Re: Homenet



On 21-3-2016 at 00:29, Stuart Gathman wrote:
On 03/20/2016 11:36 AM, Xen wrote:
By the way, if UPnP was ever a problem in terms of NAT security, obviously the problem is much worse in IPv6, since there is not even any NAT and all devices are always exposed.

"Addressable" is NOT the same thing as "exposed".  Any sane IPv6 router for the home (every one I have seen so far) blocks all incoming connections by default - just like NAT effectively does.  There is no operational difference for the clueless home owner.  With a consumer firewall, selected ports can be "forwarded" through IP4 NAT to a selected internal IP.  Similarly, selected ports can be unblocked for selected internal objects with an IP6 firewall.

There is a fundamental issue with this and that is that this is a rather arbitrary "sanest method of configuration" rather than a topology feature. What you get is like a multi-to-multi mapping (one on one, so to speak) there is just a filter in between that will block incoming connections. That means that the filter will record and maintain outgoing connections like a current NAT firewall does. There is no advantage to this over NAT other than the fact that you can use the same port if you wanted on multiple devices.

There is no longer a "port to different port" mapping, now it is simply "open or closed".

The port to port mapping is not really a fundamental feature, typically the ports for internal devices are not meaningful. There is a bit of an advantage in not configuring anything but you also lose the feature of being able to map anything in the first place. If those ports on the internal network are meaningful, they don't have to be meaningful on the outside. When you cross boundaries, meanings can change. For example, I have a device internally running on port 22, but externally port 80. This is because I was located on a premises that blocked outgoing port 22 connections. And basically all other connections except 80 and 443. There are also other ports open on that router but they are all accessible through the same IP and domain.

Now tell me, what is the advantage of IPv6, I don't see any.

I'm sure the mapping is a feature that is on IPv6 routers as well. But are you telling me that I am going to need a different domain to access every local device (because they each use a different public IP address)?

Sure, the router will have this feature. So what is the advantage then. I'm still using one IP to access all services.

I'm sure certain people have experienced conflicts because for instance certain games required certain incoming ports (doesn't really happen, but okay. Think a file-sharing program, that may require some fixed ports). Current torrent clients are able to choose any port they want. Maybe it's a bit of a configuration hassle if you want fixed ports.

Nothing insurmountable and actually something that helps you understand your network.

What advantage do I have if I have addressable (but, per the configuration of the firewall) unexposed IP addresses for each internal device, including possibly the router?

Can you tell me that?

The only semi-valid criticism is that with IP4 NAT, the effective 48 bit (IP+ random 16 bit port) public address is periodically recycled to point to different internal objects.  With IP6 sans NAT, the 128-bit (Subnet + random 64 bit host ip) public address, while random and periodically changing like IP4 NAT, is not recycled.  A given IP only ever points to a single internal object.  This could potentially reveal more information to someone logging IP+port on the outside.  But it is not yet clear what exactly it would gain them.

You know, sometimes people say "why do you want it?" and often times when people say these things, it's just because people want it and there is no other reason.

An example was a computer game that does not allow direct trade between players in an online world. Most of these online worlds do allow direct trade between individuals in a way of exchanging items in a relatively safe way. That particular game did not have it. When some people started arguing for inclusion of this feature, the wannabe employees of this company started defending the status quo by saying "why do you need it?". "Why do you want it?". And it was completely obvious and is completely obvious to any sane normal person out there, even in the real world, that being able to give stuff to another player is something that is meaningful and helpful. To anyone not affiliated with the status quo of that game, this would normally not be a question. Of course you want to trade. Of course you want to be able to hand someone something. You can do so in real life, why would you not want to do something like that in a virtual world.

So in that case the question became really "why not?".

Today, you are saying "why not?" but the situation is different.

I do not feel a need or desire for IPv6. So in this case my question is predominantly: "why?".

It's like building a research facility on the moon for no reason whatsoever and to anyone who says "why?" you respond "there is no valid criticism". Well, there first has to be a reason, doesn't it. Doesn't there.

And simply the number of addresses is no reason for a change in topology.

The question is: WHY DO YOU WANT or feel the need or desire for (RANDOM) 64-bit addresses on an internal network?

First of all, a random non-reusable address is clearly a bag of nonsense, as you indicate. That's no sane method of doing anything. Think of a programming stack, queue or list. You want the queue, stack or list to remain in an elegant state, for instance that indices keep starting at 0 and that the first element is at index 0. You don't want a runaway system where the indices become higher and higher constantly but you expect not to run into trouble because you have reserved 64-bit for them.

Maybe I'm assuming, perhaps. Then enlighten me.

There is a linux system in which numbers go up. It is the linux software raid. If you have a raid type that needs rebuilding, I believe the number of any disk "added again" to the array will always go up. So if you keep doing that, these numbers keep going up (both of them, if you have a 2-disk array). That in itself bugs people.

I do not even like random addresses in my network unless it is for devices I could never want to directly address anyway.

I also do not like hexadecimal addresses in a hard to understand format.

People recognise 192.168.1.1. People are not going to recognise any of that other shit. And you say there is no valid criticism? Sorry, you're wrong.

But of course you recognise this, but as you say, or as I feel, this system you've just shown me is just the output of a ludicrous mind. Instead of a small set of understandable addresses with a fixed scope of a certain containment (like what we have now, in that sense of about 255 addresses) they create 18446744073709551616 possible addresses ... just looking at it makes clear how little sense this makes. That are being randomly consumed, and only (?!) because there are so many, is there no real risk of actually exhausting them, even when it would be a theoretical possibility and end result.

At least that is what it seems to be, from the way you just described it.

My apologies if I'm not well enough versed in this to really discuss this. But what you've just shown me is just more stupid than what I already thought...

A random 64-bit address is 8 bytes. A byte is 2 hexadecimal digits. That means if these addresses are really random in the entire range, you need 16 digits to write them down. Currently, I can remember every device with one decimal number between 1 and 254. So where is the advantage here? People in the past used to directly access public IPs by IP. By heart. I never did much of that, but it happened. I do use a domain service for my IP and don't remember it.

Often times I still manually write them in to some "host" program call or something of the kind. There can be DNS issues and it is often helpful to directly attempt IP addresses instead of domains to troubleshoot that. Sometimes.

In Europe bank accounts have been 'Europeanised'. There is no real advantage but all European account numbers in the EU are now directly addressable throughout the EU. Surely there is an advantage to knowing those addresses more easily. But local addressing has also been forced to conform to the standard. My 7 digit account number now has the form of NL88INGB000xxxxxxx. So it is now an 18 character number. There is a structure to it so it is not that hard to remember. But you're being forced to use these addresses even though the banks themselves can easily translate the old addresses into the new ones (or really, vice versa). It's not that they can't. You are being disallowed. It is a political choice. For which there is not really any practical imperative.

I know my mother's bank account number by heart. But I don't know if she has the same 88, because the same bank also uses different numbers for that. That makes no sense, but it is true. I see the same in IPv6.

I see no advantages to IPv6. I mean, its structure.

You say "there is no valid criticism". I can see the advantage of having more than one IP address for certain purposes. Simply because yes, it could be helpful to have a port 80 for something else as well. My port 80 leads to 22 internally, and 443 leads to port 80 I believe. A bit of a make-do setup. More addresses would mean more ports available. But I wouldn't want them to be mapped one-on-one -- that would not even be a solution because both of these ports are on the same device. There is another device in my home that is not accessible yet. I just haven't bothered. I also wouldn't want it to be directly accessible on the outside (addressable) with the same address that I have for it on the inside. I just don't want that.

What I want is clear: I want this to stay the same, or at least to remain in a similar setup. I have no habit and dependence on a complete and utter structure of IPv4, but I also don't see what's really wrong with it. The whole A, B and C address ranges (or something like that) are rather arbitrary and don't make a lot of sense, but there is also no issue to that. They would have had to be arbitrarily something else.

What the world needed was a 6 number global address, and nothing else. Not 128 bit. 48 bit, and that was perfect, and it was enough.

You could simply have introduced routers that could acquire multiple addresses from an ISP, or better yet, a system where multiple connections could be multiplexed over the single line, and a router can simply handle 2 or more connections. Simply expose several MAC addresses (for example) and acquire an IP on each. Then be able to use several routers, or one for both. Then do whatever you want with it. It's fun, and if it is elegant it is nice as well. The complexity on a router does not extend by a great deal.

You only need it for fixed services anyway, like, what else do you need it for.

No one ever had trouble with IPv4 unless they needed fixed ports. In a home network setting at least.

There is no valid criticism. No, there is no valid need.

You are making life more difficult, you are creating trouble. And there's no need for that.

"Home networks need to provide the tools to handle these situations in a manner accessible to all users of home networks. **Manual configuration is rarely, if at all, possible**, as the necessary skills and in some cases even suitable management interfaces are missing."

This in itself should be clear enough.

"Firewalls that restrict incoming connections may be used to prevent exposure, however, this reduces the efficacy of end-to-end connectivity that IPv6 has the potential to restore."

So basically they want full exposure, but recognise that this is not actually desirable, so they introduce a firewall that will block incoming connections, when at first the whole reason for having individual addresses was in large part to solve the problem of not being reachable.

So they *wanted* all devices to be reachable, but now recognise that such a thing is not actually desirable. There is no point to having addresses if you can't do anything with it. That means you STILL need UPnP to open ports. Nothing has changed.

Except everything has become a 1000 times more complex, apparently.
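As an added illustration (not part of either message, and not any particular router's firmware): the two setups the thread compares, written as one nftables ruleset. The IPv4 half is the 80-to-22 port forward Xen describes; the IPv6 half is the "selected port unblocked for a selected internal object" pinhole Stuart describes. Interface names, the 192.168.1.0/24 and 2001:db8:1::/64 networks and the .10 host are assumed placeholder values.

```nft
# Assumed interfaces: wan0 faces the ISP, lan0 faces the home network.
# Both address families share one stateful filter: outgoing connections are
# recorded by conntrack and their replies admitted; everything else from the
# WAN is dropped, which is the "addressable but not exposed" default.
table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # replies to connections the inside opened (same for v4 and v6)
        ct state established,related accept
        ct state invalid drop

        # anything the LAN initiates towards the WAN is allowed out
        iifname "lan0" oifname "wan0" accept

        # IPv4: admit only packets the NAT table below has already rewritten
        # to the internal SSH host (external port 80 -> internal port 22)
        iifname "wan0" ip daddr 192.168.1.10 tcp dport 22 ct status dnat accept

        # IPv6: no rewrite, just a pinhole to one stable internal address.
        # Port numbers keep their meaning end to end; a pinhole like this
        # needs a non-changing target address, not a temporary one.
        iifname "wan0" ip6 daddr 2001:db8:1::10 tcp dport 22 accept
    }
}

# IPv4 only: the single public address is shared, so inbound service
# reachability has to be expressed as a port-to-host mapping.
table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        # external :80 is remapped to the internal host's :22
        iifname "wan0" tcp dport 80 dnat to 192.168.1.10:22
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # outgoing LAN traffic appears to come from the router's WAN address
        oifname "wan0" masquerade
    }
}
```

The forward chain is what both setups have in common: a default-drop stateful filter. Only the IPv4 side needs the extra nat table, and only there does the externally visible port differ from the internal one.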
_______________________________________________
networkmanager-list mailing list
networkmanager-list gnome org
https://mail.gnome.org/mailman/listinfo/networkmanager-list