canistel 12 days ago

I have been averse to IPv6 until recently, and used to disable IPv6 altogether. A couple of weeks back, the ISP silently shifted to CGNAT, and I could no longer forward ports. Out of sheer desperation, I gave IPv6 a try and was shocked to find that the demon which I had feared all along was in fact the solution to most of the concerns.

A few things to note though:

1. Default router settings - as configured by the ISP - defaulted to IPv4 only. I had to change it to enable IPv6 too in the WAN settings.

2. Had to lower Firewall security levels (which in fact makes sense).

3. In firewalld, had to enable ipv6-icmp protocol

4. Technologies such as IRC (to take an example) do not support IPv6, but many torrent clients do.

  • getwiththeprog 11 days ago

    With my ISP, I see CGNAT as a feature as it obfuscates my IPv4 address.

    Then I also get millions of IPv6 addresses that are not CGNAT, so it is a real win as far as I am concerned.

    • nickburns 11 days ago

      ISP still has CGNAT logs and can presumably still be lawfully subpoenaed. it's a false cloak.

      and in terms of identity tracking—all the marketeers (who sleep with the CGNAT ISPs mind you) can still exceedingly accurately profile you and keep tabs on what you're up to whether behind your CGNAT ISP or CGNAT telecom alike. it's a false sense of privacy.

      • sp332 11 days ago

        Making attackers get a subpoena is actually a huge barrier. Especially compared to just handing it out to every server you make a request to.

        • nickburns 11 days ago

          that level of sophisticated target likely doesn't rely upon nor hang its hat on lawful controls, either.

    • GoblinSlayer 11 days ago

      For this you can just have a socks proxy instead of NAT. Works with ip6 too.

    • WarOnPrivacy 11 days ago

      > see CGNAT as a feature as it obfuscates my IPv4 address - then get millions of IPv6 addresses that are not CGNAT

      It's tough trying to connect to home IPv6 services - when all the locations you visit are served by an ISP that doesn't support IPv6. That's the scenario here.

    • WarOnPrivacy 11 days ago

      > With my ISP, I see CGNAT as a feature as it obfuscates my IPv4 address.

      It can become an issue when sites like The Economist don't vet their blocklists - and then someone behind the NAT does something that makes the list-author grumpy.

  • notpushkin 12 days ago

    > Had to lower Firewall security levels (which in fact makes sense).

    Sounds suspicious to be honest. If you get a direct IPv6 address to your computer (as opposed to an IPv4 behind a NAT), shouldn't you raise firewall instead of lowering?

    • nickburns 12 days ago

      some components, like RA and SLAAC, require specific ICMP to function properly. a properly configured IPv4 firewall on the other hand would allow no inbound and filter most outbound ICMP by default.

      the only actually suspicious part of the original comment is...

        Default router settings - as configured by the ISP
      • cesarb 11 days ago

        > a properly configured IPv4 firewall on the other hand would allow no inbound and filter most outbound ICMP by default.

        A properly configured IPv4 firewall would allow at least the "destination unreachable - fragmentation needed and DF set" inbound ICMP, otherwise path MTU discovery will break; it probably should also allow the rest of the "destination unreachable" inbound ICMP, and probably also the "time exceeded" inbound ICMP, so that connection failures are instantaneous instead of having to wait for a timeout.

        Allowing no inbound ICMP at all is always an incorrect firewall configuration.

        • nickburns 11 days ago

          a properly configured (stateful) firewall permits replies to unfiltered outbound connections. you've made no corrections to anything i said, but merely added context to "filter most outbound connections" and with fair points.

          but reasonable plumbers could and certainly do disagree on whether to allow any ICMP connections initiated from outside the firewall whatsoever.

          • WarOnPrivacy 11 days ago

            The back and forth was a little confusing to me.

            I forward/open IPv4 & IPv6 as needed, limited to trusted sources.

            I allow IPv6 ICMP from approved countries. IIRC, this functionality goes beyond the needs of SLAAC and RA. It is a required criterion for IPv6 testing sites - but I'm not clear why.
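The sub-thread above (canistel's "had to enable ipv6-icmp", nickburns on RA/SLAAC, cesarb on path MTU discovery) turns on which ICMPv6 messages a host firewall must let in. The following is an added example written for this page, not code from any commenter or from firewalld: it parses a raw IPv6+ICMPv6 packet and applies the allow-list a practitioner would configure (Neighbor Discovery types 133-137, the error types 1-4 that PMTUD and fast connection failure depend on, echo as a policy choice), together with the two checks that make the ND exception safe: ND messages must arrive with hop limit 255 (RFC 4861, so they cannot have been forwarded) and a Router Advertisement must come from a link-local source. The `build_packet` helper and the sample packets are constructed here purely so the filter can be exercised offline; `decide` and its reason strings are this example's own names. The equivalent nft rule would be along the lines of `icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept`, with the hop-limit test expressed as `ip6 hoplimit 255`.

```python
"""Host-firewall ingress policy for ICMPv6, as a stateless packet-level check.

Constructed example: parses a raw IPv6+ICMPv6 packet and decides whether a host
firewall should accept it when it arrives unsolicited.  The allow-list follows
the RFC 4890 recommendations; the hop-limit and link-local checks on Neighbor
Discovery messages are from RFC 4861.
"""
import ipaddress
import struct

ICMPV6 = 58
ND_TYPES = {133, 134, 135, 136, 137}   # RS, RA, NS, NA, Redirect: needed for SLAAC/RA
ERROR_TYPES = {1, 2, 3, 4}             # unreachable, packet-too-big (PMTUD), time-exceeded, param-problem
ECHO_TYPES = {128, 129}                # policy choice: allow, but rate-limit in a real ruleset
# MLD (130-132, 143) is omitted here; add it if the host relies on multicast listener discovery.


def ones_complement_sum(data: bytes) -> int:
    """Fold the 16-bit words of data into a one's complement sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def icmpv6_checksum(src: bytes, dst: bytes, icmp: bytes) -> int:
    """ICMPv6 checksum over the RFC 8200 pseudo-header plus the message.

    Over a message whose checksum field is already filled in, this returns 0
    exactly when the checksum is valid.
    """
    pseudo = src + dst + struct.pack("!I3xB", len(icmp), ICMPV6)
    return (~ones_complement_sum(pseudo + icmp)) & 0xFFFF


def build_packet(src: str, dst: str, icmp_type: int, hop_limit: int, body: bytes = b"") -> bytes:
    """Assemble a minimal IPv6 packet carrying an ICMPv6 message (code 0) with a valid checksum.

    Only used to construct sample input for this example.
    """
    s, d = ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed
    icmp = struct.pack("!BBH", icmp_type, 0, 0) + body
    icmp = struct.pack("!BBH", icmp_type, 0, icmpv6_checksum(s, d, icmp)) + body
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), ICMPV6, hop_limit) + s + d
    return ip6 + icmp


def decide(packet: bytes) -> tuple:
    """Return (accept, reason) for an inbound packet as seen by the host firewall."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return False, "not IPv6"
    _, plen, nxt, hlim = struct.unpack("!IHBB", packet[:8])
    src, dst = packet[8:24], packet[24:40]
    if nxt != ICMPV6:
        return False, "not ICMPv6; left to the stateful TCP/UDP rules"
    icmp = packet[40:40 + plen]
    if len(icmp) < 4 or icmpv6_checksum(src, dst, icmp) != 0:
        return False, "truncated or bad checksum"
    icmp_type = icmp[0]
    if icmp_type in ND_TYPES:
        # RFC 4861: ND messages are link-local only; a hop limit below 255 means
        # the packet was forwarded, so it is spoofed or misrouted.
        if hlim != 255:
            return False, "ND message with hop limit %d, must be 255" % hlim
        if icmp_type == 134 and not ipaddress.IPv6Address(src).is_link_local:
            return False, "router advertisement from a non-link-local source"
        return True, "neighbor discovery / SLAAC"
    if icmp_type in ERROR_TYPES:
        return True, "error message needed for path MTU discovery and fast failure"
    if icmp_type in ECHO_TYPES:
        return True, "echo (rate-limit in a real ruleset)"
    return False, "ICMPv6 type %d not on the allow-list" % icmp_type
```

The point of the hop-limit and link-local checks is that "enable ipv6-icmp" need not mean "accept any ICMPv6 from anywhere": the messages SLAAC needs can only legitimately arrive from the local link, and a forwarded RA is exactly what a rogue-RA attack looks like.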

  • birdiesanders 12 days ago

    Most IRC clients happily accept a properly encoded v6 address.

  • seba_dos1 11 days ago

    What makes you think that IRC doesn't support IPv6?

    • lathiat 11 days ago

      Many IRC networks were early to IPv6

      • throw0101c 11 days ago

        E.g.:

        > The project had its highlight in 1999, when the first-ever production-stage IRC6 server was featured on IRCnet by Project IRC6 of Europe. This resulted in a movement for more rapid evolution and evaluation of IPv6 services by IRC-users, which can still be seen as a rather interesting effect of the nature of competition in advances in technology...

        * http://www.irc.org/irc6.html

  • LargoLasskhyfv 9 days ago

    4. Hm. Must be a strange network, or bad client. Even (most of what remains of) EFNET supports v6 and TLS. Imagine...

FujiApple 12 days ago

This Tailscale blog [1] from 2020 has been posted on HN many times before I’m sure but is worth highlighting again as it does a great job outlining the technical complexities that CGNAT (and NAT in general) introduce.

I have my head in this space at the moment as I’m trying to implement NAT detection (as pioneered by Dublin traceroute [2]) into Trippy [3].

[1] https://tailscale.com/blog/how-nat-traversal-works

[2] https://dublin-traceroute.net/

[3] https://github.com/fujiapple852/trippy/issues/1104

  • mcmcmc 12 days ago

    I already love Trippy but that would be an awesome addition! Big thanks from a satisfied user!

  • nickburns 11 days ago

    could you say a little bit more about the design and/or purpose of NAT detection in this context? i'm unfamiliar but see what the service generally does in lay terms. curious more about the technical necessity.

magicalhippo 11 days ago

Maybe it's more like IPv6 is the solution we got, rather than the solution we want. Not unlike Wayland vs X11. Both over-corrections to the problems they set out to fix.

Then again, my code doesn't get good until the third time I rewrite it...

As someone with a small home lab, IPv6 feels much more complex compared to IPv4. And it's still in significant flux despite being decades old, while IPv4 hasn't changed significantly since I deployed my own m0n0wall box back before y2k.

It also requires more infra. DNS for everything is non-optional due to long addresses and dynamic prefixes. DHCPv6 is needed for all configuration settings to be set on clients. And there's still software that doesn't play well with IPv6.

It's just too much hassle for my home lab for now. Maybe in another decade.

  • jcarrano 11 days ago

    Every time I used IPv6 I found it solved more problems than it created. E.g. with v6 you can make sure VPN addresses will not collide with the user's actual address. No more NATs or port forwardings, etc.

    The main problem is that v4 has not yet been retired and that means many times you have to support both.

    • patrakov 11 days ago

      > No more nats

      Hehehe... writing this from behind NPTv6 (a form of prefix-to-prefix NAT). I have to use it because this is currently the only working method for a fail-over configuration with two ISPs.
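NPTv6, which patrakov mentions above, is worth seeing in code because it is not "NAT" in the IPv4 sense: it keeps no per-flow state and it is checksum-neutral, which is why a router can apply it in both directions without rewriting TCP/UDP/ICMPv6 checksums. The following is an added example written for this page, not patrakov's configuration or any router vendor's code. It implements the RFC 6296 mapping as I understand it: the one's complement sum of the inside and outside prefix words is compared, and the difference is folded into bits 48..63 for prefixes up to /48 or into the first non-0xFFFF word of the interface identifier for longer prefixes. The sample prefixes (fd01:203:405::/48 mapped to 2001:db8:1::/48, and a /56 pair) are constructed; the handling of a one's complement zero result (written as 0x0000 here, in both directions) is this example's choice and should be checked against the RFC text before relying on it. Class and function names are this example's own.

```python
"""NPTv6 (RFC 6296) prefix translation: stateless and checksum-neutral.

Constructed example.  The inside prefix is swapped for the outside prefix, and
one 16-bit word of the address is adjusted so that the one's complement sum of
the whole address does not change.  TCP/UDP/ICMPv6 checksums cover the
addresses via the pseudo-header, so the translator never has to touch them.
"""
import ipaddress


def words(addr: ipaddress.IPv6Address) -> list:
    """The eight 16-bit words of an IPv6 address."""
    p = addr.packed
    return [(p[i] << 8) | p[i + 1] for i in range(0, 16, 2)]


def from_words(ws) -> ipaddress.IPv6Address:
    return ipaddress.IPv6Address(bytes(b for w in ws for b in (w >> 8, w & 0xFF)))


def ones_add(a: int, b: int) -> int:
    """One's complement addition of two 16-bit words (end-around carry)."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)


def ones_sum(ws) -> int:
    total = 0
    for w in ws:
        total = ones_add(total, w)
    return total


def checksum_neutral(a: str, b: str) -> bool:
    """True if the two addresses contribute the same value to a pseudo-header checksum."""
    return ones_sum(words(ipaddress.IPv6Address(a))) == ones_sum(words(ipaddress.IPv6Address(b)))


class NPTv6:
    def __init__(self, inside: str, outside: str):
        self.inside = ipaddress.IPv6Network(inside)
        self.outside = ipaddress.IPv6Network(outside)
        if self.inside.prefixlen != self.outside.prefixlen or self.inside.prefixlen > 64:
            raise ValueError("prefixes must have the same length, at most /64")
        # Prefix words (prefix length rounded up to a 16-bit boundary); the
        # non-prefix bits inside the last word are identical on both sides,
        # so they cancel out of the difference.
        n = (self.inside.prefixlen + 15) // 16
        s_in = ones_sum(words(self.inside.network_address)[:n])
        s_out = ones_sum(words(self.outside.network_address)[:n])
        # One's complement difference (inside - outside); negation is bitwise NOT.
        self.delta = ones_add(s_in, s_out ^ 0xFFFF)

    def _translate(self, addr: str, src_net, dst_net, delta: int) -> str:
        a = ipaddress.IPv6Address(addr)
        if a not in src_net:
            return str(a)                       # not ours: forward unchanged
        keep = int(a) & int(dst_net.hostmask)   # subnet bits and IID survive
        w = words(ipaddress.IPv6Address(int(dst_net.network_address) | keep))
        if src_net.prefixlen <= 48:
            idx = 3                             # RFC 6296 3.1: adjust bits 48..63 (the subnet field)
        else:
            # RFC 6296 3.3: first IID word that is not 0xFFFF (0xFFFF is one's complement zero)
            idx = next((i for i in range(4, 8) if w[i] != 0xFFFF), None)
            if idx is None:
                raise ValueError("IID of all 0xFFFF words cannot be translated")
        adjusted = ones_add(w[idx], delta)
        # Assumption of this example: write one's complement zero as 0x0000;
        # the same rule is applied in both directions so the mapping stays invertible.
        w[idx] = 0 if adjusted == 0xFFFF else adjusted
        return str(from_words(w))

    def outbound(self, addr: str) -> str:
        """Inside address -> outside address (packets leaving towards the ISP)."""
        return self._translate(addr, self.inside, self.outside, self.delta)

    def inbound(self, addr: str) -> str:
        """Outside address -> inside address (replies coming back)."""
        return self._translate(addr, self.outside, self.inside, self.delta ^ 0xFFFF)
```

Two consequences fall out of the code and matter in a dual-ISP setup like the one described: with a /48 the adjustment lands in the subnet field, so inside subnet 0x0010 is visible externally as a different subnet number; and because there is no flow table, inbound packets to a translated address are reachable without any "port forwarding", so a firewall rule, not the translator, has to decide what is allowed in.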

      • donor20 11 days ago

        Even worse - ISPs give different prefix lengths. I am curious how you are running NPT - I spent WAY too long trying to get basic IPv6 failover working - what vendor / etc.? IPv4 failover is basically flawless and the internal network doesn't renumber as routes flap.

  • nickburns 11 days ago

      over-corrections to the problems they set out to fix.
    
    IPv4 space will eventually be exhausted; it's not a matter of if. given that, i don't know if IPv6 could reasonably be considered an 'over-correction' in the context of needing a larger address space, unless you strictly refer to the complexity of the successor analogies (i.e. IPv6 and Wayland).

    a comment elsewhere in this post makes some informed projections about when the transition will go from being gradual to necessarily fully (at least for IPv4) co-operational.

    • sp332 11 days ago

      IPv6 has changed a lot over the years, mostly to simplify it. IPsec used to be mandatory, for example.

beagle3 12 days ago

I vastly prefer CGNAT to IPv6, because CGNAT preserves my privacy by default, and IPv6 eliminates it by default. It’s that simple.

While it’s possible for an ISP to unmask me on CGNAT (Verizon and AT&T did in the early smartphone days)- and it’s possible for an ISP to NAT/Wildcard my IPv6 address for privacy - it’s the default in 99% of the cases; and I prefer default privacy to the ability to be directly addressable at home.

  • nirui 11 days ago

    Well, I'm inside a CGNAT. It's like living in an apartment building with 20,000 other families. Maybe it's all fine when everything is normal, but one day, the water pipe on the top floor might burst while no one is answering the door.

    It is true that a NAT could give you some privacy, but the downside is also very obvious. For example, your network neighbor might rub some service the wrong way, and then the service ends up sanctioning/banning the shared NAT exit.

    Then, you might be thinking, "just use a smaller CGNAT then". Well, then a smaller CGNAT will allow the website to track you more easily.

    If I really really don't want to be tracked, I'd rather use Tor.

    • GoblinSlayer 11 days ago

      In order to ban an ip6 client one must ban entire /64 network due to address randomization. So you still get banned.

      • cesarb 11 days ago

        In that analogy, the /64 is their specific apartment, not the whole building. That is, they wouldn't get banned for something their neighbor did, because their neighbor would be in a separate /64.

        That is, the whole /64 is equivalent to the single IPv4 address they have in their home router, not to the CGNAT which combines several home routers into a single IPv4 address.

      • nickburns 11 days ago

        on what firewall platform/s does this restriction exist? asking genuinely as i admit that i may be the one out of the loop on this.

    • sambazi 11 days ago

      this is a real downside of ip reputation systems

      • anonym29 11 days ago

        Ding ding ding. IPv6 doesn't solve this problem either because not all malicious activity from a given IP address is guaranteed to be conducted with the knowledge or consent of the folks paying for the connection anyway.

        There should only ever be discrimination against traffic, not against addresses. Addresses should not be presumed to be fixed, and it should therefore never be assumed that seeing the same client IP twice means it's the same end user.

        • sambazi 11 days ago

          ding ding. your last sentence hit the mark. though from an operations/defensive perspective it often makes sense

  • orangeboats 11 days ago

    It's something I had said before in another thread, but oh well... Here goes again:

    The so called privacy-preservation of CGNAT is a double edged sword. Other websites can't track you, but simultaneously that also means other internet users can't reach you.

    The most obvious consequence is that to host a server, you must purchase a VPS or rent a public IP address from your ISP, and the price for a public IPv4 address is getting higher and higher.

    The less obvious consequence is that you're giving up control to the VPS providers (and other centralized services). Does your VPS provider allow you to host Tor services? Run BitTorrent?

    It's rather ironic that people on HN, a website whose name literally includes the term "hacker", would support things like CGNAT which hurt hackers/hobbyists/"privacyists" the most.

    • beagle3 11 days ago

      To each their own. Want to be reachable? Use IPv6. My privacy is more important to me than being directly reachable.

      • orangeboats 11 days ago

        If you think privacy can be achieved using CGNAT and not services like Tor or VPNs... then good luck.

        I will be blunt: Long term, IPv4 and any technology that extends the lifetime of IPv4 will actually result in the death of online privacy.

        • beagle3 11 days ago

          I do a lot to preserve my privacy.

          The CGNAT makes it impossible for random websites to correlate my actions among them - which is something they try to do while profiling me. It is, as you point out, useless against state actors and similarly funded-and-legally-equipped bodies; For those, you indeed need Tor and VPN and likely that's not enough even then.

          But I care about the civilian "spies" following me; like Facebook, Google, Microsoft, and friends. I use as little of their services as possible, with ad blockers, a restrictive JS policy, ultra restrictive cookie policy, etc. It's unlikely any of them can correlate me with the other (or with myself from yesterday, for many uses). Giving me an externally imposed unique identifier (and a /64 prefix is just that, regardless of randomizing the remaining bits) makes it trivial for them and impossible for me -- unless I do all my browsing through Tor or something like that.

          For the record, I have no proper FB or G account, but cannot avoid Whatsapp and an occasional Google product.

          > I will be blunt: Long term, IPv4 and any technology that extends the lifetime of IPv4 will actually result in the death of online privacy.

          Can you explain why you believe that? To me it sounds like baseless scaremongering.

          • orangeboats 10 days ago

            >Can you explain why you believe that? To me it sounds like baseless scaremongering.

            One word: centralization.

            As we have seen throughout the years, all means of IPv4 lifetime extension have involved the introduction of state, which is bound to a central node. The HTTP/1.1 Host request header allowed the existence of reverse proxies, the invention of NAT allowed routers to no longer be "just" a dumb packet forwarder. Both technologies are involved in state tracking.

            NATs also destroyed the possibility for any two nodes on the Internet to communicate with each other directly, unless workarounds like port forwarding are used. This means that all messages on the Internet must go through a central server, where there can be malicious actors sniffing your traffic. Remember Mark Zuckerberg's infamous "they trust me"? [0]

            But it was still somewhat manageable during the early 21st century, when free IPv4 addresses were available. Most people had only one layer of NAT (in their routers) which they owned and controlled back then, so P2P was still mostly doable, and services like Skype relied on that. Life went on.

            Fast forward to the 2010s, we ran out of IPv4 addresses. CGNATs were starting to be widely deployed so even port forwarding had become impossible. P2P communications ceased to work. Virtual hosting was now ubiquitous. TURN was invented, which of course increased centralization even more. [1] Since central servers have to carry even more traffic now (back then they merely mediated the communication between two nodes behind NAT, now they have to relay the entire traffic), it has become more costly to host web services, increasing the barrier to entry.

            In the 2020s, people can no longer host servers inside their homes, many have come to rely on centralized technologies or services e.g. VPSes for that purpose. By now, we have mostly given up on peer-to-peer, and moved onto "federation" where we have a web of central servers that clients can connect to -- in the end though, a central server is still a central server that you have to implicitly trust, and some admins of the Fediverse had been discovered performing suspicious activities.

            Perhaps I worded my thoughts too strongly in my previous comment, but the trend of centralization is there and continuing. Your own comment has alluded to that fact. Time has shown repeatedly that privacy never fares well under centralization.

            The thing is, the Internet as a whole doesn't have to go down this route, had we simply moved onto IPv6 and restored end-to-end communication. Then P2P is possible again. [2] It's IPv4 and its lack of address space that created an environment where people expect there to be a central node. It's just the natural consequence of the statefulness of IPv4-extending technologies like NAT and CGNAT.

            Oh well, CGNAT preserves privacy, so they say.

            [0]: https://en.wikiquote.org/wiki/Mark_Zuckerberg

            [1]: https://en.wikipedia.org/wiki/Traversal_Using_Relays_around_...

            [2]: https://github.com/realrasengan/dwebchat

            • beagle3 10 days ago

              Thank you for the elaboration.

              I disagree it’s the limited IPv4 address space that promotes centralization, which seems to be the essence of your thesis.

              Incumbents and laziness promote centralization. First, people stopped hosting email because gmail (and friends) were free. Now, it’s become hard regardless of whether you own a pristine IPv4 or not - because msft+goog+amzn+etc make it hard, and effectively own email.

              I don’t see how the IPv4/CGNAT/IPv6 thing is related. To be decentralized, we need thousands of directly addressable nodes (which IPv4 even today easily and cheaply provides), not that every single node be addressable.

              We might just agree to disagree.

              • orangeboats 10 days ago

                It's a fact that with NATs, many nodes are hidden from the Internet -- it's in fact how it works. The only way for two hidden nodes to communicate with each other then, is through a central service. And the hiddenness (statefulness) is what caused you to think that CGNAT provides privacy.

                So, in essence, you are already believing in my thesis! There's no agreeing nor disagreeing here, we are effectively on the same page but looking at the different sides of it.

                As a side note, the early internet had a lot of P2P phenomena, Napster etc were all based on the technology, but we don't see them nowadays except maybe BitTorrent. The entire Web 2.0 (so GOOGL, AMZN, etc) was built on the already-existing expectation that there is a central node somewhere.

  • miyuru 12 days ago

    What kind of privacy are you getting with CGNAT? ISPs and websites can still track you.

    • jasode 12 days ago

      >CGNAT? ISPs and websites can still track you.

      Yes, ISPs can still track but the other websites-that-are-not-the-ISP that depend on logging unique ip addresses for tracking can't identify you behind a CGNAT. My previous comment about how CGNAT can be another layer of privacy for things like torrents: https://news.ycombinator.com/item?id=38176079

      EDIT reply to : >Sure except for the like 800 other metrics they use to track you besides IP lol. Advertisers

      Yes, browser fingerprints and "device behavior" heuristics etc demonstrated at https://amiunique.org/ and https://fingerprint.com/blog/browser-fingerprinting-techniqu... ... also exist but that's not what my reply was about.

      My comment was specifically talking about those websites that depend on ip addresses and not fingerprinting. Examples are torrent trackers, torrent honeypots, and Wikipedia articles' edits history where their server logs keep track of ip addresses instead of browser fingerprints. CGNAT will make users more anonymous in those situations. Lawsuits and subpoenas from RIAA and movie studios against torrenters for copyright infringements were filed against ip addresses and not browser fingerprints.

      As for Google/Facebook sophistication levels of browser fingerprints tracking and surveillance, I'm not so sure how paranoid I should be about it because they still think I'm in Idaho because I happen to open my laptop in a hotel one time there 10 months ago.

      • everforward 11 days ago

        No one “depends” on IP addresses. Wikipedia could very easily (and likely does) use browser fingerprints for some things. They don’t serialize to something human-readable, though, so I wouldn’t expect them to appear anywhere but debug interfaces.

        IPs haven't been a viable way to ban or identify people since the early 00's. For sure since the launch of AWS, and the ease of swapping IPs there. It's been laughably easy to swap source IPs on requests for at least a couple of decades.

        I think the only people you’re getting privacy from is people who didn’t really care enough to invade it in the first place.

        • jasode 11 days ago

          >No one “depends” on IP addresses. Wikipedia could very easily (and likely does) use browser fingerprints

          One of the tools Wikipedia gives admins to protect pages from vandalism/abuse is ip address blocks and not browser fingerprints: https://en.wikipedia.org/wiki/Wikipedia:Blocking_IP_addresse...

          >IPs havent been a viable way to ban or identify people since the early 00’s.

          You are factually wrong. Copyright holders have successfully won lawsuits as recently as 2023[1] by starting the process via subpoena of ip addresses from ISPs. The steps are:

          1) obtain the ip addresses of anonymous users torrenting your intellectual property. (Because the studios monitor torrent trackers for ip addresses.)

          2) Connect a real name to that ip address by having a court subpoena the ISP to reveal the owner of the ip address. If the ISP subscriber on the account is not the actual infringer, ask the owner of the account (via a court deposition) to further identify the actual user (e.g. a spouse, a roommate, etc)

          3) get a financial settlement or judgement against that person

          That type of identity unmasking doesn't happen with CG-NAT or other shared NAT scenarios like libraries/airports because the torrent trackers logs only have granularity of ip addresses which is useless when a thousand people share it.

          [1] April 2023 defendant loses $27016.25 in lawsuit via ip address unmasking: https://casetext.com/case/strike-3-holdings-llc-v-john-doe-s...

          • everforward 11 days ago

            Telecom operators have admitted to being able to identify people through CGNAT since at least 2015 https://torrentfreak.com/pirates-can-be-identified-despite-s...

            You just have to have the source port as well as IP instead of just the IP (which the MPAA et al surely gather). CGNAT is basically just port-based DHCP; it still has to keep an inventory of what ports are available, practically requiring the ability to tell who was using what port at what time.

            Even from a first-principles perspective, if they can't identify subscribers for relatively benign things like piracy, they also can't do it for something like CP. Those logs 100% exist, if only so the telecom has something to turn over when the FBI comes looking for pedophiles.

            > One of the tools Wikipedia gives admins to protect pages from vandalism/abuse is ip address blocks and not browser fingerprints: https://en.wikipedia.org/wiki/Wikipedia:Blocking_IP_addresse...

            And yet that very tooling will detect if a hard-blocked user tries to log in from a new IP address and block that new IP address. It's almost like IP address blocking doesn't work very well...

            You're of course free to do what you want, but it seems naive to me to assume that anyone operating even a moderately popular site isn't browser fingerprinting. Even if the site isn't, CloudFlare will if they use CloudFlare (and I wouldn't be surprised if other CDNs).
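The exchange above (jasode: tracker logs only have IP granularity; everforward: the ISP's CGNAT logs resolve that, given the source port and a timestamp) is easy to make concrete. The following is an added example written for this page, not code from either commenter or from any ISP's logging system. It assumes a CGNAT that logs port-block allocations (subscriber, inside address, external address, port range, validity window) rather than individual flows, which is a common way to keep CGNAT logs manageable; the log lines, subscriber IDs and addresses are constructed for the example. `attribute` answers the question a subpoena with IP, port and time can get answered; `candidates` shows what an IP-only record from a tracker narrows things down to. Note that the same port block is handed to a second subscriber after the first releases it, so the timestamp (and an NTP-accurate translator clock) is as essential as the port.

```python
"""Attributing a CGNAT external address to a subscriber from the translator's logs.

Constructed example.  CGNAT deployments commonly log port-block allocations
(subscriber, inside address, external address, port range, start/end time)
instead of every flow, which keeps the log volume manageable but means that a
lookup needs the external IP, the external port AND an accurate timestamp.
The log format below is made up for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# constructed sample: start,end,subscriber,inside_ip,external_ip,first_port,last_port
NAT_LOG = """\
2024-05-01T10:00:00Z,2024-05-01T10:30:00Z,sub-1001,100.64.3.17,203.0.113.9,1024,2047
2024-05-01T10:05:00Z,2024-05-01T11:00:00Z,sub-1042,100.64.7.2,203.0.113.9,2048,3071
2024-05-01T10:20:00Z,2024-05-01T10:50:00Z,sub-1099,100.64.9.9,203.0.113.9,3072,4095
2024-05-01T10:31:00Z,2024-05-01T11:30:00Z,sub-1150,100.64.1.5,203.0.113.9,1024,2047
"""


@dataclass(frozen=True)
class PortBlock:
    start: datetime
    end: datetime
    subscriber: str
    inside_ip: str
    external_ip: str
    first_port: int
    last_port: int

    def covers(self, external_ip: str, when: datetime, port=None) -> bool:
        """Was this block live on this external IP at that instant (and, if given, for that port)?"""
        if external_ip != self.external_ip or not (self.start <= when < self.end):
            return False
        return port is None or self.first_port <= port <= self.last_port


def ts(s: str) -> datetime:
    """Parse an RFC 3339 UTC timestamp.  The translator's clock must be NTP-accurate for this to mean anything."""
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_log(text: str) -> list:
    blocks = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, sub, inside, ext, lo, hi = line.split(",")
        blocks.append(PortBlock(ts(start), ts(end), sub, inside, ext, int(lo), int(hi)))
    return blocks


def attribute(blocks, external_ip: str, external_port: int, when: str):
    """What the ISP can answer when the requester supplies IP, port and time."""
    hits = [b for b in blocks if b.covers(external_ip, ts(when), external_port)]
    if len(hits) > 1:
        raise RuntimeError("overlapping allocations in log: clock or logging fault")
    return hits[0].subscriber if hits else None


def candidates(blocks, external_ip: str, when: str) -> set:
    """What an IP-only record (a torrent tracker's log, say) narrows it down to."""
    return {b.subscriber for b in blocks if b.covers(external_ip, ts(when))}
```

The practical reading: the CGNAT "cloak" holds exactly as long as the party asking does not hold the source port, and the ISP's own records resolve it completely once they do.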

            • beagle3 11 days ago

              Yes, CGNAT can't give you any protection against state actors.

              But if you are NOT under criminal investigation, having an IPv6 lets every single server on earth know who you are so they can correlate and profile you. That's happening with or without IPv6 of course, but is much less reliable through CGNAT - and essentially useless through a CGNAT if you have proper fingerprinting/cookie/js/3rd party protection. But if you HAVE IPv6, there is nothing you can do to remain anonymous except e.g. Tor.

            • GoblinSlayer 11 days ago

              My symmetric NAT seemingly assigns a random port for every UDP packet. At least that's what I see from STUN servers.

              • everforward 11 days ago

                I got kind of curious how UDP works with CGNAT, and in my travels I found this on the Wikipedia page [1]:

                > STUN does not work with symmetric NAT (also known as bi-directional NAT) which is often found in the networks of large companies. Since the IP address of the STUN server is different from that of the endpoint, in the symmetric NAT case, the NAT mapping will be different for the STUN server than for an endpoint. TURN offers better results with symmetric NAT.

                Not sure if that's related or if you're even having issues, but figured I'd drop it since I found it.

                As for the privacy aspect, are you CGNAT'ed? My understanding is that bidirectional UDP streams generally don't work with CGNAT unless your ISP adds a proxying service that can construct "sessions" out of those packets. E.g. for DNS, you can proxy it across the CGNAT by having the DNS proxy record the transaction ID and the internal IP/port that requested it, and then looking for that txid in UDP packets coming to the DNS relay to forward it.

                The solution I usually see for getting UDP across CGNAT is TURN, but then you're making a TCP connection which can be tracked by port easily.

                I just can't see any way for an ISP to proxy UDP packets without knowing which subscriber they're going to. It seems like trying to make a router route without any routing tables; I just don't see how your ISP can forward that packet to you without knowing it's going to you.

                [1]: https://en.wikipedia.org/wiki/STUN
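GoblinSlayer's observation (a different external port per packet as seen by STUN servers) and the Wikipedia passage quoted above are the same thing seen from two sides: a NAT whose mapping depends on the destination. The following is an added example written for this page, not Trippy's, Tailscale's or any STUN library's code. It builds and parses STUN Binding messages per the RFC 5389/8489 wire format (the XOR-MAPPED-ADDRESS attribute XORs the port with the top half of the magic cookie and the address with the cookie, or cookie plus transaction ID for IPv6), checks that a reply carries the transaction ID we sent, and classifies the NAT from mappings learned through one local socket: one mapping across servers means endpoint-independent mapping (hole punching can work), several means address-dependent mapping, the "symmetric" case where TURN is usually the fallback. The server responses in the test are constructed offline; `probe` is the live version and needs network access. Function names are this example's own.

```python
"""Reading STUN XOR-MAPPED-ADDRESS replies and spotting a symmetric NAT.

Constructed example (not Trippy's or any STUN library's code).  A client sends
a Binding Request from ONE local socket to two STUN servers; if the two
mapped (external) address:port pairs differ, the NAT chooses a new mapping per
destination, i.e. it is "symmetric", and plain STUN hole punching will not work.
Message layout follows RFC 5389/8489.
"""
import ipaddress
import os
import socket
import struct

MAGIC = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
XOR_MAPPED_ADDRESS = 0x0020


def build_binding_request(txid: bytes) -> bytes:
    """20-byte STUN header, no attributes."""
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC) + txid


def build_binding_response(txid: bytes, mapped_ip: str, mapped_port: int) -> bytes:
    """What a STUN server answers; used here to construct test input offline."""
    ip = ipaddress.ip_address(mapped_ip).packed
    key = struct.pack("!I", MAGIC) + txid            # IPv4 XORs with the cookie, IPv6 with cookie||txid
    family = 0x01 if len(ip) == 4 else 0x02
    val = struct.pack("!xBH", family, mapped_port ^ (MAGIC >> 16))
    val += bytes(a ^ b for a, b in zip(ip, key))
    attr = struct.pack("!HH", XOR_MAPPED_ADDRESS, len(val)) + val
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC) + txid + attr


def parse_mapped_address(msg: bytes, txid: bytes) -> tuple:
    """Return (ip, port) from a Binding Success Response, checking it is ours."""
    if len(msg) < 20:
        raise ValueError("short STUN message")
    mtype, mlen, magic = struct.unpack("!HHI", msg[:8])
    if magic != MAGIC or msg[8:20] != txid:
        # also what stops an off-path party from feeding us a fake mapping
        raise ValueError("not a response to our transaction")
    if mtype != BINDING_SUCCESS:
        raise ValueError("binding failed, message type 0x%04x" % mtype)
    key = struct.pack("!I", MAGIC) + txid
    off = 20
    while off + 4 <= 20 + mlen:
        atype, alen = struct.unpack("!HH", msg[off:off + 4])
        val = msg[off + 4:off + 4 + alen]
        off += 4 + ((alen + 3) & ~3)             # attribute values are padded to 4 bytes
        if atype == XOR_MAPPED_ADDRESS:
            family, xport = struct.unpack("!xBH", val[:4])
            n = 4 if family == 0x01 else 16
            addr = bytes(a ^ b for a, b in zip(val[4:4 + n], key))
            return str(ipaddress.ip_address(addr)), xport ^ (MAGIC >> 16)
    raise ValueError("no XOR-MAPPED-ADDRESS in response")


def classify_mapping(mappings) -> str:
    """mappings: (ip, port) pairs learned from different servers on one local socket."""
    distinct = set(mappings)
    if len(distinct) == 1:
        return "endpoint-independent mapping: STUN-style hole punching can work"
    return ("address-dependent mapping (symmetric NAT): %d mappings for one socket, "
            "expect to need TURN" % len(distinct))


def probe(servers, timeout=2.0) -> str:
    """Live check (network required): same socket, several servers, compare mappings."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        mappings = []
        for host, port in servers:
            txid = os.urandom(12)                # fresh, unguessable transaction ID per request
            s.sendto(build_binding_request(txid), (host, port))
            reply, _ = s.recvfrom(1500)
            mappings.append(parse_mapped_address(reply, txid))
    return classify_mapping(mappings)
```

Run `probe` against two STUN servers on different addresses; a CGNAT that allocates a new port per destination will show two different mappings, which is the symptom described in the comment above and the reason TURN rather than STUN ends up carrying the traffic.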

      • cchance 12 days ago

        Sure except for the like 800 other metrics they use to track you besides IP lol. Advertisers don’t need your ip to track anymore

        • beagle3 11 days ago

          For many people, that’s true. But not for those who care. The other metrics are under my control, and I actively scramble them to uselessness. An IP address … I can’t do much about.

      • datascienced 12 days ago

        You can have a different IPv6 every minute if you like. They are plentiful! Maybe have a fixed one for your web server too.

        • alduin32 11 days ago

          That different IPv6 will still identify the subscriber, because it will have a shared prefix, usually statically allocated by the provider.

          • datascienced 11 days ago

            That shared prefix would be no worse than a shared IPv4. Unless the shared prefix is per user and immutable.

            • beagle3 11 days ago

              For every ISP serving my area, it is indeed a "per customer, immutable" prefix. IIRC, some have a 96-bit prefix, some have a /64, but that's the kind of thing that a "maxmind" style database of prefix length per isp lets you nail down easily -- if those databases don't already exist today, they will soon.

              It's easier for the ISP to do it that way.

  • 0xDEADFED5 12 days ago

    they both suck for me. i can't port forward any IPv4, and Verizon blocks any incoming IPv6 on their side

    • justinclift 11 days ago

      Instead of port forwarding for IPv4, couldn't you use that Cloudflare service tunnelling thing?

    • sambazi 12 days ago

      rock and a hard place

      both seem to be political problems rather than technical ones

  • seanlinmt 12 days ago

    But how do you host services through CGNAT though?

    • msk-lywenn 12 days ago

      You can’t. When my ISP switched me to CGNAT, I spent days upgrading everything to IPv6, only to discover that gmail didn’t even support it! (Mail Server to mail server, not the web app) I gave up, asked my ISP IPv4 back and, fortunately, got back a new IPv4. But I fear the day that option will disappear…

      • tambre 12 days ago

        What year was this? While I can't find a source I believe Gmail has supported IPv6 for sending and receiving since World IPv6 Day back in 2011. I've certainly been doing it since 2017.

        Your issue might be rather that Gmail actually enforces all their guidelines on IPv6 instead of silently degrading your reputation behind the scenes like they do for IPv4. So proper RDNS, SPF and DKIM are table stakes with DMARC and MTA-STS strongly recommended.

        • msk-lywenn 11 days ago

          This was maybe three four years ago. That might be it. I lack rDNS but I have everything else. Except for MTA-STS, I’ll check that out

          • tambre 10 days ago

            Yeah, rDNS is a hard requirement for IPv6. I believe you should get a hard reject for missing that with a pointer to the documentation.

      • hlandau 12 days ago

        My mail server has been known to deliver mail to Gmail using IPv6 if I don't tell it not to. Not sure if Gmail will use IPv6 for incoming mail though.

    • eru 12 days ago

      By and large, you don't. I suspect beagle3 cares more about the privacy aspects than hosting a service from their home.

      There are some tricks for hosting through CGNAT, if you have a server on the outside.

    • sambazi 12 days ago

      either by paying a few bucks for a vps with static v4 or try techniques like "nat hole punching" to keep the cgnat statemachine happy. but tbf it isn't meant to

      • kuschku 11 days ago

        > but tbf it isn't meant to

        Then it's not internet. Internet means there is no distinction between "servers" and "clients", everyone is a peer.

        If you can't host things, you don't have internet. You've just got a modern version of MSN/BTX/Telex/whatever

        • sambazi 11 days ago

          how it started, how it's going.

          billions of ppl access the internet thru nat every day, i'm glad it exists and also happy for alternatives

          • orangeboats 11 days ago

            >billions of ppl access the internet thru nat everyday

            A caveat is that a lot of people are knowingly or unknowingly relying on things like UPnP and NAT-PMP to have services operating normally under NAT. That conveniently masked a lot of the issues with NAT in P2P usecases such as online gaming and torrenting.

            Unfortunately, even that is broken under CGNAT.

            The more layers of NAT you put on your connection, the more things you break.

            • sambazi 11 days ago

              interestingly, i religiously disable upnp/pmp on all residential cpe's that i configure due to its glaring security implications. never heard of a problem

              though i do defend v4-nat internet as the way it was meant to be, being jailed behind a cgnat w/o repercussions would push me to another isp.

              • orangeboats 11 days ago

                In gaming communities e.g. Minecraft you regularly get people asking for port forwarding related questions. Some gamedevs automate that process using UPnP, I believe Eve is one of them.

                Neither solution works for me though, as someone whose IPv4 connectivity is behind a CGNAT.

                ALL ISPs in my country have deployed CGNAT so there's no "changing ISP" for me either. IPv6 is the only solution left unless I want to pay a premium to get one of those public IPv4 addresses. Really, single-layered IPv4 NAT can't last forever. The address space of IPv4 is simply too limited.

                • sambazi 11 days ago

                  the push of p2p comms in gaming was never a good idea, but i can totally see how it was sold. apart from that i don't know why any game would need incoming connections.

                  the upnp cargo cult in gaming is real though, despite the prevalence of cgnat.

                  i agree that you should have choice but am not yet ready to accept that ~11B ppl cannot manage with ~3B addresses given the typical ratio of users per v4 with nat.

                  • orangeboats 11 days ago

                    Using "11 billion" as an estimate of total needed addresses is a bad idea (TM).

                    Both sides of the internet (provider and user) need an IP address. An average human may possibly require two or more addresses simultaneously (phone, laptop, office PC, and maybe IoT) in the future. And internet infrastructures like routers and managed switches, although never visible to the end users, need an IP address for themselves too. And don't get me started on containerization.

                    Furthermore, there are internal networks running out of RFC1918 addresses to use so even internal IPv4 has a real limit. Comcast is one of them, T-mobile is another. I believe Facebook moved to IPv6-core because of this too.

                    People constantly find new ways to use more IP addresses. 4.3B is just too small, even with NAT.

                    The fact that we are deploying CGNAT everywhere should have made that obvious enough.

                    • sambazi 10 days ago

                      10/8 routinely being too small and overlapping is a real good reason to use v6 instead

  • nickburns 11 days ago

    if you're a privacy by-default kinda guy—then regrettably you must live in a lonely, lonely world. how do i get there?

    at least i have my edge firewall until you let me know.

    • beagle3 11 days ago

      I live in a very social, active, healthy world.

      Indeed, I don't have "friends" on Facebook / Instagram (I don't use those) - I talk to friends on the phone, meet them in person, we have message groups on various services.

      Some of my friends do post on Facebook or Instagram; but they let me know personally if there's anything important I should know.

      I'm a privacy-by-default kind of guy, yes.

      • nickburns 10 days ago

        you're a privacy by-default kinda guy because you don't maintain any 'traditional' 'social media' accounts i guess you mean to say? that's a somewhat random notion and not entirely relevant as social media is about the lowest hanging fruit any of us could conjure.

        so you believe yourself to be privacy-minded, yeah. i had already gathered that much. my point was that there's all but no such thing and typically merely only the illusion of 'privacy by-default'—hence the lonely, lonely world in which you could only claim to live.

        • beagle3 10 days ago

          I fail to understand your perception in which I am lonely just because I don’t leave breadcrumbs everywhere for state and commercial actors (whose interests don’t align with mine) to find.

          • nickburns 10 days ago

            i don't think you're lonely. i was simply employing sarcasm to suggest that maybe the private world you merely believe yourself to live in doesn't actually exist. not for any of us, myself included.

            we're definitely replying past each other a bit. i now realize after seeing a few of your other comments throughout this thread that your opinions surrounding personal privacy are much more aligned with my own than i think your opinions on CGNAT represent.

            thanks for the discourse no less.

  • allarm 11 days ago

    > because CGNAT preserves my privacy by default

    This comment. Every single time. No it doesn't. NAT doesn't add privacy. NAT doesn't add security. Use a firewall with IPv6. This is it.

    • beagle3 10 days ago

      You are wrong, and I say that as someone who was employed by someone who (likely) invaded and still invades your privacy through a firewall and IPv6.

      Modern firewalls do nothing for privacy. IPv6 eliminates your ability to maintain your privacy.

      Security is a different matter, and NAT doesn't add much there (although it is another layer). But the comment you quoted was specifically about privacy.

      • allarm 10 days ago

        Even though you're right, privacy is quite irrelevant in this case anyway. If no one can walk through the door, your personal space cannot be violated. If you want to hide your IP use VPN. You essentially should not rely on things out of your control, such as CGNAT. But yeah, I agree, I should have mentioned security, only.

        • beagle3 10 days ago

          My threat model excludes state actors and my ISP actively collaborating with those who try to profile me. Thus, CGNAT - which I already get, is comparable to VPN (better in some respects, worse in others).

lambdaone 12 days ago

This article is two years old. I don't think things are as dire as they seem, just a bit more boring than people might like.

I can't see any sign that long-term IPv6 growth has stopped, it's just ceased to accelerate. Looking at Google's IPv6 traffic graph (https://www.google.com/intl/en/ipv6/statistics.html), this is entirely consistent with being the first half of a classic logistic curve, with growth now linear as it approaches the 50% point after 15 years. If this is actually a logistic growth curve, we will presumably see the end of IPv4 sometime around 2040. Even if we take a more optimistic view and assume linear growth continues, it will still take until about 2035.

And that's fine. Old technologies tend to wither away, not go out with a bang.

  • CrLf 12 days ago

    The issue with looking at IPv6 adoption from that point of view is that it only shows half of the picture. It shows the percentage of IPv6-enabled clients, which has been growing steadily.

    On the other side there are still major services that are IPv4-only, and growth is not uniform.

    This means the combined situation is not as cheerful. It's hard to arrive at definitive conclusions, but IPv6 traffic(1) may be as low as 15% when considering this mismatch.

    https://blog.cloudflare.com/ipv6-from-dns-pov/

    Without stronger incentives, IPv6 may be an eternal runner up. At least it looks like it will take quite a few decades more to make IPv4 obsolete.

    (1) By connections or requests. By bytes transferred, IPv6 might have already overtaken IPv4 for all we know (I'm not aware of a broad enough study on this, so I'm open to this possibility). The largest streaming providers are IPv6 enabled.

    • jofla_net 11 days ago

      Another good reason for slow adoption is that the pushers of V6 herald it as the death of all nat, and i wager there are certain types of net admins who really like at least SOME nat. I have a longer writeup here http://www.jofla.net/?p=00000113#00000113

      granted i would love for more v6, if it yielded a 1 for 1 replacement, with all features.

      • nickburns 11 days ago

        IPv6 certainly has its own technically legitimate uses, absolutely. thanks for my next read! (curious how many things you discuss that i hadn't even considered.)

    • anonym29 11 days ago

      Every service I run for all time will be exclusively ipv4. Ipv6 gets a heckler's veto from me for trying to do too much.

      Give me an addressing scheme and absolutely NOTHING ELSE - just like IPv4 - and I'll consider it. IPv6 does an order of magnitude more than just this one thing, and therefore is too complex to be a replacement as it adds a bunch of anti-features that I don't want anywhere near any of my networks for any reason ever.

      I am a permanent rejecter of all ipv6, both as a client and a server.

      For every downvote this post gets, I'm going to increase the number of sockpuppet accounts I automate in my crusade against ipv6 in all public forums by 1 order of magnitude. Each downvote will multiply the number of voices standing in opposition to your own desired outcome coming from my system by ten.

      Don't like it? Propose a better standard that fixes the address space problem without adding layers of shit on top of it next time.

      Democracy is two wolves and a sheep voting on what to eat for lunch, and for this particular subject, I can (and will) make more virtual anti-ipv6 wolves than there are pro-ipv6 sheep that are real humans.

      Don't like that? Demand a better governance system than democracy.

      • jacob019 11 days ago

        Like it or not this is the way forward and you might as well get used to it.

      • nickburns 11 days ago

        the very notion of technology factually implies that it never gets less complex as it iterates upon itself. reminds me of the rhetorical ponderance: how many humans did it take to invent the pencil eraser? (and somehow your post also calls to my mind the woeful Luddites! but i digress...)

        pray tell who, my good man, are you railing against?

      • transpute 11 days ago

        > a bunch of anti-features that I don't want anywhere near any of my networks for any reason ever

        Is there a good write-up on IPv6 anti-features?

  • nickburns 11 days ago

    very well said about legacy technologies, plus estimated projections based on actual current adoption at least to me informative. thanks for sharing your thoughts.

hlandau 12 days ago

CGNAT should be illegal.

Or at least it should be illegal to advertise a CGNAT service as an "Internet connection". It's not an Internet connection, you can't use it to send or receive arbitrary IP packets, only TCP/UDP.

  • patrakov 12 days ago

    Just as well, it should be illegal to advertise a connection with only a single dynamic /64 of IPv6 as an "Internet connection".

  • Latty 12 days ago

    Yeah, I like to compare it to the old "Party Line" phone lines people used to have, where you shared a single phone line with multiple houses and only one person could talk at a time. Sure, it gives you some of the functionality of a phone line, but it is not a phone line, and shouldn't be sold as the same thing.

    Honestly, I'm genuinely surprised no ISP has started doing "gamer" marketing as it seems to be so effective elsewhere, "We give you real public IPs so you can connect directly to your opponents for lower latency, get on the internet fast lane!".

    • everforward 11 days ago

      This already exists via VPNs that allegedly give you better routing/peering to the game servers.

      No idea if they work. I can see conceptually why they might (internet routing is often more of an approximation of a best route than the actual best route), but the problems seem too individualized for a generic VPN to help. Happy to be wrong if someone knows how well/why they work.

      • ClumsyPilot 11 days ago

        > VPNs that allegedly give you better routing/peering to the game servers

        Does this actually work? VPN is always an extra hop

        • everforward 11 days ago

          A VPN isn't always an extra hop from a "hops in traceroute" perspective. It's very possible to get a shitty route from your ISP; e.g. if the best route goes through an ISP that your ISP has shitty peering with. You might get better latency via a VPN to a server inside the "best route ISP" network, because then your ISP _has_ to route your traffic through that peering exchange. I.e. the additional latency of doing the VPN stuff is still less than the additional latency of having a poor route.

          Hops also aren't a particularly useful abstraction here. They don't align with latency very well; the only thing a hop implies is that a router has to get the packet and route it, but that's a huge variance in latency. A hop could take nanoseconds or it could take hundreds of milliseconds. The number of hops doesn't really imply anything useful about latency.

          All that is to say that yes, I believe under some circumstances the VPN could give you lower latency (with a bunch of asterisks). One asterisk is that figuring out whether your peering is good or bad practically requires a network engineer to look at your routes, it's not an easy thing to figure out. A second is that those routes change frequently, so just because the VPN helps today does not mean that it will tomorrow or even for the next hour. A third is that these solutions are likely somewhat custom; each ISP or maybe even each network segment will have particular links that need to be avoided, which means each ISP/network segment will have particular IP ranges that "encourage" the correct routing. Figuring out which to use would be non-trivial.

          In TLDR form, I think a network engineer willing to spend like 4 hours analyzing their network to set up a VPN that will shave 5-10ms off their latency to a particular game for a limited amount of time could probably do so. It's within the realm of possibility that some company is doing a Thousand Eyes-like thing and actually creating optimized VPNs with the same strategy. My suspicion, however, is that they just tell you to log in and try your latency on a bunch of servers til you find one that's lower (at the present moment) and then they hope you never check again.

    • wjholden 11 days ago

      I think I once read that Microsoft's Xbox team once advocated for residential IPv6 for exactly this reason, but I don't have a reference.

    • Gigachad 11 days ago

      Games have largely moved away from direct connections and user hosted servers though. The players and companies prefer the modern match making system. It's easier to use, more reliable, and gives the company greater control over the experience.

      • Latty 11 days ago

        How much of that is because of (CG)NAT though? You can still do matchmaking and have direct connections. Yeah, there are trade-offs, but when you look at for example the fighting game crowd where latency is a big deal, consumers may massively prefer it.

        (Either way, a "gamer" branded product that is unlikely to actually help in most real gaming scenarios is 95% of "gamer" branded products.)

nickburns 12 days ago

"let them use IPv6!" -Marie Antoinette a/k/a your ISP that hasn't even rolled it out yet.

  • IvanAchlaqullah 12 days ago

    Or refuse to implement IPv6. (At least here in Indonesia with only 14% adoption rate)

    Why? Because for residential users that want low latency internet & low packet drop (CGNAT increases both), ISPs can charge "business price" for dedicated IPv4 that aren't behind CGNAT. With IPv6, CGNAT is not needed.

    Considering ISPs/Telcos here are very scummy (they even perform MITM to inject ads, use Class 0 message / AMBER Alert for ads, etc.) I won't be surprised if that's the only reason why they didn't roll out IPv6.

can16358p 11 days ago

I could easily access my computer from the internet when I'm not home back in the days... all the ISPs in my country have moved to CGNAT and there is no v6 support, probably because of lack of demand and ridiculous "static IP" pricing.

Result: I'm constantly checked by Cloudflare etc. and sometimes blocked altogether by some hosts as I'm probably behind the same public-facing IP as many non-savvy people whose devices are infected with botnets.

  • anonym29 11 days ago

    [flagged]

    • erikerikson 11 days ago

      > In a just world concerned with real human rights (restrictions on evildoers from harming you, not entitlements like free X, free Y, and free Z), every Cloudflare employee would go to bed every night fearing whether or not they will wake up alive the next morning.

      Your claim is that in a just world Cloudflare employees would fear for their lives?

James_K 11 days ago

CGNAT is truly one of the ugliest pieces of technology ever created. It is incompetence and bad planning made manifest into software.

sambazi 12 days ago

tbf cgnat is fine for the majority of consumers.

a solution to get public v4 on the cpe could be a deeply buried "advanced-expert iknowwhatiamdoing" checkbox in the isp portal