Re: Homenet
- From: Xen <list xenhideout nl>
- To: networkmanager-list gnome org
- Subject: Re: Homenet
- Date: Mon, 21 Mar 2016 22:47:12 +0100
On 21-3-2016 at 13:43, Stuart D. Gathman wrote:
On Mon, 21 Mar 2016, Xen wrote:
"Addressable" is NOT the same thing as "exposed". Any sane IPv6
There is a fundamental issue with this and that is that this is a rather
arbitrary "sanest method of configuration" rather than a topology
feature.
So is NAT.
If you consider the network topology the same because it is behind the
same router, fine. But you do realize that the new system has an
entirely different model of encapsulation, right?
You still have subnets, but now a host can apparently be a member of a
remote network -- I do not know how routing works when a host is part of
multiple networks as a network is typically that thing that gets routed
to, not a host. So you would think that being part of multiple networks
is impossible unless you are speaking of virtual networks.
If my host is part of one subnet, it cannot be part of another one,
unless for instance the link-layer network is the same and no routing is
needed. You can have multiple subnets in the same house of course, on
the same physical network. And I have used multiple IPs on a single
interface repeatedly to do VPN related stuff.
And being able to be part of many possible VPNs at the same time is an
interesting proposition. But they wouldn't (shouldn't) use public IPs.
So just assuming you have answers (or there are answers to that) that
takes away the nerves of that, let me think more about that topology thing.
Of course if you have multiple routes (physical links) then there is no
issue with being part of multiple networks.
But supposing that networks are still hierarchical. The network is still
the same, but the router now passes through a public addressing to
internal IPs that are the same, and the host part is simply the "room"
number of a building that is able to be addressed per room.
The network is the building address, the host is the room number.
Nothing special about that you might say.
In a general sense I am trying to enlighten you so that I won't have to
do the work for it ;-).
For this :p.
You can also call this having a phone number for every room directly
accessible from the outside without some interim login system or
telephone operator in between.
I'll leave the rest to you.
There is no longer a "port to different port" mapping, now it is simply
"open or closed".
You can still use NAT. Ip6 NAT works just fine and dandy - it's just no
longer *needed*.
I didn't know that. I had read or heard that there was no NAT in IPv6.
Sorry.
When you cross boundaries, meanings can change. For example, I have a
device internally running on port 22, but externally port 80. This is
because I was located on a premises that blocked outgoing port 22
connections. And basically all other connections except 80 and 443.
There are also other ports open on that router but they are all
accessible through the same IP and domain.
IP6 NAT still works for that. But I just use IP6 darknet.
Isn't a darknet just intended to catch and sample unwanted traffic into
a network?
I meant that I was not at home, and where I was located there was a
corporate firewall disallowing me the use of 22 etc. So I just used port
80 for everything. Eventually I just started using a commercial VPN
though that had a tunnel open on 80 as well to connect to the VPN.
I can directly address all the hundreds of boxes I have to monitor.
Configuration is so much simpler. Protocols like SIP that are broken
behind NAT Just Work with IP6, and without an external 3rd party. I can
have a separate IP for each logical web page. (Yes, https is finally
being upgraded so name virtual host works - but IP6 is still better
deployed, and that's not saying much.) I can actually talk to people
behind the same firewall via SIP.
Well, I guess. I would just solve it in a different way I guess. There
is in essence nothing wrong with host-addressable (network, internal
network) addressable addresses. We have been using that for telephone
numbers and basic physical (postal) addresses since like forever.
We have also had systems (businesses) where you couldn't, often quite by
design.
The question is how much do you want to expose your stuff. In this case,
of course, if you put those hundreds of boxes you need to monitor on a
subnet that is accessible through a VPN, and the gateway (VPN gateway)
of that subnet / network translates those addresses for you (would need
cooperation of the hosts, so won't work) or simply makes that subnet
routable to you, the issue is also solved right.
Which of course gives trouble if that subnet you get routed to has the
same configuration as some other subnet you need to access, and that is
valid concern. What is needed is a unique form of addressing, given
several networks that might use the same, and I guess IPv6 fixes that by
making all those addresses simply global.
If every subnet is global and recognised and unique, you will never have
an issue in negotiating which internal subnet addressing you are going
to use.
And if NAT is still possible you can still use your own range.
A VPN has a preconfigured address range. That is no problem if you only
use one or two. But if you use a thousand, configuration is going to be
a problem. Of course, again, if you just use global addressing for
everything, you will never have such a problem.
Not my idea of a good time though. It means you are completely dependent
on being given those addresses right.
It also means without NAT your internal addresses (at least the subnet
part) are determined by the outside world. Right?
Maybe that makes no sense since you still decide the host parts.
In short, all the hundreds of daily irritations and things that just
don't work "behind NAT" go away. NAT is great for working around
ISP braindamage via port mapping - and works OK as a default incoming
only security policy - but is a huge pain in the rear the rest of the
time. Anytime you are using NAT to work around lack of additional
public IP4s (because you aren't made of money), you really want IP6.
So the question is really, how do you want to be addressed internally. I
mean from the outside.
It is clear that if you need to address a lot of devices it would be
helpful if they never changed address as they move across boundaries.
In IPv4 typically you have one address and addressing internal hosts is
not possible, and you make do with port numbers that map onto them.
Both automatic (outgoing SNAT and the opening of a connection and the
router maintaining that) and incoming (DNAT because of a port mapping
configuration).
The issue I guess, as you say, is also that you want to be able to do
this without outside intervention (third party).
For instance, I don't know anything about SIP, but an internal IP
telecommunication device that runs a service needs to be able to be
connected to if it is not going to be reached through an
internet-located server, and even then. I find it hard to imagine that a
protocol will break when the device can open portmaps on the router, but
okay. The issue is peer-to-peer, in essence. Or anything using fixed
ports, in the absence of dynamic ports being communicated through a
central server (3rd party).
So I assume we are talking about peer-to-peer here with both peers
needing to be able to be addressed and contacted directly without the
intervention of anything else. Since the typical solution has been a 3rd
party that tells the called client to open a port on the router (these
days) after which it is reachable.
And then you always need that server that IS reachable to enable peer to
peer, in essence peer to peer being dependent on client-server (but
this has always been the case). (Without any third party you cannot even
reach anything anyway, even the DNS is a third party).
So are you alluding to peer to peer systems the way GNUtella were? Is
that the goal here?
Perhaps you may consider that a port is no good way to contact a /host/.
And without a public address you need a translated address anyway. So if
you want to externally address internal hosts, you either need a fixed
IP, or something that is translated, or perhaps ugly, a port that maps
onto an internal port of that device you want to reach.
For me the port mapping is still the most agreeable solution. Supposing
I needed multiple devices running at port 80. Even with all the ideas of
what I wanted to run from my home. I would have needed and acquired a
second physical link, probably. But apart from that. I probably would
have required one website at 80. But I might just have put that on a
VPS. A single web page addressable by IP? What for?
"I can actually talk to people behind the same firewall via SIP" You
mean people on a remote network right?
That should ordinarily have been possible anyway with a central service
negotiating port forward openings?
I am not going to assume these SIP devices require any stable fixed address?
> No, a different host name.
Yup but unless you have a fully setup domain for your (home) you will be
using a form of DynDNS so you will need one host name registered for
each address.
That is a management nightmare unless you already have an internal
naming scheme that translate into the external world and that means your
internal hosts are directly addressable per DNS (you have a real domain
for yourself).
(Or even a subdomain you control).
Things work the same internally as externally. One fixed IP per device
that is the same internally and externally. Situations (like mobile
devices) where you have 7 billion devices but only 4 billion IP4
addresses.
I understand that reaching a device that is internal is problematic if
its address changes from the outside as compared to the inside.
Anything you run on your internal network is going to be a bitch to
configure if e.g. you have mobile devices that need to reach it. The
solution for me has been to use the external address exclusively, which
was a problem because that stupid D-Link router didn't support it. For
only that reason did I acquire a new router, mostly.
For *me* the number of things I would be needing to reach would be
limited because they would be servers. So the question is again: are you
talking of p2p? Distributed systems?
I live in a home where you cannot reach it directly, you first have to
get through the front door. I like it a lot.
The police habitually get around that by just calling at the neighbours to
let them in before they walk on to your house to surprise you there :p.
When I could still walk I got away from them though due to this system :p.
My neighbour even apologized for letting them in ;-). ;P :).
I do not want a "publicly addressable" house in the street. I do not
want a house where people can see whether I am home or not and harass me
that way. I want to be left alone mostly.
Can you accept that? Can you agree with that?
I am annoyed that I cannot turn off my doorbell because it is not even
on my own electricity, I do not control that system.
I am annoyed that many games have account-wide systems and you often
cannot delete your account or control anything that goes into it. I am
annoyed that when you buy a game, it is tied to the account, and when
you delete the account, you lose all your games and they have basically
stolen your money because you can't get it back; the key has been used,
now it is lost (probably). I hate that "account" and "game ownership"
are being equated with each other. I don't like that my email address
and domain (separate from it) are currently tied to each other because
they are on the same account, so I can delete the website without
removing the email address, but not the other way around.
I do not like that a public defence attorney is employed by the state
and handles all administration by himself, and that it is almost
impossible to get rid of him. I hate that attorneys present themselves
as your contact person to the outside world, and falsely attest that
they are representing you with full agreement when it is not so. They
ask this of the attorney, not of you. The attorney can say whatever
he/she wants, his or her words are believed, while he can only represent
you after YOU have said so. An attorney can go to a court and present
himself/herself as your representative and the court will accept that by
default without any intervention or requirement on your part. And then
suddenly your mail is no longer getting sent to your address, but to
that of the attorney. Bah.
A public defense attorney is a complete burden and the only benefit in
most cases is that the court appears to want to talk to him, but not to
you. Courts and other parts of the justice system are very eager to talk
to the attorney but not to the defendant. The attorney meanwhile doesn't
do shit and leaves you out in the cold, while preventing you from making
your own defense.
I hate dependence. I hate being dependent on factors I don't like and
that make my life worse. I like to be in control of what goes on,
because other people just ruin everything. Everyone who is employed by
someone I don't like, is going to be against me.
I don't like dependence in computer systems. I don't like when one thing
I like is tied to another thing I don't like, and I cannot get rid of
the thing I don't like without also losing the thing I like.
If I want to link my internal network to an alien civilization that uses
a different addressing scheme, I want to be able to do so ;-).
I like an internal network that is not dependent on the fucking outside.
I do not need to be in that storm. I do not need to be in that weather.
I do not want that.
What does the world give me really.... As long as I can be routed to,
that's fine. Maybe a different outlook on life, but that's it. I am fine
with having a gateway system that will translate outside requests to
internal ones. We have an amount of addresses in IPv6 that would allow
us to connect to or become a pan-galactic civilisation. But you would
need gateways anyway. How on earth are you going to homogenize between
different cultures? And is your internal network really anything
different? Why not have a translation layer? Internal and outside the
same address, well can be nice. Then just use the external address since
it is getting translated anyway, and it exists at the exit point of your
network. If not, use a system that gives host names to your devices that
can get you where you want. It should be possible to have a domain name
system that easily accesses something from the outside as well as from
the inside, but of course you need a public address. That remains the
case. Whether my host is "peanuts" or "peanuts.myfacility.net" shouldn't
make a lot of difference. These are not numbers, they are names. They
have more meaning. Whether that translates to two different addresses; a
client could or should perhaps be intelligent enough to just pick the
one based on where it is located (if it also has such a hostname). All
of these things are in principle much simpler than IPv6. A GOOD host
naming scheme that translates to the outside is pretty much essential
anyway and something I have never really had.
My ISP has never given me a real domain I could use for that. I don't
really need multiple IPs. In essence I need multiple host names. That is
what an address is to us humans. So start from that. Do we have that
system? What is so difficult about giving people a domain for their
home? People have domains for websites but not for homes.
If you concur that you should have host names for your devices (or the
ones you care about) (at least) that have an address from the outside,
you can still make various choices about the IP scheme. Generally
speaking your router should be the DNS for those hosts. If anyone
contacts a host, it knows who they are. It doesn't work that way because
host name resolution and addressing are two separate steps. In essence
our ISPs give us IP addresses that are like host names, they often have
a reverse domain (host) attached to it. You never use it really, but
it's there. It's just not very convenient, or nice, or pleasant. If
those hosts translate to the same IP, that's still nothing you can work
with. An IP packet doesn't contain a host name. So then what you need is
this "name" based addressing included, or a numeric address being
revealed, or a cascade of encapsulated packets (first to the gateway,
then to the internal host). Basically a tunnel. Which means it becomes a
little like a VPN. I like the last idea most. You send a packet to a
gateway, and ask it to forward an included packet to someone else.
It is forwarding anyway, now it just needs to unpack. Today (or at least
in IPv4 NAT) we do that by treating the port as the internal address (of
the masquerade) and 'abuse' it as an internal node address really.
There has not been any concept of cascaded addresses really. Since there
are two concepts: IP and port, the port has been our cascaded "included"
address of the internal system.
If you travel physically... well this goes on too long.
You first travel to the hub, and from the hub you travel on. That is
basic routing too. But I like the idea of being internally invisible in
some way.
You cannot reach my house directly. By phone number, yes. Not by mail. I
have to go get the mail myself. Or someone comes in and brings it to me
after I open the door.
So what would you imagine then. Imagine being part of an intergalactic
civilisation with many diverse systems being linked.
A culture might not even want you to send messages to its members
directly. Not as directly. It might not want the individual members to
be known.
It might use pseudonyms, or something like that. It might like
seclusion. Messages travel to a central hub. People that want to receive
them, connect to that. The hub notifies the person that something is
there. The person responds by obtaining it, or not.
To me, host names are pseudonymic enough (or actually, perfect) but
numeric IDs aren't.
If you are going to use 128-bit addresses, a 20 char host name in
essence, shouldn't be a problem either.
If you used a hostname, an internal host would be capable of relocating
itself (change its number) without hassle even in the midst of a connection.
In essence that's the same as what you want with VoIP, in essence you
want a fixed address that you can register with wherever you are, on
whatever device you are using. Like an account name, in that sense.
Account names are usually addresses in these systems (or at least in
chat systems) -- you register with the account name, the system
registers your number, and you are now reachable through that name
wherever you might be.
You may want a device not to change address, but with mobile devices
this is not possible anyway. We were merely talking of internal hosts
that do not change location. What about hosts that do change location?
You need a name that registers with a number.
Why not have a name that registers with a number for the outside world
as well? The host picks its name, and registers with the gateway (same
thing). The gateway now knows its name. Internal hosts also know its name.
Registering is saying "I can be reached there".
Now something from the outside wants to reach it. Some one from the
outside wants to reach it. Someone from the outside.
The gateway can now do one of two or three things.
1. give it a fixed globally addressable address, after which the gateway
won't care anymore, and just obliviously do its work.
2. only allow addressing by name for whatever long something might take.
3. give it one additional address, it already knew the gateway (or in
our case, the DNS server) now it needs to know the internal host.
Now you can say 1 and 3 are the same. But there is a subtle but
important difference.
I'm not sure if I will have the time for this.
In our case, the first case, we have:
1. an upstream DNS server resolving the address of the downstream (our)
dns server.
2. packets being routed to that server through known routes belonging to
our ISP.
3. our DNS server resolving the address of our internal host that is
publicly knowable.
4. packets being routed to that internal host first through the route to
the gateway (same route as 2) and then through our router onto the
internal network.
The router and the DNS server are the same (the gateway) and they should
be, in essence. Or at least it is part of the same concept, the same
notion, the same unit.
It is the access point to our network (if there is only one).
And mostly it would be, at least in a home router.
But what is the alternative notion?
1. the network address directly identifies the router/gateway. In a
sense this is already true because the ISP knows the route to our system.
However our router address is being kept in a routing table and added
there on purpose, often through a kind of DHCP system (in our case).
The router is a host ON the network -- if we have a single IP from your
ISP, it is not even a network, it is just a host.
Traditional IPv4 did not identify networks, it just identified hosts
(for an end user). There was no addressing space beyond that, hence NAT
and masquerading. The ports were used as the additional addressing
space, when it was not really meant for that.
So IPv6 adds this. It gives a /64 additional space, give or take, to
every end point. Right. But even this is limited, it is not recursive or
any form of encapsulation. Supposing you were talking to an alien
civilisation. You know, IPv6 tries to be "Universal" but of course it
isn't. What are your IPv6 packets going to do? They can reach the earth
boundary gateway. THAT'S IT. Now you need an additional address first
for the required solar system and/or even the required galaxy you want
to go to. That means, if this sort of addressing is not available on our
earth network, you will have some layer somewhere in which the earth
gateway is located, an IPv6 packet is sent to it that encapsulates a
larger addressing scheme, and the gateway, that does know the addressing
scheme, uses it to find the required host abroad using whatever scheme
there is.
That's like a VPN right. You open a tunnel to the gateway, and your own
system (host) goes and speaks a completely different scheme on top of
what we already have. Inside of what we already have. Basically, through
this gateway, a completely different virtual network emerges.
You don't even have to go to the earth gateway for that. Your ISP could
be doing the same for you. Everyone could be logged on to a different
virtual network that would sit on top of the regular IPv6 internet. And
things would get pretty boring pretty soon then.
Now everyone needs this larger scheme. But what if different
civilisations use different schemes? Are you going to create one
addressing scheme for all and then use this on earth as well?
In the end what you need is a form of encapsulation anyway. You cannot
get around it really.
Or you'll end up living in virtual networks on top of virtual networks.
Maybe not so bad. But maybe the reverse solution of what is needed.
Suppose we use something different.
Our address for our home is a network. It is a network address. But
inside of us, there could be another network, and inside of that,
another, and another and another.
So what does it matter if a remote host can reach the innermost address
directly? Isn't it sufficient that it can reach the first boundary, and
then include the addressing for the next, inside of that? And the next,
inside of THAT?
IPv6 has tried to solve it by creating a number of bits (well,
relatively speaking, for us) that are supposed to cover ALL of this in
any practical matter.
So, you have 64 bits. For your host. Supposing you were to use 8 bits
for the first next network, 8 bits for the one inside of that, and so
on. After a while you cannot go any deeper. Because they have tried to
use a fixed size number to cover the entire depth you may need to traverse.
We have a fixed size number that we can split as much or in any way we
like using bitmasks. If we have 128 bits (or 64) we can use 64 bits for
a host, but we can also use 8 for another network and 56 for a host. That
is up to us and that is basic IPv4 parlance as well. Same thing right.
But the concept hasn't changed. We can now have a cascade of networks but
the addressing is still one single number. We have seen how people used
the port to get around that. The port is an additional number. The port
is part of UDP or TCP I believe, so it is an encapsulation going on
here: The TCP packet is ENCAPSULATED inside the IP packet and people
used THIS to address internal hosts!!!! You see the solution that was
used! Encapsulation! For further addressing!!!!!!.
This is why it worked so well and why people were so happy about it in a
general sense.
Now why shouldn't we be able to encapsulate IP packets within one another?
Why can't we send a packet to a network which is equivalent to a gateway
in this sense? The gateway has one address.
Whatever this address is (this reminds me of designing the minimax
algorithm I did as a kid). Whether it is (or has been) encapsulated or
not, it reaches us now as the outermost encapsulation: a packet with our
address on it that we can know about. The unpacking of packets is going
to be how routing is going to be in the future. In essence it is going
to be the question of whether we want multiple or single inheritance. In
the case of single inheritance, the scheme I have proposed here works
intently and directly. In the other case, we will have multiple
addresses for our network, and it is no longer a real tree.
Just stick to single then.
But maybe the rest is up to you now. I'm just some loser who doesn't
know anything, you know. I can't really think this thing through, because
my brain is too impaired (for real).
And I have no food either, etc. etc.
Thinking requires a lot of glucose and I don't have much of it.
So I'll see ya.
The question is: WHY DO YOU WANT or feel the need or desire for (RANDOM)
64-bit addresses on an internal network?
You don't want or need them on an internal network. It is an optional
IP6 privacy feature, in case you don't want outside parties tracking
your device by its MAC - which is used in the original SLAAC. When the
internal network has a server or DHCP6 capable router, then DHCP6 is
better and simpler IMO, and works with subnets smaller than /64.
Right. I'll have to think about that some day. I'll keep the mail.
The privacy feature is optional. When used, it is used only for
outgoing connections from the device. There is still a fixed IP6 that
can be given out to things that need to connect to it. It is generally
a good idea not to use SLAAC if privacy is a concern, as that exposes
your MAC and can be tracked across multiple locations (e.g. if coffee
shops all had IP6 but no DHCP6, then your device would be recognized
at each coffee shop).
Thank you for your understanding and willingness to explain. Much
appreciated.
"small set". Yes, that is the *critical* problem with IP4. You do
realize that we ran out of IP4 addresses years ago everywhere except
Africa, and the bandaids (like NAT) to keep things sort of running
are getting cumbersome?
Like I explain, I would favour a cascade system of encapsulations in
either a real hierarchical or multi-inheritance fashion that would
forever abolish all problems of running out of addressing space because
you could add another encapsulation layer at your convenience at any
time provided the hierarchical layout of the world follows this model as
well, ie. there might be an encapsulation for your region, your country,
your country region, your continent, etc. etc.
IPv4 addresses can already be translated to a country but that is in a
different way, that is just through some table in which parts of the
space are allocated to certain regions in this fixed size address number
way.
It would not be hard, for instance, if you did run out of space, to
further segment the area you live in (and the addresses that are being
given out) to add a few more hierarchical layers, and the transition for
this could happen overnight. It is really flexible and you can add or
remove layers at your behest as long as it is being done for the entire
region you are part of. Which only needs to happen at that region's
gateway, really.
Since every subsystem would have its own independent addressing, it can
include itself into anything you want (but you really need hierarchy I
feel, I don't like C++ multi inheritance either). What you get is a
grassroots system instead of a topdown system. The internal network
comes first. Then it joins with other internal networks into one bigger
network. The bigger network joins with other bigger networks into an
even bigger one. And this goes on until you reach the global level, or
even the universal one. It can be infinitely extended, into larger and
larger, but also into smaller and smaller. You can become part of larger
and larger wholes, or you can turn yourself into larger and larger
wholes by having deeper and deeper nested things inside of yourself.
You are only yourself and infinity goes both ways. This is an infinite
system. It can grow in either direction, or shrink in either direction
as you please.
You can become your own country if you want. You can disconnect from
everything else and only grow inside yourself. Or you can join the
entire cosmos as you explore outer space.
The only real question that remains would be what would be the size of
each addressing step. This *could* be an individual thing but I consider
it more likely, or pleasant, or workable, if this ... I expect this to
become a universal statistic. I suppose, and I think, and I guess, that
a number of about 200,000 would be the maximum number of internal nodes
you would need at any level of hierarchy.
If you are talking bits, that would mean that 256k or 18 bits is the
maximum number any internal segment needs to have to address all its hosts.
I believe this is the universal system, but I just conjured it up. I
have been thinking about these things for a long time though. I think
this is what real hierarchy comes down to, not a top down system, but an
inclusion of segments that each vote for voluntary inclusion, in that sense.
Corporations often grow by assimilating stuff. But assimilating is not
the same as growing, and joining is also not the same as assimilating.
What I mean is that forceful acquisition would not happen in this
system. Either you subdivide yourself, or you become part of a larger
subdivision of something bigger than you.
You can perhaps subdivide yourself by becoming the larger entity, using
your old self as one cell, and then acquiring by force or purchase or
whatever, something else as the 2nd or 3rd or 4th cell. But that's not
really the spirit of this thing. The spirit is that you always remain
yourself and you choose what to be included in. For example, naturally
you can choose your ISP (mostly), that's the kind of thing. The ISP
doesn't choose you. You are a client. You choose what you become a part
of, in that sense.
The spirit is really that if something larger is needed, you either join
together with something else to make that larger whole, or perhaps you
could become larger but this would happen voluntarily. I don't know.
Subdividing yourself also means you become larger, just not higher up
the hierarchical ladder. I don't know.
I think it would naturally resolve itself.
If you have a cascade of 18 bit addresses relative to your position in
life it means you don't need no global address to address your internal
hosts or networks. At the same time, you don't even have one, in the
sense that your next bigger address simply includes the network you are
connecting to. You know how the whole tiered internet infrastructure
works in a way. I am fascinated by how big and monstrous and wonderful
the T1 internet providers are and how they work together, and how they
have peering agreements only with other big T1 networks, but not with
smaller ones, that they only accept as clients. I think it is a
wonderful model and it works very well. These are huge corporations
and/but they dig their own fucking cables through the atlantic ocean.
Nobody really knows about them but they exist and do everything.
And there is hardly, scarcely, or at all, any malevolence in there.
Fascinating :).
So from your perspective, your next bigger address is the one that
includes your address as part of the 18 bits you are included in. Then
THAT network has no identity other than what it is, until it includes
the next 18 bits IT is included in.
That ALSO means that if you just want to address the hosts in the
network you are part of, you need go no further than just knowing your
own address as part of that whole, getting someone else's, encapsulating
your internal traffic as part of that thing, send it off, it gets
routed, and reaches its destination. So, but, if this is infinite in
every direction, how and when do you know when to go higher up the chain?
That is really quite simple but perhaps a bit difficult. You require the
knowledge of the entire whole you are part of.
Just like with those tiering things, you need to know in advance on
which network something is located.
Then you can see whether you can reach it from where you are or not.
The encapsulation is really done by the gateway, but, the hosts need to
know about it too otherwise they can't address it right.
So there is a different protocol for that. If you know any address you
want to reach, and you need to go up, you know exactly how far up you
need to go, otherwise you wouldn't have its address.
In a sense that address is a flexible sequence of 18 bit numbers (in the
case we / I have chosen here).
You can present that sequence to your gateway, that will encapsulate
your packet (or at least your return address) and chop off your part,
after it will give the packet to the next higher up. This works for the
return address because you start by encapsulating the deepest part first.
The address you are using for the target is not yet that encapsulated
thing. If it was, it would contain the address of the top most level you
need to go up to.
So instead what you do is you encapsulate the deepest part of that too
because at the top of the hierarchy you need to reach, it needs to have
the full sequence (encapsulated) for going down.
Every level you go up, supposing the end target is on the same level as
you, you encapsulate an additional part of that address while chopping
it off the sequence that you pass on. I'm not sure if I want to say
anymore. I feel as though people will run off with my idea without
giving me any credit, seeing as I can't even work or do anything in the
world. But this thing is easy enough to solve in a way. It is better if
other people solve it then.
Knowing your position in the world, or the position of the target you
need to reach relative to you, is vital. That's because the length of
the sequence you present to your gateway will determine how far up the
hierarchy you will go before descending down again.
The sequence you present is really the length you want to travel up. You
know where you are, or your gateway does, so you don't need to
encapsulate your entire address yourself. If you want to travel further
down than you have travelled up, you need to encapsulate the deeper
steps first yourself.
Because presenting those as a sequence means you are travelling farther
up than you intend.
The sequence you present determines how far you will travel up, but it
will not determine where you will travel up TO. That's because you will
just travel up to the next highest level, in this system. But once you
reach the top of where you need to go, the entire sequence will have
been encapsulated (of both your target and source address).... I don't
know, maybe I should write a paper about this some time. I don't know. I
can't really do much atm.
And well, all the top gateway needs to do is unwrap evermore going down,
until there is nothing more to unwrap, at which point you will have
reached a host.
So you need to know the relative location of every host you want to
reach, nothing absolute.
The question can become how you are going to fix alternative routes,
that is a subject for later study. In a sense it will depend on peering
as well as what is being done in the internet infrastructure world.
In a sense the physical structure already follows this model you know.
The addressing structure just doesn't. It is not a sane model what we
have, especially as it has grown into something bigger and more
monstrous like IPv6.
There is really nothing very special about this.
Let me blow your mind with my favorite application of IP6: CGA -
CryptoGraphic Addressing. One huge problem with both IP4 and
conventional IP6 is that your IP (/64 subnet in the case of IP6) is
essentially assigned by the government (through IANA) and can be taken
away at any time. And can be spoofed. In the CJDNS protocol, the
128-bit IP6 address of a device is the truncated hash of the public key
of the device. No central address assignment. No spoofing.
https://github.com/cjdelisle/cjdns/
That is mind blowing but also very freaky. I like the idea of a dark net
(in the sense of an anarchistic kind of network) but it is a thing of
unspeakable intransparency. I mean obliqueness. They say that CJDNS is
meant to replace the regular internet.
Okay so I get it. It is really a routing system that functions by fully
allowing yourself to pick your address, and becoming part of something
that will always be able to route to you no matter what.
But just like other distributed systems (I mentioned Gnutella) I don't
like it very much. They say at the end of their wiki/markup page (on
Github) that "Congratulations, you have now become a network
administrator" and then talk about the responsibilities of that.
It is filthy in a sense you know. This is the kind of thing that really
terribly reminds me of child porn networks and how they are constructed
on the internet. I have never seen anything like that and I have only
seen a very small surface of it. There is a lot of obfuscation, for
instance there are public urls that will only show something if you are
coming from another recognised page (another host). If you enter the
page directly, it will just show nonsense. I don't like to be a part of
that, but I had a look. This is not even the dark web. This is just
publicly obfuscated. And there is not really anything there either, from
what I've seen. Yet, they've put it on the surface. For people to find
perhaps, I don't know.
It's a weird world and it doesn't make me sick, but it makes me feel
filthy. I get the same feeling from this CGA. It is a way to throw
darkness over the earth.
You don't know anyone except your next few peers.
Just like with Gnutella, you depend on existing known hosts or peers to
get connected. You even require an invitation or acceptance. Don't like
it at all, at all.
It reminds me of hacker culture as well but this is different. Who are
going to be running those hosts? Who are those hosts? Are you not in the
dark? What do you know about your surroundings really?
In my system you also depend on something like an ISP including you. But
your ISP can also take away your internet connection so it's no
different really. In my system, address and geophysical location are
intimately tied together. If you can have access to something, you can
have an address. What you would do instead is layer something like this
on top of that. I mean that you start out with my system. And then you
put that what you have on top of it. Then you have an amazing system I
think.
I would call my thing a cascading encapsulated hierarchy. CEH sounds bad
;-). But that's what it is I guess.
Cause you see, if the internet authority did take away your address. It
would mean it would have to take it away from the topmost actor that is
functioning between them (or it, or whatever that authority is). Suppose
the topmost thing I am a part of is Earth. Earth has no address, because
it is the topmost thing, it doesn't need an address.
Now every continent would have an address in those first 18 bits. You
would probably have a space of about 15 different regions. Then you
would probably have a space of about 15-30 other things that are not
regions. This would then conclude the top level for Earth. These 15-30
other thing are not geolocated. They could be other forms of
non-geographical organisation. It could be a cross-cultural or at least
cross-regional grouping together of individuals wanting to belong to the
same thing. An intersection, if you will.
Let's call these non-geolocated groups by colours. There would be a
group called Red, Blue, Green, Purple, etc.
Red, for instance, could contain people of a communist persuasion or
something of the kind. Their system, they can make it whatever they
want. The only thing that's true, is that globally it is reached through
the top level by their address.
How you reach any hosts within that, is beyond that. It is contained in
your packet. That may contain a whole lot of other packets (wrapped).
But we do not know. That is up to them.
Supposing somewhere in that line you acquired both an access path and an
address from this Red network / organisation to their physical network.
It doesn't even have to be one physical network. It can be a bunch, it
can be whatever. It can be composed of Squids. Real Squids. I don't care.
It could be hierarchical, I don't know. You don't know how crazy these
people are. They could do anything ;-) :).
But in this general sense, unless they hook onto other levels as well
(and they would) in order for my address now to be taken away, the whole
Red network will need to be disconnected (from the top level).
But being in an intersection, they'd have access paths at every level as well.
Now, it is probably going to be the case that in order to shut you off,
they will have to shut off your access (or that of the Red network) at
various levels as it interconnects with existing infrastructure. But
what about the Green network? It is composed of environmentalists. They
may have interconnection or peering agreements with the Reds as well.
Now you get access through THEIR network instead of through the
geopolitical geographical geolocated networks of our governments. ;-).
The Purple people have access to outer space that most of us don't know
about. They provide a service called InterLink that has a roundabout to
it connecting through satellites or whatever to other Purple exit nodes
on earth. Now if you know a nearest Purple exit point, you can even
access the White House ;-).
The Whites though don't like this, but yeah but what can they do. They
are being superseded by higher intelligence ;-). That would correspond
to Christianity - those whites.
Anyway enough fun here. I think this could happen for real ;-) :). :P.
A random 64-bit address is 8 bytes. A byte is 2 hexadecimal digits. That
means if these addresses are really random in the entire range, you need
16 digits to write them down. Currently, I can remember every device with
one decimal number between 1 and 254. So where is the advantage here?
People in the past used to directly access public IPs by IP. By heart. I
never did much of that, but it happened. I do use a domain service for my
IP and don't remember it.
Now you have a different private IP4 for every location. That is even
more confusing. Even worse, you get private IP4s that conflict, because
there is no central allocation of your private IPs, and the address space
is too small for CGA. It's a real bummer when you add a client whose
already existing internal IPs conflict with another client's, and you
need to directly address both. At least, it used to be a bummer until I
switched to IP6.
Alright I haven't thought about address acquisition in my system yet but
in a sense that would just be DHCP. However your own name you could
probably choose and there'd need to be a bit of resolution for that but
that would work out fine I suppose.
In my system that I just proposed I haven't thought about name
resolution, just numbers. However every number can correspond to a name.
So if you include earth in the address an address could be like
ea.eu.we.bl.nl.nw.am.pu.ct.db.9d and it would actually constitute a full
physical address.
That's my address right there haha.
In that sense those could be all of my layers (hierarchically speaking,
or numerically speaking).
Am stands for Amsterdam, Pu stands for Purmerend, and so on ;-).
So it encodes an address that can also be encoded simply in physical form.
Now that is really what I would want. For my home. To have a real
address on the internet in that sense. Really, I do.
This is different from websites and all of that.
But any IP would be possible to be resolved, perhaps, unless you put a
stop to that, to that full physical address of someone's location, or at
least of the internet link.
Likewise, in the Red system, your full address would also be able to be
resolved.
But not the geographical/geopolitical one. It would be a Red address
mostly, unless it intersects with other networks. Your address is simply
the path of all layers towards you from the top.
Of course you can layer the CGA on top of that to get rid of that if you
want. I guess it would be a good thing for various purposes. Stay with
me for a while.
However, when you aren't using privacy extensions (which aren't
*supposed* to be remembered) or CGA, then IP6 addresses are also easy to
remember. E.g. my personal mail server is 2001:470:5:c85::10. The CJDNS
(CGA) IP of my mail server is fcd9:7f8a:e050:4b48:7fd6:7fa:5509:6e26 -
and yes, that is hard to memorize - and I don't. That's what DNS (and
other decentralized naming systems like Namecoin) are for.
Yo man. Don't even know about Namecoin yet.
Yep. Still works just fine in IP6. When using hierarchical addressing,
most of those 128 bits are 0, and written as "::".
Well I knew about that, just haven't really used it yet. It is the same
as with IBAN, I had a real like objection to learning it. I don't like
it, I don't want to know it.
So basically they want full exposure, but recognise that this is not
actually desirable, so they introduce a firewall that will block incoming
connections, when at first the whole reason for having individual
addresses was in large part to solve the problem of not being reachable.
You need a firewall for NAT as well. You only want to block incoming
by default for clueless users that don't know any better. The first
thing a knowledgeable user does is turn *off* the default "block all
incoming", or replace the default firmware on the router with OpenWRT,
or replace the router with a linux box.
Sure, but I never thought real end-to-end connectivity was a real
problem. The advents of IPv6 thought that, did think that. So they
introduce something that will grant it, and then when they've done it,
they think like "hmm, maybe this is just not a very good thing at all,
we need strong firewalls too". With IPv4, you need ACTIVE CONFIGURATION
for any internal host to be reachable (apart from UPnP). With an IPv6
router, you could do it by accident. Suppose someone (a regular user)
can't do something. His friend tells him: go to your router settings and
turn off the firewall. That's the easiest. Yeah, you can configure the
rest later, don't worry.
Now at a certain point 20% of users have turned the firewall completely
off, thinking their computer will do that enough on its own. This could
be very realistic you know. I think it could be, or it even is.
I mean, if and when you connected directly without a router, you had the
same right? So what's the difference. Windows Firewall works too, and I
have a virus scanner installed. It should be enough. So people start
turning off that thing.
In IPv4 or at least with NAT you couldn't turn anything off. Wouldn't
work, wouldn't do anything. You had to actively open or forward ports.
The first thing (IPv4 NAT) required knowledge to fuck up. The second
thing (IPv6 without NAT) just requires a lack of knowledge to fuck up,
nothing else.
It is not safer, or equally as safe.
Press a button and everything is open, instead of having to individually
select and forward ports.
But let's speak about that "knowledgeable user" if we have time.
"The first thing a knowledgeable user does is turn *off* the default
"block all incoming", or replace the default firmware on the router with
OpenWRT, or replace the router with a linux box."
Making port opening settings is fine. You say "block all except" and
then you open some ports. Right.
The latter thing though is far beyond the reach of any regular computer
user or even many who are really very good with computers. I have used
OpenWRT, and it is not easy. I wanted to change THEIR model as well (you
know, the UCI) -- it is deeply flawed as well and confused the hell out
of me. It took a long time for me to get the simplest thing running.
Some things (normal things) are just not possible with the default
configuration (or SEEMED to not be possible until someone told me) and
required me to dig into the way it generates IPtables rules in order to
add a custom rule that would do the thing. Turns out I was mistaken but
I had not been able to find it anywhere.
I don't know where that little router has gone to. Have I given it away?
My memory is jaded. I got a hit to the head.
I have a TP-Link router now that will accept OpenWRT but. Yeah. Where is
that thing....
It *is* desirable - but too dangerous by default for unskilled users
running Windows. A gun is a valuable and essential tool - but you don't
give it to a four year old to play with unsupervised.
But if IPv6 becomes ubiquitous in the home, it will land a lot of users
in a serious ...not knowing what to do.... problem, I mean you ARE
giving that gun to those people. Maybe not by default but very close to it.
It is like giving a gun to that 4 year old with some kind of safety lock
on it, but the 6 year old can remove it ;-).
1000 times more simple. Hence, why I don't even bother with IP4 anymore
except to configure a 6in4 tunnel when the ISP is still living in the
'90s.
Well simple for you apparently given who you are and what you want to
do. Is it simple for the ones writing NetworkManager?
Do all people have your user requirements? I would say scarcely any have
in the grand scheme of things. Don't design a home networking solution
that only provides benefits to 5% of people.
Maybe if VoIP becomes very popular but I haven't heard anything else
that is end-user, and basically everyone and his monkey just has a
provider-enabled VoIP solution that works through a regular phone. Where
I live. I don't know about corporations.
I would really like a simple sign-in VoIP thing that registers my
handset with a gateway, software on laptops and computers that can do
the same, devices that can bridge DECT to those VoIP terminals or
bridges, so that I can simply do VoIP on a DECT phone, or on a
smartphone that can receive dect, or on a laptop or computer. But it's
not there right. I mean consumers are regularly just faced with Skype
and that's it. Where is my VoIP account with accompanying phone number
or internet phone address, on which I can call other people both online
and on the regular network, unless it is by Skype? And Skype is WAY
expensive to call regular mobile phones, WAY WAY expensive. You can
easily get like 3ct/minute and with Skype it will be like WOW.
I do not know anyone personally that uses VoIP apart from their
provider-issued thing, apart from one guy that used something where he
had to acquire a phone number with one provider, an outgoing payment
dial account from another. You know people don't use that. Maybe in
businesses they do.
Regular people don't have VoIP apart from their ISP or telecom, which
made no difference for them and didn't save them any money (mostly)
unless they are calling people on the same (closed) network.
Regular people use a mobile phone for calling, some still have a
landline, but the landline is now VoIP behind the scenes, not that that
is any use to them, the system is still the same except that it cannot
be used for dialup modems or in the case of an emergency anymore. There
is not a soul alive that is not an IT tech guy that will really readily
and clearly benefit from IPv6 as it is now being introduced apart from
some fringe cases or use cases I don't know about.
Except of course, again, when you talk about this IoT guy that started
the thread (hey Tim!) with rather high end media streaming and device
controlling solutions that (for instance) require inside and outside
operation whether your controlling device is inside and outside of the
network or not. That's like, fastest possible solution to a problem.
NOT your regular thing that many people will have. 200+ devices? WHAT THE?
What does something like that COST???.
Like they say in the YouTube comments, "200.000 people in Africa could
eat those 200+ devices ;-)".
I mean I see it a lot that Linux tech people have no clue about real
world people, sorry if I say it in this way but it is true.
A skilled user installing OpenWRT. That is quite something.
That is 0.5% of the human population or less. In developed countries.
Probably much less than that okay.
One in two hundred people? No way.
No way!!!
Make it one in a thousand and go lower than that. Okay. Really.
You are creating something that will only benefit you. Apart from the
lack of addresses, but that could have been solved by extending it to 6
octets and keeping the rest the same.
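The CGA point raised above (the CJDNS address being a truncated hash of the node's public key, so nobody assigns it and nobody can claim it without the key) can be made concrete. This is an added example, not code from the thread or from the cjdns project; it assumes cjdns's construction of taking the first 16 bytes of SHA-512(SHA-512(pubkey)) and accepting only results inside fc00::/8, and it uses constructed 32-byte values in place of real Curve25519 public keys.

```python
"""Added example: deriving and checking a cjdns-style cryptographic address.

Assumptions (not confirmed by the thread): address = first 16 bytes of
SHA-512(SHA-512(pubkey)); only addresses inside fc00::/8 are valid. The
32-byte "keys" below are constructed stand-ins, not real Curve25519 keys.
"""
import hashlib
import ipaddress
import secrets

CJDNS_PREFIX = ipaddress.IPv6Network("fc00::/8")


def address_from_key(pubkey: bytes) -> str:
    """Map a 32-byte public key to its cryptographically generated address."""
    if len(pubkey) != 32:
        raise ValueError("expected a 32-byte public key")
    digest = hashlib.sha512(hashlib.sha512(pubkey).digest()).digest()
    return str(ipaddress.IPv6Address(digest[:16]))


def is_routable_address(addr: str) -> bool:
    """Only addresses inside fc00::/8 are accepted (assumed cjdns rule)."""
    try:
        return ipaddress.IPv6Address(addr) in CJDNS_PREFIX
    except ValueError:
        return False


def find_routable_key(seed: bytes = b"") -> bytes:
    """Search candidate keys until one hashes into fc00::/8 (roughly 1 in 256
    does). The candidates are constructed from a counter, not real keypairs;
    a seed makes the search reproducible, otherwise it is randomised."""
    base = seed or secrets.token_bytes(32)
    counter = 0
    while True:
        candidate = hashlib.sha256(base + counter.to_bytes(8, "big")).digest()
        if is_routable_address(address_from_key(candidate)):
            return candidate
        counter += 1


def verify_claim(claimed_addr: str, pubkey: bytes) -> bool:
    """Check that the key a peer presents really yields the address it claims.

    This is the binding that makes address spoofing pointless: a forger can
    announce any fc00::/8 address, but without the matching key the hash will
    not line up. (Proof that the peer holds the private key is a separate step
    done by the handshake; only the address/key binding is checked here.)"""
    if not is_routable_address(claimed_addr):
        return False
    try:
        expected = address_from_key(pubkey)
    except ValueError:
        return False
    return ipaddress.IPv6Address(claimed_addr) == ipaddress.IPv6Address(expected)


if __name__ == "__main__":
    key = find_routable_key(b"constructed-seed")
    addr = address_from_key(key)
    print("key  :", key.hex())
    print("addr :", addr)
    print("valid:", verify_claim(addr, key))
    print("forged key accepted:", verify_claim(addr, find_routable_key(b"other")))
```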