

[–] Creat@discuss.tchncs.de 33 points 1 day ago (1 children)

Everyone having a static IP is a privacy nightmare.

There's a reason the recommendation in the standard for ipv6 had to be amended (it whatever the mechanic was) so that generated local suffixes aren't static. Before that, we were essentially globally identifiable because just the second half of your v6 address was static.

[–] frezik@lemmy.blahaj.zone 21 points 1 day ago

IPv4 centralization creates far more privacy issues than everyone having a static IP. The solutions are still things like VPNs and onion routing.

[–] PacMan@sh.itjust.works 7 points 1 day ago

Which is why IPv6 was created. Everything used to get a public routable IP. Large company’s such as ATT and IBM got a whole /8 to themselves. NAT made it so we did not run out of IP’s in the 2000’s

[–] irelephant@lemmy.dbzer0.com 13 points 1 day ago

My isp and router both claim to have IPv6 but every test site has failed.

[–] iii@mander.xyz 13 points 1 day ago

Fine, I won't invite you to our bi-annual TURN server appreciation event.

[–] lemmylommy@lemmy.world 9 points 1 day ago (3 children)

You are right, but I wish ipv6 was less shitty of a replacement.

[–] mitch@piefed.mitch.science 39 points 1 day ago (1 children)

I worked with one of the inventors of IPv6 for a bit of time, and I think knowing Carl really gave me an insight into who IPv6 was invented for, and that's the big, big, big networks — peering groups that connect large swaths of the Internet with other nations' municipal or public infrastructure.

These groups are pushing petabytes of data every hour, and as a result, I think it makes their strategists think VERY big picture. From what I've seen, IPv6 addresses very real logistical problems you only see with IPv4 when you're already dealing with it on a galactic scale. So, I personally have no doubt that IPv6 is necessary and that the theory is sound.

However, this fuckin' half-in/half-out state has become the engine of a manifold of security issues, primarily bc nobody but nerds or industry specialists knows that much about it yet. That has led to rushed, busy, or just plain lazy devs and engineers to either keep IPv6 sockets listening, unguarded, or to just block them outright and redirect traffic to IPv4 anyway.

Imo there's not much to be done besides go forward with IPv6. It's there, it's tested, it's basically ready for primetime in terms of NIC chip support... I just wish it weren't so obtuse to learn. :/

[–] drosophila@lemmy.blahaj.zone 5 points 15 hours ago

However, this fuckin’ half-in/half-out state has become the engine of a manifold of security issues, primarily bc nobody but nerds or industry specialists knows that much about it yet. That has led to rushed, busy, or just plain lazy devs and engineers to either keep IPv6 sockets listening, unguarded, or to just block them outright and redirect traffic to IPv4 anyway.

Its kind of interesting to me how conservative the IT industry is with stuff like this.

The industry loves to say "move fast and break things" or "innovate and disrupt", but that generally only applies to things that can be shat out in a two week long Python project (or shat out in 2 weeks after publicly funded universities spent years figuring out the algorithm for you). For anything foundational, like CPU architecture, operating systems, or the basic assumptions about how UI should work, they're terrified of change.

[–] frezik@lemmy.blahaj.zone 25 points 1 day ago (1 children)

There is something there, but mostly I think existing net admins try to map their existing IPv4 knowledge onto IPv6. That doesn't work very well. It needs to be treated as its own thing.

[–] drkt@scribe.disroot.org 9 points 1 day ago

I couldn't figure it until I turned my brain off and just read the documentation. I was thinking in IPv4 logic, because everyone had told me it was just "bigger IPv4" - it's not. It's so much more, and better.

[–] IrateAnteater@sh.itjust.works -5 points 1 day ago (1 children)

We use NAT all the time in industrial settings. Makes it so you can have select devices communicate with the plant level network, while keeping everything else common so that downtime is reduced when equipment inevitably fails.

[–] frezik@lemmy.blahaj.zone 24 points 1 day ago (3 children)

That's nothing that can't be done with a good set of firewalls on IPv6.

[–] socsa@piefed.social 9 points 1 day ago

The one thing you can't do with IPv6 is yell the address across the room to the technician plugged into the switch trying to ping the node.

[–] IrateAnteater@sh.itjust.works 3 points 1 day ago

This is equipment that uses all statically addressed devices. And ignoring the fact that IPv6 is simply unsupported on most of them, there are duplicate machines that share programs. Regardless of IP version you need NAT anyway if you want to be able to reach each of the duplicates from the plant network.

[–] Hotzilla@sopuli.xyz 0 points 22 hours ago* (last edited 22 hours ago)

Good luck trying to find industrial stuff that supports IPv6, hell most of it is still serial.

I have legit heard that serial is security mechanism because it cannot communicate long distance like ethernet.

Of course you can do IPv6 magic that hides IPv6 from the end device, but nobody understands how that magic works.