Idk man, NAT makes a lot of sense once you get used to it. And it’s pretty cozy with its firewall features. And somewhat human readable ipv4 addresses are nice.
They charge extra for a feature called “static IP”. But the IP address not being static is not the issue, for me at least. You could host stuff with a dynamic IP back in 2000s/2010s. But no, now you get to share the same IPv4 address with a bunch of other households, unless you pay extra.
Ha, yeah that sucks and I’d absolutely hate it if I were behind a CGNAT. But I believe most ISPs don’t do that. None of mine ever have. Just like how most ISPs provide you with an ipv6 address range, but not all. Fact is that crappy ISPs can screw up your network no matter what ip spec you’re using.
And I’ve never heard of a business network being behind an ISP controlled CGNAT. A NAT you control can be nice.
I like that none of my local devices are externally addressable unless an outgoing connection has been established. You can (and should) achieve the same thing with ipv6, but then it’s essentially just maintaining a NAT table without the translation piece. I think that makes sense in both protocols.
I’m actually trying a hybrid approach with some VPCs: use firewalled IPv6 ports for remote management, direct to the VMs; while siphoning off the IPv4 traffic to a basic Linux host with Netfilter rules acting as a NAT router. I keep the benefits of using IPv6, without eating up a bunch of external IPv4 addresses, that I would also have to account for on filtering.
I like that none of my local devices are externally addressable unless an outgoing connection has been established.
This can also be achieved using (other) firewall rules.
but then it’s essentially just maintaining a NAT table without the translation piece.
So… a firewall?
NAT isn’t a security feature and shouldn’t be relied on for managing access to hosts.
It also breaks the assumption of IP that connections between hosts are end-to-end, which requires sophisticated solutions so that everything works (more or less).
I too employ NAT to make services accessible over IPv4. But only because it doesn’t work otherwise. Not because it “makes sense”. I don’t use it at all for IPv6.
Does IPv6 scare you so much that you start craving the monstrosity known as NAT44?
Idk man, NAT makes a lot of sense once you get used to it. And it’s pretty cozy with its firewall features. And somewhat human readable ipv4 addresses are nice.
NAT provides no firewall features and we can have a discussion about how wrong that statement is
ISPs putting you behind NAT is not cozy.
They charge extra for a feature called “static IP”. But the IP address not being static is not the issue, for me at least. You could host stuff with a dynamic IP back in 2000s/2010s. But no, now you get to share the same IPv4 address with a bunch of other households, unless you pay extra.
Ha, yeah that sucks and I’d absolutely hate it if I were behind a CGNAT. But I believe most ISPs don’t do that. None of mine ever have. Just like how most ISPs provide you with an ipv6 address range, but not all. Fact is that crappy ISPs can screw up your network no matter what ip spec you’re using.
And I’ve never heard of a business network being behind an ISP controlled CGNAT. A NAT you control can be nice.
You don’t need a NAT with IPv6, that’s what link-local addressing is for
Unless your ISP won’t support DHCPv6-PD until you pay them extra… want to guess how I know this?
That’s a lie, NAT is bullshit, sometimes necessary, but it will never “make sense”.
I like that none of my local devices are externally addressable unless an outgoing connection has been established. You can (and should) achieve the same thing with ipv6, but then it’s essentially just maintaining a NAT table without the translation piece. I think that makes sense in both protocols.
exactly, I also like this peace of mind for my home network and see no benefit in using ipv6 there. Similarly for any VPC I deploy to an IaaS.
I’m actually trying a hybrid approach with some VPCs: use firewalled IPv6 ports for remote management, direct to the VMs; while siphoning off the IPv4 traffic to a basic Linux host with Netfilter rules acting as a NAT router. I keep the benefits of using IPv6, without eating up a bunch of external IPv4 addresses, that I would also have to account for on filtering.
This can also be achieved using (other) firewall rules.
So… a firewall?
NAT isn’t a security feature and shouldn’t be relied on for managing access to hosts.
It also breaks the assumption of IP that connections between hosts are end-to-end, which requires sophisticated solutions so that everything works (more or less).
I too employ NAT to make services accessible over IPv4. But only because it doesn’t work otherwise. Not because it “makes sense”. I don’t use it at all for IPv6.