IPv6 genuinely made some really good decisions in its design, but I do question the default “no NAT, no private network prefixes” mentality since that’s not going to work so well for average Janes and Joes
Routers simply need to block incoming unestablished packets (all modern routers allow for this) to replicate NAT security without NAT translation. Then you just punch holes through on IP addresses and ports you want to run services on and be done with it.
Now, some home routers aren’t doing this by default, but they absolutely should be. That’s just router software designers being bad, not IPv6’s fault, and would get ironed out pretty quick if there was mass adoption and IPv4 became the secondary system.
To be clear, this is not a reason not to be adopting IPv6.
Not the person you were replying too, but I was there when we had modems and raw-dogged the internet.
The average person clicks “Yes” on everything without reading it, has no idea what a firewall is, and they never update anything unless it does it without asking.
Having things accessible from outside your network is great if you’re a network nerd and that’s what you want, but most people are going to be in a world of unprotected shit. Especially in a world of pointlessly online devices. I don’t trust any of those fuckers to have their shit in order.
Honestly the more I think about it the more I realize I’m wrong. I was thinking someone could enable a server on their client device without realizing it but the firewall on the router would still need to be modified in that situation, and anything not requiring firewall modifications would be just as much of a security hole on IPv4
Yeah it’s a common trip up. We’re all so used to the way that things are done in IPv4 that our natural response is to try and apply IPv4 logic to IPv6, but you’re absolutely right.
Many people think NAT is a security feature but but that’s only a coincidence and it doesn’t do anything a firewall doesn’t already do. And if we take it one step further we can actually see that a firewall and IPv6 is actually more secure than NAT. The only inherent risk of port warding in NAT is that the IP you’re forwarding to is ultimately arbitrary. Think, have a port open to SMB for a publicly accessible file sharing container, then later ditching it and via DCHP your laptop picks up that old IP and now voila you’ve technically exposed your laptop. It’s not quite that simple but that’s the essence of it.
But with IPv6, IPs are no longer arbitrary. When you allow access in certain ports to a certain machine and that machine goes away, that rule will always only allow access to nowhere.
As a tech nerd who self hosts stuff, I’m more like “what is IPV6 and why is it causing me issues, I can’t figure this out, I guess I’ll disable it, wow my problems are fixed now.”
I guess I can see why people don’t like it, as it’s caused me issues, but just because I don’t understand it doesn’t mean it’s dumb. I’d need to understand how it works before I could say anything about it, positive or negative. I guess all I could say is that it’s been way less intuitive to me, I can’t memorize the numbers, and the reason it exists makes sense. Beyond that, I unno.
I should probably spend the time to learn about it, but I already have a full time job where I work on computers all day, I’d rather focus on my other hobbies while I’m at home.
Back in the days I had an ISP that offered me IPv6 network, it was really easy to self host things over the internet, because IPv6 is unique to all devices, so the server had its own IPv6 global address, which I could access from anywhere with IPv6 connectivity. No more dealing with port forwarding (considering that the ISP didn’t block the forwarding of ports). Just a firewall setting and voila, the service was accessible. It’s that simple.
As a networking nerd, I am endlessly frustrated with how many otherwise smart people are just ‘fuck ipv6 lmao’
Giving me goddamn flashbacks to this https://www.youtube.com/watch?v=v26BAlfWBm8
IPv6 genuinely made some really good decisions in its design, but I do question the default “no NAT, no private network prefixes” mentality since that’s not going to work so well for average Janes and Joes
Routers simply need to block incoming unestablished packets (all modern routers allow for this) to replicate NAT security without NAT translation. Then you just punch holes through on IP addresses and ports you want to run services on and be done with it.
Now, some home routers aren’t doing this by default, but they absolutely should be. That’s just router software designers being bad, not IPv6’s fault, and would get ironed out pretty quick if there was mass adoption and IPv4 became the secondary system.
To be clear, this is not a reason not to be adopting IPv6.
Why would you think it wouldn’t work for the average Jane and Joe?
Not the person you were replying too, but I was there when we had modems and raw-dogged the internet.
The average person clicks “Yes” on everything without reading it, has no idea what a firewall is, and they never update anything unless it does it without asking.
Having things accessible from outside your network is great if you’re a network nerd and that’s what you want, but most people are going to be in a world of unprotected shit. Especially in a world of pointlessly online devices. I don’t trust any of those fuckers to have their shit in order.
Honestly the more I think about it the more I realize I’m wrong. I was thinking someone could enable a server on their client device without realizing it but the firewall on the router would still need to be modified in that situation, and anything not requiring firewall modifications would be just as much of a security hole on IPv4
Yeah it’s a common trip up. We’re all so used to the way that things are done in IPv4 that our natural response is to try and apply IPv4 logic to IPv6, but you’re absolutely right.
Many people think NAT is a security feature but but that’s only a coincidence and it doesn’t do anything a firewall doesn’t already do. And if we take it one step further we can actually see that a firewall and IPv6 is actually more secure than NAT. The only inherent risk of port warding in NAT is that the IP you’re forwarding to is ultimately arbitrary. Think, have a port open to SMB for a publicly accessible file sharing container, then later ditching it and via DCHP your laptop picks up that old IP and now voila you’ve technically exposed your laptop. It’s not quite that simple but that’s the essence of it.
But with IPv6, IPs are no longer arbitrary. When you allow access in certain ports to a certain machine and that machine goes away, that rule will always only allow access to nowhere.
Ye fuck ipv6 lol. I still have no need to move to it lol.
As a tech nerd who self hosts stuff, I’m more like “what is IPV6 and why is it causing me issues, I can’t figure this out, I guess I’ll disable it, wow my problems are fixed now.”
I guess I can see why people don’t like it, as it’s caused me issues, but just because I don’t understand it doesn’t mean it’s dumb. I’d need to understand how it works before I could say anything about it, positive or negative. I guess all I could say is that it’s been way less intuitive to me, I can’t memorize the numbers, and the reason it exists makes sense. Beyond that, I unno.
I should probably spend the time to learn about it, but I already have a full time job where I work on computers all day, I’d rather focus on my other hobbies while I’m at home.
Back in the days I had an ISP that offered me IPv6 network, it was really easy to self host things over the internet, because IPv6 is unique to all devices, so the server had its own IPv6 global address, which I could access from anywhere with IPv6 connectivity. No more dealing with port forwarding (considering that the ISP didn’t block the forwarding of ports). Just a firewall setting and voila, the service was accessible. It’s that simple.