/g/ - Technology




File: file.png (341 KB, 500x292)
95% of "IT professionals" get filtered by pic related
>>
File: 1713351929127.jpg (43 KB, 700x525)
Especially Australian ISPs, we have one of the most fucked allocations in the world where mining and universities own /20s on 50 year leases, and the overwhelming majority of internet devices are now connected via carrier NAT because oh no letters in muh address is too hard. Dead set you can get 2-5x the throughput on ipv6 where available because these fuckwits have absolutely no idea how it works so everything is completely unmetered and unmaintained, I've seen broken BGP routes where traffic is blackholed to major providers like vocus for 6 months so you literally had to vpn to an Adelaide datacenter just to access google.com
>>
File: ipv6.png (218 KB, 1250x810)
>>
>filtered by thing nobody uses
>>
networking is like plumbing, I don't really care about it, I just care that water comes out of the pipe or data comes out of the internets tube.
>>
>>100065212
kek'd
>>
>>100064819
it's just an IP like IPv4 but simpler
>>
>>100065205
my home ISPs have had IPv6 for years now and my Go8 university doesn't lmao
>>
I'd like if I could use tunnelbroker without sending all traffic on my server that can possibly go over ipv6 through the tunnel. I just want to selectively tunnel some traffic. Haven't figured out a good way yet. Maybe docker is the answer.
>>
>>100064819
IPv6 filters retarded itlets and sysadmins because they don't even understand IP how would they understand IPv6?

IPv6 isn't dogshit for any reason constantly complained about on /g/ everyone is retarded and brown about this. If you are filtered by hex you shouldn't be allowed to touch a computer go buy an iphone and sit at the womans table while tucking your penis you absolute faggot.
It simplifies all the bloat from ipv4 that was required at the time of design but not at all now. It simplifies tunneling, dhcp, addressing, all basic monkey shit that shouldn't be manually done and isn't a real task.

IPv6 has NAT and it works perfectly fine, yet another cope from people who do not actually work with or know about ipv6.

No IPv6 blows dick because web providers are retarded and don't fill out quad A records properly and NAT64 is a broken piece of shit (thanks to IPv6). Websites going through NAT64 translations even with a good quad A record will simply break sometimes for no good reason, because it is broken and or slow or webshitters cannot into anything technical and their AAAA DNS records are broken browsers will default back to IPv4 anyways.

ISP ipv6 is also broken in many parts of the world, 6RD is practically nonfunctional and is just a lab technology and most ISPs do not set up 6PE/6VPE properly and refuse to forward native IPv6 let alone native internet IPv6.

for THESE reasons IPv6 is a broken piece of shit on the internet. Not the braindead filtered sysadmin shitnigger brown tier complaints.
>>
IPv4 is the White man's IP. IPv6 is for brown subhumans who need it for their skyrocketing birth rates.
>>
>>100064819
IPv6 + SLAAC needs some sort of rule based UPnP. Not sure how DNS is supposed to work either. My pfSense router recognizes all the devices through network discovery, but it doesn't add the hostnames to the DNS server.
>>
File: 109702012_p0.png (2.22 MB, 4093x2894)
>itt faggots who can't deal with Hex.
>>
File: b3f.png (124 KB, 294x350)
>>100072568
What are you fucking smoking. You don't need NAT for ipv6
>>
>muh hex filter
This is the best argument IPv6fags ITT have.
lol
lmao
>>
>>100074580
I said ipv6 works just fine with NAT, you also don't need NAT for ipv4.

NAT64 is how a lot of internet content is served in IPv6, and there are a lot of reasons for using and needing it. If you don't even know what NAT64 is or the different ways it is implemented (ie Android/windows nat64 vs iPhone nat464 detection) do not reply.
>>
>>100074650
>muh hex
the best argument ipv4lets have
>inb4 muh eui64
not a real security threat and already addressed multiple times in modern implementations
literally read the RFCs
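The EUI-64 concern mentioned in the post above is that a SLAAC address built from the hardware address carries the same interface identifier on every network. The following check is an added example, not part of the original post; it audits a list of your own hosts' addresses for that pattern, and the sample addresses (documentation prefix 2001:db8::/32) and function names are constructed for illustration.

```python
import ipaddress


def eui64_mac(addr: str):
    """Return the MAC embedded in a modified EUI-64 interface identifier, else None."""
    # Accept forms such as "fe80::1%eth0" or "2001:db8::1/64" as printed by OS tools.
    ip = ipaddress.IPv6Address(addr.split("%")[0].split("/")[0])
    iid = ip.packed[8:]  # low 64 bits = interface identifier
    # Modified EUI-64 inserts ff:fe between the two halves of the 48-bit MAC.
    # A random identifier matches by chance about once in 65536, so treat a
    # hit as "looks MAC-derived", not as proof.
    if iid[3:5] != b"\xff\xfe":
        return None
    # Undo the universal/local bit flip on the first octet (RFC 4291, Appendix A).
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def audit(addresses):
    """Map every address that exposes a hardware address to the MAC it reveals."""
    findings = {}
    for a in addresses:
        mac = eui64_mac(a)
        if mac is not None:
            findings[a] = mac
    return findings


# Constructed sample: the same laptop seen on two networks, plus one address
# with a randomized (privacy / stable-opaque) interface identifier.
SAMPLE_ADDRESSES = [
    "2001:db8:1:2:211:22ff:fe33:4455/64",    # home network, EUI-64
    "2001:db8:ffff:9:211:22ff:fe33:4455/64", # other network, same identifier
    "fe80::211:22ff:fe33:4455%eth0",         # link-local, EUI-64
    "2001:db8:1:2:5c3a:91d0:7e44:1b2f/64",   # randomized identifier
]

if __name__ == "__main__":
    for address, mac in audit(SAMPLE_ADDRESSES).items():
        print(f"{address} exposes MAC {mac}")
```

Hosts that show up in the findings are still using hardware-derived identifiers; the randomized address in the sample is what the "modern implementations" the post refers to produce.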
>>
>>100074513
DNS with IPv6 autoconfig is still broken. No one came to an agreement in any of the working groups about how it should work. There were issues with it bootstrapping with only the RA messages and there were a lot more issues with implementing some sort of other protocol within IPv6.

The real answer is that you use a DNS client and controller that handles it all for you automatically since all web providers already do this for everything else anyways. As a small enterprise or home setup the solution is manual configuration. This defeats the point of IPv6 taking all the literal retard tier work out of setting up a network for you but the spec is intrinsically broken in this regard and manual configuration in small environments takes a day and that is the best it will get.
>>
>>100072430
You put the tunnel on your router, your home network now has ipv4 and ipv6 addresses (via SLAAC, route delegation, or dhcp6 if you only have a /64), all local traffic is now switched at L2, if someone tries to access your pc the router's firewall blocks it, each of your docker containers has its own ipv6 address, you can allow inbound connections to that address/port and make it static.

You can also leave DNS out on the router which makes sending all internet traffic via the tunnel optional, only if you add a name server to the client will it use ipv6 servers if they exist.
>>
>>100074664
>you also don't need NAT for ipv4.
Right now, every consoomer is behind some sort of NAT either provided by their WiFi Router(or AP if I actually want to be correct) or their carrier added a CGNAT because they ran out of IPv4 addresses to give to users. While theoretically not needed, it actually became a necessity as more users flooded the web(IoT and smartphones only made this shit worse too)
>NAT64 is how a lot of internet content is served in IPv6
Because ISPs are too retarded. At least mine does prefix delegation so I am free to assign publicly routable IPs as I wish, no NAT required. And NAT is not a firewall, and sysadmins doing this deserve the rope
>>
File: 1713464068214.jpg (22 KB, 727x160)
>>
>>100065212
It's simply overengineered garbage. It's tedious to work with, not hard.
>>
>>100077165
>NAT is not a firewall
correct PAT is.

>ipv4 technically doesn't need NAT
that's my entire point. IPv4 and IPv6 do not need NAT but they work perfectly fine with NAT. IPv6 has 6 to 6 NAT, everyone who complains about no NAT or every device being accessible from the internet in IPv6 is a moron. I know extensively well that NAT for IPv4 is required.

NAT64 NAT46 and 464XLAT are broken pieces of shit on the internet and it has nothing to do with ISPs beyond ISPs or webhosts not natively supporting IPv6 (a combo of one or the other). Web hosts and DNS providers are just braindead. Webshitters and devs cannot into networking beyond primitive IP shit (same as sysadmins but to be fair their job is inane jeetscript and babby sql). Even when there is full connectivity and HTTP is returning good responses to requests the websites will still just break for no reason and it is seemingly random as to why. Both webshitters and actual Network architects can't figure it out. There is something fundamentally wrong with IPv6 content delivery and no one has unbroken it yet.

>>100077244
IPv4 was overengineered garbage with literal bloat in the header.
>>
>>100065212
>RFC1488
kek
>>
>>100072568
Since there are so many addresses, ISPs assign a static subnet in IPv6 to their users ranging from a /48 to a /64, NAT is not required.
I have a /56 subnet and it works flawlessly.

>>100077239
You just proved that OP is right.
>>
File: hitler_laugh.gif (995 KB, 500x400)
>>100077464
>>
>>100077475
>NAT isn't required
I didn't say IPv6 needs NAT. I said it works just fine with NAT, you can use private and public addresses the exact same way you do in IPv4. Also like IPv4 (in theory as anons have already pointed out and as literally everyone knows in practice we need NAT) you do not need NAT for operation.
>>
>>100077458
What's wrong with 464XLAT? It works on my machine.
>>
>>100065205
Please tell me more random facts about how shit Australian ISPs and network infrastructure is
>>
>>100077522
It's more the 64 part of 464 that is broken than 464 itself. I am surprised you are running 464 on your home PC.
I cannot find the presentation, I just remembered NANOG 69 had a very good presentation about testing DNS64 and it is still very relevant.
Here are the slides
https://archive.nanog.org/sites/default/files/3_Steffann_Nat64_Dns64_Experiments.pdf

If you find the video please post it, I don't think it was uploaded to a nanog repo.
>>
>>100077516
Why even mention NAT for IPv6? No one uses it on the native IPv6 network.
NAT was born in IPv4 because available addresses were running out very quickly, carrying over this protocol to IPv6 is simply retarded.
>>
> IPV6 support?
> No. See video for explanation.
https://dmca.fileditch.com/ipv6.mp4
>>
>>100074580
I use outbound NAT for my IPv6 ULAs and it works great, get fucked.
> You don't need NAT for ipv6
You don't *need* NAT for IPv4 either, fuckass.
Do you actually know anything about IPv6?
iT dOeSn'T hAvE nAt! YoU cAn'T nAt IpV6! gLoBaLlY rOuTaBlE! hUrR dUrR!

All that shit is just people spouting out what they heard from some other idiot when they don't actually know a damn thing.

T. Straight White American Male
>>
>>100077575
I get that it's Euro retard hours but why does every reply insist I am married to the idea of IPv6 NAT.
It is a common complaint from IPv4lets that IPv6 does not do NAT and thus every IPv6 device is internet facing and this is simply untrue.
>No need
NAT is in fact the easiest way to ensure reachability to the internet but not reachability from the internet. The notion that device level security should handle incoming requests is a very bad one because devs are retarded and skids are very malicious.
>>
>>100077575
I bet you a fucking house that you've never worked IT in an enterprise network environment that properly uses IPv6.
>>
>>100077575
P.S. NAT isn't a protocol you braindead idiot.
>>
>>100074650
It's quite telling how the ipv6 fomoniggers project hexadecimals to be some crazy scheme (ipv4 works better with hexes btw: 192.168.0.1 becomes c0a8:1) in how it implicitly confirms that all the midwit overengineering of ipv6 is just a ploy to make them feel smart and important, but just annoys anyone who's now forced to look under the hood just to make sure their mom isn't getting botnetted via some dodgy iot device (can't even blame the devices for it, ipv6 is hell to get right and it's a numbers game before one gets it wrong), just to be dragged into a rabbit hole of protocols, tied to essential but trash protocols, followed up by protocols meant to fix those glaring mistakes, on top of protocols that merely exist because some manufacturer was getting pissy at implementing some other protocol.
All that for baseline security. Or I'd just turn ipv6 off and get the same results.
>>100077458
I'm not getting paid to sysadmin my own fucking home. The point of wanting 6to6 is ootb secure configs, which are essential for home usage, if not for the above, then at least for the sake of other techlets, whose compromised systems only come back to bite you in the ass in the form of ddos that pushes you to cancer like cloudflare.
Hope quic succeeds btw. Network engineers (really just cisco) have proven their inability to maintain a simple already-functioning system without trying to poz it up at every turn. More of the stack should be brought up to layer 7 where saner (relative) individuals reside.
>>
File: sickjoke_notlaughing.png (448 KB, 344x1067)
>>100074664
>>100077592
>using nat on IPv6
Jesus fucking christ.
>>
>>100077902
So then use 6to6, like I said no issues. The issues start with 64.
>security should be brought to the application level
kek, because that has worked every time anyone tried? Devs are retarded and cannot into security this is as true in nature as the sun will rise tomorrow. There's a reason engineers at every step bake in security to their product (hardware, kernel, protocol design, cryptography itself etc etc) because 99% of devs are braindead monkeys and still fuck it up anyways.
>>
>>100077599
>thus every IPv6 device is internet facing and this is simply untrue.
I know that, that is why there are address spaces reserved for local networks.

>NAT is in fact the easiest way to ensure reachability to the internet but not reachability from the internet.
Lol, the easiest way is using a firewall, which is on by default on routers and devices. If you go and disable the firewall you are actually retarded.

>>100077604
>Noooo, you see, NAT, CGNAT and dynamic IPs are actually great and you should use them in IPv6 too, trust me I work in IT.
You are victim of a braindead ISP who forces NAT on the IPv6 network for all its customers. You are so used to that that you developed Stockholm syndrome.

>>100077612
>Ackchyually
You know exactly what I meant, faggot.
>>
>>100077570
>DNS64
This was always a terrible idea.
>>
>>100077965
the thing is, there isn't even security at the network level. the entire idea of quic is to bake cryptography into the IP level, without the need for another stupid handshake after the tcp handshake. granted, the crypto architecture chosen is preposterous (the whole ass internet under the authority of a couple (((chosen))) cert corpos, and cloudflare getting its own root cert for the explicit intent to mitm) but that's the fault of a pozzed ietf that can't do anything useful without google's permission.

By the way, privacy addresses miss the point completely. practical NAT isn't giving you privacy, it's giving you anonymity and security. Security by depth in that expecting garbage locked down consumer products to have any level of acceptable security is hubris. Anonymity in that you blend in with everyone else on your local network, or at the very least between the multiple devices you own.
VPNs and overlay networks like tor are not tenable to every case, eg. this website. If you've done everything else correctly (right browser configs, proper opsec), the bottleneck left is your IP. The main advertising point of ipv6 is direct addressing, which stands in direct contrast to the whole idea of anonymity. I'll let you know who I am when I want to, thank you.
>>
>>100078247
>authority of a couple (((chosen))) cert corpos
transport encryption does not care about the issuer, or validity for that matter. TLS goes further in validation but that applies to user-facing web traffic. You're mixing completely different kinds of crypto.

>NAT and anonymity
only at host level at best, which IPv6 addresses through privacy extensions, changing host address or using multiple of them

>NAT and security
is a meme

NAT stands in the direct contrast of IP networking and end-to-end reachability. Implementing security by breaking basic reachability is moronic. Use a firewall instead of your security by obscurity.
>>
>>100078540
addresses but does not fix. privacy extensions provides no anonymity as you could track a single device across multiple connections, just not across multiple days. NAT is fully anonymous even if only in this regard.
not addressing the rest. it is painfully clear you never even tried to understand my points on those.
>>
>>100078725
nothing prevents you from using a different address for each connection.

It was hard to understand that pile of your nonsense. You are defending garbage technology in applications it was never intended for and where it delivers by pure coincidence and obscurity
>>
>>100078845
>different address for each connection
that's not how it is out of the box, is it? why don't I just use a nat on ipv6, seems much more simple than fucking with the network interface on every device. better yet why don't I just stick with ipv4?
I recognize that I'm trying to make arguments that aren't simple to understand zingers and gotchas, because reality itself is never that simple. the practical implications of a worldwide ubiquitous protocol that brings humans into the mix can only be expected to have complex emergent properties that all need to be taken into account when modelling them, especially with the goal of replacing one wholesale.
>>
>>100078937
So you're bashing a protocol for defaults set by OS vendors that don't suit your preference. Makes sense.

NAT was created to work around IPv4 address scarcity and delay their depletion. Any other effects are tangential and better achieved by applying solutions that actually intend to implement them and do it well. It makes no sense to implement NAT for IPv6. If you want security and host anonymity use a firewall, faggot.

>why don't I just stick with ipv4
because we're out and you can't get new allocations
>>
>>100078993
>defaults set by OS vendors
>defaults
anon.. how would you design an os with a network that randomizes IPs for every *simultaneous* connection? each tcp session and udp pseudo-session needs its own IP address btw. existing interface logic is all open source for linux. chop-chop
>Any other effects are tangential
and happened to be beneficial in a world where security is now paramount, ossifying into an essential security feature over time. this isn't the old days of prankster win32 email viruses; getting pwned through mindfuck insane exploit chains is a matter of getting eternal botnet bandwidth leech poz or ransomwared.
>we're out and you can't get new allocations
that's a good thing. it keeps us on NAT and me anonymized even on networks I don't control, in cases where I can't use a website through an exit node, like right now.
>>
I wouldn't. Most consumers don't need to make requests that identify them anyway over anonymous connections, and those who care about this stuff use a firewall with port randomization.

NAT is not a security feature. Now I am aware it is viewed as one by people who don't understand how it works, but that does not make it one.

>we're unable to bring new publicly reachable resources online and
>that's a good thing
sorry I didn't know your ID was 10T, my bad
>>
>>100064819
>net.ipv6.conf.all.disable_ipv6 = true
100% of indians get filtered by this.
>>
>>100079495

This

vm.swappiness=0
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
net.ipv6.conf.lo.disable_ipv6=1
kernel.dmesg_restrict = 0
>>
>>100079443
>seethes so hard he omits quoting >>100079125 and pulls a reddit joke
I knew you were reddit with the spacing but I responded anyways. my loss I guess.
actually no, I keep ipv6 off and it just works.
>port randomization
lmao.
>>100079495
https://stats.labs.apnic.net/ipv6/
reminds me of the volte screeching on xda.
>>
I think IPv6 is a passing fad given most of the uptake is by mobile devices since the cellular companies control the network and must have IPv6 due to the massive user-bases.

I am personally holding out for IPv128 as IPv4 should suffice for another 200 years or so.
>>
>>100080010
But the internet of things, where every 'jeet and lightbulb gets its own external IP, how else would glowies hack you?!
>>
>>100079880
>reddit
meds, schizo
>port randomization
>lmao.
that's literally all that NAT does in terms of protecting your anonymity
>>
>>100080040
>that's literally all that NAT does in terms of protecting your anonymity
stop, I already knew you were retarded
>>
>>100080024
That's all good. It's a solved problem. Light bulbs, toasters, buttplugs can NAT. I could easily put 2 million devices behind a single IPv4 NAT / DNAT / SNAT Triple NAT or Octo-NAT.
>>
File: 1705234107707393.jpg (16 KB, 441x411)
>>100064819
"Hey bro you got a server running for the gayman sesh?"
"Yea sure bro, just connect to 91b4:3407:07da:1567:2901:c019:cbb7:1bfd"
>>
>>100080181
>copy paste is too hard
>i just manually retype everything
If this sort of person was permanently filtered from connecting to my service, I see IPv6 as the perfect firewall for retardation of the 1st degree.
>>
>>100064819
big number = big brain
nuf said
>>
>>100080060
>thinks NAT is a security feature
>calls others retarded
now I have seen everything
>>
>>100080181
>games that let you host your own server
It's not 1999 anymore, gramps.
>>
>>100080212
>thinks NAT is a security feature
am I supposed to just believe that it's not? maybe there's some highly upvoted article on reddit that's required reading in your mind?
I made my points. you seethe in futile rage
>>
>>100080234
>why yes, I do enjoy owning nothing and being happy. owning things is obsolete
I can still play Halo, zoomer. can you go back and play patch 1 of Fortnite?
>>
>>100080255
you're supposed to know better instead of falling for the meme of security through NAT. Your points are retarded and you'd probably be happier among your peers at the site you like to refer to so often.
>>
>>100080234
those 1999 games like Minecraft, Palworld or Counter Strike 2
>>
>>100077525
i pay 140 aud a month for a static ip and 1000down/50up, i also pay another 30 a month for a 4g failover because im a selfhosting faggot and thats how shit our internet really is.
>>
>>100080300
reddit is full of poojeets like you and boomer retards who simp for ipv6. any cursory search for ipv6 knowledge on search engines could've told you that. but you barely know anything of ipv6 aside from the same few buzzwords which are probably all you remembered from those reddit articles you read (your only reading on the subject) so you've probably not done even that.
>>
>>100080359
I implemented IPv6 in networks long before you knew how to spell IPv6. The reason why I laugh at your "NAT as a security feature" is that I understand NAT and IPv6 while you don't, as has been demonstrated ITT.
>>
>>100080351
>140 aud a month
Does it come with a hooker or something lol?
>>
>>100080481
dumb boomer then. explains the cancerous writing style at least. everyone with an ounce of soul and the intelligence to sustain it knows by instinct how much of a disaster ipv6 as it stands is. your midwit ass is best served on reddit
>>
>>100080509
IPv6 is just an IP, but simpler than IPv4. It's the "NAT is for security" idiots like you who cause the perceived disaster to themselves. For the rest of us it just works.
>>
>>100080505
no but it comes with a fucking coax to Ethernet media converter box thats probably a listening device.
>>
>>100065212
you know you're not supposed to memorize IP addresses, right?
>>
>>100074572
My wife Evil is cute!
>>
>>100080543
ipv6 is not simpler than ipv4 when you take all the rfcs into account.
how long have you been white knighting for ipv6 on /g/? you make all the same arguments that this one retard has been making for years across dozens of threads.
you're like the pixdaiz of ipv6. get a trip
>>
>>100080629
do you take all IPv4 related RFCs into account? I thought so.
I started today as I was amused by the level of retardation by IPv6 haters in this thread. Bitch it's just an IP, nothing more, and it's worked for decades now. I had native dual stack almost 20 years ago and it has not stopped working since. It's just a fucking IP.
>>
>>100080730
>do you take all IPv4 related RFCs into account?
yeah? at least the ones that have a direct effect on my usage of it on a home network (openwrt) for both protocols. I've only skimmed them, but I honestly doubt you've done even that, let alone stew on them to actually understand the implications of them and how they'd play out against each other and in the real world.
>it's worked for decades now.
and the prevalence of insanely huge botnets has risen too. every website is now behind cloudflare for a reason.
>>
>>100064819
I don't like it because the likes of google and amazon somehow use it to immediately pinpoint my location with disturbing accuracy. When I use IP4, it takes them a few days to get a rough location.
>>
>>100080773
it was obvious that you are home network brainlet who has no grasp of the implications and problems caused by NAT in a large network, let alone when two or more such networks need to integrate and talk to each other
>muh botnets
>cloudflare
now you're just desperately throwing random and unrelated words hoping something sticks. Expand on the material and one day I'll see you on a Netflix special.
>>
>>100080887
you are paid to deal with a network in a corporate setting, not me. so deal with it. don't offload all the complexity to a dumbfuck retarded scheme that compromises billions of devices worldwide.
>random and unrelated words
you know it's not, stop acting coy. the one shared vector in the exploit chain of iot is probably the end to end addressability of devices, next to the routers themselves being fucked.
>>
>>100080954
I do deal with it, but it's just solving self-inflicted problems that are a result of abusing old technology in a stubborn effort to avoid learning something new (not that IPv6 is new). The sooner we stop making the problems worse the better. IPv6 does not compromise anything. It's just another Internet Protocol.
Just put your devices behind a firewall and stop relying on NAT for security that it does not deliver.
>>
Rate-limiting is trivial in IPv4 and very difficult in IPv6. To solve it you still have to be very restrictive about IPs you give to people which kind of defeats the purpose of IPv6 to begin with. Also IPv6 adoption begets IPv4 adoption since it will make the remaining addresses cheaper. There’s no killer-app on IPv6. The closest one is the telecoms like it cause it’s cheaper
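On the rate-limiting point in the post above: a per-address counter stops working on IPv6 because a single client can use a different address from its prefix for every connection, so a common service-side approach is to count per prefix instead. The sketch below is an added example, not code from the thread; the /64 bucket size, the names and the constructed sample traffic are assumptions.

```python
import ipaddress
from collections import defaultdict, deque

# Assumption: one subscriber or LAN per /64. The thread mentions ISPs handing
# out anything from a /48 to a /64, so some networks need a shorter prefix here.
V6_BUCKET_PREFIX = 64


def bucket_key(addr: str) -> str:
    """Map a client address to the key its requests are counted under."""
    ip = ipaddress.ip_address(addr)
    # IPv4-mapped IPv6 (::ffff:a.b.c.d) is the same client as the plain IPv4 address.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip.version == 4:
        return str(ip)
    # A host can choose any of 2**64 interface identifiers inside its /64,
    # so the whole prefix is counted as one client.
    return str(ipaddress.ip_network(f"{str(ip)}/{V6_BUCKET_PREFIX}", strict=False))


def per_address_key(addr: str) -> str:
    """IPv4-style keying, kept only to show how it fails for IPv6."""
    return str(ipaddress.ip_address(addr))


class PrefixRateLimiter:
    """Sliding window: at most `limit` requests per `window` seconds per key."""

    def __init__(self, limit: int, window: float, key=bucket_key):
        self.limit = limit
        self.window = window
        self.key = key
        self._hits = defaultdict(deque)  # key -> timestamps of accepted requests

    def allow(self, addr: str, now: float) -> bool:
        hits = self._hits[self.key(addr)]
        while hits and now - hits[0] >= self.window:
            hits.popleft()               # drop timestamps that left the window
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def count_allowed(limiter: PrefixRateLimiter, requests) -> int:
    """Replay (timestamp, address) pairs and count how many are accepted."""
    return sum(1 for now, addr in requests if limiter.allow(addr, now))


# Constructed sample traffic (documentation prefix 2001:db8::/32): one client
# using a fresh address from the same /64 for each of 20 requests, one per second.
ROTATING_CLIENT = [(float(t), f"2001:db8:aa:1::{t + 1:x}") for t in range(20)]

if __name__ == "__main__":
    naive = PrefixRateLimiter(5, 60, key=per_address_key)
    by_prefix = PrefixRateLimiter(5, 60)
    print("per-address limiter accepted:", count_allowed(naive, ROTATING_CLIENT))
    print("per-/64 limiter accepted:   ", count_allowed(by_prefix, ROTATING_CLIENT))
```

The trade-off is that every host behind the same /64 shares one budget, much as every host behind one IPv4 NAT address does.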
>>
>>100077959
Yeah, who wouldn't want their domain controllers, databases, and certificate authorities to be routed globally for no reason at all?
Fucking retard.
>>
>>100078993
>NAT was created to work around IPv4 address scarcity and delay their depletion.
NAT was invented three different times by three different people for three different reasons. The reason that saw commercial success was security, not address scarcity. And this shouldn't surprise you -- no business is going to go out and purchase a device for the sole purpose of preserving the limited IPv4 address space. No, they bought routers because of the security they offered, and the fact that it preserved addresses was just an extra bonus.
>>
>>100082770
wrong on all counts. Holy shit this board is full of retards. Routers for security, lmao you're a clown. Go back to your openwrt and stop commenting on things you have absolutely no clue about.
>>
>>100082825
>wrong on all counts.
Look up the history of it. It's perfectly documented. NAT as a tool for preserving address space never got even the slightest bit of traction even among academics. Instead it was Cisco that popularized NAT and sold shittons of hardware as a means to secure networks and make network management easier. The fact that Cisco's implementation of NAT happened to also implement one of many ideas that were being bandied about to solve the IPv4 address space was a complete coincidence.

This is all extremely well documented history.
>>
>>100083210
nah, this is all utter nonsense. The first and single most important reason why NAT is used these days is IP space conservation because nobody gets an allocation of public IPs for all their devices. NAT is the only way to connect more than one device at once in today's state of things. Any perceived security benefits are just a misunderstanding on the part of those who don't understand how NAT works and that it is not a security technique.
>>
>>100083261
You can go do your research if you don't believe me. At the time when NAT was invented -- the early 90s -- nobody outside of the academic circle cared at all about the number of free addresses out there. People expected it would last to 2100.

We know now that NAT isn't necessary for security but at the time it was revolutionary state of the art technology that eclipsed everything else in the arena, and that's why routers sold like hotcakes to every business in the world and Cisco made bank off it.

You're literally arguing with history and trying to say history is wrong. It doesn't work that way.
>>
>>100083324
ok done, back from my research. Let's review RFC 1631 "The IP Network Address Translator (NAT)" from 1994, shall we? https://www.rfc-editor.org/rfc/rfc1631

Just read the abstract. It's all about "IP address depletion", "This memo proposes another short-term solution, address reuse", "solving the address depletion problem". It does not address security at all.

Literally everything you wrote is wrong. The problem of scaling and depleting IPv4 space was recognized pretty early on. That's why CIDR was introduced instead of classful routing, followed by NAT and RFC 1918 private IP space designation, ultimately resulting in IPv6 that was first standardized as early as 1995.

NAT was never introduced for any security benefits. Its whole purpose was IP space reuse and conservation. You are inventing some parallel history that never happened on this planet.
>>
>>100064819
i have it disabled because nothing uses ipv6 anyway, what's even its point if ipv4?
>>
>>100083484
The man who wrote that abstract was not involved in the deployment or production of routers. He did not work for Cisco, he did not invent a single product, he did not sell a single unit, and he never earned any money off it. In academic circles his idea was rejected, as it was a half measure that did not solve the actual problem -- and the other academicians were right, it didn't solve the problem, and that's why they went on to invent IPv6.

Cisco invented the router as we currently know it and spread NAT across the world. Not this paper, not this man. Please, do your research. This is embarrassing.
>>
>>100080205
switching to ipv4 is just adding an exception for retards in firewall
>>100080267
>i enjoy unupdated stagnation
i accept your forfeit
>>
>>100083512
and Cisco did that to help delay IP address depletion. You are talking absolute gobshite.
>>
File: 1387945920593.png (86 KB, 500x500)
>>100082328
Use a firewall dumbass.
>>
>>100083612
>and Cisco did that to help delay IP address depletion.
The man who invented the router has gone on public record that he had no idea of the IP address issue and was completely unaware of the entire discussion. The router was invented to solve actual business needs business had at that time -- and that's why it sold like hotcakes. Do you actually, honestly think people went out and bought specialized hardware and redid the layouts of their networks out of the goodness of their hearts? No, they did it because it solved a business need they had. In the early internet there was no concept of private or public networks -- everything connected to the internet directly. By separating intranet from internet it became infinitely easier to manage and secure the devices in your domain.

The man who invented the router had no idea about the IPv4 address space crunch. He invented the router to meet business needs he identified in the business community. The fact that it alleviated the IPv4 address shortage was a complete and utter coincidence.
>>
>>100083668
I am not talking about what a router is for. For the whole time I've been discussing the origin and purpose of NAT. Which is IP space conservation and reuse, not security. NAT does not separate intranet from Internet, you are mistaken on the most simple concepts related to this debate and you are the least qualified to give any lectures here.
>>
>>100083842
>For the whole time I've been discussing the origin and purpose of NAT.
You've been talking about one of three times that NAT was independently invented. And in that instance, the invention went nowhere, had no support, and was rejected by the community it was made for, and it sat unused in a closet for years as a result.

The second (NTI) and third (Cisco, which later bought NTI) times NAT was invented were for business needs, and it was those business needs that spread NAT across the world. Not the address crisis. The address crisis didn't even begin to manifest in public spaces for another decade.

I don't understand how stupid you have to be to think that this is why people went out and bought routers, to stave off a problem that was not happening (yet) and wouldn't happen for some time. At the time there was no cost to having every device in your office with their own public IP address -- there were IP addresses to spare. People didn't buy these things because they reduced the number of public IP addresses they had, people bought them because it made networks much much easier to manage.
>>
>>100083921
Other anon here, so if we imagine a scenario where the world has finally completed the switch to IPv6 and IPv4 simply does not exist anymore, are there contexts in which it makes sense to keep NAT around or is it something we should (aim to) get rid of entirely?
>>
>>100084726
The biggest scenario where NAT still makes sense in a pure IPv6 world is with multiple WANs -- which is actually a very common setup in the business world. Without NAT, if you have multiple WANs each device can only send data out via the WAN that gives the device its address lease, and if that WAN goes down or is overloaded to migrate to the other WAN means getting a new address lease from it. With NAT, though, the device has no idea about how many WANs there are or which WAN is carrying their data -- the router makes that decision entirely on its own on a per-connection basis.

I don't see NAT fully going away even if we move to a full IPv6 world, if only because of multi-WAN. But, that's much more of a business style need than a home user need, for home routers I don't see any real reason for NAT to be implemented under IPv6. The other advantages that NAT brought are better implemented through other means and so it's better to get those benefits elsewhere.
>>
>>100083643
>firewalls are totally infallible
lmao
>>
>>100084847
jesus fucking christ you are retarded beyond belief. Your scenario calls for PI space, not NAT for fucks sake. You are completely illiterate in networking.

>>100083921
people got routers to do, you know, routing, idiot. Of course those with large IP allocations were not pressed to do anything about conserving IP space. The rest caught up with the problem pretty early on. That's where NAT as a software feature in routers they already had became popular.
>>
>>100084957
>That's where NAT as a software feature in routers they already had became popular.
More historical revisionism. NAT was already implemented in those routers. You really have no idea what the fuck you're talking about.
>>
>>100084988
in what world does "become popular" mean the same as "was first implemented"? You are clutching at straws.
>>
>>100085023
You're the one claiming NAT was invented for the address space issue. The historical fact is that it wasn't. NAT was created as part of early end routers to define intranet vs. internet, and was implemented because of the security implications that had. Nobody who worked on these devices or bought them cared about the address space issue until years later -- people bought them for network security and network management purposes.
>>
>>100085050
that's because it was. Your intranet story is nonsense and your understanding of NAT is abysmal, as you've clearly demonstrated.
>>
>>100084957
>PI space
care to explain further?
>>
>>100085120
Right, everybody who worked on that project and who bought the product it produced back then is wrong and you're right. I see now. They were divinely motivated by the hand of God to implement this solution without realizing it or intending to.
>>
>>100085167
PI = provider independent. It's a chunk of IP space (in IPv6 that'd be something like a /32) that is assigned to your organization by a LIR and is not carved out of your provider's IP space. You then go ahead and advertise it over as many providers as you like and control your redundancy and load sharing using those advertisements. This is how Internet is supposed to work, not using NAT everywhere like a massive faggot who does not know their shit.

>>100085228
no, it's just you who's retarded
>>
>>100085344
this PI business doesn't sound particularly feasible for smaller enterprises
>>
>>100084957
Listen you faggot, in a multi-WAN setup or stretched layer 2 datacenter scenario, using IPv6 GUAs is not even close to ideal (DNS, DHCP, routing, gateways, etcetera all have to be carefully implemented and monitored). Outbound NAT of ULAs or something similar is the best option, and has less maintenance overhead and less moving parts to break. Just because you're stuck on the meme of "no NAT with IPv6" doesn't mean it's the correct answer.
Are you trying to solve problems or create them?
>>
>>100064819
Only shit tier residential ISPs get ipv6. You must be living in an area that was a late bloomer for internet.

Datacenters and companies love ipv4, it’s so much easier and in the end accessible by everyone on the internet. Companies will never not have an ipv4 public address. Basically hosting anything in ipv6 only is retarded.


So there you go. The reality is datacenter will pay $1/month to get those static ipv4 addresses. Ipv6 is solely for shittier residential.
>>
>>100085412
it's totally feasible as long as you don't ride consumer-grade home Internet lines.

>>100085438
you're talking absolute garbage. I hope you don't get to fuck up anyone's network with this wisdom of yours. IPv6 NAT instead of transparent routing of PI space, fuck me sideways you are mental.
>>
>>100064819
It's only useful for ISPs.
>>
>>100083643
> bro just create and manage firewall rules for a shitload of servers in different subnets per individual system.
You still use a firewall with outbound NAT you fucking idiot.
>>
>>100085504
>all these different servers and routers
Solved issue. Learn to use cidr notation.
Each server now has a unique ip and you don't have to deal with forwarding or redirection.
You don't use NAT at all with ipv6 because there's no translation, just routing.
I really can't believe you faggots are all for having a single WAN ipv4 address and routing everything through it rather than do ipv6 addresses because hex is too hard and you don't know how to subnet and apply firewall rules across a network.
>>
>>100084923
>drop packet from outside if these conditions are met
Seems pretty infallible to me anon.
Also you don't have every fucking IoT device on your network attempting to UPnP a port open
>>
>>100064819
bru the entire career market has been specializing as time passes by
therefore the same can be said for almost every technology in existence
>Pure JavaScript (to program in the web)
>CSS (to design and stylize the web)
>C++, Rust (to create browsers)
>Linux (to serve the web)
need more examples?
>>
Again data center won’t adopt ipv6. It costs $1/month/per static ipv4 address. That’s a drop in the bucket.
>>
>>100085721
network bros, we’re so barack because sysadmins can’t into hex
>>
File: winbox64_8f0Gb8Q6K7.png (12 KB, 817x487)
This triggers NAT fags.
>>
>>100085818
Mikrotik does have first class support for ipv6. On a side note, this is because mikrotik is popular with third world ISPs that only have ipv6 address range.
>>
>>100085758
data centers and cloud providers have been offering native IPv6 since forever. Show me one established cloud provider that does not have IPv6 available for customers.
>>
>>100085883
Ipv6 is given away free like candy (just cause everyone and their mom has a large range of ip to give out).

That doesn’t mean servers don’t use ipv4. If you get a vps usually you get one ipv4 and included a free ipv6 range. You’ll see that some providers will have ipv6 only vps and they are all heavily discounted because no one wants them. As I previously said, if you get a vps with ipv4 it usually costs $1/month to get an extra ipv4 address. With servers in data center the NAT issue never existed because we want all our boxes to have a public ip.
>>
If you were setting up a separate intranet from your actual internet facing network, like separate interfaces and switches or wireguard, would you make it ipv4 or ipv6?
>>
File: dos.jpg (101 KB, 500x297)
>>100086349
Why either or? Most systems have the IPv6 stack enabled by default, so you'd have to explicitly disable one or the other.
>>
>>100085946
This is a retarded take
IPv6 is super cheap because there’s a shitload more of them.
The reason IPv4 is still around is because enough of the big corporations using tons of IPs have largely moved to IPv6. There’s no reason for everyone to switch to IPv6. Only enough to prevent IPv4 from restricting the total supply of IPs.
>>
>>100086349
IPv4
If it’s not going to be on the Internet, there’s very little reason to use 4. Unless you’re a large company who might be buying out other large companies and merging large networks.
>>100087786
Fuck that. I’m not doing twice the work for marginal benefit.
>>
>>100089017
>The reason IPv4 is still around is because enough of the big corporations using tons of IPs have largely moved to IPv6.
Are you saying these corporations are using fewer IPv4 addresses because they can supplement what they need by v6? Or that they have moved to v6 entirely?
>>
How to fix IPv4

>normal IPv4
255.255.255.255 = 4,228,250,625 possible combinations
>fixed ipv4
255.255.255.255.255 = 1,078,203,909,375 possible combinations
>alternatively, even larger
255.255.255.255.255.255 = 274,941,996,890,625

See? I fixed it without having to resort to the retarded shit that is IPv6. Why the fuck didnt they just do this?
>>
>>100089168
>add more digits
>runs into the same issue
>remove all compatibility
>cause breakage and overflow because there's an extra octet
How are you going to make the extra octet backwards compatible when devices can't tell the difference?
They did do this but with Hex. But we have 340 undecillion addresses.
>>
>>100089168
You're braindead. This is literally all they did but instead used hex instead of numbers.
255.255 is the same as FFFF.

>>100078239
I agree but without DNS64 DNS46 464XLAT etc you end up assuming everyone is fine running dual stack and they don't. You would create two different internets without translation between namespaces. Encoding IPv4 addresses in IPv6 addresses solves most of the problems but again like I mentioned before near the top of the thread before it became NAT sophism for some reason no one seems to actually care that their quad A DNS records are broken and even when they aren't broken sometimes it just breaks.

ISPs are also at fault since they will deploy 6RD or DS-Lite both of which are the absolute bare minimum to count as "IPv6" capable and call it a day. In reality 6RD is a joke lab tech to play with and DS-Lite while actually functional doesn't actually solve any problems.

>>100078247
What are you talking about? NAT gives you only privacy, it's literally in the name private address space. NAT is the only technology out of the box that lets you do this while giving you a mechanism to still allow access to and from the internet.
>NAT isn't a firewall
this word has lost all meaning I am so tired of this. /g/ doesn't know how NAT or firewalls work. No NAT is not a stateful firewall that does deep packet inspection, correct.
NAT does however provide an incredibly easy surface to prevent devices from accessing the internet by limiting the pool of inside local addresses, and it intrinsically gives you a way to block all incoming requests to your network and specifically forward them to specific devices with a static translation.
This is the next best thing to a higher layer load balancer or stateful firewall (which basically does all the same primitive operations).
>>
>>100078247
>>100089583
>IPv6 is direct addressing this is a privacy/security threat
Ok so use NAT. Your device's MAC is no longer encoded into the address because it has been translated to your gateway's outside global address. Do you know how NAT works?
>VPN
I would really like for people to stop abusing this definition. A VPN isn't a tunnel. It's a private address space that can't talk to anyone else unless through outside means. It's literally in the name. An SSL tunnel VPN needs NAT at the VPN gateway, an MPLS VPN needs NAT at a gateway, a mobile network overlay needs (you guessed it) NAT at the Serving Gateway, Datacenter VXLAN Ethernet VPN (EVPN) needs, well, you guessed it, NAT at the Datacenter gateway to get onto the internet OR the only other way is if the device already has a globally routable address. In this case it doesn't matter since it will fall outside the inside local natpool, unless you really want to translate global addresses for some reason.
>>
>>100089092
Probably either depending on their situation.
I’m drunk and phone posting from an airport bar so excuse the retarded example.

If there’s 80 P4 addresses and 1,200 P6 addresses and demand for 1,000 addresses, if corporations use 1,150 P6 addresses, the remaining 50 addresses can be either P4 or P6 without consequence. This is the situation most people buying VPSs are in.

Basically once the surplus demand is met with P6 everyone else can choose 4 or 6 at their preference. Not everyone HAS to switch to 6.
>>
>>100077592
>You don't *need* NAT for IPv4 either, fuckass.
Anon, you’re making the bait too obvious. Be more patient next time.
>>
>>100089893
point to the rfc that says ipv4 requires nat for forwarding or routing.
>captcha NAND
>>
>>100089583
464XLAT just works. DNS64 breaks everything.
>>
>>100089583
>255.255 is the same as FFFF.
I thought his point was that 128 bit is way too much for IP.
>NAT gives you only privacy
it confers privacy by way of anonymity. the privacy only happens when you blend into other traffic from the local network. in other words, if you're the only user of your network (and more so if it's the only device on it), you have no anonymity. privacy contingent on such a conditional looks a lot more like anonymity than the former to me.
>>100089602
I agree with your VPN spiel in the context of how paid proxy services conflating the terms have made it much harder to look shit up, but no one else calls it any other way. also vpn tunnels are essentially local networks made private and accessible to(from) the internet only via the vpn service, so even for your autism it is technically correct. I'll admit that it was confusing the way I wrote it.
>>
>>100090524
>I thought his point was that 128 bit is way too much for IP.
The address space was made to be nearly inexhaustible so we only have to theoretically do this transition once. Look at how much of a shitshow this one has been. Performance wise there is little if any difference between 128 and say 96 bits but the design differences are huge and it's obvious which one is objectively superior for design goals.

>NAT with privacy
I am now extremely confused as to how within the local area network NAT has anything to do with other devices knowing of each other. If your entire point was that EUI-64 IPv6 addresses within the LAN are a fundamentally bad idea for privacy then I agree but it's almost a nonstarter now and has since been solved in multiple implementations on most major OS's. Obviously IoTslop is still an issue (and always will be).

>The VPN makes private addresses internet accessible
This is entirely the function of NAT. Nothing to do with the tunnel. If you forward ports on your own NAT router it achieves the same thing. If your carrier forwards ports for you if you are stuck behind CGNAT this also achieves the same thing. The tunnel serves to get past your CGNAT cone when your provider won't forward anything for you. Obviously this is common and I'm not trying to be a sophist but the tunnel itself does no functions that people associate with how they use the term "VPN".
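
The MAC-in-address concern raised above, as an added example that is not part of the thread: how a modified EUI-64 interface identifier (RFC 4291) is built from a MAC, and how to audit an address list for hosts still using one. Function names and the sample addresses (documentation ranges) are constructed for this example.

```python
import ipaddress
from collections import defaultdict
from typing import Optional


def mac_to_iid(mac: str) -> bytes:
    """Modified EUI-64: flip the universal/local bit and insert ff:fe in the middle."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC must be 48 bits")
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]


def slaac_eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host forms from an advertised /64 when it uses an EUI-64 IID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("a 64-bit interface identifier needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + mac_to_iid(mac))


def embedded_mac(addr: str) -> Optional[str]:
    """Return the MAC an address appears to embed, or None for an opaque IID.

    Heuristic: a random or privacy IID carries ff:fe in that position with
    probability 2**-16, so treat a hit as a lead, not proof.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


def audit(addresses):
    """Split addresses into MAC-derived ones (grouped by MAC) and opaque ones.

    One MAC seen under several /64s means the same device is recognisable
    on every network it joins, whatever prefix it is given.
    """
    by_mac = defaultdict(set)
    opaque = []
    for text in addresses:
        addr = ipaddress.IPv6Address(text)
        mac = embedded_mac(str(addr))
        if mac is None:
            opaque.append(str(addr))
        else:
            by_mac[mac].add(str(ipaddress.IPv6Network(f"{addr}/64", strict=False)))
    return {mac: sorted(nets) for mac, nets in by_mac.items()}, opaque


# Constructed sample: one device (documentation MAC 00:00:5e:00:53:2a) seen on
# two networks, plus one host with an opaque interface identifier.
SAMPLE_ADDRESSES = [
    "2001:db8:aaaa:1:200:5eff:fe00:532a",
    "2001:db8:bbbb:7:200:5eff:fe00:532a",
    "2001:db8:aaaa:1:d4c1:7a09:33e2:9b10",
]

if __name__ == "__main__":
    print(slaac_eui64_address("2001:db8:aaaa:1::/64", "00:00:5e:00:53:2a"))
    print(audit(SAMPLE_ADDRESSES))
```
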
>>
>>100065205
Every negative statement I have heard from Aussie IT matches my experience working with them. It's like the fuckers think swearing over the phone is a replacement for actual ability.
>>
>>100090648
the issue with ipv6 is because it isn't meant to only address address space exhaustion, the same way the corona aid package was shoehorned with a ton of other shit no one asked for by opportunistic retards and assholes.
>eui64
the argument I was making with the other anon was how privacy addresses aren't enough. your device identity via IP is still persistent over multiple tcp/etc connections on the same network for several days.
>>
>>100090805
>the argument I was making with the other anon was how privacy addresses aren't enough.
Private addresses don't address this "issue(?)" at all, neither do public addresses. I don't get it. This has nothing to do with the addressing scheme or routable vs private addresses. This also likely isn't a real attack surface, devices knowing of each other's MAC IP bindings on a LAN isn't a real issue and in cases where vulnerable or low security devices are on the same ethernet segment as an internet accessible device they should just be put in a different subnet, that's standard issue best practice IPv4 and IPv6.

>devices know of each other's TCP flows
how? TCP/UDP/QUIC, normal IP, etc is explicitly unicast, unless there was a malicious switch mirroring and logging traffic devices on the same subnet can never receive unicast traffic unless the link is a collision segment like a wireless link.

> it isn't meant to only address address space exhaustion
Sure so lets take a look at the headers and differences between 4 and 6, and some of the considerations in the designs.
>>
>>100091446
>same purpose and implementation: self explanatory
version, source, destination, hopcount/ttl

>same purpose different implementation
ipv4: IHL/Total Length VS ipv6: payload length

IPv4 uses two fields to denote the length of its own header to be subtracted from the total length to find the payload length and set delimiters for processing the IP header. This is also used in fragmentation of the IP packet (to come later). IPv6 bins this retarded idea entirely, uses a fixed length header with no fragmentation and encodes the length of the follow on packet after the IPv6 header being processed. This is where IPv6 debloats the IP header.


ipv4: dscp vs ipv6: Traffic class and Flow label

IPv6 and IPv4 encode DS bits largely the same way, IPv6 uses 2 more bits, but the flow label is where IPv6 starts to really shine as entropy does not have to be pulled from upper layer tuples instead processing for the flow can be done right then and there. This is similar to an MPLS entropy/FAT label. Native flow identification in the IP header could be thought of as bloat for a best effort protocol but in reality it greatly simplifies flow processing for load balancing and multi flow QoS. Point 2 to IPV6.
>>
>>100091464
>Different headers
IPv4 has an Explicit Congestion field, along with an ID field (for identifying fragments), fragment related flags, and the fragment offset
This is literally bloat incarnate. IP handling fragmentation is a cope of old internet design and this is no longer useful and hardly used in practice anyways, out of order IPv4 fragments are a disaster for the protocol and cause a lot of hiccups. IPv6 removes this bloat, because it is retarded and was only a cope for lower layer transport protocols at the time being dodgy, and upper layers not entirely handling literally all traffic at the time. (ie some protocols were literally just IP protocols).

IPv6 3-0 IPv4

checksum
IPv4 bloat from lower layers doing poor or no error checking. In all modern networks Ethernet everywhere even at the carrier level and TCP both handle this. Bloat.

IPv6 4-0 IPv4

Next Header vs Protocol (ie UDP or TCP but also IP protocols)
Next Header identification like how Ethernet denotes the next or upper layer to read is objectively superior as it natively allows for tunneling or non implemented protocols if intermediate devices do not support the protocol: ex a device may support IPv6 but not IPv6 tunneling outright or SegmentRoutingv6, that's fine it doesn't have to it can forward based on the IPv6 instructions. In IPv4 it's all or nothing if your device does not support IP in IP or GRE tunneling you don't get the tunnel.

IPv6 5-0 IPv4 for unbloating the IP header.

So we know the header is objectively superior. Even a webshitter can look at it and see that it is greatly simplified by putting pictures of the headers side by side. The issues start coming with the protocols tacked onto IPv6 to make it work in reality and achieve some other goals of the redesign of IP.
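
The header fields compared in the posts above, as an added example that is not part of the thread: a parser for both headers, run over constructed sample packets, that shows the variable IHL / Total Length pair against the fixed 40-byte header, Payload Length and the Next Header chain. Field layouts follow RFC 791 and RFC 8200; function names and sample values are assumptions of this example.

```python
import ipaddress
import struct

# IPv6 extension headers this sketch walks (RFC 8200); any other value ends the chain.
EXT_HEADERS = {0: "hop-by-hop", 43: "routing", 44: "fragment", 60: "destination-options"}


def inet_checksum(data: bytes) -> int:
    """One's-complement 16-bit checksum used for the IPv4 header (RFC 1071)."""
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_ipv4(pkt: bytes) -> dict:
    """Variable-length header: IHL and Total Length must both be validated."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, tos, total_len, ident, frag, ttl, proto, _ = struct.unpack("!BBHHHBBH", pkt[:12])
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes, 20..60
    if ver_ihl >> 4 != 4 or ihl < 20 or not ihl <= total_len <= len(pkt):
        raise ValueError("bad version, IHL or Total Length")
    return {
        "header_len": ihl,
        "payload_len": total_len - ihl,  # has to be derived from two fields
        "dscp": tos >> 2, "ecn": tos & 0x3,
        "id": ident,
        "dont_fragment": bool(frag & 0x4000),
        "more_fragments": bool(frag & 0x2000),
        "frag_offset": (frag & 0x1FFF) * 8,
        "ttl": ttl,
        "protocol": proto,
        "checksum_ok": inet_checksum(pkt[:ihl]) == 0,  # valid header sums to zero
        "src": str(ipaddress.IPv4Address(pkt[12:16])),
        "dst": str(ipaddress.IPv4Address(pkt[16:20])),
    }


def parse_ipv6(pkt: bytes) -> dict:
    """Fixed 40-byte header, no checksum; optional parts hang off Next Header."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    first_word, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", pkt[:8])
    end = 40 + payload_len
    if first_word >> 28 != 6 or end > len(pkt):
        raise ValueError("bad version or Payload Length")
    tclass = (first_word >> 20) & 0xFF
    chain, offset = [], 40
    while next_hdr in EXT_HEADERS:
        if offset + 8 > end:
            raise ValueError("truncated extension header")
        # Fragment header is always 8 bytes; the others give their length in
        # 8-byte units, not counting the first 8 bytes.
        length = 8 if next_hdr == 44 else (pkt[offset + 1] + 1) * 8
        if offset + length > end:
            raise ValueError("extension header overruns payload")
        chain.append(EXT_HEADERS[next_hdr])
        next_hdr = pkt[offset]
        offset += length
    return {
        "header_len": 40,
        "payload_len": payload_len,
        "dscp": tclass >> 2, "ecn": tclass & 0x3,
        "flow_label": first_word & 0xFFFFF,
        "hop_limit": hop_limit,
        "ext_headers": chain,
        "upper_protocol": next_hdr,
        "upper_offset": offset,
        "src": str(ipaddress.IPv6Address(pkt[8:24])),
        "dst": str(ipaddress.IPv6Address(pkt[24:40])),
    }


def build_samples():
    """Constructed packets (documentation addresses), each ending in an 8-byte UDP header."""
    udp = struct.pack("!HHHH", 5353, 53, 8, 0)
    # IPv4 with IHL=6: one option word of four NOPs, DF set, DSCP 46.
    hdr = struct.pack("!BBHHHBBH4s4s4s", 0x46, 46 << 2, 24 + len(udp), 0x1234, 0x4000, 64, 17, 0,
                      ipaddress.IPv4Address("192.0.2.10").packed,
                      ipaddress.IPv4Address("198.51.100.7").packed, b"\x01\x01\x01\x01")
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    # IPv6 with a hop-by-hop header (next=UDP, length 0, one PadN option) before UDP.
    hbh = bytes([17, 0, 1, 4, 0, 0, 0, 0])
    v6 = struct.pack("!IHBB16s16s", (6 << 28) | ((46 << 2) << 20) | 0xBEEF5,
                     len(hbh) + len(udp), 0, 64,
                     ipaddress.IPv6Address("2001:db8::10").packed,
                     ipaddress.IPv6Address("2001:db8:1::7").packed) + hbh + udp
    return hdr + udp, v6


if __name__ == "__main__":
    v4_pkt, v6_pkt = build_samples()
    print(parse_ipv4(v4_pkt))
    print(parse_ipv6(v6_pkt))
```
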
>>
>>100091479
>IPv6 Neighbor Discovery / Neighbor Solicitation Protocol (all of ICMPv6 basically)
This is literally the largest sticking point for every sysadmin retard. The point was for IPv6 networks to "set themselves up" for you. Normally autoconfigs sound like a bad idea but this is literally the most basic bitch monkey work that humans shouldn't ever do or have to do for run of the mill networks. Giving addresses to every device or dealing with DHCP is plebeian work and shouldn't even be paid work, it's a pain in the ass to handle when you have a real network, and for some reason don't have an automation platform, and you want to do something actually complex with the network.

>muh I want my specific servers to have specific addresses
ok then manually config them, no issues, same as IPv4.
>I don't want SLAAC I think EUI-64 is still a security or privacy issue in current year and didn't read the RFC
Then use DHCPv6 it works perfectly fine.

This is a bloated feature but it contends with literal monkey ape work and attempts to and largely does remove it, it's a good feature for the protocol.

>NAT
Read the rest of the thread

This hasn't touched on any of the real use cases of IPv6 in mobile networks since Mobile IPv4 was a disaster, service chaining in mobile networks, or datacenters both for service chaining and tunneling as well as outright address exhaustion of private IPv4 addresses.

Literally the only real issues with IPv6 start with interop between IPv4 and IPv6.
>>
>>100091446
>devices knowing of each other's MAC IP bindings on a LAN isn't a real issue
yes, that's the anonymity issue. the security issue involves end to end addressability.
>>devices know of each other's TCP flows
that's not what I said. are you being dense on purpose? perhaps you just don't have a good grasp on the concepts of privacy let alone anonymity.
>headers and differences between 4 and 6
>the three subsequent walls of text
why are you so fixated on this? I'm talking about the whole process of implementing and using ipv6, not the packet. and more than the scant few protocols you listed that are probably the only net positive ones of the bunch to make your argument look good. the x-0 scorekeeping writing style is giving me deja vu too. are you the other ipv6 simp with the midwit IQ? cause I already decided not to reply to that bad faith nigger; I was under the impression that I was talking to a different anon.
don't bother replying + who even asked if so
>>
>>100065212
truest post on /g/
>>
>>100092332
>yes that's the anonymity issue
So then there's no addressing protocol that has ever been used or ever will be used that will content with your purported non-issue.

>>devices know of each other's TCP flows
>that's not what I said.
"your device identity via IP is still persistent over multiple tcp/etc connections on the same network for several days."

There's literally no case or mechanism where this matters. An endpoint knows of your (public but not private) address who cares that's the entire point. There is no mechanism for devices on the same LAN to know about your traffic this is well established. There's no point in caring about endpoints knowing about your IP address when you access the internet since there is no possible way to know what is behind a NAT cone ie if you are one user or multiple and this once again has nothing to do with IPv4 or IPv6, it's not intrinsic to either, neither is having a NAT cone vs a publicly routable internet address. You do not have a solid understanding of security in computer networks.

>I'm talking about the whole process of implementing and using ipv6
I literally just exhaustively covered this and went over all the mechanisms of IPv6 and their mechanisms in implementation. It's inane to mention using IPv6 since the scope is literally the entire internet although I mentioned some where, for example, IPv4 does not work well and was the motivator to a newer protocol.

>you cherry picked to make your argument look good
I extensively covered the ENTIRE header and ALL 3 major points of contention. Anything past this is nitpicking and getting into the weeds, if you wanted to be entirely comprehensive we could talk about the differences in tunneling and routing since that is the only thing left to talk about besides what I talked about. I would be glad to handhold you and any other anons through this as well since no one seems to have any understanding of the subject.

>are you the other ipv6 simp with the midwit IQ?
No.
>>
>>100092487
*contend

I want to make something really clear since you seem to be lost. For routing to happen 2 unique globally addressable names must be used for endpoints, these names MUST exist within the namespace. On the internet this means all public IP addresses. Private IP addresses might as well be a different internet. The only way a private network can talk to another public network or a private network OVER a public network is with a public name.

This means intrinsically endpoints MUST know of each other. There is no security issue with this, there is anonymity issue with this beyond knowing an IP address bound to any and all request or transfer data you can glean from the packets. If you consider this in and of itself an anonymity issue then so be it, it has nothing to do with IPv4 or IPv6 and will be an issue no matter how you construct your routing and addressing protocols.

Obligatory
Read the IPv6 security RFC's, or any RFC, you don't know how this works
>>
>>100085504
there's no reason for the router's default policy to allow inbound establishing of connections to public addresses at all, you would have to explicitly allow them which would give you the same security and configuration burden as with NAT
>>
the fact there is so much anger and confusion in our precious community regarding IPv6, makes me want to become some kind of an expert in it
>>
>>100092900
Becoming an expert in IPv6 will make you angry too because of how shit it is.
>>
>>100093339
this. the recent canvas shit made me look into ipv6 once more and I came out hating it more than ever before
>>
>>100093339
>>100093586
what's shit about it that's not at least as shitty in ipv4?
>>
>>100085841
Mikrotik only has one downside that I've seen with ipv6. On linux you can dhcp ipv6 however you want but on mikrotik it must be /64 chunks. So you are out of luck if provider is only giving you /64 for yourself, meaning you cannot divide it further for your lan clients.
Other than that yeah ipv6 works just fine out of the box.
>>
>>100093339
people who made ipv6 rfc are dumb fucks thinking that they know better what majority of ISPs are gonna do with their precious ipv6 allocations... other than that it's maybe fine.
>>
>>100096295
you need the full 64 bits to essentially generate uuids that serve as your ip within a given subnet. it's an exceedingly retarded idea that someone probably thought up to justify having 128bits for ip. if your isp only gives you /64 subnets and no larger then you're SOL wrt further subnetting.
some routers do give you proper sane real dhcp as you've noticed. this still isn't as bad as how badly they fucked up dns, not to mention all the other issues already discussed in this thread.
>>
>>100092533
the purpose of a router is to route packets and not care about your retarded ideas. Your described desired behavior is that of a firewall, not of a router. So get one, faggot. Problem solved.
>>
ebin thread really
>>
>>100078247
>By the way, privacy addresses miss the point completely. practical NAT isn't giving you privacy, it's giving you anonymity and security.
yap yap yap...

Wanna take a guess on why 4chan doesn't allow IPv6?
>>
>switch to ipv6
>nobody uses it
>requires additional time configuring firewalls
>no benefit
>turn it off
>no loss
why does /g/ shill it again? no nat routing so there's no native blocking of ports? less security?


