undefined | Better HN

0 pointsbigstrat20031mo ago0 comments

I'm not really seeing a reason why it would be impossible to open firewalls in that scenario. More work, sure, but by no means impossible. In any case TFA says right up front that it is trying to solve the problem of overlapping subnets, which IPv6 solves nicely.

0 comments

throwway1203851mo ago

Then you've probably never worked in any serious networked embedded systems space. Getting people to open ports on the firewall and making the firewall configuration palatable to the end customer is like a quarter of what I think about when my team makes new features.

pcarroll1mo ago

Yes! Exactly this.

mschuster911mo ago

> I'm not really seeing a reason why it would be impossible to open firewalls in that scenario.

Cheap ass ISP-managed routers. Got to be lucky for these rubbish bins to even somewhat reliably provide IPv6 connectivity to clients at all, or you run into bullshit like new /64's being assigned every 24 hours, or they may provide IPv6 but not provide any firewall control...

themafia1mo ago

> or you run into bullshit like new /64's being assigned every 24 hours

It'd be nice if DNS servers supported this. Save the 64 host bits in the zone and just use whatever 64 prefix bits happen to be issued right now.

Otherwise it makes a strong case for the continued use of "private networks" and the IPv6 ULA mechanism.

lxgr1mo ago

> Otherwise it makes a strong case for the continued use of "private networks" and the IPv6 ULA mechanism.

Let's please not. Even without inbound reachability, hole punching is significantly easier given globally routeable addresses.

1 more reply

lxgr1mo ago

It's completely impossible if you simply don't have the necessary access. Not everybody can administer all firewalls upstream from them.

Nor can everyone control whether their connection supports v6, unfortunately.

pcarroll1mo ago

Hole punching actually works most of the time. A lot more often than you might think. But enterprise firewalls usually don't allow it. And some home routers fail when you check all the anti-intrusion options. But it's the same for other VPNs. In the residential and small-business space, it's pretty rare. You might need to point it out to the network guy. If the customer wants the service, they should be open to it.

lxgr1mo ago

The problem isn’t that it doesn’t work (and it does often not work – one “symmetric NAT” in the old/deprecated terminology is enough), it’s that it’s orders of magnitude more complex than it needs to be.

I’ve also never seen it work for TCP in practice, and not everybody should have to roll their own UDP wrapper for their TCP-expecting application.

digiown1mo ago

Hole punching is a thing. Ports are not normally completely blocked. They allow replies, which can be exploited to do make a connection. Obviously this requires an out of band signaling mechanism. Tailscale does this, so does WebRTC, iirc.

See: https://tailscale.com/blog/how-nat-traversal-works

lxgr1mo ago

Yes, but I don't believe all firewalls support that, especially for TCP, and as you've mentioned, now you also need to maintain a handshaking mechanism.

The complexity makes sense if you need to transport a lot of data peer-to-peer or the lowest possible latency, but if you don't, you might as well use that coordination server (which outbound-only clients are connecting to) for payload communication as well.

1 more reply

pmontra1mo ago

Companies with an IT department, maybe. Companies without IT, not much. People, nope.

I can't see my neighbors opening ports on their switch. What's a switch, to start with. And what happens when they change provider and switch next month?

It's much easier to tell them: I install two boxes. One is the camera (or whatever), the other one is necessary to make the camera work properly, keep it online, don't switch it off.

j / k navigate · click thread line to collapse

0 comments

throwway1203851mo ago

pcarroll1mo ago

Yes! Exactly this.

mschuster911mo ago

> I'm not really seeing a reason why it would be impossible to open firewalls in that scenario.

themafia1mo ago

> or you run into bullshit like new /64's being assigned every 24 hours

It'd be nice if DNS servers supported this. Save the 64 host bits in the zone and just use whatever 64 prefix bits happen to be issued right now.

Otherwise it makes a strong case for the continued use of "private networks" and the IPv6 ULA mechanism.

lxgr1mo ago

> Otherwise it makes a strong case for the continued use of "private networks" and the IPv6 ULA mechanism.

Let's please not. Even without inbound reachability, hole punching is significantly easier given globally routeable addresses.

1 more reply

lxgr1mo ago

It's completely impossible if you simply don't have the necessary access. Not everybody can administer all firewalls upstream from them.

Nor can everyone control whether their connection supports v6, unfortunately.

pcarroll1mo ago

lxgr1mo ago

I’ve also never seen it work for TCP in practice, and not everybody should have to roll their own UDP wrapper for their TCP-expecting application.

digiown1mo ago

See: https://tailscale.com/blog/how-nat-traversal-works

lxgr1mo ago

Yes, but I don't believe all firewalls support that, especially for TCP, and as you've mentioned, now you also need to maintain a handshaking mechanism.

1 more reply

pmontra1mo ago

Companies with an IT department, maybe. Companies without IT, not much. People, nope.

I can't see my neighbors opening ports on their switch. What's a switch, to start with. And what happens when they change provider and switch next month?

It's much easier to tell them: I install two boxes. One is the camera (or whatever), the other one is necessary to make the camera work properly, keep it online, don't switch it off.

j / k navigate · click thread line to collapse