- I don't want my interfaces to have multiple IP addresses<p>- I don't want my devices to have public, discoverable IPs<p>- I like NAT and it works fine<p>- I don't want to use dynamic DNS just so I have set up a single home server without my ISP rotating my /64 for no reason (and no SLAAC is not an answer because I don't want multiple addresses per interface)<p>- I don't need an entire /48 for my home network<p>IPv6 won't help the internet "be addressable." Almost everyone is moving towards centralized services, and almost no one is running home servers. IPv4 is not what is holding this back.
Why don't you want every device to have a public IP? There seems to be a perception that this is somehow insecure, but the default configuration of any router is to firewall everything. And one small bonus of the huge size of a /64 is that port scanning is not feasible, unlike in the old days when you could trivially scan a whole IPv4 /24 of a company that forgot to configure their firewall.<p>NAT may work fine for your setup, but it can be a <i>huge</i> headache for some users, especially users on CGNAT. How many years of human effort have gone towards unnecessary NAT workarounds? With IPv6, if you want a peer-to-peer connection between firewalled peers, you do a quick UDP hole punch and you're done - since everything has a unique IP, you don't even need to worry about remapping port numbers.<p>Your ISP shouldn't be rotating your /64, although unfortunately many do since they are still IPv4-brained when it comes to prefix assignment. Best practice is to assign a static /56 per customer, although admittedly this isn't always followed.<p>And if you don't need a /48... don't use it? 99.99% of home customers will just automatically use the first /64 in the block, and that's totally fine. There's a ton of address space available, there's no drawback to giving every customer a /56 or even a /48.
Great question and my gut is that it makes it <i>that much easier</i> for large, perhaps corporate interests to gain surveillance and control. I'm aware it's possible now, but it really feels like there's some safety in the friction of the possibility that my home devices just switch up IP addresses once in a while.<p>Like, wouldn't e.g. IPv6 theoretically make "ISP's charging per device in your home" easier, if only a little bit? I know they COULD just do MAC addresses, but still.
You can't correlate the number of addresses with the number of devices because IPv6 temporary addresses exist. If you enable temporary addresses, your computer will periodically randomly generate a new address and switch to it.<p><a href="https://www.rfc-editor.org/rfc/rfc8981.html" rel="nofollow">https://www.rfc-editor.org/rfc/rfc8981.html</a>
I don’t want some of my devices to be publicly addressable at all, even if I mess up something at the firewall while updating the rules. NAT provides this by default.<p>I don’t want a static address either (although static addresses should be freely available to those who want them). Having a rotating IP provides a small privacy benefit. People who have upset other people during an online gaming session will understand; revenge DDoS is not unheard of in the gaming world.
> I don’t want some of my devices to be publicly addressable at all, even if I mess up something at the firewall while updating the rules. NAT provides this by default.<p>This feels like a strawman. If you are making the sort of change that accidentally disables your IPv6 firewall completely, you could accidentally make a change that exposed IPv4 devices as well (accidentally enabling DMZ, or setting up port forwarding incorrectly for example).
You can have IPv6 firewalls emulate the behavior of NAT so it blocks unsolicited inbound traffic while allowing outbound traffic. If you get a /48 form your ISP you could rotate to a new IP address every second for the rest of your life.
Many routers don't firewall by default. Lemme check later, but pretty sure my basic ASUS router doesn't either.
> hollowing can crash the target process if the payload isn't carefully matched to the host process architecture.<p>So here's the thing. My ISP does _not_ rotate my IPv4 address, but _does_ rotate IPv6. Why? I'll never know.<p>Anyhow. I'm not confused about NAT vs. firewalling. No one who dislikes IPv6 is confused by this.
NAT is arguably a very broken solution.IPv4 isn't meant to be doing address translation, period. NAT creates all sorts of issues because in the end you're still pretending all communications are end to end, just with a proxy. We had to invent STUN and all sorts of hole punching techniques just to make things work decently, but they are lacking and have lots of issues we can't fix without changing IPv4. I do see why some people may like it, but it isn't a security measure and there are like a billion different ways to have better, more reliable security with IPv6. The "I don't want my devices to have public, discoverable IPs" is moot when you have literally billions of addresses assigned to you. with the /48 your ISP is supposed to assign you you may have 4 billion devices connected, each one with a set of 281 trillion unique addresses. You could randomly pick an IP per TCP/UDP connection and not exhaust them in _centuries_. The whole argument is kind of moot IMHO, we have ways to do privacy on top of IPv6 that don't require fucking up your network stack and having rendezvous servers setting that up.<p>We may also argue that NAT basically forces you to rely on cloud services - even doing a basic peer to peer VoIP call is a poor experience as soon as you have 2 layers of NAT. We had to move to centralised services because IPv4 made hosting your own content extremely hard, causing little interest in symmetrical DSL/fiber, leading to less interest into ensuring peer to peer connections between consumers are fast enough, which lead to the rise of cloud and so on. I truly believe that the Internet would be way different today if people could just access their computers from anywhere back in the '00s without having to know networking
NAT is a horrible, HORRIBLE hack that makes everything in networking much more complicated. IP networking is very elegant when everyone is using globally unique addresses and a ugly mess when Carrier NAT is used.
