Comment by throw0101a 10 months ago
> I don't think I'm disagreeing with you regarding firewalls: what I was trying to say is that "every node being a peer" isn't a good argument against NAT, since these days it holds neither in IPv4 nor in IPv6, now that everything has a firewall in front of it.
In residential environments you can do a whole bunch with UPnP/PCP, but with IPv4 you have the added complexity of STUN, TURN, and ICE:
* https://community.cisco.com/t5/collaboration-knowledge-base/...
* https://medium.com/@ecosmobtechnologies/webrtc-best-practice...
With IPv6 you simply punch a hole and the two clients simply talk to each other with their GUAs.
(In more tightly controlled environments (e.g., work), firewall policies and hole punching are dictated by IT.)
> Meanwhile, one might argue that things like SLAAC in IPv6 can similarly add conceptual difficulties compared to IPv4. E.g., "How do I identify some particular device in my network, if its link-local IP is changing on a regular basis?"
If a device gets its address via DHCP(v4), how do you identify it? SLAAC is for dynamic environments, but if you want static services, configure IPv6 statically.
At least with IPv6 you don't need DHCP infrastructure (and complexities like IP helpers configured on routers) to get going.
> With IPv6 you simply punch a hole and the two clients simply talk to each other with their GUAs.
Eh, I wouldn't call it that simple. With an IPv6 firewall, TCP hole-punching is still difficult to impossible depending on how strict the connection tracking is (necessitating something TURN-like), and UDP hole-punching still requires some timing trickery. It's useful to keep a connection open with a STUN server regardless, in case that influences the firewall. All that NAT does is add a few more possible failure points, depending on how the router sets up mappings.
In the end, these are just hacks on hacks regardless, since we're never going to have reliable UPnP or similar on every network.
> If a device gets its address via DHCP(v4), how do you identify it?
I manage its assigned IPv4 address from the router, which itself presumably identifies it by MAC address. Doing it centrally from the router is often easier than trying to change the device's own settings.
Regarding static IPv6, can you still have static addresses within a network, while using rotating privacy addresses for outside connections? I've always been somewhat unnerved by the idea of each device in a network having a persistent address that can be separately tracked.
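On the question of keeping a stable address for inbound services while rotating privacy addresses for outbound connections: on Linux the two coexist on one interface. With `net.ipv6.conf.<if>.use_tempaddr=2` the kernel prefers temporary addresses as the source for new outbound connections while a statically configured or SLAAC-derived stable address stays configured and reachable. What is worth auditing is which of the addresses on an interface are persistent identifiers. The script below is an added example, not code from the thread or from any project named in it; it parses `ip -6 addr show` output (the sample is constructed from documentation prefixes, not captured from a real host), labels each address by lifetime, and recovers the MAC from any EUI-64 interface identifier, since that is the identifier that survives every privacy-address rotation.

```python
import ipaddress
import re

# Constructed sample of `ip -6 addr show dev eth0` output (documentation
# prefixes, not captured from a real host). It shows the mix a Linux host
# with use_tempaddr=2 and one manually added address typically carries.
SAMPLE_IP_ADDR_OUTPUT = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1::53/64 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 2001:db8:1:0:a1b2:c3d4:e5f6:1234/64 scope global temporary dynamic
       valid_lft 86313sec preferred_lft 14313sec
    inet6 2001:db8:1:0:2a1:b2ff:fec3:d4e5/64 scope global dynamic mngtmpaddr
       valid_lft 86313sec preferred_lft 86313sec
    inet6 fe80::2a1:b2ff:fec3:d4e5/64 scope link
       valid_lft forever preferred_lft forever
"""

# One address line: "inet6 <addr>/<plen> scope <scope> [flags...]"
ADDR_LINE = re.compile(r"^\s*inet6\s+(\S+)/(\d+)\s+scope\s+(\S+)((?:\s+\S+)*)\s*$")


def parse_ip_addr(text):
    """Return [(IPv6Address, scope, set_of_flags), ...] from `ip -6 addr` output."""
    entries = []
    for line in text.splitlines():
        m = ADDR_LINE.match(line)
        if m:
            entries.append((ipaddress.IPv6Address(m.group(1)),
                            m.group(3),
                            set(m.group(4).split())))
    return entries


def mac_from_eui64(addr):
    """If the low 64 bits are a modified EUI-64 interface identifier, return
    the MAC it was built from (flip the U/L bit, drop the ff:fe filler);
    otherwise return None."""
    iid = addr.packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def classify(scope, flags):
    """Label an address by how long it identifies the host."""
    if scope == "link":
        return "link-local"
    if "temporary" in flags:
        return "temporary privacy address (rotates)"
    if "dynamic" in flags:
        return "SLAAC stable address (persistent)"
    return "static address (persistent)"


def audit(text):
    """Summarise every address on the interface and flag identifiers that
    outlive a privacy-address rotation."""
    report = []
    for addr, scope, flags in parse_ip_addr(text):
        report.append({
            "address": str(addr),
            "kind": classify(scope, flags),
            "mac_from_eui64": mac_from_eui64(addr),
        })
    return report


if __name__ == "__main__":
    for row in audit(SAMPLE_IP_ADDR_OUTPUT):
        mac = row["mac_from_eui64"]
        extra = f"  (embeds MAC {mac})" if mac else ""
        print(f"{row['address']:<40} {row['kind']}{extra}")
```

Run it against `ip -6 addr show dev eth0` on a real host by piping the output in. If the host generates RFC 7217 stable-privacy identifiers instead of EUI-64 ones, `mac_from_eui64` returns None for the SLAAC address, but that address is still constant for a given prefix and interface and is still reported as persistent.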
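The earlier exchange ("you simply punch a hole" versus "it depends on how the router sets up mappings") is easier to reason about with a model. The following is an added example, not code from the thread: a UDP-only toy of a stateful firewall and of two NAT behaviours, with a STUN-then-simultaneous-send hole punch run across the pairings. Addresses and the STUN server are constructed from documentation ranges; the middlebox behaviours are simplified assumptions (no timeouts, no TCP; the "port_restricted" NAT keeps one external port per internal port but filters inbound by remote address and port, the "symmetric" NAT allocates a fresh external port for every remote endpoint).

```python
import itertools
from dataclasses import dataclass, field

# Constructed addresses (documentation ranges); nothing here touches the network.
STUN_SERVER = ("203.0.113.1", 3478)


@dataclass
class Middlebox:
    """UDP-only model of what sits in front of a host.

    kind = "firewall":        stateful IPv6 firewall, no translation; inbound
                              is accepted only if it matches an outbound flow.
    kind = "port_restricted": IPv4 NAT with endpoint-independent mapping
                              (one external port per internal port) and
                              address-and-port-dependent filtering.
    kind = "symmetric":       IPv4 NAT with endpoint-dependent mapping (a new
                              external port for every remote endpoint).
    """
    kind: str
    ext_ip: str
    mappings: dict = field(default_factory=dict)  # mapping key -> external port
    flows: set = field(default_factory=set)       # (ext_port, remote_ip, remote_port)
    _ports: itertools.count = field(default_factory=lambda: itertools.count(40000))

    def outbound(self, int_port, remote):
        """A host behind the box sends from int_port to remote=(ip, port).
        Records flow state and returns the (ip, port) the remote will see."""
        if self.kind == "firewall":
            ext_port = int_port
        else:
            key = int_port if self.kind == "port_restricted" else (int_port, remote)
            ext_port = self.mappings.setdefault(key, next(self._ports))
        self.flows.add((ext_port, remote[0], remote[1]))
        return (self.ext_ip, ext_port)

    def inbound(self, remote, ext_port):
        """A packet from remote=(ip, port) arrives addressed to ext_port.
        Returns the internal port it is delivered to, or None if dropped."""
        if (ext_port, remote[0], remote[1]) not in self.flows:
            return None  # no matching outbound flow: dropped by the box
        if self.kind == "firewall":
            return ext_port
        for key, port in self.mappings.items():
            if port == ext_port:
                return key if self.kind == "port_restricted" else key[0]
        return None


def hole_punch(box_a, box_b, port_a=5000, port_b=6000):
    """Simultaneous-open UDP hole punch between hosts behind box_a and box_b.
    Returns True if both directions are delivered to the right internal port."""
    # 1. STUN: each side learns the external tuple the server sees.
    cand_a = box_a.outbound(port_a, STUN_SERVER)
    cand_b = box_b.outbound(port_b, STUN_SERVER)
    # 2. Candidates are swapped over a signalling channel and both sides send
    #    to each other. In the model both sends happen before either packet is
    #    delivered; on a real network the packet that arrives before the far
    #    side has sent is dropped, which is where the timing games come from.
    a_seen_by_b = box_a.outbound(port_a, cand_b)
    b_seen_by_a = box_b.outbound(port_b, cand_a)
    # 3. Deliver each packet to the far box, carrying the source tuple that
    #    box actually emitted (a symmetric NAT may have picked a new port).
    return (box_b.inbound(a_seen_by_b, cand_b[1]) == port_b
            and box_a.inbound(b_seen_by_a, cand_a[1]) == port_a)


def run_matrix():
    """Try the pairings discussed above and report which ones connect."""
    def pair(kind_a, kind_b):
        ip_a = "2001:db8:a::1" if kind_a == "firewall" else "198.51.100.1"
        ip_b = "2001:db8:b::1" if kind_b == "firewall" else "198.51.100.2"
        return hole_punch(Middlebox(kind_a, ip_a), Middlebox(kind_b, ip_b))

    return {
        ("firewall", "firewall"): pair("firewall", "firewall"),
        ("port_restricted", "port_restricted"): pair("port_restricted", "port_restricted"),
        ("port_restricted", "symmetric"): pair("port_restricted", "symmetric"),
        ("symmetric", "symmetric"): pair("symmetric", "symmetric"),
    }


if __name__ == "__main__":
    for kinds, ok in run_matrix().items():
        print(f"{kinds[0]:>15} <-> {kinds[1]:<15} {'connected' if ok else 'FAILED'}")
```

The stateful-firewall pair and the port-restricted pair connect. As soon as one side's NAT picks a new external port per destination, the other side's filter sees a source tuple it holds no state for and drops the packet; that is the extra failure point NAT adds and what pushes a real stack onto a TURN relay. TCP, where a simultaneous open also has to survive the tracker's state machine, is not modelled.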