I didn't recommend dropping IPv4. It's a terrible it to start a new project in 2024 without IPv6 support though. It's easy enough to build in from the beginning that there's not any real reason not to go for it.
And running a dual stack is trivially easy for almost everyone using it. That chart has almost half of Google's users coming in via IPv6. I promise you less than 1% of that 50% have ever even heard of IPv6, let alone done a single thing to configure it. With my ISP I'd have to go out of my way to turn it off, which I haven't done because this isn't 2008 where it broke things more often than never.
Exactly! IPv4 management is hideous compared to IPv6 once you grok it. The sooner you upgrade to it, the sooner you can deprecate horrid mitigations like NAT.
The fact that it exists. I was a network engineer before NAT became a common thing and remember how it use to be when nodes on the network were legitimately peers. NAT is a bletcherous band-aid for the fact there are more people than 32 bit numbers. Now we're seeing true abominations like CGNAT. That stuff needs to be lost to the realm of scary legends told late at night.
I was asking about practical issues, not just complaints of subjective ugliness. While I'll grant that CGNAT can be pretty bad (though not entirely indefensible for mobile networks), I don't think we can ever return to "every node being a peer" in any case, not when any typical network will have a firewall that denies incoming connections.
>I don't think we can ever return to "every node being a peer" in any case, not when any typical network will have a firewall that denies incoming connections.
Forgive me if I'm missing something here, but how is that any different WRT IPv4 vs. IPv6?
In both cases, except for those services one wishes to expose to the Internet (assuming one has a use-case for that), all incoming connections should be blocked, IPv4 or IPv6.
Or are you arguing that NAT masquerade confers some sort of security benefit on one's network that precludes the necessity of blocking incoming connections?
I'd argue that NAT (N:1 or 1:1) doesn't provide any security benefit. Nor does IPv4+NAT reduce the complexity of firewall rules as compared with IPv6.
In fact, I'd posit that NAT makes things more complicated and not less. That said, you can use NAT/NPT[0] with IPv6 (along with ULA/SLAAC) if you really want.
As such, I'd say that IPv6 provides the best and worst of IPv4, plus additional benefits.
IF we ever get completely off IPv4, that will be a good day.
I don't think I'm disagreeing with you regarding firewalls: what I was trying to say is that "every node being a peer" isn't a good argument against NAT, since these days it holds neither in IPv4 nor in IPv6, now that everything has a firewall in front of it.
> In fact, I'd posit that NAT makes things more complicated and not less.
Sure, it clearly adds some iota of additional work, but I've never seen it as being the worst thing in the world. I'm young enough to have never witnessed the legendary paradise of globally-reachable static IPs for everything, so it seems more like "just the way things are". And yet there is widespread hatred against the existence of NAT, and I can't tell if it's primarily ideological, or if NAT is causing real practical difficulties for many setups. (Though at least the issues with CGNAT are easy to see. And also with broken NAT implementations.)
Meanwhile, one might argue that things like SLAAC in IPv6 can similarly add conceptual difficulties compared to IPv4. E.g., "How do I identify some particular device in my network, if its link-local IP is changing on a regular basis?" (To which the answer is something DNS-like, I guess?) So switching a network's internal operations from NATted IPv4 to NATless IPv6, with all of its different mechanisms, would seem like more of a tradeoff than an unequivocal win.
> I don't think I'm disagreeing with you regarding firewalls: what I was trying to say is that "every node being a peer" isn't a good argument against NAT, since these days it holds neither in IPv4 nor in IPv6, now that everything has a firewall in front of it.
In residential environments you can do whole bunch with UPNP/PCP, but with IPv4 you have the added complexity of STUN, TURN, and ICE:
With IPv6 you simply punch a whole and and the two clients simply talking to each other with their GUAs.
(In more tightly controlled environments (e.g., work), firewall policies and hole punching are dictated by IT.)
> Meanwhile, one might argue that things like SLAAC in IPv6 can similarly add conceptual difficulties compared to IPv4. E.g., "How do I identify some particular device in my network, if its link-local IP is changing on a regular basis?"
If a device gets its address via DHCP(v4), how do you identify it? SLAAC is for dynamic environments, but if you want static services, configure IPv6 statically.
At least with IPv6 you don't need DHCP infrastructure (and complexities like IP helpers configured on routers) to get going.
> With IPv6 you simply punch a whole and and the two clients simply talking to each other with their GUAs.
Eh, I wouldn't call it that simple. With an IPv6 firewall, TCP hole-punching is still difficult to impossible depending on how strict the connection tracking is (necessitating something TURN-like), and UDP hole-punching still requires some timing trickery. It's useful to keep a connection open with a STUN server regardless, in case that influences the firewall. All that NAT does is add a few more possible failure points, depending on how the router sets up mappings.
In the end, these are just hacks on hacks regardless, since we're never going to have reliable UPnP or similar on every network.
> If a device gets its address via DHCP(v4), how do you identify it?
I manage its assigned IPv4 address from the router, which itself presumably identifies it by MAC address. Doing it centrally from the router is often easier than trying to change the device's own settings.
Regarding static IPv6, can you still have static addresses within a network, while using rotating privacy addresses for outside connections? I've always been somewhat unnerved by the idea of each device in a network having a persistent address that can be separately tracked.
