- 0 Posts
- 32 Comments
Good luck getting a block of IP addresses from your regional internet registry for this community ISP… IP address exhaustion is just that, no more addresses. That’s why we are sharing them.
We do have a solution and it’s called IPv6, but its deployment is still not as widespread as people would like to be. If I self-host my website on IPv6, a lot of people from Europe would still be unable to access it.
Overall everyone will use less data when there’s a data cap, I found.
My ISP implemented data caps back then too (thankfully it’s all removed now, but 60GB was really bonkers!) and I just find it fascinating how much traffic I generate nowadays, when I don’t have to care how much data I have left this month.
Anyways, data caps shouldn’t be relevant anymore in 2023 when absolutely everything can handle gigabits and more. It’s interesting how American ISPs still implement them.
I sorta understand why data caps were implemented in the past. Some people hosted servers on their home connection, and their total internet traffic in a week would far exceed that of a normal user’s. Data caps were meant to force people to be conservative on their internet usage so this would not happen.
But come on now, it’s 2023. If your internet infrastructure could not handle that amount of traffic, you are a laughing stock of ISPs.
I don’t know where D fits nowadays and which problem it’s trying to solve.
My experience has been similar - it’s hard to categorize the language.
As a low-level system language like C, C++, Rust, Zig? The garbage collector makes it a hard sell to other people, even though one can opt out of it.
As a higher-level application language like Java and Go? D frequently gives me a “low-level language” feel, but I am not sure why.
As a scripting language? I feel like its type system works against the rapid-prototyping coding style commonly seen in scripts.
…Are you saying that the rest of the world have not a single idea, which temperature is burning hot and which temperature is freezing cold?
All of that is just a matter of habits/familiarity. If you are used to Celcius, you know 0℃ is freezing cold, like literally. Anything beyond 40℃ is “shit just got real” territory.
If you want to call out “but 40 is not an intuitive number!!” then I would briefly mention that 212℉ is not an intuitive number for the boiling point of water either.
The IPv4 exhaustion is far more gnarly in developing countries. Something on the scale of hundreds of people sharing one IPv4 address.
If I want to get a public IPv4 address from my ISP, I have to spend extra. Some ISPs in my country simply don’t give public IPv4 addresses anymore. They have completely exhausted their pool.
You can’t talk about NAT and then mention speed in the same statement…
The 128-bit IPv6 addresses are just four simple 32-bit integers if you think about it, but with NAT you have juggle around and maintain the (internal IP, internal Port, external IP, external Port, Protocol) tuples all the time. That’s a significant overhead. Also, switches typically deal with the Layer 2 stuffs. IP is Layer 3.
See the HN discussion for more information.
It’s just easier to do IPv4 in every way
Except when you have to NAT transversal. Then you are in a world of hurt.
I feel like there’s already a significant downgrade in content quality since the blackout.
The subs I frequent seem… dead. Posts would regularly get 200+ karma before the blackout, but now even the top ones get only 100+, the rest hover around single digits. Mostly shallow discussions / simple topics that I simply don’t have the urge to engage in.
And those subs that don’t seem “dead”, are being filled by bots (obvious to see because they are very, very enthusiastic about everything lol)…
Right. Packets still have to go through your router, assuming that your router has firewall turned on, it goes like this:
-
Your router receives a packet.
-
It checks whether the packet is “expected” (a “related” packet) - by using connection tracking.
For example, if ComputerA had sent something to ServerX before, and now the packet received by router says “from ServerX to ComputerA”, then the packet is let through - surely, this packet is just a reply to ComputerA’s previous requests.
-
If step 2 fails - we know this is a new incoming packet. Possibly it comes from an attacker, which we don’t want. And so the router checks whether there is a rule that allows such a packet to go through (the assumption is that since you are explicitly allowing it, you know how to secure yourself.)
If I have setup a firewall rule that says “allow packets if their destination is ComputerB, TCP port 25565”, and the received packet matches this description, the router lets it through.
-
Finally, the packets that the router accepts from the previous steps are forwarded to the relevant LAN hosts.
IP addressing is just a way to give a globally unique number to each device. It’s just a number.
And there wasn’t a real public/private distinction when the Internet was still in its infancy. Printers were indeed given “public” addresses because people needed a number for it.
If you don’t want your printer to be reachable by the public Internet, use a firewall to block outside connections. If you can use NAT, you certainly can use a firewall. Heck, they are almost the same thing if you have been using the Linux kernel (iptables/nftables handle firewalling and masquerading with the same tool!)
Routability is not the same as reachability. With NAT transversal you can reach my “private” hosts all the same, although you can’t route to me because I don’t have a public address.
Port forwarding is exclusively a NAT phenomenon.
In IPv6 every device should in theory have a public address - just like how every computer had a public IPv4 address back in the 1980s ~ 1990s.
However, most sensible routers will have a firewall setup by default that blocks all incoming connections for security reasons. You still need to add firewall rules.
Living in the APNIC region, we are kinda notorious for being the first region to run out of IPv4 addresses.
The top 3 mobile ISPs in my country here have been doing CGNAT since at least 2014. Cable ISPs are limiting public IPv4 according to plans since at least 2017, i.e. if the download speed of your plan is below 200Mbps , you get CGNATed.
We are severely out of IPv4 addresses.
It’s not necessary to firewall every device. Just like how your router can handle NAT, it should be able to handle stateful firewall too.
Mine blocks all incoming connections by default. I can add (IP, port range) entries to the whitelist if I need to host a service, it’s not really different to NAT port forwarding rules.
I still have firewall (that blocks almost all incoming connections) and sshguard setup. I also check the firewall logs daily, blocking IPs that I find to be suspicious.
I could probably do better, but with so few scanners connecting to my home server, I have managed to sleep way better than back when I setup a server on IPv4!
Also, even if my home server gets attacked, at least I know that my other devices aren’t sharing the same IP with them… NAT-less is a godsend.
Lol, I have heard some ISP horror stories from the Down Under.
I am fortunate enough that my country’s government has been forcing ISPs to implement IPv6 in their backbone infrastructure, so nowadays all I have to really do is to flick a switch on the router (unfortunately many routers still turn off IPv6 by default) to get an IPv6 connection.
I use IPv6 exclusively for my homelab. The pros:
No more holepunching kludge with solutions like ZeroTier or Tailscale, just open a port and you are pretty much good to go.
The CGNAT gateway of my ISP tends to be overloaded during the holiday seasons, so using IPv6 eliminates an unstability factor for my lab.
You have a metric sh*t ton of addressing space. I have assigned my SSH server its own IPv6 address, my web server another, my Plex server yet another, … You get the idea. The nice thing here is that even if someone knows about the address to my SSH server, they can’t discover my other servers through port scanning, as was typical in IPv4 days.
Also, because of the sheer size of the addressing space, people simply can’t scan your network.