zlacker

[parent] [thread] 15 comments
1. throwa+(OP)[view] [source] 2024-06-01 11:00:39
I don't quite understand what you mean by "any ipv6 deployment will have this". When my ISP switched to IPv6, my internal devices were exposed to the internet and the only thing that stopped the incredible amount of bot traffic was my own on-device firewall that I explicitly turned on and configured. Luckily I don't have any smarthome stuff, not sure how I'd configure a firewall on a lightbulb. These devices didn't have a public IPv4 before that. And a bonus - the ISP didn't say anything about this possible consequence, just "we're making some changes".

NAT has more benefits - I don't want anyone to know how many devices I have at home, I don't want anyone to know which one I'm using to access their website, I don't want anyone to try to guess the OS and version of my devices, etc. And now I'm scared to have a simple DLNA media server because I can't just install WireGuard on the TV. I'm probably going to buy a router and make my own NAT soon (don't have access into the ISP modem).

I felt better when the whole municipality had a single IP address. A lot of bullshit ads - means the targeting wasn't working. Now they're way too good.

replies(5): >>rcxdud+E3 >>PaulHo+R3 >>RulerO+uJ >>throw0+G61 >>hdjdjd+Ry1
2. rcxdud+E3[view] [source] 2024-06-01 11:34:27
>>throwa+(OP)
Well, that sounds like a colossal misconfiguration on the ISP's part. A firewall blocking incoming requests has been a standard part of ISP routers for a long time.
replies(1): >>throwa+Z9
3. PaulHo+R3[view] [source] 2024-06-01 11:35:54
>>throwa+(OP)
My ADSL connection rides on some non-IP network before it hooks up to a concentrator about an hour away. Most location based services, other than Apple, seem to assume I am in Norwich, NY. So I get these ads that say “They don’t like it when seniors use this one weird trick to save money on car insurance in Norwich but they can’t stop it” and “Horny grandmas want to jump your bone right now in Norwich” and such.

Contrast that to using public WiFi in NYC where everybody knows exactly where you are.

replies(1): >>throwa+6a
4. throwa+Z9[view] [source] [discussion] 2024-06-01 12:37:53
>>rcxdud+E3
On the other hand... What exactly is the benefit of IPv6 then? I thought the point was to make all my devices addressable on the public internet. How is it useful if the ISP firewall blocks my servers?

And yes, incompetent ISPs are the norm.

replies(3): >>Spooky+yf >>bzzzt+rj >>ndrisc+jp1
5. throwa+6a[view] [source] [discussion] 2024-06-01 12:39:28
>>PaulHo+R3
I'm on DOCSIS to the Home / Fiber to the Building, but there seems to be some kind of overlay network and as a result, my PC that's hooked into the modem is on the public internet.

Before IPv6 it was a classic internal LAN with IPs like 192.168.0.1.

6. Spooky+yf[view] [source] [discussion] 2024-06-01 13:28:43
>>throwa+Z9
The biggest benefit is exponentially higher complexity, assuring continued job growth for network engineers.
7. bzzzt+rj[view] [source] [discussion] 2024-06-01 14:02:45
>>throwa+Z9
The point is not needing a NAT translation table and running out of ports on your router. My provider also delivers an IPv6 configuration with all ports closed. I can enable incoming traffic for the devices that need it.
replies(1): >>throwa+Ll
8. throwa+Ll[view] [source] [discussion] 2024-06-01 14:20:11
>>bzzzt+rj
Running out of ports how? Someone is hosting 65536 public services in their home network? Why not just pay for an additional public ipv4 then?

I can't configure anything technical about my internet. Any change is paid, and often simply not possible.

replies(1): >>toast0+xr1
9. RulerO+uJ[view] [source] 2024-06-01 17:12:37
>>throwa+(OP)
> I don't want anyone to know how many devices I have at home

Even if your ipv6 host or border firewall allows pings through, it's not practical to scan an entire /64. There are just too many addresses in it, and your devices will frequently change them.

> I don't want anyone to know which one I'm using to access their website, I don't want anyone to try guess the OS and version of my devices, etc.

They already do this through fingerprinting that operates with higher-layer protocols.

> And now I'm scared to have a simple DLNA media server because I can't just install WireGuard on the TV.

This is very simple to implement. Ensure it's listening on the link-local address. That's the IP that starts with fe80. These are unrouteable by spec.

replies(1): >>throwa+pO
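The scope rules this comment relies on (link-local fe80::/10 is never forwarded, so a DLNA server bound there is LAN-only, while a global address is reachable from the internet unless a firewall intervenes) can be checked mechanically. The following is an added example, not code from any commenter; it uses Python's standard `ipaddress` module, and the listener list and all addresses are constructed samples (the 2001:db8::/32 documentation prefix stands in for an ISP-delegated global prefix). It also flags EUI-64-style interface identifiers, which stay stable across prefix changes and embed the hardware address, in contrast to the rotating temporary addresses mentioned elsewhere in the thread.

```python
import ipaddress

# Constructed sample of local listeners (service name, bound address).
SAMPLE_LISTENERS = [
    ("dlna", "fe80::1234:56ff:fe78:9abc%eth0"),  # link-local, LAN only
    ("ssh", "fd12:3456::10"),                     # unique local, not routed on the internet
    ("dlna", "2001:db8:1::42"),                   # global: reachable from the internet if no firewall
    ("printer", "::"),                            # unspecified = every address on the host
]


def classify_ipv6(text: str) -> str:
    """Name the scope of an IPv6 address the way a firewall or service admin cares about."""
    addr = ipaddress.IPv6Address(text.split("%", 1)[0])  # strip a zone id such as %eth0
    if addr.is_unspecified:
        return "any"
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:                               # fe80::/10, never forwarded by routers
        return "link-local"
    if addr.is_multicast:
        return "multicast"
    if addr in ipaddress.IPv6Network("fc00::/7"):        # unique local addresses (ULA)
        return "unique-local"
    if addr in ipaddress.IPv6Network("2000::/3"):        # IANA global unicast block
        return "global"
    return "other"


def lan_only(text: str) -> bool:
    """True if a service bound here cannot be reached from the internet by routing alone."""
    return classify_ipv6(text) in ("link-local", "unique-local", "loopback")


def looks_eui64_derived(text: str) -> bool:
    """True if the interface identifier carries the ff:fe marker of a MAC-derived
    (EUI-64) address. Such identifiers persist across prefix changes and expose the
    hardware address; RFC 4941 temporary addresses do not have this pattern."""
    packed = ipaddress.IPv6Address(text.split("%", 1)[0]).packed
    return packed[11] == 0xFF and packed[12] == 0xFE


def exposed_services(listeners):
    """Return the (service, address) pairs that an internet host could route to."""
    return [(svc, addr) for svc, addr in listeners if not lan_only(addr)]


if __name__ == "__main__":
    for svc, addr in SAMPLE_LISTENERS:
        print(f"{svc:8} {addr:36} {classify_ipv6(addr):12} eui64={looks_eui64_derived(addr)}")
    print("exposed:", exposed_services(SAMPLE_LISTENERS))
```

Binding to "::" is the case worth watching: it means the service answers on every address the host holds, including the global one, so the firewall becomes the only thing between it and the internet.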
10. throwa+pO[view] [source] [discussion] 2024-06-01 17:53:49
>>RulerO+uJ
> They already do this through fingerprinting that operates with higher-layer protocols.

It's very hard to distinguish my iPhone and Mac from the other dozens/hundreds people have in my building just through fingerprinting. Very easy if they have separate IP addresses.

Ad link local - cool, I'll look into that, thanks.

replies(1): >>crazyg+x11
11. crazyg+x11[view] [source] [discussion] 2024-06-01 19:50:55
>>throwa+pO
It's actually very easy just through fingerprinting. You might be surprised.

It doesn't matter if everyone in your building has an iPhone and a Mac as well -- there are things about virtually every single one of them that make them unique.

replies(1): >>oarsin+9E2
12. throw0+G61[view] [source] 2024-06-01 20:36:36
>>throwa+(OP)
> When my ISP switched to IPv6, my internal devices were exposed to the internet and the only thing that stopped the incredible amount of bot traffic was my own on-device firewall that I explicitly turned on and configured.

When my (previous) ISP switched on IPv6 none of my internal devices could be connected to because my Asus did stateful packet inspection and only allowed in replies to connections that were previously initiated.

> NAT has more benefits - I don't want anyone to know how many devices I have at home, I don't want anyone to know which one I'm using to access their website

Given that temporary IPv6 addresses tend to rotate every 24 hours it will be kind of hard to track individual devices by IP in a 2^64 address space.

You could rotate addresses 10 million times per second, using each only once, and it would take over 5000 years to exhaust a single /64.

> I felt better when the whole municipality had a single IP address. A lot of bullshit ads - means the targeting wasn't working. Now they're way too good.

I now have to use an ISP-supplied router (for GPON), but when I still had my Asus on the DSL/IPv6 ISP I could tell it to reboot every night and I would get a new IPv4 address and a new IPv6 prefix every day.

13. ndrisc+jp1[view] [source] [discussion] 2024-06-01 23:31:21
>>throwa+Z9
Without bidirectional NAT, hole-punching works. Two sides of a p2p connection can coordinate with an intermediary to learn each other's addresses. They send each other a packet, which gets dropped by the other side. Their firewall sees the outgoing packet though, and opens the port. The next time they send each other packets, they will be allowed through. The intermediary is only needed to do the initial handshake instead of for all packets.

With NAT, it doesn't work because the ports get remapped, and the intermediary doesn't know how they will get remapped on the p2p connection, so they can't coordinate to send on the correct ports to open the firewall.

Or UPnP can work. By default, your router drops incoming packets on all ports. If you want to e.g. run a game server, then on startup, it hits a standard API to tell the router to forward that one port. On shutdown, it can tell it to close the port (you could potentially also have the router require keepalives to keep the forward alive. I'm not familiar with the details of UPnP and related protocols).

Without a public IP, you need intermediate servers to relay all traffic to you, which centralizes the web. With p2p working, you can e.g. have high quality video calls with friends/family instead of dealing with the garbage quality tech companies allow. Or I can share with my mom photos of her grandkids with effectively unlimited storage; for 2 years of 2 TB Google storage, I can buy 20 TB of disks.
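The mechanics described in this comment (and the stateful packet inspection in comment 12) can be shown with a small simulation. This is an added example, not code from any commenter: a default-deny stateful firewall that opens a flow entry when it sees an outbound packet, a simplified endpoint-dependent ("symmetric") NAT on top of it, a rendezvous server that reports each peer's observed endpoint, and an explicit per-port allow of the kind a UPnP request or a router rule would create. All addresses and ports are constructed samples, and the NAT's port-allocation policy is an assumption chosen to illustrate the remapping problem rather than a model of any specific router.

```python
import itertools
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFirewall:
    """No address rewriting (the IPv6 case). Inbound packets are dropped unless
    they match a flow opened by an outbound packet or an explicit allow rule."""

    def __init__(self, inside_ip):
        self.inside_ip = inside_ip
        self.flows = set()         # (local_ip, local_port, remote_ip, remote_port)
        self.allowed_ports = set() # ports opened on purpose, e.g. via UPnP or a rule

    def allow_inbound(self, port):
        self.allowed_ports.add(port)

    def send(self, pkt):
        # Outbound packet leaves unchanged and opens a pinhole for replies.
        self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return pkt

    def _admitted(self, pkt):
        return ((pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows
                or pkt.dport in self.allowed_ports)

    def receive(self, pkt):
        """Return the packet as delivered inside, or None if the firewall drops it."""
        return pkt if self._admitted(pkt) else None


class SymmetricNAT(StatefulFirewall):
    """Endpoint-dependent NAT (assumed policy): each (inside endpoint, remote endpoint)
    pair gets its own external port, so the port a rendezvous server observes is not
    the port later used toward the peer. That is the remapping the comment describes."""

    def __init__(self, inside_ip, public_ip):
        super().__init__(inside_ip)
        self.public_ip = public_ip
        self.mappings = {}  # (inside_ip, inside_port, remote_ip, remote_port) -> external port
        self._next_port = itertools.count(40000)

    def send(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        ext_port = self.mappings.setdefault(key, next(self._next_port))
        translated = Packet(self.public_ip, ext_port, pkt.dst, pkt.dport)
        self.flows.add((translated.src, translated.sport, translated.dst, translated.dport))
        return translated

    def receive(self, pkt):
        if not self._admitted(pkt):
            return None
        # Translate back to the inside endpoint that owns this external port.
        for (in_ip, in_port, r_ip, r_port), ext in self.mappings.items():
            if ext == pkt.dport and (r_ip, r_port) == (pkt.src, pkt.sport):
                return Packet(pkt.src, pkt.sport, in_ip, in_port)
        return None


RENDEZVOUS = ("2001:db8:ffff::1", 3478)  # constructed intermediary address


def try_hole_punch(fw_a, fw_b, port_a=5000, port_b=6000):
    """Simulate one punch attempt; report whether the first packet was dropped and
    whether both directions work afterwards."""
    # 1. Each peer contacts the rendezvous server, which tells the other peer the
    #    source endpoint it observed.
    seen_a = fw_a.send(Packet(fw_a.inside_ip, port_a, *RENDEZVOUS))
    seen_b = fw_b.send(Packet(fw_b.inside_ip, port_b, *RENDEZVOUS))
    a_thinks_b = (seen_b.src, seen_b.sport)
    b_thinks_a = (seen_a.src, seen_a.sport)
    # 2. A's first packet reaches B before B has sent anything: no flow, dropped.
    #    It still opened a pinhole on A's side for traffic from that endpoint.
    first_dropped = fw_b.receive(fw_a.send(Packet(fw_a.inside_ip, port_a, *a_thinks_b))) is None
    fw_a.receive(fw_b.send(Packet(fw_b.inside_ip, port_b, *b_thinks_a)))
    # 3. Second round: both sides now hold flow entries, so delivery succeeds unless
    #    a NAT picked a different external port toward the peer than toward the server.
    a_to_b = fw_b.receive(fw_a.send(Packet(fw_a.inside_ip, port_a, *a_thinks_b)))
    b_to_a = fw_a.receive(fw_b.send(Packet(fw_b.inside_ip, port_b, *b_thinks_a)))
    return {"first_packet_dropped": first_dropped,
            "connected": a_to_b is not None and b_to_a is not None}


if __name__ == "__main__":
    print("ipv6 firewalls:", try_hole_punch(StatefulFirewall("2001:db8:a::10"),
                                            StatefulFirewall("2001:db8:b::10")))
    print("symmetric nat:  ", try_hole_punch(SymmetricNAT("192.168.1.10", "203.0.113.5"),
                                             SymmetricNAT("192.168.1.20", "198.51.100.7")))
```

The defensive property worth noting is that the stateful firewall never admits a packet the inside host did not solicit or explicitly allow; hole punching works by having the host solicit it, which is exactly why it needs no relay once both sides have sent once.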

14. toast0+xr1[view] [source] [discussion] 2024-06-01 23:55:41
>>throwa+Ll
Running out of ports is usually a misunderstanding, but a device doing stateful NAT will have a limit on how many states it can manage, and it's usually not fun when it goes over the limit.
15. hdjdjd+Ry1[view] [source] 2024-06-02 01:23:17
>>throwa+(OP)
Pro tip: buy a computer and make it into a router... There are some great cheap fanless machines out there (servethehome has reviews)...

You could also just use an old pc...

For software: opnsense, pfsense, openbsd, freebsd, Linux (openwrt could be used too if you want embedded)

It is a pain to start ... But satisfying when it works :)

16. oarsin+9E2[view] [source] [discussion] 2024-06-02 15:09:35
>>crazyg+x11
https://www.amiunique.org/ is scary and eye opening