IPv4 as well as IPv6 was designed with endpoint to endpoint communication in mind so when NAT was conceived (originally intended to be a stop-gap while we moved to IPv6) we also had to re-write many other protocols and create many new ones since NAT broke IPv4's design principle (each IP needs to be unique)
This has lead to many context specific problems as many of the re-written protocols don't work as well not to mention the added complexities of protocols designed specifically with NAT in mind. As another network engineer I can attest to the problems this has caused. Pretty much everything from overlay VPN networks, VoIP solutions, security and ACLS, and just our day to day maintenance tasks are complicated by NAT. It has gotten so out of hand that many of us have dedicated NAT routers just handling NAT translation.
It's so weird to me that so many people in our industry spout scalability but then laugh off IPv6... How the heck do you guys plan to communicate to the ever increasing amount of smart devices? IPv4 literally ran out a space years ago...
I mean adding IPv6 support doesn't make nodes "legitimate peers". NAT still exists in a v4+v6 world; there will always be a distinction between "nodes with a public v4 address" and "nodes without a public v4 address".
You're missing the point, I believe intentionally. You can't get away from IPv4 as long as you have users who can't access IPv6-only servers. All your users and potential users can access IPv4-only servers.
> You can't get away from IPv4 as long as you have users who can't access IPv6-only servers.
That depends on your definition of "can't get away from". Your users can live on a IPv6 only lan and have the IPv4 world available to them. IPv6 supports 4 in 6 - ie you can embed IPv4 addresses in IPv6, so all you need is a gateway that translates IPv4 to IPv6 for them.
I've done it. At a conference, to unsuspecting users. All phones support IPv6 well, so they didn't notice. Not one complaint - I was blown away by how well it all worked.
It was done because some noisy attendees insisted on being assigned routable IP addresses. That can be difficult to provide with IPv4 for obvious reasons, whereas ISP's will happily hand you thousands of billions of IP{v6 routable addresses, for free.
I set up the gateway myself, rolling my own using a linux box I had lying around. Adding the 4 in 6 capabilities is maybe an hours work on top of all the other setup you have to do on the box, and that includes googling to find what tools you need and how to configure them. It's not hard.
> All your users and potential users can access IPv4-only servers.
Not all servers are user-accessible. For instance, a database server or a NAS server might only be accessed by other servers within the same organization. Using IPv6 between these internal-only servers, instead of RFC 1918 addresses, can simplify things.
And can make things far more complex too. You now need people to understand both ipv4 (for your public facing) and ipv6 (for your internal ones).
Instead you could just choose ipv4 only and reduce a lot of complexity. Sure there are also downsides -- if you're in a large org and are running out of RFC1918 space, or you're rationing it to smaller than /24 networks, that can be a pain (I don't see a benefit of more than 256 host addresses on a subnet as that's already far to large a broadcast domain)
#2 has essentially no downsides and is radically simpler.
That's my point. It's not terrible to start a new project without IPv6 support, because adding IPv6 support adds a ton of complexity for almost no benefit.
I never claimed or insinuated that you recommend dropping IPv4. If I thought your recommendation was to drop v4, my argument about the complexity of dual-stack would've made no sense.
> I never claimed or insinuated that you recommend...
Check my handle. I'm not who you seem to think I am.
> ...adding IPv6 support adds a ton of complexity for almost no benefit.
That doesn't at all match my experience with IPv6 support in greenfield projects for the past decade+. You actually have to do extra work to make them IPv4-only. Remember that the statement you initially responded to said "It's a terrible it to start a new project in 2024..."
> > I never claimed or insinuated that you recommend...
> Check my handle. I'm not who you seem to think I am.
Sorry, I didn't notice. Pretend I said "they" rather than "you".
> > ...adding IPv6 support adds a ton of complexity for almost no benefit.
> That doesn't at all match my experience with IPv6 support in greenfield projects for the past decade+. You actually have to do extra work to make them IPv4-only. Remember that the statement you initially responded to said "It's a terrible it to start a new project in 2024..."
Huh, I never found it difficult to ... not add an AAAA DNS record to point to a server. It surprises me that you find that to be extra work.
> Huh, I never found it difficult to ... not add an AAAA DNS record to point to a server.
Have you attempted to make greenfield software written in 2024 support only IPv4 addresses and be deliberately incompatible with IPv6 addresses? It's a lot more work than just using what the standard libraries give you and just getting support for v4 and v6.
I have actually made a green field project in 2024 and created a VPS for it and not added an AAAA record to point to that VPS, it was pretty easy to not add that AAAA record, I could do it in my sleep (in fact I do spend most of my nights not adding AAAA records to anything)
Now the software itself would probably work v6 if you set up the infrastructure for it, but that's not what I'm talking about. (I don't know for sure that it works with v6 though, never tested)
I know for sure that I've written some software before which doesn't work with IPv6 because the buffer I pass to gethostbyname is 4 bytes, but to be fair I haven't written such software in 2024. I have also written software to configure a device's interfaces and routing tables which only does DHCP4 and only configures v4 addresses, but that was in 2023 not 2024, maybe dhcp4 would've magically worked with IPv6 if I had done it this year
> The gethostbyname*(), gethostbyaddr*(), herror(), and hstrerror() functions are obsolete. Applications should use getaddrinfo(3), getnameinfo(3), and gai_strerror(3) instead.
Certainly some will be needed for 'legacy' purposes for the foreseeable future, but the more you can reduce the use of them at your edge, the less money you'll be shelling out.
And running a dual stack is trivially easy for almost everyone using it. That chart has almost half of Google's users coming in via IPv6. I promise you less than 1% of that 50% have ever even heard of IPv6, let alone done a single thing to configure it. With my ISP I'd have to go out of my way to turn it off, which I haven't done because this isn't 2008 where it broke things more often than never.