this post was submitted on 10 Nov 2024
32 points (92.1% liked)
Explain Like I'm Five
I'm going to just answer each point in turn. Maybe it's useful. I don't know.
It does. Generally most ISPs assign each user the equivalent of the IPv4 address space multiplied by itself. There's a lot of address space to go around.
This is true. But you rarely need to remember a full IP address. Most resources you access via DNS. If you have servers on your own network you will probably need to remember your own prefix (first 3 or 4 blocks of 4 hex numbers), and the servers you want to access would likely be ::1 and ::2, etc., in that allocation. So you'd learn them. Also, most routers allow for local DNS entries, and there are other things that will help here.
This is a concern, but that's mostly because router makers now are often badly configuring their routers. The correct way to configure a router is to allow outgoing/established connections by default and block all incoming (until you specifically open a port). Once this is done the security is very similar to NAT.
Yes, NAT was created to make a small address space work in an era of multiple internet consumers behind a single connection. But when each device can get a routable IPv6 address, NAT is not needed. However, the security I talk about above IS essential to apply to consumer routers.
Now, I'll elaborate on some of the features of IPv6 (a lot of which are just not being used when they could have been).
This allows normal client machines (the kind that would usually be behind NAT entirely) to have a level of security and privacy similar to that provided by NAT. One concern with just plain IPv6 with a fixed IPv6 allocation is that people could ID a specific machine from web logs etc., and this could be used against you in privacy terms. This extension ensures that you have multiple active IPv6 addresses. One could be the one you perhaps have some ports open on. That address will not be used for outgoing connections. A random IP will be used for outgoing connections, and this IP will not have any ports open and will change frequently. I think on Windows this is enabled by default (when you look in ipconfig you will often see multiple "temporary addresses").
Currently it doesn't take THAT long to portscan the whole IPv4 address space. And because almost every public address is hosting multiple hosts behind it, there's a good chance ports will be open on a lot of the IPs scanned.
With IPv6 the public address space is huge. Normal machines have their allocations made randomly within a huge allocation per user, and every IP would still need every port scanned. This makes active port scanning much harder. The above privacy extensions also mean that passive port scanning (port scanning IPs found in web logs, for example) is harder too.
Provided consumer routers are configured well from the factory and ISPs are making sensible decisions regarding allocation of address space, the user will benefit from the advantages and not even know they're using IPv6 in many cases. When you go to Google/Facebook/YouTube etc. you will be on IPv6 and not even know it.
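
Added example, not part of the comment above: a small Python model of the router policy it describes (allow outgoing and established traffic, block incoming until a port is opened), combined with the stable/temporary address split from the privacy-extension paragraph. All addresses are constructed values from the IPv6 documentation range, the class and function names are hypothetical, and the flow tracking is simplified (no timeouts, no protocol or ICMPv6 handling).

```python
import ipaddress

# Constructed values from the IPv6 documentation range (2001:db8::/32).
LAN = ipaddress.ip_network("2001:db8:1234:5600::/56")   # assumed ISP-delegated prefix
STABLE = "2001:db8:1234:5601::2"                         # server's fixed address
TEMP = "2001:db8:1234:5601:a1b2:c3d4:e5f6:789a"          # client's temporary address
REMOTE = "2001:db8:ffff::10"                             # host outside the LAN prefix


class StatefulFirewall:
    """Router forward policy: allow outbound and replies, drop other inbound."""

    def __init__(self, lan):
        self.lan = lan
        self.flows = set()       # (lan_addr, lan_port, remote_addr, remote_port)
        self.open_ports = set()  # (lan_addr, port) explicitly opened by the owner

    def open_port(self, addr, port):
        self.open_ports.add((ipaddress.ip_address(addr), port))

    def verdict(self, src, sport, dst, dport):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src in self.lan:
            if dst not in self.lan:
                self.flows.add((src, sport, dst, dport))  # remember outbound flow
            return "accept"
        if dst not in self.lan:
            return "drop"                                 # not for this network
        if (dst, dport, src, sport) in self.flows:
            return "accept"                               # reply to a tracked flow
        if (dst, dport) in self.open_ports:
            return "accept"                               # owner opened this port
        return "drop"                                     # unsolicited inbound


def demo():
    fw = StatefulFirewall(LAN)
    fw.open_port(STABLE, 443)
    packets = [
        (REMOTE, 40000, TEMP, 22),     # unsolicited probe of a client
        (TEMP, 51000, REMOTE, 443),    # client opens a connection
        (REMOTE, 443, TEMP, 51000),    # reply to that connection
        (REMOTE, 40001, STABLE, 443),  # opened port on the stable address
        (REMOTE, 40002, TEMP, 443),    # same port, but on the temporary address
        (REMOTE, 443, TEMP, 51001),    # looks like a reply, no matching flow
    ]
    return [fw.verdict(*p) for p in packets]


if __name__ == "__main__":
    print(demo())
```

The fifth packet shows that an opened port applies to one address only: the temporary address used for outgoing connections stays closed even though the stable address accepts connections on the same port.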