Hizonner 3 days ago

If I run out of IPv4 addresses for my own network, I can install NAT and make that problem (sort of, mostly, vaguely) go away.

If I want to use IPv6 to solve my IPv4 address shortage problem, and I want to communicate with you, I have to wait for you to also install IPv6.

SNI isn't really the same thing. For one thing it has actual positive benefits, very much unlike NAT (and no NAT is not a fucking security feature and is orthogonal to fucking firewalls don't make me come over there). And for me to use SNI, your browser (or whatever) has to send SNI, so it's still a change on only one end. But it still does let me put more than one service on a single IP address, and you only have to upgrade one program, probably a program you were going to upgrade anyway, rather than change your whole networking structure.

The way this should have worked was that IPv4 should have been turned off completely in the public Internet around 1997 or 1998. But ISPs didn't want to tell the much smaller number of much more sophisticated admins back then that they had to, you know, change things. So people just kept baking IPv4 into more and more things, and throwing in more and more NAT, and not even bothering to learn or teach IPv6... and ignoring all the things they were breaking.

Many (not all!) of the things they were breaking were things that really came into play if you were trying to do P2P. Like, for instance, the ability to, you know, actually make a connection to any random peer. There are hacks, but they work poorly when they work at all. So since NAT was everywhere, P2P didn't have a chance. There were other forces at work too, but basically everybody's business model and expectations gelled around centralization in a way that might have had a chance of not happening if there hadn't been NAT all over the place.

taskforcegemini 2 days ago | parent | next [-]

> NAT (and no NAT is not a fucking security feature and is orthogonal to fucking firewalls..)

Is this about the meaning of the term "NAT"? Because of course it is a security feature if something is offline by default.

Hizonner a day ago | parent [-]

A box that enforces that doesn't have to do NAT. In fact it's simpler and less error-prone if it doesn't.

I will be over there soon.

throw0101d 3 days ago | parent | prev [-]

> If I want to use IPv6 to solve my IPv4 address shortage problem, and I want to communicate with you, I have to wait for you to also install IPv6.

Or you set up DNS64/NAT64/464XLAT on your IPv6 end of things, and those on IPv4 side don't have to do anything.

apitman 2 days ago | parent | next [-]

I'm not really familiar with IPv6. If I have a million IPv4 servers, it's pretty simple to set up a million subdomains and route incoming TLS requests using SNI. If I have a million IPv6 servers, can I somehow accomplish the same thing using DNS64/NAT64/464XLAT? Assuming the incoming request is from an IPv4-only host.

throw0101c a day ago | parent [-]

> If I have a million IPv6 servers, can I somehow accomplish the same thing using DNS64/NAT64/464XLAT? Assuming the incoming request is from an IPv4-only host.

You can have a front-end with IPv4 and have a box send the request to the back-end which is IPv6.

This is how FaceMeta has worked for the last few years: they are completely IPv6 internally in their DC and only have IPv4 at the edges to service 'legacy' connections.

* https://www.youtube.com/watch?v=IKYw7JlyAQQ

* https://engineering.fb.com/2017/01/17/production-engineering...
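The IPv4 front-end dispatching on SNI to IPv6-only back-ends, as an added example (not code from this thread or from Meta): it peeks at the TLS ClientHello's server_name extension and picks a back-end before any TLS state is set up. The host names and 2001:db8:: addresses are constructed placeholders, and the ClientHello builder exists only so the parser can be exercised offline.

```python
import struct

# Constructed front-end dispatch table: SNI host -> IPv6-only back-end
# (placeholder names and documentation-prefix addresses, not real hosts).
BACKENDS = {"app1.example.net": "2001:db8::10",
            "app2.example.net": "2001:db8::20"}

def extract_sni(record):
    """Return the host_name from a TLS ClientHello record, or None.
    Walks the record and handshake headers, then the extension list for
    type 0 (server_name, RFC 6066); truncated input yields None."""
    try:
        if record[0] != 0x16:                    # handshake record
            return None
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if hs[0] != 0x01:                        # ClientHello
            return None
        p = 4 + 2 + 32                           # hs header, version, random
        p += 1 + hs[p]                           # session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]   # cipher_suites
        p += 1 + hs[p]                           # compression_methods
        ext_end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            body = hs[p + 4:p + 4 + elen]
            p += 4 + elen
            if etype == 0 and len(body) >= 5 and body[2] == 0:  # host_name
                nlen = struct.unpack("!H", body[3:5])[0]
                return body[5:5 + nlen].decode("ascii")
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None

def pick_backend(record):
    """Map SNI to an IPv6 back-end; unknown or missing names give None."""
    name = extract_sni(record)
    return BACKENDS.get(name) if name else None

def build_client_hello(host):
    """Constructed minimal ClientHello carrying only an SNI extension."""
    name = host.encode("ascii")
    sni = b"\x00" + struct.pack("!H", len(name)) + name
    ext = struct.pack("!HHH", 0, len(sni) + 2, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00"       # version, random, no session
            + struct.pack("!H", 2) + b"\x13\x01"    # one cipher suite
            + b"\x01\x00"                           # null compression only
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

A real front-end would read just the first record from the IPv4 socket, call pick_backend, then splice the bytes through to the chosen IPv6 address; names not in the table get the connection closed rather than a default back-end.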

apitman a day ago | parent [-]

So I still need SNI for IPv4 requests.

throw0101c a day ago | parent [-]

Given the finite nature of IPv4 addresses, how can it be otherwise?

Hizonner a day ago | parent | prev [-]

... meaning I still have to have a public IPv4 address (or many) for them to connect to, and I have to install a NAT system that is, if anything, an even uglier, more complicated kludge than plain IPv4 NAT.

And I still don't get any-to-any connectivity with the IPv4 people, which is what you need if P2P is going to be seamless.

Dagger2 a day ago | parent [-]

You're never going to get that. There isn't enough v4 in the world for that. That's kind of why we're doing v6.

You don't have to install NAT64 to connect to v4-only hosts -- you can run dual-stack, and use your existing v4 setup to reach them. NAT64 is just what you do when you want to turn off v4. You said in the post above that people running networks should have been told they had to change things, so you don't get to whinge about needing to do it yourself.

Also, you don't need to have a public v4 address for v4-only people to connect to you. Reverse proxying is a service you can pay for, and only the people running the proxy need v4. CloudFlare do this (for free, even, depending on what you're doing).

In fact the same is true of NAT64; set your DNS server to e.g. 2a01:4f8:c2c:123f::1 and away you go.