Hacker News: ExoticPearTree's comments

I like to think that Microsoft is trying to run GitHub in Windows in their Azure cloud. And on the fact that every time GitHub is down I think of "someone updated the Windows Servers GH runs on and had to reboot everything".

While I'm 99% sure it is not true, it makes me sleep better at night. And giggle a little when it goes down.


They definitely do something with Azure. Stuff related to GitHub action runs hosted on something.windows.net, which I believe is azure.

> All of the "carbon credit" guys I know are now all in on AI with zero sense of self awareness.

Some people made a lot of money off of those platforms. Everything was a nice story, but once you dug just a wee bit... smoke and mirrors.


There were definitely honest people trying to make a difference but they were unfortunately _vastly_ overshadowed by grifters.

> They invested billions. They're scared.

They could have shipped a good product with all those billions they spent in reinventing Clippy.

I have this feeling that their bet was that all the Microsoft shops will jump on Copilot without looking at alternatives, so they did not really have to make it as good as their competition.


"good" is not important for software anymore, at least in the regular consumer market. Companies have discovered that people will just continue to accept subpar, unfinished and sometimes even partially-functioning software.

"accept" is such a weird word for this, though I don't know of a better one in English.

What we seem to be experiencing is a combination of monopoly power/abuse, and regulatory/government/court capture to keep it in place.


If internet comments are any kind of indication (which they very well may not be), I've seen lots of people complaining about win11 but remaining because they can't give up playing their favorite online hero shooter. That's acceptance to me.

"tolerate" would be the better word to describe it

Agree that acceptance is irrelevant. No one has a choice, because all the “competitors” in any given niche (phone, cloud platform, PC operating system) are executing the same play. Enshittify, extract profit from ~suckers~ customers, ignore any churn because with the limited choices available there will be new suckers to replace them.

We accept this the same way we accept the air quality wherever we are.

Yes, Linux is there, but consider the barriers to the average person of truly adopting a strict Free Software life. Consider how many things in life now simply demand for you to have an Android or iOS phone. Things as simple as parking.


Well, now no one has to convince anyone to shell out for upgrades because everything is a subscription. What worked perfectly well can now get replaced out from under you overnight

Making good products simply no longer seems to be on the agenda for most of these companies.

Making good products was never Microsoft's MO. Even during the peak of the Nadella era, the good bits were side shows. Microsoft Office and Windows have always been things that succeed primarily via network effects/lock-in.

Microsoft continues to make billions in profit despite its spending on AI, because it has a diversified business that generates revenue. I don't get why they would be "scared"? It's basically a calibrated risk at that level.

> They could have shipped a good product with all those billions they spent in reinventing Clippy.

I really liked Copilot - it gave you a lot of tokens across a bunch of models and their agentic features were perfectly serviceable, alongside it being really affordable! And then they moved over to usage based billing and it no longer has that advantage over the alternatives: https://github.blog/news-insights/company-news/github-copilo...

I still think they have a really good AI tab autocomplete implementation and it's nice to be able to use that in VSC without swapping to another editor altogether... but that's not enough to really make me pay for their subscription. I could probably move to Zed altogether if I had a problem with VSC itself, though at least the base editor doesn't feel like it has been enshittified and I quite like it, all things considered.


Good products are not profitable enough. Not that good products are profitable at all, but if it doesn't make disgusting amounts of money this quarter it's not worth considering at all.

We've reached the phase of "infinite shareholder growth" where physics says no, and that is so unacceptable that we'd rather burn down the entire global economy than accept less than exponential growth. It isn't that growth is impossible either, there just can't be enough growth. Break-even is apparently a fate worse than death


The formulas used for asset valuations blow up when growth turns negative.

> They could have shipped a good product with all those billions

They did. It's called Azure: https://www.geekwire.com/2026/microsoft-tops-wall-street-exp...


Not sure "good product" and "Azure" really belong in the same sentence.

Have you read this?

https://isolveproblems.substack.com/p/how-microsoft-vaporize...


I know a few people who worked on Azure’s FedRAMP ATOs, and “good” is not a word I’ve ever heard them use.

That's largely a product of work in the 2010s. What's their next Azure? Clippy on steroids probably won't cut it.

Their next Azure is the same as the next App Store and the next YouTube; they are services, you just keep operating them while they're in the green.

Microsoft's B2C reputation is undeniably burnt, but their B2B mindshare is unshakable.


In my experience so far with Azure, it shines at one single thing: IAM and to be used as an IdP.

