this post was submitted on 05 Feb 2024
189 points (95.2% liked)

Technology

Amazon finds $1B jackpot in its 100 million+ IPv4 address stockpile | The tech giant has cited ballooning costs associated with IPv4 addresses

[–] cheet@infosec.pub 18 points 9 months ago (2 children)

In addition to what the other commenter said, a lot of sys and net admins really don't like the idea of every lan device being globally addressable. While there are ways around it, a standard IPv4 NAT is a safety blanket to a lot of admins... Not that it should be like that, just my observation.

[–] abhibeckert@lemmy.world 8 points 9 months ago* (last edited 9 months ago) (1 children)

a lot of sys and net admins really don’t like the idea of every lan device being globally addressable

Those admins don't know what they're talking about. IPv6 has a region of the address space that can only be reached locally - similar to the 192.168.x.x space in IPv4. The only difference is it's really big (way bigger than the entire IPv4 space).

As for NAT... there's nothing stopping you from using it with IPv6. It's often unnecessary, but if you disagree you can use it. And in practice NAT is often part of the transition process to IPv6 - my cell network carrier for example gives my phone an IPv6 address on their internal network but routes all my traffic to the regular internet via IPv4. They are using NAT to do that. If you try to ping my phone's IPv6 address, it won't reach my phone.

[–] Fungah@lemmy.world 4 points 9 months ago (2 children)

Honestly my biggest issue with IPv6, aside from not understanding it, which I don't, at all, I've realized while setting up my own OPNsense firewall, is that they decided on FUCKING COLONS. AND LETTERS. Okay, cool, hexadecimal exists, that's swell, but typing them is such a fucking pain in the ass.

There's no way to put your fingers on a keyboard to make it feel natural.

[–] frezik@midwest.social 3 points 9 months ago

Nothing the mechanical keyboard community can't solve.

https://ipv6buddy.com/

[–] nightwatch_admin@feddit.nl 3 points 9 months ago

While I agree that it is godawful to type and worse to read, let alone remember, you wouldn’t want these addresses in full decimal notation…

[–] frezik@midwest.social 4 points 9 months ago* (last edited 9 months ago) (1 children)

They need to stop that nonsense. NAT is not for security, and was not designed for security purposes. In fact, there are a few ways it subverts security, such as SNI in TLS making the connection less private than it could be.

If they want to block external connections, a border firewall can do the job just fine without NAT. It's arguably better, because NAT complicates existing firewall rules and their implementation in code. Complications are the enemy of security.
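The filtering described in the comment above, as an added example that is not part of the original thread: a minimal model of a stateful border filter that drops unsolicited inbound IPv6 traffic without rewriting any address. The `BorderFirewall` class, the `demo` function and all addresses are hypothetical; the addresses are constructed from the 2001:db8::/32 documentation prefix.

```python
import ipaddress

# Constructed sample values: 2001:db8::/32 is the IPv6 documentation prefix.
LAN = ipaddress.ip_network("2001:db8:1::/64")
ULA = ipaddress.ip_network("fc00::/7")          # unique local addresses
LINK_LOCAL = ipaddress.ip_network("fe80::/10")  # link-local addresses


class BorderFirewall:
    """Hypothetical stateful filter: default-deny inbound, no address rewriting."""

    def __init__(self, lan):
        self.lan = lan
        self.flows = set()  # flows opened from inside: (proto, src, sport, dst, dport)

    def handle(self, proto, src, sport, dst, dport):
        """Return 'accept' or 'drop' for one packet arriving at the border."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # Local-scope addresses are never forwarded across the site border.
        if any(a in ULA or a in LINK_LOCAL for a in (src, dst)):
            return "drop"
        if src in self.lan and dst not in self.lan:
            self.flows.add((proto, src, sport, dst, dport))  # outbound: remember it
            return "accept"
        if dst in self.lan and src not in self.lan:
            # Inbound: accept only the mirror image of a recorded flow.
            reply_of = (proto, dst, dport, src, sport)
            return "accept" if reply_of in self.flows else "drop"
        return "drop"  # not border traffic in this model


def demo():
    fw = BorderFirewall(LAN)
    host, server, scanner = "2001:db8:1::10", "2001:db8:ffff::80", "2001:db8:bad::1"
    return [
        fw.handle("tcp", scanner, 40000, host, 22),        # unsolicited inbound
        fw.handle("tcp", host, 51000, server, 443),        # outbound from the LAN
        fw.handle("tcp", server, 443, host, 51000),        # reply to that flow
        fw.handle("tcp", server, 443, host, 51001),        # no matching flow
        fw.handle("tcp", "fd12:3456::1", 1, server, 443),  # ULA source at the border
    ]


if __name__ == "__main__":
    print(demo())
```

The host keeps its own global address in both directions; only the flow table decides whether an inbound packet is forwarded.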

[–] Blue_Morpho@lemmy.world 1 points 9 months ago (1 children)

a border firewall can do the job just fine without NAT

How do you anonymize IP addresses without effectively recreating NAT using firewall rules?

[–] frezik@midwest.social 2 points 9 months ago (1 children)

Mu. Why do you feel the need to anonymize IP addresses?

[–] Blue_Morpho@lemmy.world 1 points 9 months ago (2 children)

There is no way to personally identify anyone. Right now advertisers have to jump through hoops of cookies and browser fingerprinting to identify you- which can be blocked.

[–] frezik@midwest.social 2 points 9 months ago (1 children)

They still wouldn't. A single computer address is not an individual. They're only slightly better off compared to knowing the edge router IP like they do now.

If you really want to protect against that, then use a proxy or an onion router. NAT was never meant to do this, and it does it poorly.

[–] Blue_Morpho@lemmy.world 0 points 9 months ago (1 children)

A single computer address is not an individual.

It is extremely likely to be the same user. Shared computers are rare today.

[–] frezik@midwest.social 2 points 9 months ago

So what? They still don't have much more information than the edge router IP. Again, if you want to protect yourself here, use a proxy, onion router, or VPN. NAT is not designed to tackle this, and does it poorly.

[–] Dark_Arc@social.packetloss.gg 1 points 9 months ago

In a large corporate network, or even a small network, there's nothing fixing a device to a specific network address. You can shuffle those around between people entering and leaving the building and device power cycles just like DHCP does for IPv4.