Hacker News

As a sysadmin, any time I read some variation of "At some point even data centers may become a thing of the past.", I know they don't know what they are talking about. As a matter of fact it has provided much joy through laughter (followed by required sysadmin scotch) at the show "Silicon Valley" for obviously parodying the issue. Datacenters aren't going anywhere, and this strange fascination among hipster-hackers with instant uber-decentralization pushes concerns me because it ignores some of the more real (and fixable) issues at hand like DNS centralization in favor of magical "p2p(+blockchain) will save us all" thinking not backed by much real-world practical implementation.

Don't get me wrong, I'm a darknet, meshnet supporter. I love decentralization. That said, I support the establishment of the infrastructure required to support it independent of end-user devices, and I think for security and other purposes it's at least possible they should remain separate, and devs shouldn't assume so much right to cpu-cycles.

So in essence the topology I think that is preferable would be properly called decentralized-distributed.

Of course that's part of the reason I support things that go against that common grain, such as ipv6nat.



> I support things that go against that common grain, such as ipv6nat.

> ipv6nat

Die in a fire while stung to death by scorpions and your eyes are eaten by spiders.

No, that is too much. You are my fellow human; I don't wish that on anyone.

> ipv6nat

Still. I hope you have to poop while stuck in a meeting.


I genuinely don't understand why you would want ipv6nat. It seems like a bog-standard firewall, but instead of being able to configure rules about incoming traffic, everything is blocked and you are stuck with that.

Maybe somebody who knows more about this topic could explain it?


Explain? Only reason I can think of why this would be funny is that under IPv6 everything could have a dedicated IP, making the NAT useless. No other reason to have NATs, though? Single IP exposure, security, that kind of thing?


FeepingCreature mentioned this:

> One of the hopes for IPv6 was that it'd deliver us from IP address scarcity and hence the need for NAT and all the associated difficulty of NAT traversal.

My response:

> This is what I thought -- why would you need Network Address Translation (NAT) when the address space is big enough to have everyone have an individual address? No need to traverse a router, it just becomes another hop in the chain.


Because you might not want to expose your internal addresses to the wider internet for a variety of reasons. Security, variability, compatibility with IPv4 clients/subnets etc.


NAT is not a security mechanism, nor is it a necessary part of routing ("variability"). At the very best, it's a band-aid - mostly cosmetic and provides psychological comfort.


But it provides some privacy. Identifying users solely by IP doesn't work well with ipv4. Even if you have a subnet in ipv6, you're still the only one using it.


Band-aid again. Identifying users by IP was never a reliable technique; and with most services, I'm still the only human using my public IPv4 address, NAT or no NAT.

If worried about privacy, you have a whole raft of identifying mechanisms to cope with before the IP address as an identifier even appears on the horizon, and there are tools to obfuscate your source address; NATing it away only makes things more complicated without a commensurate increase in privacy (worse, provides a false sense thereof).


I'm not sure if this makes sense -- it sounds like security through obscurity. If your address is reachable, it is exposed. Not allowing people to enumerate the devices on your network is one thing, but if you're accessible through your router (internal port forwarding/DMZ whatever), then you're exposed, whether NAT happens or not.

If your router is "just a node" in between (that happens to have a monopoly on the address/nodes it's in front of), it just needs to disallow access to the endpoint that is behind it -- almost like purposefully leaving it out of the routing table. It's not like people are going to be able to guess your IPv6 address easily, and even if they could, the proper way to deal with that is to just ensure you're actually secure (and no ports are open, forwarding isn't being done at all, etc.).

Am I missing something here? The way things work now, yes, you can't find out what IP addresses are on the private network behind a router, but if any ports on the router are open, you know SOMETHING is responding (whether the router or something else). In the IPv6-no-NAT world, the router could just forward all your traffic (pretending the router was the originating computer), and NOT allow any traffic that attempts to hit the IP at the computer past it. Someone still needs to know the internal address before they can try and access that internal computer -- and you can still stop it at the router if you wanted to...

What am I missing? I'm not a networks expert, but from my understanding of networking/nat/firewalls/security/etc, I can't see how ipv6 increases your exposure that much.


IPv6 address space is so huge that every internal Internet-connected host should receive discrete internal and external prefixes, the latter associated with your AS and the former unannounced and with no global routing.

Internal servers, routers etc don't receive the external prefix and so can't be enumerated from the Internet.


That's what firewalls are for.


What should people do if they want to connect multiple clients to the Internet and they are only given 1 IPv6 address?

The answer is not "just be given more IPv6 addresses." People who can benefit from ipv6nat probably don't have much of a choice. It's a technical tool.

Imagine getting just one IPv6 address to your LTE phone and wanting to share it with a room full of devices.


Maybe your phone can be assigned a block.


Just like I don't get 100 IPv4 addresses on my phone, I don't get a block of IPv6 addresses. There is nothing I can do about it. IPv6 changes nothing in that regard, effectively.


Except that with IPv6, your telco could delegate you an entire /64, or potentially less and turn your phone into just another router in the network.

Just asked my friend who is on Verizon, when he is tethered to his phone his laptop/computer gets a full globally unique IPv6 address, every device that is tethered gets one. So it already exists.


> Just like I don't get 100 IPv4 addresses on my phone, I don't get a block of IPv6 addresses. There is nothing I can do about it.

Sure you can. Do the thing the people whose ISPs give them zero IPv6 addresses do -- use a tunnel broker. Or a VPN provider that gives you a real IPv6 address block.


Isn't this a security thing? I'm not anything close to a security expert, but I always understood that it was best not to have your personal computer exposed directly to the Internet. Not to mention just having control over my own network.

Also, my ISP only gave me one ipv6 address. I'm OK with that.


You can have a firewall without NAT


Your ISP likely gave you a single IP address for your router, and will happily also give you a /64 or larger for your internal network.


It's not that bad, I promise. If one really takes the time to examine the reasoning given for the hate, one might find those reasons wanting.

Have you had to deal with it directly yourself and found something wrong?


How do you cope with something like gossip in Consul when you have a

    host <-> nat <-> internet <-> nat <-> host 
setup?

The last time I tried, gossip would send a UDP packet from something other than port 8302, so left to right would work OK, but NAT would assume some state there, and treat right to left as a reply rather than a fresh connection, and stuff would get lost.

Although, it has been a couple of years and I'm probably misremembering the details.

I do remember it being hard to debug.
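The two threads of argument above, "a firewall without NAT" (the stateful filter that several replies say is what actually protects you) and the Consul gossip failure in the comment just above, both come down to how a middlebox decides whether an inbound packet is a reply. The following is an added toy model, not code from this thread, from Consul, or from any vendor: it implements a port-restricted NAT and a no-rewriting stateful filter side by side and replays the `host <-> nat <-> internet <-> nat <-> host` exchange where the far host answers from a different source port. All addresses are constructed samples (10.0.0.0/8 and 203.0.113.0/24 on the NAT side, the 2001:db8::/32 documentation prefix on the IPv6 side), and the port-restricted filtering and "one forward per public port" behaviour are modelling assumptions about a typical consumer NAT, not a claim about any specific product.

```python
"""Toy packet-filter model contrasting a port-restricted NAT with a stateful
filter that rewrites nothing. Added example, not Consul's or any vendor's code.
Addresses are constructed samples."""
from dataclasses import dataclass

GOSSIP = 8302   # UDP port the thread names for Consul gossip


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFilter:
    """Default-deny inbound with flow tracking and no address rewriting.

    This is the 'firewall without NAT' case: inside hosts keep their global
    addresses, and an outside packet is delivered only if it answers a
    tracked outbound flow or matches an explicit allow rule."""

    def __init__(self, allow_inbound=()):
        self.allow = set(allow_inbound)   # {(inside_addr, port)}
        self.flows = set()                # {(in_addr, in_port, peer_addr, peer_port)}

    def outbound(self, p):
        self.flows.add((p.src, p.sport, p.dst, p.dport))
        return p                          # forwarded unchanged

    def inbound(self, p):
        if (p.dst, p.dport, p.src, p.sport) in self.flows:
            return p                      # reply to a flow we opened
        if (p.dst, p.dport) in self.allow:
            return p                      # explicitly opened service
        return None                       # unsolicited: dropped


class PortRestrictedNat:
    """One public address; each inside (addr, port) is mapped to a public port.

    Same default-deny as StatefulFilter, plus rewriting (modelling assumption:
    port-restricted filtering). Inbound is accepted only from the exact
    (addr, port) an outbound packet went to, or through a static forward,
    and a public port can forward to exactly one inside socket."""

    def __init__(self, public, forwards=None):
        self.public = public
        self.forwards = dict(forwards or {})   # public_port -> (inside_addr, port)
        self.mapping = {}                      # (inside_addr, port) -> public_port
        self.peers = set()                     # {(public_port, peer_addr, peer_port)}
        self.next_port = 40000                 # ephemeral public ports

    def outbound(self, p):
        key = (p.src, p.sport)
        if key not in self.mapping:
            static = [pub for pub, tgt in self.forwards.items() if tgt == key]
            if static:
                self.mapping[key] = static[0]  # forwarded socket keeps its port
            else:
                self.mapping[key] = self.next_port
                self.next_port += 1
        pub = self.mapping[key]
        self.peers.add((pub, p.dst, p.dport))
        return Packet(self.public, pub, p.dst, p.dport)

    def inbound(self, p):
        if (p.dport, p.src, p.sport) in self.peers:
            addr, port = next(k for k, v in self.mapping.items() if v == p.dport)
            return Packet(p.src, p.sport, addr, port)
        if p.dport in self.forwards:
            addr, port = self.forwards[p.dport]
            return Packet(p.src, p.sport, addr, port)
        return None


def gossip_roundtrip(nat, reply_port=51000):
    """Host A contacts host B on the gossip port; B answers from reply_port.

    With NAT, only B's side forwards 8302 (A's side has no forward, as the
    thread's host <-> nat <-> internet <-> nat <-> host setup implies).
    Without NAT, each side's filter simply allows inbound 8302 to its host.
    Returns the packet finally delivered to A, or None if it was dropped."""
    if nat:
        a, b = "10.0.1.5", "10.0.2.5"
        left = PortRestrictedNat("203.0.113.1")
        right = PortRestrictedNat("203.0.113.2", forwards={GOSSIP: (b, GOSSIP)})
        b_public = right.public
    else:
        a, b = "2001:db8:1::5", "2001:db8:2::5"
        left = StatefulFilter(allow_inbound=[(a, GOSSIP)])
        right = StatefulFilter(allow_inbound=[(b, GOSSIP)])
        b_public = b
    seen_by_b = right.inbound(left.outbound(Packet(a, GOSSIP, b_public, GOSSIP)))
    if seen_by_b is None:
        return None
    reply = Packet(b, reply_port, seen_by_b.src, seen_by_b.sport)   # B answers what it saw
    return left.inbound(right.outbound(reply))
```

Run `gossip_roundtrip(nat=True)` and the reply comes back `None`: A's NAT mapped A:8302 to public port 40000 and only remembers B's public 8302 as the peer, so a packet from B's freshly mapped port is not a reply, and with no forward on A's side it has nowhere else to go. `gossip_roundtrip(nat=True, reply_port=8302)` succeeds, which is the "treated as a reply" case from the comment, and `gossip_roundtrip(nat=False)` succeeds from any port because the filter on A's side has a plain allow rule for A:8302 and never rewrote anything. The default-deny property is identical in both classes; the NAT only adds the rewriting, and with it the limit that `forwards` can point each public port at one inside socket, so a second gossip host behind the same public address cannot also be reached on 8302, while the filter's allow set takes as many (host, port) pairs as you have hosts.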


What am I missing?


Debugging NAT. It's, well, unpleasant. IPv6 has a whole lot more address space than IPv4. It obviates the need for NAT. I think the standard deal is a /64 for your router. You can roll addresses every half hour forever, if you want to.

NAT is just a bunch of glued-together heuristics about how things should work. It's not fun to debug. I mean, you have 2^32 internets' worth of space to assign to machines. Everything is so much simpler without NAT.

I dunno. Maybe I'm an idiot. Maybe NAT is super cool, and I'm just jaded. IMHO it makes things very difficult. But I'll defer to the majority. Whether I want to or not.
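The "roll addresses every half hour" remark above, and the earlier privacy argument about being the only user of your /64, refer to temporary (privacy) addresses. As an added illustration that is not code from this thread or from any operating system, here is the RFC 4941 derivation of successive temporary interface identifiers inside one /64: each identifier is the left half of an MD5 over a secret history value and the stable identifier, with the universal/local bit cleared, and the right half becomes the next history value. RFC 8981 has since replaced this chain with plainly random identifiers, but the chained form shows concretely why an observer who lacks the history value cannot link one address to the next even though the /64 stays the same. The MAC address and prefix are constructed samples (2001:db8::/32 is the documentation prefix).

```python
"""RFC 4941 section 3.2.1 temporary interface identifiers (added example;
not the code of any OS). Sample MAC and prefix are constructed."""
import hashlib
import ipaddress
import os


def eui64_from_mac(mac):
    """Modified EUI-64 identifier from a MAC address: the stable identifier
    SLAAC would otherwise embed in every address."""
    b = bytearray(bytes.fromhex(mac.replace(":", "")))
    b[0] ^= 0x02                                   # flip universal/local bit
    return bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])


def next_temporary_iid(history, stable_iid):
    """One RFC 4941 step: returns (temporary_iid, next_history)."""
    digest = hashlib.md5(history + stable_iid).digest()
    iid = bytearray(digest[:8])                    # leftmost 64 bits
    iid[0] &= 0xFD                                 # clear u/l bit: local significance only
    return bytes(iid), digest[8:]                  # rightmost 64 bits seed the next step


def temporary_addresses(prefix, stable_iid, history, count):
    """Successive temporary addresses inside a /64, each chained from the last.
    Returns (addresses, history) so the chain can be continued later."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("temporary addresses are formed inside a /64")
    out = []
    for _ in range(count):
        iid, history = next_temporary_iid(history, stable_iid)
        out.append(ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big")))
    return out, history


def demo():
    """Four temporary addresses for a constructed host; history is random per boot."""
    stable = eui64_from_mac("00:11:22:33:44:55")   # constructed sample MAC
    addrs, _ = temporary_addresses("2001:db8:1::/64", stable, os.urandom(8), 4)
    return addrs
```

The lifetimes are what make the "every half hour" part real: the RFC defaults are a one-day preferred and one-week valid lifetime, and on Linux the knobs are `net.ipv6.conf.<iface>.use_tempaddr` (2 prefers the temporary address for new connections), `temp_prefered_lft` and `temp_valid_lft` in seconds. A preferred lifetime of 1800 rotates the outgoing address on that schedule; addresses that are past preferred but still valid keep serving existing connections, which is the part NAT-based address hiding never offered.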


One of the hopes for IPv6 was that it'd deliver us from IP address scarcity and hence the need for NAT and all the associated difficulty of NAT traversal.


This is what I thought -- why would you need Network Address Translation (NAT) when the address space is big enough to have everyone have an individual address? No need to traverse a router, it just becomes another hop in the chain.


Another positive (unintended) consequence of needing NAT everywhere is that it means most devices end up behind some sort of firewall by default.


I come to this less from a practical side, more from the side of a person who reads history books.

Every page yells at you: "decentralize", prevent destruction, prevent information control, prevent fortress paranoia and pride by delusions.



