Hacker News | ExoticPearTree's comments

> It concerns me how casual the article and some of the comments here discuss an actual war against China, as if that were a reasonable scenario.

The last few wars started by the US were based on scenarios that looked good on paper and in reality they did not go so well.

Look at the Iran war: "we're gonna kill their supreme leader and the regime will fall". Almost two months later nothing changed in any significant way despite bombing it relentlessly.

Coming back to your concern, I'm pretty sure some people at the Pentagon believe the US can fight China using an expeditionary force and somehow win.


The Iran War never looked good on paper. The only people who thought it would succeed were Trump and the cast of characters he surrounded himself with. I doubt if many congressional Republican chickenhawks thought it would succeed.

The only way to oust the regime is with ground troops, ripping out the Revolutionary Guard and its tentacles. For all its corruption, Iran is far from a failed state, and there aren't factions waiting in the wings, ready and willing to take over the government with force. (There are political factions, to be sure, but they're already integrated into the government, though without leverage over the Revolutionary Guard.) The only armed group remotely capable of even trying would be the Kurds, but the US and in particular Trump screwed them over in the past, multiple times. Even if they thought they could go it alone (which they couldn't), there was zero chance they were going to enter the fray without the US committing itself fully with their own invasion force (i.e. success was guaranteed), because failure would mean ethnic Kurds would be extirpated from Iran, and might induce Iraq and Syria to revisit the question of Kurdish loyalty to their own states. And, indeed, Kurdish groups took a wait and see approach, assembling some forces but waiting to see how the US played their cards.



It's just so ridiculous. Nobody is going to be writing books about the mistakes or hubris of US intelligence, military strategists, or political scholars and analysts. Even the most diehard American proponents of regime change in Iran, at least those with any competence, could have predicted (and did predict) this outcome. This was 100% a Trump fiasco, though the whole country shares some culpability for this kind of epic failure by allowing someone like Trump to win the presidency... again.

It's a little ironic that it's due in part[1] to Trump's reticence to commit ground forces that we've come to this pass. I hesitate to criticize that disposition, but at the same time it's malfeasance to start a war without being willing and able to fully commit to the objective.

[1] Assuming the war had to happen, which of course it didn't.


> The Iran War never looked good on paper. The only people who thought it would succeed were Trump and the cast of characters he surrounded himself with.

Not to nitpick, but “looked good on paper” was a euphemism for “the powers that be think it's doable”. And yes, you are right: Trump surrounded himself with “loyalists” this time that won’t go against him like in the previous administration, but with the very undesirable effect of amplifying the echo chamber he lives in.

And like someone said in this thread, lots of hubris.

I am no expert on Iran, but all documentaries that I’ve seen about this reach the same conclusion: you don’t invade Iran using ground forces.


The Iran war, for all it was a bad idea, eliminated a lot of Iran's war capacity, which seems to be the real goal, near as anyone can tell what they were. Regime change would be nice, but needs more than the US ever gave indication they would do.

The follow-on effects like the closing of the strait were obvious, which is why few Iran haters thought it was a good idea.


The estimates I’ve seen say they lost/used 33% of their conventional capacity, 33% was rendered inoperable but recoverable.

I’d guess with the ceasefire, they’re probably back to 40-50% online.

The nuclear capability story is even worse: they were mostly mothballed prewar, suffered partial refinement damage and minimal stockpile loss. Refinement will be back online sometime in the next few years (unless this is a forever war), with weapons following shortly after that.


My first IPv6 implementation was in 2010-2011 (memory a bit fuzzy). Carriers supporting BGP over IPv6 were few, websites over IPv6 were also scarce.

Fast forward 15 years and the situation has improved quite dramatically.

IPv6 has some quirks that make it harder to digest.

- link local gateway address, makes it hard to understand why the subnet does not have a gateway from the same address space

- privacy extensions: it is very hard to explain to people why they have 3-4 IPv6 addresses assigned to their computer

- multicast instead of broadcast

- way too many ways for autoconfiguration (SLAAC, DHCPv6)

- no real tentative mapping to what people were used to. Every IPv6 presentation I did had to start with “forget everything you know about IPv4”

In the enterprise space, if you mention globally reachable address space, the discussion tends to end pretty fast because “it's not secure”. Those people love their NAT.


> In the enterprise space, if you mention globally reachable address space, the discussion tends to end pretty fast because “it's not secure”.

Topic drift, but for younger people who didn't live it, that's how it used to be!

For most of the 90s my workstation in the office (at several employers) was directly on the Internet. There were no firewalls, no filtering of any kind. I ran my email server on my desktop workstation to receive all emails, both from "internal" (but there was no "internal" really, since every host was on the Internet) people and anyone in the world. I ran my web server on that same workstation, accessible to the whole Internet.

That was the norm, the Internet was completely peer to peer. Good times.


Pretty much all tech companies and universities had a drop-in ftp server where anyone could, anonymously, put and retrieve files. It was a collective 'pastebin' useful to exchange information with clients and partners.

On the ftp server of the company I worked for, someone had put a cracked copy of our software for their colleagues to use.


Same! I even had my home network on a public /24.

The good ol’ days. Same. Had a public IP on my computer, could SSH into it to read my mail.

That I still do, but now it goes through a firewall, a bastion host and a second different firewall.

i still do this today!

You run a mail server on a residential IP? I thought that pretty much guarantees non delivery nowadays?

> Good times.

Hope you're sarcastic, because they really weren't. It was a shitshow for decades until we figured out just a bit of a clue about security practices.


The nice thing about NAT is it makes the security model easier to reason about.

By this, I don’t mean it’s more secure, because I know it isn’t. But it is a lot easier to see and to explain what has access to what. And the problem with enterprise is that 80% of the work is explaining to other people, usually non-technical or pseudo-technical decision makers, why your design is safe.

I really do think IPv6 missed a trick by not offering that.


> The nice thing about NAT [...] I really do think IPv6 missed a trick by not offering that

IPv6 supports NAT [0], and nearly all routers make it easy to enable. The primary differences compared to IPv4 are that no-NAT is the default, and that it's more heavily discouraged, but it still works just as well as it does with IPv4.

[0]: In the same way that IPv4 "supports" NAT, meaning that the protocol doesn't officially support it, but it's still possible to implement.


But would we have said the same in 1996 or 2000? Part of the adoption curve seems to be that it took years to abandon some of the bad ideas around IPv6 and readopt some of the better ones from IPv4. And a good chunk of the complexity of IPv6 is that some of the early ideas are very persistent, both in some deployed systems and in people's minds

> But would we have said the same in 1996 or 2000?

IPv6 the protocol supported NAT just as well back then as it does now, but the software probably didn't. Which goes back to my point [0] [1] that IPv6 is a great protocol with bad tooling and documentation.

> Part of the adoption curve seems to be that it took years to abandon some of the bad ideas around IPv6 and readopt some of the better ones from IPv4.

The only abandoned IPv6 concept that I'm personally aware of is A6 records [2], but I'm pretty young, so I'm sure that there are others that I'm just not aware of. My impression from reading the RFCs and Wikipedia is that IPv6 hasn't changed very much, but that doesn't really mean anything, since I wouldn't expect for current sources to talk about concepts abandoned 20+ years ago.

[0]: https://news.ycombinator.com/item?id=47814070

[1]: https://news.ycombinator.com/item?id=44773999

[2]: https://datatracker.ietf.org/doc/html/rfc6563


Just because it technically supported something in some RFC it doesn't mean you could get affordable and capable equipment supporting it.

> IPv6 supports NAT

You say that, but in practice it does not.

My consumer router, and every router I have configured, implicitly supports IPv4 NAT out of the box. But it will never NAT an IPv6 network. If I enable IPv6 then it operates by IPv6 rules, which means each device gets a Network ID and each Network ID gets routed directly and transparently. The router has no NAT table and no NAT settings for this protocol.

So if NAT is “supported” whatever that means, it simply isn’t possible for most end-users.


Consumer routers don't support lots of useful stuff though, so them not supporting NAT66 isn't very surprising. Enthusiasts are likely to use OpenWRT or nftables, both of which support NAT66 [0], and quickly Googling some random enterprise routers shows that they all support NAT66 too [1] [2] [3].

This isn't enabled by default because it's usually a bad idea, but it's certainly possible if you really want. (It's discouraged because NAT in general is a bad idea, but it's no worse with IPv6 than with IPv4; the only difference being that IPv4 effectively requires NAT.)

[0]: https://openwrt.org/docs/guide-user/network/ipv6/ipv6.nat6

[1]: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat...

[2]: https://www.animmouse.com/p/how-to-nat-ipv6-in-mikrotik/

[3]: https://www.juniper.net/documentation/us/en/software/junos/i...


IPv6 DOES support NAT.

If you've got a car that can't go 100, that doesn't mean nobody can, or that it doesn't exist. I don't care if you can't do it, it IS supported in the spec.


That’s an interesting analogy because there’s several ways you could easily dismiss it.

For example: if roads aren’t built to support cars travelling at 100 miles per hour then it doesn’t matter how much you argue that cars can do 100MPH, because you’re still not going to be travelling at 100MPH.

Or

But if the only cars that can travel at 100 MPH are Bugatti Veyrons then it’s safe to say that 100MPH cars aren’t something available to even the average consumer of high end sports cars.

Or

Sure, some cars can travel at 100 MPH, but they’re so unstable at those speeds that it’s not even safe to attempt it.

…You get the idea.


That is the same argument with USB: USB supports x, but 90% of USB don't implement it. In reality that is no different to not supported.

NAT is evil!

The price you pay is that it's more difficult to reason about what is accessible from elsewhere, because all devices are represented by your router from the outside, and there are no great ways to opt out of that.

With NAT removed, you've still got the firewall rules, and that's fairly easy to reason about for me: Block anything from outside to inside, except X. Allow A talking to B. Allow B to receive Y from outside.


> and that's fairly easy to reason about for me

But we aren’t talking about someone technical glancing at their home router's firewall. We are talking about explaining a network topology to enterprise teams like change management, CISO, etc in large infrastructure environments.

That’s a whole different problem and half the time the people signing off that change either aren’t familiar with the infrastructure (which means explaining the entire context from the ground up) and often aren’t even engineers so need those changes explained in a simplified way while still retaining the technical detail.

These types of organisations mandate CIS / NIST / etc compliance even where it makes zero sense and getting action items in such reports marked as “not required” often takes a meeting in itself with deep architectural discussion with semi-technical people.

Are these types of organisations overly bureaucratic? Absolutely. But that’s typical for any enterprise organisation where processes have been placed to protect individuals and the business from undue risk.

In short, what works for home set ups or even a start up isn’t necessarily what’s going to work for enterprise.


> But we aren’t talking about someone technical glancing at their home router's firewall.

Are we not? Because I suppose most people here are only disgruntled by a new protocol that changes how their home router works, and having to spend some learning effort.

For network admins in commercial settings, this is even less of an excuse. IPv6, the protocol, is fairly well documented and understandable if you put in the work to do so. And I am confident in saying it is absolutely able to deliver on any kind of corporate network scenario, even moreso than IPv4.


> Are we not? Because I suppose most people here are only disgruntled by a new protocol that changes how their home router works, and having to spend some learning effort.

People at home don’t care about protocols. If the WiFi works and the TV plays Netflix or Hulu or whatever, the protocol can be anything.

Last time I “cared” was when I changed the DHCP network to not overlap with the VPN. And that was a long time ago.


That would be my take as well, but feel free to read some of the sibling comments here, eager to bikeshed over the IPs of their equipment.

HN users aren’t typical home users.

Also I’m really not seeing many people here “bikeshedding” over their home gear. Are you sure you’re reading these comments and not some other IPv6 discussion? Because those conversations definitely do happen but this particular thread hasn’t gone like that.


> Are we not? Because I suppose most people here are only disgruntled by a new protocol that changes how their home router works, and having to spend some learning effort.

I did make the context pretty clear when I said:

> the problem with enterprise is…

Also, you completely missed my point when you said:

> if you put in the work to do so. And I am confident in saying it is absolutely able to deliver on any kind of corporate network scenario, even moreso than IPv4.

My point wasn’t that IPv6 cannot deliver enterprise solutions. It’s that some of the design around it makes the process of deploying enterprise solutions more painful than it needed to be.


> The nice thing about NAT is it makes the security model easier to reason about.

I first heard that relying on the 'moated castle' design of security (firewalls) was a bad idea and no longer best practice a decade or two ago, and while inside/outside may be a convenient mental shortcut for security, it shouldn't be relied upon.

Sure, sensible people know that NAT ≠ security, but by having private/public IPs I think it makes people's thinking lazy. Every system having publicly routable addresses (but not publicly accessible, due to SPI) would force more folks to actually examine their security controls.

It's too easy to think "ah, this has a 10.x.y.z address, therefore it's inside and safe". No, because most attacks nowadays involve compromised/ing clients, and then running around 10.x networks where people got lazy because these things are on the "inside".


NAT is a stateful firewall with a trick.

One is exactly as complicated to reason about as the other.

Except on one you don't need the trick.


NAT is state tracking with a trick, but not firewalling. It doesn't block connections, so it's not a firewall.

Not in the context I was describing.

Nope, it doesn't. The security model is based on your firewalls and routing, not on NAT. NAT just gets in the way and makes it harder to understand what's going on.

For example, on a normal home network, if you don't have a firewall on your router then your ISP can connect to anything on your network. Even when they don't control the router and even if you're NATing.

If you didn't realize this then apparently NAT didn't make it easier to reason about after all.


Can you say more about the ISP connecting to any computer on your network? I can’t find any references to this aspect in googling the right terms and the concept is foreign to me.

There are a bunch of ways to break it, or misconfigure it. But I have no idea what this ISP method is.


It's just normal routing. If you send packets to a router, it'll route them.

More concretely, they can run the equivalent of `ip route add 192.168.1.0/24 via <your WAN IP>` on a machine that's connected to your WAN network, and then their machine will send packets with a dest of 192.168.1.x to your router. Your router will route them onto your LAN because that's what its own routing table says to do with them.

Anyone on your immediate upstream network can do this, not just your ISP. Also, if you use ISP-assigned GUAs then this inbound route will already exist and anyone on the Internet can connect. Applying NAT to your outbound connections will change their apparent source address, but it won't make that inbound route disappear.


Have you tried that?

I have yet to see a router that allows that forwarding unless explicitly configured. Still, I'm using mostly openwrt/opnsense/mikrotik

Default is to disallow/block forwarding packets from public wan to private range lan.

ISP can still inject packets on ports that NAT opens if it spoofs the source address/port, so you still have some validity to the argument.


20 some years ago when cable broadband was new, you connected a computer and got public IP. For this example let's just assume it was a public /24. Back then there was no firewall built into Windows, it didn't ask you if you were connecting to a public or private network.

For some ISPs you could connect a switch or hub (they still existed when cable came out, 1 Gbps switches were expensive) and connect multiple computers and they would all get different public IPs.

Back then a lot of network applications like windows filesharing heavily used the local subnet broadcast IP to announce themselves to other local computers on the network. Yes this meant when you opened up windows file sharing you might see the share from Dave's computer across town. I don't recall if the hidden always on shares like $c were widely known about at this time.

ISPs fixed this by blocking most of the traffic to and from the subnet broadcast address at the modem/headend level but for some time after I could still run a packet capture and see all the ARP packets and some other broadcasts from other modems on my node, but it wasn't enough to be able to interfere with them anymore.


I understand this aspect, and this conversation is tricky because most consumer routers have this barebones firewall built in to reject the routing mentioned by the OP. So what we think of as a "router doing nat" often is subtly doing more. I'd hate to call what a barebones consumer router is doing a firewall because there are important firewall features that it does not have that are necessary for security.

It's just one firewall rule at the border to block all inbound traffic to a subnet or a range unless related to an outbound connection. Now you have identical security to a NAT. The huge win is you can forget about port forwarding and later just open the ports you need to the hosts you need or even the whole host if required.
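A toy model of the forwarding decision argued over in the comments above (the routed packet to 192.168.1.x, and the single "block inbound unless related to an outbound connection" rule). This is an added example, not code from any commenter; the `Router` and `Packet` classes are hypothetical and all addresses are constructed from documentation ranges. It keeps NAT's address rewriting separate from the stateful filter so each one's effect on an unsolicited inbound packet is visible.

```python
from dataclasses import dataclass, field, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Router:
    lan: str                # prefix behind the router
    wan_ip: str             # the router's own WAN address
    masquerade: bool        # NAT: rewrite the source of outbound packets
    stateful_filter: bool   # drop WAN->LAN unless it answers a tracked flow
    flows: set = field(default_factory=set)   # (lan_ip, lan_port, remote_ip, remote_port)
    nat: dict = field(default_factory=dict)   # wan_port -> same 4-tuple
    _next_port: int = 40000

    def from_lan(self, p: Packet) -> Packet:
        """Outbound packet: track the flow, optionally masquerade the source."""
        self.flows.add((p.src, p.sport, p.dst, p.dport))
        if not self.masquerade:
            return p
        port = self._next_port
        self._next_port += 1
        self.nat[port] = (p.src, p.sport, p.dst, p.dport)
        return replace(p, src=self.wan_ip, sport=port)

    def from_wan(self, p: Packet):
        """Inbound packet: return (verdict, packet delivered to the LAN or None)."""
        if ip_address(p.dst) == ip_address(self.wan_ip):
            # Addressed to the router itself: only a NAT mapping can send it on.
            entry = self.nat.get(p.dport)
            if entry and entry[2:] == (p.src, p.sport):
                return "forward", replace(p, dst=entry[0], dport=entry[1])
            return "not-forwarded", None
        if ip_address(p.dst) not in ip_network(self.lan):
            return "no-route", None
        # Addressed to a LAN host: plain routing. NAT plays no part here,
        # only the filter rule can refuse it.
        is_reply = (p.dst, p.dport, p.src, p.sport) in self.flows
        if self.stateful_filter and not is_reply:
            return "drop", None
        return "forward", p


def scenarios():
    """Run the cases from the thread and return {case: verdict}."""
    r = {}
    remote, neighbour, wan = "198.51.100.20", "203.0.113.1", "203.0.113.7"

    # IPv4, NAT but no filter rule on the router.
    nat_only = Router("192.168.1.0/24", wan, masquerade=True, stateful_filter=False)
    out = nat_only.from_lan(Packet("192.168.1.10", 51000, remote, 443))
    r["nat_only/reply"] = nat_only.from_wan(Packet(remote, 443, out.src, out.sport))
    # An upstream neighbour with a route for 192.168.1.0/24 via the WAN IP.
    r["nat_only/routed_to_lan"] = nat_only.from_wan(
        Packet(neighbour, 40000, "192.168.1.10", 22))
    r["nat_only/to_wan_ip"] = nat_only.from_wan(Packet(neighbour, 40000, wan, 22))

    # Same network with the stateful rule added.
    nat_fw = Router("192.168.1.0/24", wan, masquerade=True, stateful_filter=True)
    r["nat_fw/routed_to_lan"] = nat_fw.from_wan(
        Packet(neighbour, 40000, "192.168.1.10", 22))

    # IPv6, globally routable LAN prefix, no NAT, stateful rule only.
    host, remote6 = "2001:db8:1::10", "2001:db8:beef::20"
    v6_fw = Router("2001:db8:1::/64", "2001:db8:ffff::2",
                   masquerade=False, stateful_filter=True)
    v6_fw.from_lan(Packet(host, 51000, remote6, 443))
    r["v6_fw/reply"] = v6_fw.from_wan(Packet(remote6, 443, host, 51000))
    r["v6_fw/unsolicited"] = v6_fw.from_wan(Packet(remote6, 443, host, 22))

    # IPv6 with neither NAT nor a filter: the inbound route simply works.
    v6_open = Router("2001:db8:1::/64", "2001:db8:ffff::2",
                     masquerade=False, stateful_filter=False)
    r["v6_open/unsolicited"] = v6_open.from_wan(Packet(remote6, 443, host, 22))
    return {case: verdict for case, (verdict, _pkt) in r.items()}


if __name__ == "__main__":
    for case, verdict in scenarios().items():
        print(f"{case:26} {verdict}")
```

In the model, the only cases where an unsolicited packet reaches a LAN host are the two with `stateful_filter=False`, whether or not NAT is on.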

Is it really identical when the receiving party can now identify every workstation at your internal network and track them separately?

For example, any website can now not only log that the traffic originated from org A, but specifically from org A, workstation N.

I wonder, is the privacy implication not important enough for people to worry about this?


At this point, the people who would be worried about this ought to know that temporary addresses are a thing, and that they prevent workstation N from having a single fixed IP for its outbound connections that it could be identified with.

> any website can now not only log that the traffic originated from org A, but specifically from org A, workstation N.

GeoIP databases and Cookies exist. So I'm not sure how your threat profile has increased here.

> I wonder, is the privacy implication not important enough for people to worry about this?

The most you can do over what is already possible is attempt an inventory or unit count of my office; however, you'd have to get every computer in my office to go to the same website that you control. Then you'd have to control for upgrades and other machine movements. I don't think this enables anything in particular.


One good thing about IPv6 is that any reasonable allocation will be large enough to use sizable chunks as functional divisions.

A small company might have a /48. You don't have to be concerned about address space when you just go, ok, first bit is for security zones. Or first 2 bits. Or first 3 bits. Do you need more than 8 security zones?

(Also, ULAs¹ exist, and most people should use them, independent of a possible consideration to not roll out GUAs² in parallel as one would normally do.)

¹ Unique Local Address, fc..: and fd..:

² Global Unicast Address


Pretty much the only way I've seen a /48 split in practice is to get 256 /56 (one per site) then 256 /64 (one per VLAN).

/52 and /60 are quite common as well, predictably what with falling on a "letter boundary" and all

Interesting. I've only seen /60 when they're trying to split up a /56, and IMO it's a little unclean.
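The two addressing plans mentioned in the comments above (leading bits of a /48 as security zones; a /48 cut into 256 /56 sites of 256 /64 VLANs each), worked through with Python's `ipaddress` module. This is an added example, not from any commenter; `ORG` is a constructed documentation prefix, and the function names and the sample zone policy are hypothetical.

```python
from ipaddress import IPv6Address, IPv6Network

ORG = IPv6Network("2001:db8:abcd::/48")  # constructed documentation prefix


def zones(org: IPv6Network, zone_bits: int):
    """Split the organisation prefix into 2**zone_bits equal security zones."""
    return list(org.subnets(prefixlen_diff=zone_bits))


def zone_of(addr: str, org: IPv6Network, zone_bits: int):
    """Zone index encoded in the first zone_bits after the org prefix, or None."""
    a = IPv6Address(addr)
    if a not in org:
        return None
    shift = 128 - org.prefixlen - zone_bits
    return (int(a) >> shift) & ((1 << zone_bits) - 1)


def site_vlan(addr: str, org: IPv6Network):
    """Decode the /48 -> 256 x /56 (site) -> 256 x /64 (VLAN) plan."""
    a = IPv6Address(addr)
    if org.prefixlen != 48 or a not in org:
        return None
    subnet_id = (int(a) >> 64) & 0xFFFF   # the 16 bits between /48 and /64
    return subnet_id >> 8, subnet_id & 0xFF


def vlan_prefix(org: IPv6Network, site: int, vlan: int) -> IPv6Network:
    """The /64 for a given site and VLAN number under the same plan."""
    if org.prefixlen != 48 or not (0 <= site < 256 and 0 <= vlan < 256):
        raise ValueError("plan needs a /48 and 8-bit site/VLAN numbers")
    base = int(org.network_address) | (((site << 8) | vlan) << 64)
    return IPv6Network((base, 64))


def allowed(src: str, dst: str, policy: set, org=ORG, zone_bits=3) -> bool:
    """'What has access to what' as a zone-pair lookup; same-zone is allowed."""
    s, d = zone_of(src, org, zone_bits), zone_of(dst, org, zone_bits)
    if s is None or d is None:
        return False
    return s == d or (s, d) in policy


# Hypothetical policy: zone 1 (e.g. workstations) may reach zone 2 (servers).
POLICY = {(1, 2)}

if __name__ == "__main__":
    for i, z in enumerate(zones(ORG, 3)):
        print(i, z)
    print(site_vlan("2001:db8:abcd:2105::1", ORG), vlan_prefix(ORG, 0x21, 0x05))
```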

It is absolutely a thing in IPv6 as well, but why would you do that.

https://en.wikipedia.org/wiki/IPv6-to-IPv6_Network_Prefix_Tr...


For exactly the reasons I stated

> But it is a lot easier to see and to explain what has access to what.

"What has access to what" is exactly what computer security is.


The SLAAC/DHCPv6 combo seems really strange to me.

Either IP/DNS/gateway discovery with one or the other could be tolerable. But allowing combinations such as SLAAC for addressing and DHCP for DNS discovery is lunacy.

It’s as if one said, let’s take the most basic and critical step and make it as complicated as possible and explore the combinatorial explosion…


The article mentions that DHCPv6 was an afterthought because DHCP itself barely existed when IPv6 was being designed - they were still using things like RARP or BOOTP!

https://en.wikipedia.org/wiki/Reverse_Address_Resolution_Pro...

https://en.wikipedia.org/wiki/Bootstrap_Protocol


The article does seem to simultaneously claim that IPv6’s design is the result of weird no longer current pressures but also that it’s perfectly fine and correctly designed.

> IPv6 has some quirks that make it harder to digest.

Almost every point in your list is wrong.

> - link local gateway address, makes it hard to understand why the subnet does not have a gateway from the same address space

IPv4 has link-local addresses, too. Those are the 169.254.X.X addresses that you see on Windows machines. IPv6 adds nothing new.

> - privacy extensions: it is very hard to explain to people why they have 3-4 IPv6 addresses assigned to their computer

Well then, don’t use them. Configure the machines with one address each, just like before. If you want the (arguable) advantages of the privacy extensions, they are available, but not mandatory.

> - multicast instead of broadcast

IPv4 always had multicast, too. IPv6 is simplified by considering the broadcast concept to be a kind of multicast.

> - way too many ways for autoconfiguration (SLAAC, DHCPv6)

SLAAC is just link-local addresses, which you already mentioned above. Did you mean NDP with router advertisements?

If you did, you do have a small point, but DHCP6 is still there like always. IPv6 just offers an additional feature for the simple cases where a host just needs an IP address, netmask and a router address.

> - no real tentative mapping to what people were used to. Every IPv6 presentation I did had to start with “forget everything you know about IPv4”

That’s the complete opposite of my experience. Almost everything in IPv6 works exactly the same as with IPv4.


You're being obtuse. Every point in the original comment is correct, you just disagree they're issues. The original comment also doesn't state they are issues just that they are differences.

• link local addresses

Auto configuration addresses are in V4 but they are used entirely differently. Interfaces do not have link local addresses if they have a DHCP or statically configured address, in V6 it is extremely common to use a link local address as the gateway, in V4 this basically never happens.


> The original comment also doesn't state they are issues just that they are differences.

My point is that, in most cases, these aren’t differences, since IPv4 does the same thing as IPv6. Therefore, the claim that IPv6 “has some quirks that make it harder to digest [than IPv4]” is incorrect.

> Interfaces do not have link local addresses if they have a DHCP or statically configured address

I could be wrong, but I seem to recall that Windows machines always have an IPv4LL address?

> in V6 it is extremely common to use a link local address as the gateway

What? I have never seen this.


> In the enterprise space, if you mention globally reachable address space, the discussion tends to end pretty fast because “it's not secure”. Those people love their NAT.

Was also designed in the early 90s before security was taken seriously.


> Was also designed in the early 90s before security was taken seriously.

True, but since then it has transformed into “no one gets in because we have _private_ IP addresses”…


I would need to ask the follow up question. Okay so what happens when someone gets in? Say some idiot installs something they should not. Or there is some vulnerability in something you allow in?

Extra layers are good. But it does not mean you can forgo anything else.


Okay, so you configure a firewall. NAT is not required.

To be fair it's a pretty decent defense, in the early days of blaster and today with IoT crap.

The real problem is many "enterprises" have people who don't understand networking. NAT was a solution to IP address depletion. This is not a problem we have with IPv6.

If security is taken seriously, I'm sure they can spend a few minutes and learn how to configure an IPv6 firewall that allows no inbound connections. It's basically the simplest configuration possible.


> This is NOT the AI revolution anyone was waiting for.

It's Clippy. All over again.


Don't let Louis Rossmann hear you say that, though.

Yes. You can actually buy pairs of antennas (basically an AP pair) that do just that. The only downside is that the signal quality varies based on weather.

If you want something more or less weather proof, you can get microwave P2P links that run in licensed bands and you don't get any signal interference from similar nearby antennas.

Both WiFi and Microwave equipment act just like bridges and you can connect them to a switch or router.


We have an ISP (Monkeybrains) that offers this in SF but it’s only up to 100 Mbps each way.

I recently tried AT&T fixed wireless which runs over the mobile network but it seems too congested to offer high speeds so ended up back with Comcast.


I live in a country where you can get 10Gbps fiber for ~ 10EUR. And one 1Gbps for the same money if they don't have coverage for the 10G.

And, having worked with the US providers all I can tell you is this: greed, and lots of it. And if they're the only option in an area, they will charge you a literal arm and a leg.

Just a small example: in a mall, there was a single provider. Paid ~ 300USD for 5Mbps in 2024. Once we were able to upgrade the equipment and get a cell router, we got to pay about $50/mo for ~ 50-60Mbps. Mall provider not happy.


The hardware tokens are being phased out by banks and replaced with SMS OTP codes + passwords.

Cost saving measures.

It's funny to see that I can access the bank account through FaceID but to actually make a payment I need to use an SMS code.


There is nothing to be gained politically by doing this. You think you look good if you say “hey, the Poles had this really good idea, how about we do the same”?

Plus, the process is something like:

- we want to do $something

- hire consultants to help us define $something and produce a document

- hire other consultants to write the specs for the project

- launch an RFP

- select a winner

- wait for the implementation to finish

All the proposed solutions will be something paid, ideally made by a really large company to lend it credibility, and with maintenance costs that justify hiring dedicated people for it.

In the end no one gets what they want.

You think if there was any will wouldn’t the whole EU use whatever the Estonians are doing very well?


> You think you look good if you say “hey, the Poles had this really good idea, how about we do the same”?

Yes.

> You think if there was any will wouldn’t the whole EU use whatever the Estonians are doing very well?

Using the Estonian system would be vastly preferable.

If politics doesn’t allow that, the political environment is broken.


How is the Estonian system now? I remember when I visited around 2010 our host just had a quite simple smart card reader and could just use it to sign in to government services with their ID and as far as I remember even sign mails and documents. Germany of course could not use normal smart cards but had to use NFC cards with special readers and made the signing feature an additional service you had to pay for on a yearly basis. Of course the German system did not go anywhere for years. I do have a reader now and can use it for some governmental services and have very limited appetite to bind the ID to my phone.


Ukraine also seems to have solved this pretty well. NFC in the plastic card, selfie video confirmation, etc.

Hungary is also rolling out a "digital citizenship" app. (Also can be bootstrapped via newer plastic cards, so no need to visit the government office.)


> Why are we not refusing to implement this until we know we can make it work on all devices?

Simply put: this will never happen. Way too many device implementations to make this a reality.


It's just a matter of creating a web app.


And what attestation services does your web app use? Do we lock that web app behind having Secure boot enabled, along with a Java applet for the fun of it?

If your answer is "none", you missed the point.


Attestation of what? It's none of your business how I secure and configure my phone. I use a smart card on my Librem 5 btw. See also: https://news.ycombinator.com/item?id=47647047


My business, no. Your government however, has a few reasons to want to ensure that the ID you're going to use to vote, to prove your identity to any service, etc, etc, does not get passed from device to device.

Configure your phone however you want, then use your physical ID because your phone isn't supported. They're not taking it away. In the same way that you can file your taxes. Having an online filing service doesn't mean you're being "excluded" because your i386 running BeOS isn't part of the supported hardware. Send a letter. It'll still work.


I second the question, attestation of what? I have a Solo key that I use with webauthn for several services already. Is that not good enough and even if not, there surely are sufficient alternatives, least of all the actual electronic id on the national id card via nfc?


There are no alternatives.

I mean you could use Huawei and others, but the FUD campaigns against Chinese manufacturers were pretty aggressive in the EU.


Yes, it was magic. Back in the good ol' days, I used quite a few times to resize disks and if my memory is right, to recover deleted partitions.

