• Frezik@lemmy.blahaj.zone · 166 up, 1 down · 5 months ago

    I know it’s a joke, but the idea that NAT has any business existing makes me angry. It’s a hack that causes real headaches for network admins and protocol design. The effects are mostly hidden from end users because those two groups have twisted things in knots to make sure end users don’t notice too much. The Internet is more centralized and controlled because of it.

    No, it is not a security feature. That’s a laughable claim that shows you shouldn’t be allowed near a firewall.

    Fortunately, Google reports that IPv6 adoption is close to cracking 50%.

    • iii@mander.xyz · 13 up · 5 months ago

      Fine, I won’t invite you to our bi-annual TURN server appreciation event.

      • Frezik@lemmy.blahaj.zone · 14 up · 5 months ago

        There is something there, but mostly I think existing net admins try to map their existing IPv4 knowledge onto IPv6. That doesn’t work very well. It needs to be treated as its own thing.

    • Auli@lemmy.ca · 4 up · 5 months ago

      IPv6 took a while for me to understand. One of the biggest hurdles was how it is secure without NAT.

    • IrateAnteater@sh.itjust.works · 4 up, 5 down · 5 months ago

      We use NAT all the time in industrial settings. Makes it so you can have select devices communicate with the plant level network, while keeping everything else common so that downtime is reduced when equipment inevitably fails.

        • IrateAnteater@sh.itjust.works · 3 up, 1 down · 5 months ago

          This is equipment that uses all statically addressed devices. And ignoring the fact that IPv6 is simply unsupported on most of them, there are duplicate machines that share programs. Regardless of IP version you need NAT anyway if you want to be able to reach each of the duplicates from the plant network.

  • Blaster M@lemmy.world · 42 up, 1 down · 5 months ago (edited)

    Skill issue

    IPv6 is easy to do.

    2000::/3 is the internet range

    fc00::/7 is the private network range (for non routing v6)

    fe80::/64 is link local (like APIPA, but it never changes)

    ::1/128 is loopback

    /64 is the smallest network allocation, and you still have 64 bits left for devices.

    You don’t need NAT when you can just do firewalling: default-drop new connections on inbound WAN and allow established/related on outbound WAN, like any IPv4 firewall does.

    Use DHCPv6 and Prefix Delegation (DHCPv6-PD) to get your subnets and addresses (ask for a /60 on the WAN to get 16 subnets).

    Hook up to your printer using the IPv6 link-local address; that address never changes on its own, and now you don’t have to play the static IP game to connect to it after changing your router or net config.

    The real holdup is ISPs getting ultra-cheap routers that use stupid network allocation systems (AT&T) that are incompatible with the elegant simplicity of prefix delegation and DHCP.
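
A worked version of the address blocks, the prefix-delegation arithmetic and the "firewall instead of NAT" rule from the post above, added here as an example; it is not code from the thread and uses only Python's standard ipaddress module. Assumptions it makes: the reserved link-local block is fe80::/10 (RFC 4291), the fe80::/64 in the post being the prefix an interface actually configures inside it; the link-local address is derived with modified EUI-64, which printers and similar embedded devices commonly use but which general-purpose hosts often replace with stable-privacy or random identifiers, so the "never changes" property holds for the EUI-64 case; and the VLAN-to-/64 mapping numbers subnets by VLAN ID, the arrangement described further down the thread. The prefixes and MAC used are constructed documentation values.

```python
import ipaddress

# Address blocks from the post (RFC 4291 / RFC 4193). The post writes fe80::/64,
# which is the prefix an interface configures; the reserved block is fe80::/10.
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
LOOPBACK = ipaddress.IPv6Network("::1/128")


def scope(addr: str) -> str:
    """Classify an address into the blocks listed above."""
    a = ipaddress.IPv6Address(addr)
    if a in LOOPBACK:
        return "loopback"
    if a in LINK_LOCAL:
        return "link-local"
    if a in UNIQUE_LOCAL:
        return "unique-local"
    if a in GLOBAL_UNICAST:
        return "global"
    return "other"  # multicast (ff00::/8) and everything else


def delegated_subnets(prefix: str) -> list:
    """Carve a DHCPv6-PD delegation into /64s: a /60 yields 16, a /56 yields 256."""
    return list(ipaddress.IPv6Network(prefix).subnets(new_prefix=64))


def subnet_for_vlan(prefix: str, vlan_id: int) -> ipaddress.IPv6Network:
    """Pick the /64 whose subnet-id equals the VLAN ID, so the address shows the VLAN."""
    subs = delegated_subnets(prefix)
    if not 0 <= vlan_id < len(subs):
        raise ValueError(f"VLAN {vlan_id} does not fit in {prefix} ({len(subs)} /64s)")
    return subs[vlan_id]


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """Modified EUI-64 link-local address (RFC 4291, appendix A): flip the U/L bit
    of the first octet, insert ff:fe in the middle, prepend fe80::/64.
    Stays the same for the life of the NIC, independent of router or prefix."""
    octets = bytearray(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC like 00:11:22:33:44:55")
    octets[0] ^= 0x02
    iid = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + iid)


class StatefulWanFilter:
    """Model of 'drop new inbound on WAN, allow established/related':
    an inbound packet is accepted only if the reverse 5-tuple was seen outbound.
    This is what gives a NAT-less IPv6 LAN the same exposure as a NATed IPv4 one."""

    def __init__(self):
        self.conntrack = set()  # (proto, src, sport, dst, dport) of LAN-initiated flows

    def outbound(self, src, sport, dst, dport, proto="tcp") -> str:
        self.conntrack.add((proto, src, sport, dst, dport))
        return "accept"

    def inbound(self, src, sport, dst, dport, proto="tcp") -> str:
        if (proto, dst, dport, src, sport) in self.conntrack:
            return "accept"  # reply to a flow a LAN host opened
        return "drop"  # unsolicited: default-drop new connections


if __name__ == "__main__":
    for a in ("2001:db8::1", "fd12:3456:789a::1", "fe80::1", "::1", "ff02::1"):
        print(f"{a:22} {scope(a)}")
    print("VLAN 10 ->", subnet_for_vlan("2001:db8:abcd:1200::/56", 10))
    print("printer ->", link_local_from_mac("00:11:22:33:44:55"))
```

Two things the model leaves out that a real IPv6 ruleset must have: ICMPv6 must be allowed both ways (neighbour discovery, router advertisements and path MTU discovery all ride on it, and dropping it breaks connectivity in ways that look like random timeouts), and per-host exceptions for published services are explicit accept rules, not port forwards.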

    • kieron115@startrek.website · 3 up · 5 months ago

      On my home network I make sure that my PDs are the same as my VLAN IDs so that I can at least know where a device is based on its IP. If I was smart I would also line them up with the IPv4 subnets as well.

  • nonentity@sh.itjust.works · 33 up · 5 months ago

    The reason IPv6 was originally added to the DOCSIS specs, over 20 years ago, is because Comcast literally exhausted all RFC1918 addresses on their modem management networks.

    My favourite feature of IPv6 is that networks, and the hosts therein, can have multiple prefixes and addresses as a core function. I use it to expose local functions on ULA addresses only, but provide locked-down public access when and where needed. Access separation is handled at the IP stack; with IPv4 it’s expected to be handled by a firewall or equivalent.

    • Bytemeister@lemmy.world · 21 up · 5 months ago

      My favorite feature of IPv6 is that there are so many addresses available. Every single IPv4 address right now could have its own entire IPv4 range of addresses in IPv6. It’s mind-boggling huge.

    • gens@programming.dev · 3 up · 5 months ago

      They kept saying it was because of address exhaustion, and IANA sold all the remaining blocks they had…

      I tested it at the time. Ran an nmap ping scan across a block all night with zero results. IANA sold the internet.

  • thejml@sh.itjust.works · 31 up · 5 months ago

    I use IPv6 every day and everywhere I can. It solves so many issues in large corporate and ISP network setups. And yes, 10/8 wasn’t big enough, and NATing is a PITA.

    Honestly we just keep pushing it off when it’s not that bad. Workaround after workaround just because people are lazy.

  • LaLuzDelSol@lemmy.world · 23 up, 1 down · 5 months ago (edited)

    Just my perspective as a controls (SCADA) engineer:

    I work for a large power company. We have close to 100 sites, each with hundreds of IP devices, and have never had a problem with IPv4. Especially when I’m out in the field I love being able to check IPs, calculate gateways, etc. at a glance. IPv6 is just completely freaking unreadable.

    I see the value of outward-facing IPv6 devices (i.e. devices on the internet), considering we are out of IPv4s. But I don’t see why we have to convert private networks to IPv6. Put more bluntly: at least in industry, it just isn’t gonna happen for decades (if it ever does). Unless you need more IPs it’s just worse to work with. And there’s a huge amount of inertia: got one singular device that doesn’t talk IPv6 at a given generation site? What are you supposed to do?

    • kieron115@startrek.website · 3 up, 1 down · 5 months ago

      If you set up your DNS correctly then you don’t even need the IPs. Just give devices unique, human-readable names and maybe do separate sub-domains for each site or something.

        • kieron115@startrek.website · 4 up · 5 months ago

          Oh, now that you mention it I’ve never tried to map a static DNS entry to a device without DNS. Welp, time to get thousands of raspberry pi’s to act as IP KVMs!

          • inktvip@lemmy.dbzer0.com · 4 up · 5 months ago

            That would imply the existence of display/USB outputs…

            We’re essentially talking about a bunch of embedded devices talking to each other. You can give them all the DNS entries you want, but if they (or the programming environment) don’t support DNS lookup you might as well put your DNS server in Excel.

            • kieron115@startrek.website · 2 up · 5 months ago

              The microcomputers (Raspberry Pi, Arduino, whatever) could have a modern network interface and relay the communication to the embedded devices over old-school serial. But yeah, straight DNS wouldn’t work. I like the idea though; gonna start posting my 10 favorite IP addresses on a piece of paper on the fridge. Who needs Excel!

    • Captain_Faraday@programming.dev · 1 up · 5 months ago

      I’m a protective relay settings engineer at a contractor for lots of power companies. I’m dipping my toes into my first substation automation project: getting to design the device native files, IPs, and other networking parts from the drawings package of site and device manuals. It’s all SEL equipment with a gateway at the top and local powerWAN, RTAC, annunciators, and relays below. I live thousands of miles from the site, so local testing would be challenging, but I’d probably have to fly or something lol. I have been doing some research on how to emulate this in a lab setting when all you have is the RTAC and some relays. Is this something SCADA engineers have to do sometimes? Like if you need to test a scheme when you can’t build it physically first?

    • the rizzler@lemmygrad.ml · 1 up · 5 months ago

      I’ve done both IPv4 and v6, but never embedded. From my perspective, IPv6 addresses can be easier to remember and use, with a little clever arrangement of zeros and especially because they’re hexadecimal. That’s in addition to the way more elegant way the protocol itself handles various things. Obviously not worth upgrading systems that don’t even need DHCP, but that applies to a lot of things in that field.

  • MissingGhost@lemmy.ml · 22 up · 5 months ago

    I’m surprised by the comments here. I use 90% IPv6. For me v4 is only present for backward compatibility. The transition was hard, however.

  • Voyajer@lemmy.world · 18 up · 5 months ago

    CGNATs suck ass though; I had to buy a VPS just to access my own network from outside my home.

    • atotalblank@lemmy.world · 5 up · 5 months ago

      I’ve recently changed ISP and am now hitting CGNAT problems. I have been running NextcloudPi for years and now I can’t access it from outside. I’ve been trying to understand if I can fix the problem using IPv6, but from what you’ve said I’m now wondering if a VPS is the solution?

      • Voyajer@lemmy.world · 3 up · 5 months ago

        My ISP doesn’t properly support IPv6; otherwise it should work. I use WireGuard to route just my server traffic to the VPS.

      • couch1potato@lemmy.dbzer0.com · 2 up · 5 months ago

        I deal with CGNAT on my 2 ISPs at home. Install Tailscale on your VPS and your router at home, and then on your router you can share subnet devices over your Tailscale network. Install a reverse proxy on your VPS.

        If set up correctly you can route a human-readable web address (jellyfin.example.com) to your VPS static IP address and then to, for example, a Docker container with local address 192.168.100.1:8096, via the reverse proxy.

    • A Wild Mimic appears!@lemmy.dbzer0.com · 2 up · 5 months ago

      Yeah, had the same issue with my ISP, but at least they switched me back to IPv4 after a support call. Didn’t want to pay extra for the privilege of not being reachable from the outside anymore.

    • TheFogan@programming.dev · 14 up · 5 months ago

      Well of course, how else would you trick script kiddies that figured out, when they DDoSed 127.0.0.1, what a loopback was, and get them again in a few weeks with “ok ok my real address is 127.34.21.2”?

        • TheFogan@programming.dev · 10 up · 5 months ago

          Not sure if you are joking, but any valid IPv4 address starting with 127. does the same thing: loopback. 127.0.0.1 is just the standard most people use; you could use 127.127.127.127, or 127.1.1.1, or any random numbers between 0 and 254 for the second two and between 1 and 254 for the last, and the effects will be identical.

          • Frezik@lemmy.blahaj.zone · 7 up · 5 months ago

            In fact, it’s so standard that there’s a bunch of shitty code out there that thinks 127.0.0.1 is the only loopback address.

            I’m thinking of a networked Chinese laser cutter that we put on our 10.0.0.0/16 network in the makerspace. It seems to think that 10.0.1.1 and 10.0.2.1 are on different networks. Wouldn’t be surprised if it makes a similar mistake with loopback addresses.
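
The two mistakes this sub-thread describes, an address check that ignores the configured mask and code that treats 127.0.0.1 as the only loopback address, next to the correct tests, as an added example. This is not code from the thread or from the device mentioned: the classful function is a model of the symptom described (assuming the firmware decides "same network" from the first three octets), not anything recovered from the cutter. Addresses are the ones quoted in the thread.

```python
import ipaddress


def same_subnet(a: str, b: str, prefix_len: int) -> bool:
    """Correct test: two hosts share a subnet iff their network bits agree
    under the configured mask (here /16 for 10.0.0.0/16)."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    ia = int(ipaddress.IPv4Address(a))
    ib = int(ipaddress.IPv4Address(b))
    return (ia & mask) == (ib & mask)


def classful_same_subnet(a: str, b: str) -> bool:
    """Model of the buggy behaviour: the configured mask is ignored and the
    first three octets decide the network, i.e. an implicit /24. A host that
    does this will ARP for its gateway instead of for 10.0.2.1 directly."""
    return a.rsplit(".", 1)[0] == b.rsplit(".", 1)[0]


def is_loopback(addr: str) -> bool:
    """Correct loopback test: the whole 127.0.0.0/8 block, not just 127.0.0.1."""
    return ipaddress.IPv4Address(addr) in ipaddress.IPv4Network("127.0.0.0/8")


def naive_is_loopback(addr: str) -> bool:
    """The shortcut the comment above complains about."""
    return addr == "127.0.0.1"


if __name__ == "__main__":
    print("correct /16 check:", same_subnet("10.0.1.1", "10.0.2.1", 16))
    print("classful device:  ", classful_same_subnet("10.0.1.1", "10.0.2.1"))
    print("127.34.21.2 loopback, correct/naive:",
          is_loopback("127.34.21.2"), naive_is_loopback("127.34.21.2"))
```

The practical consequence of the first bug on a flat /16 is that the device only talks to peers in its own /24 or to whatever it believes is the gateway, which is why it "works" on a small test bench and fails once moved onto a larger subnet.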

        • ramjambamalam@lemmy.ca · 5 up · 5 months ago (edited)

          A /8 subnet is basically everything after the first of the four segments, e.g. 127.*.*.*. marine_mustang was saying that loopback (what you think of as only 127.0.0.1) is actually an entire subnet, so any address that starts with 127 will hit the loopback interface. TIL; never thought about it much before.

  • empireOfLove2@lemmy.dbzer0.com · 9 up · 5 months ago

    Bro, just add another octet to the end of IPv4. That goes from 4 billion to a trillion and will most definitely outlast modern electronics and capitalism.