NAT demonstrably does not work fine. We have piles of ugly hacks (STUN, etc) that exist only because NAT does. If you really want to keep NAT then nothing stops you from running it on IPv6, but the rest of us shouldn't suffer because of your network design goals.
NAT only matters in so far as you don't technically need a firewall to block incoming traffic since if it fails a NAT lookup you know to drop the traffic.<p>But from a security standpoint you can just do the same tracking for the same result. That is just technically a firewall at that point.
So run fc00::/7 addresses with IPv6 NAT.<p>That addresses all of your concerns, and you have that option.
IPv4 is not holding back home setups, nobody cares about NAT at home.<p>The place where it hurts is small VPSs, from AWS to mom and pop hosters, the cost of addresses is becoming significant compared to low cost VPSs.
NAT is hurting anyone who has to use CGNAT and share an IP with a bunch of other people.
> nobody cares about NAT at home.<p>Only because most people don't know how NAT is hurting them, and because corporations have spent incredible resources on hacking around the problem for when peer to peer is required (essentially only for VoIP latency optimization and gaming).<p>NAT hurts peer to peer applications much more than cloud services, which are client-server by nature and as such indeed don't care that only outgoing connections are possible.
Even in a NAT-less world, the common advice is to use a firewall rule that disallows incoming connections by default. (And I'd certainly be worried if typical home routers were configured otherwise.) So either way, you'd need the average person to mess with their router configuration, if they want to allow incoming P2P connections without hole-punching tricks. At best, the lack of NAT might save you an address-discovery step.
> the common advice is to use a firewall rule that disallows incoming connections by default.<p>That's good advice! But firewall hole punching is also significantly easier (and guaranteed to work) compared to NAT hole punching. Address discovery is part of it, but there are various ways to implement a NAT (some inherently un-hole-punch-able) and only really one sane way to do a firewall.<p>> you'd need the average person to mess with their router configuration,<p>At least with IPv6, that firewall is likely to exist in the CPE, which sophisticated users can then ideally open ports in (or which can implement UPnP/NAT-PMP or whatever the current name for the "open this port now!!" protocol of the decade is); for CG-NAT, it's often outright impossible.
I recently changed ISPs and have IPv6 for the first time. I mostly felt the same way, but have learned to get over it. Some things took some getting used to.<p>An "ip address show" is messy with so many addresses.<p>Those public IPs are randomized on most devices, so one is created and more static but goes mostly unused. The randomly generated IPs aren't useful inbound for long. I don't think you could brute force scan that kind of address space, and the address used to connect to the Internet will be different in a few hours.<p>Having a public address doesn't worry me. At home I have a firewall at the edge. It is set to block everything incoming. Hosts have firewalls too. They also block everything. Back in the day, my PC got a real public IP too.<p>NAT really is nice for keeping internal/external separate mentally.<p>I'm lucky enough my current ISP does not rotate my IPv6 range. This, ironically, means I no longer need dynamic DNS. My IPv4 address changes daily.<p>A residential account usually gets a /56, what are you talking about? Nowhere near a /48! (I'm just being funny here...)<p>There are reasons to need direct connectivity that aren't hosting a server. Voice and video calls no longer need TURN/STUN. A bunch of workarounds required for online gaming become unnecessary. Be creative.
> Having a public address doesn't worry me. At home I have a firewall at the edge. It is set to block everything incoming.<p>Concern is privacy, not security. Publicly addressable machine is a bit worse for security (IoT anyone?), but it is a lot worse for privacy.
I'm not confused about the NAT / firewall distinction, but it might be nice if my ISP didn't have a constant, precise idea of exactly how many connected devices I owned. Can that be _inferred_ with IPv4? Yes, but it's fuzzier.
Is this solved by the device having between 1 and X randomly generated IPv6 addresses?<p>Some of my devices have 1, some 2, and some even more. Takes some precision out, at least.
You already have a public IP address the only difference is if you have a rotating IP address which is orthogonal to IPv6.<p>The only difference is most ISPs rotate IPv4 but not IPv6.<p>Heck IPv6 allows more rotation of IPs since it has larger address spaces.