Re: And who told you I want to be measured?
> I could easily rephrase this to "the majority of people want to be capable of accepting inbound connections in at least some circumstances", and for that we're going to need v6. v4 just isn't going to cut it.
This is simply incorrect. Incoming TCP connections might need some assistance in the event of CGNAT, but UDP doesn't. And if you're looking for the sort of isochronous connections that end-users might generally want - games, VoIP, that sort of thing - then UDP is going to be what you're after. If you want to set up web or mail servers, CGNAT probably isn't for you. But how many of us want to run web or mail servers and don't know how to work around CGNAT?
> Behind CGNAT? If not then I suspect that'll be a nasty surprise for you when it happens.
Effectively, yes. My second tier of NAT - which I put in place - gives me the same effect. My first tier probably does - but as I didn't build that, I can't actually be certain without a load of work that I cannot be arsed to do.
> And yet - it still works.
Indeed - the only time I've had difficulty with such setups is when the router tries to do something clever; a colleague of mine from years ago used to love putting Juniper kit anywhere he could. I soon found that the best way to use this was to turn off every ALG it offered; they were all crap. Running STUN sorted the problem every single time.
> Also... I'm doing this too, on v4. I know it's possible. But I'm also doing it on v6, and I can tell you that it's just easier on v6.
Well, I can install SIP phones on an IPv4 network without a firewall, and they just work. If I install them on an IPv6 network, I must have a firewall to prevent the administration interfaces being visible to the Internet at large. I fail to see how this is "easier".
> NAT doesn't seem hard until you get rid of it, and suddenly you realize how much of a pain it really was.
I can't agree with you. I run NAT on my IPv4 network, and not on my IPv6 networks. The IPv4 network takes much less thinking about.
> And partly because there's no other choice
Nonsense. There are numerous applications that run over IPv4 - there's VoIP that I've already mentioned, or there's BitTorrent, for example. Or any other P2P app - the original Skype? There are choices. They work. Game vendors are not eschewing this technology because it doesn't work, they are preventing it because it doesn't pay.
> Do you want it to be _possible_ for a company to release something that isn't trivial to spy on, or not?
That's FUD. The visibility of your data to an attacker is entirely unrelated to the transport mechanism chosen.
> Not every company wants all your info (just most), but none of them will have any choice if everybody is behind CGNAT.
No. That's just bollocks. CGNAT does not preclude TLS. Nor, indeed, does it make any difference in either direction to the snoopability of plaintext.
> Adding two bytes is exactly as hard as adding 12 bytes.
In protocol terms, yes. In human terms, no. Any time you have to get humans to modify their behaviour in any significant way in order to accommodate a computer, you've almost certainly screwed up.
> If you're going to add bytes, you may as well add enough bytes that you don't need to go "whoops, we didn't add enough, we need to go through all that again" later on.
A 64-bit address space with a MAU of /16 would give you individual prefixes for nearly 3x10^14 users, with 65K addresses for each. Given that this planet really can't support 10^10 people, and that no individual is going to be able to maintain 65K devices, that would have been enough until approximately the time we've colonised 10,000 other worlds. I can't see that happening before Christmas, if I'm honest.
> Okay, for starters: DNS. It's awesome and it's been around for years now and it makes your life a lot easier; I really suggest you read up on it.
Until it breaks. Some of us make a living fixing stuff like that; having memorable addresses really does make life easier. Holding more than four numbers in memory at any time is actually quite difficult for dyslexics like myself. Now I know this is my problem, but just claiming "DNS makes it go away" entirely ignores the situation where DNS has gone down. And DNS does go down...
> For seconds: why did you pick such an awkward v6 address? If you needed to remember this address you should've picked something easier to remember, like 3ffe:1900:4545:3::2 (read that as "address 2 on subnet 3").
For starters, that's all very well if you know the prefix. But the prefix is the bit that will need memorising; most public addresses are likely to be on low subnet/address pairs, but the prefix is going to be utterly unpredictable. For a MAU, it's a 64-bit number with no memorable cues.
So we all know that Google runs a DNS server on 8.8.8.8. But if you want to do that over IPv6, it's on 2001:4860:4860::8888. They've clearly worked hard to get the repetition into that prefix, but that's still not a number I can carry in my head.
[Of forging local network addresses]
> I do like to point out that this isn't completely true: your ISP (or anyone who can strongarm them) can connect to you even if you're behind a NATing router, unless you prevent them with a firewall.
It's quite a few years since I worked for an ISP, but when I did, our experiments with forging LAN addresses on the WAN port only got through to the LAN side on a few really shitty routers. I cannot tell you whether or not that is still the case.
> You are free to do this to yourself. I accept your right to make your own life more annoying than it needs to be for no real benefit. Just don't force it on anybody else.
That last is the only thing that actually needs saying; there are many people for whom NAT is a really useful thing. With IPv6, no-one is forced to use NAT, but similarly, no-one should be prevented from using it either. If the High Priests would stop telling us we can't use NAT, most of the objections would disappear...
> IPv6 does _not_ take this perimeter away.
Yeah, it does unless you do something to replace the perimeter. A NAT router in front of an RFC 1918-based LAN gives you a default DENY configuration. An IPv6 router gives you a default ACCEPT. To get the perimeter afforded by the first, you need to add a stateful firewall, which is another piece of equipment that needs maintenance. This is an increase in complexity, which might well be a show-stopper for those not versed in networking.
> This is backwards. NAT is the tricky thing to understand; things are a lot easier without it.
It really isn't. NAT might be tricky to understand if you're trying to program it, but the vast majority of users never do that. They just use it, and it just works. If you want them to use firewalls in addition to what they've done before, that's a bunch of new learning they have to do. Now you and I might not think that a big deal - but for substantially all[1] Internet users, that's a huge amount of work that will never happen.
> Note that I'm basing this on actual experience, not fear of the unknown like most other people in this thread.
As am I. I am a networking professional and I run both IPv4 and IPv6. But I also have a fair bit of contact with "home users", for whom the transition to IPv6 without NAT will be a total nightmare. Now I could make quite a bit of cash out of that - but I'd rather see standards working for users, rather than the reverse. That will transition us to IPv6 more rapidly, with fewer catastrophes along the way. And the single biggest thing we need to happen is for IPv6 proponents to stop trying to prevent NAT; it's not going to harm you, no-one is going to force it on you, and it will make many people's lives much easier.
Vic.
[1] I was going to write "the vast majority" or somesuch, but it is so close to "everyone" as to make no difference.
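The "default ACCEPT versus default DENY" point above, and the earlier one about SIP phone admin interfaces being exposed on an IPv6 network, come down to whether the router carries a stateful filter. The ruleset below is an added illustration, not something posted in this thread: an nftables configuration for a home IPv6 router that reproduces the inbound posture a NAT box gives for free (only reply traffic comes in), while still admitting the ICMPv6 that IPv6 cannot work without. Interface names `lan0` and `wan0` are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread). Without a ruleset like this, a Linux
# IPv6 router forwards every unsolicited inbound packet to the LAN: the
# "default ACCEPT" the comment above describes. Interface names are assumed.
flush ruleset

table inet filter {
    chain input {
        # Traffic addressed to the router itself: default DENY.
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # Neighbour Discovery, router advertisements and PMTU signalling
        # must pass or the link simply does not work.
        icmpv6 type { nd-router-solicit, nd-router-advert,
                      nd-neighbor-solicit, nd-neighbor-advert,
                      destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept
        icmpv6 type echo-request limit rate 10/second accept
        # DHCPv6 replies arrive from the upstream link-local address.
        iifname "wan0" ip6 saddr fe80::/10 udp dport 546 accept
        # Management only from the LAN side.
        iifname "lan0" tcp dport { 22, 443 } accept
        # Everything else from the WAN is dropped, as it would be behind NAT.
    }
    chain forward {
        # Traffic crossing the router: default DENY, LAN-initiated only.
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lan0" oifname "wan0" accept
        # Let PMTU and error signalling reach LAN hosts for their own flows.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept
        # A SIP phone's web admin port on the LAN is now unreachable from
        # the Internet, which is the behaviour NAT gave on IPv4.
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f` and check with `nft list ruleset`; the two `policy drop` lines are the whole point, and a distribution that ships the router with `policy accept` or no `forward` chain at all is the "default ACCEPT" case.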