Even with the free version you get phish-resistant MFA, SAML, OIDC, OAuth.

But go beyond that and it is messy:

- creating a single VM is an extremely convoluted process

- Intune needs up to 24 hours to apply changes to a managed computer

- There are at least two management consoles for Entra. Each with slightly different functionalities.

I don’t know how Microsoft is organized internally, but it feels like product organizations don’t talk to each other and everybody is just building stuff on top of Azure as if their thing is the only product MS ships.


The cloud is used because execs have already got a Microsoft contract. (Not to mention the fun licensing problem.)

> Microsoft spent literal decades rehabilitating their reputation. And then set fire to the whole thing in an offering to their robot gods.

Probably they thought the new generations forgot about how awful they were in the not so distant past.

I think they set it all on fire because greed got the better of them again.


> greed

Is a greed/not greed scale really useful to discuss company behaviors?

I wanted to say I get what you mean, but even thinking about the company I root for the most, I can't think of a point where they're not driven by their desire to make a lot more money.

If your point is that there's good and bad ways to seek money, I'm not sure it's properly encompassed by "greed", which I interpret as the intensity of a desire, not its nature or validity.

To you "greed" might mean something else, but is it properly conveyed?


The Seven Deadly Sins provide an interesting perspective to human psychology even in modern times. Greed / avarice is defined as wanting more than you need.

Who decides how much you need?

Based on your nickname, you?

I was recently using an inexpensive paper shredder. I had an urge to put in too many papers at one time, which jams the shredder. Taking into account the time needed to unjam the shredder, the end result is that it takes more time for me to process the papers if I give in to my urge than if I resist the urge and only put in just the right amount of papers. Then I can claim that the "shredder is of bad quality", instead of seeing how I contribute to the problem.

As my aim was to shred papers efficiently, my "sin" (sin = to miss the mark, not to hit the aim) was greed, and the virtuous path is to successfully resist the urge. The blessing I get from the virtuous path is the joy of the flow when I efficiently shred the papers.

Yesterday, I was in a shop when I was hungry, and I felt the urge to buy a large chocolate bar. Being hungry, it would have been a constant struggle not to eat all of it if I had bought it. Eating a whole large chocolate bar does not make me feel so good.

As my personal aim is to feel good, eating a whole large chocolate bar at one go is a sin in relation to that aim. I successfully resisted the urge to buy the large chocolate bar -- and did so by buying a small one. That way I did not "sin" too much towards my aim of feeling good, because the small chocolate bar did not affect my well-being almost at all.

On the surface, it might appear more virtuous to not buy any chocolate bar. However, I know myself from prior experience that if I had "successfully" resisted the natural urge at the shop, it might have caused me to later be unable to resist the urge to buy a large chocolate bar from a kiosk.

So knowing myself to be the imperfect human being in these scenarios, buying a small chocolate bar at the shop was actually more aligned with my aim of feeling good than not buying it, because the end result was more aligned with my aim of feeling good.

Modern psychology would probably say that this urge is in my superego. Maybe as a child, I learned that I don't usually get what I need, so when something is available, I feel the urge to take as much as I can -- i.e. greed is something that I will encounter in many things that I do, keeping me from hitting the mark. As this is a very common way humans miss the mark and deeper in the psychology, it is a Deadly Sin.

Some theological and psychological perspectives posit that the belief that this urge is a part of me -- i.e. I identify with the urge, I believe that "I am greedy" -- is actually part of the problem. So a better formulation would be instead of "WHO decides how much I need" to ask "WHAT IN ME decides how much I need". And then, what is a healthy and useful relationship towards those urges. And it may be different in different circumstances, hence resisting the urge to put in too many papers, but replacing the urge with a lesser one in case of chocolate bars.

The point might not be to learn to "control" the urge -- we can learn from system theory that excessive control might cause a backlash -- in terms of some systems even literally. More healthy relationship is often to just observe -- and then learn how such urges affect my well-being -- i.e. to learn more about myself. Often the observation itself is enough to have an effect.

We can take a corporate analogy (literally, corpus = body) and ask, what in organizations (again, organization has the same literal root as organism) cause them to be "greedy". In other words, what drives organizations to have an urge for excessive profits that they ignore the harms they cause to employees, society at large or even customers (i.e. enshittification). This urge appears very similar as the urge in humans.

That question will lead to other interesting questions about politics, economics etc. For example, you can ask, what is the aim of such corporations, and whether that aim produces results aligned with the aims of societies at large, etc.


Maybe long term vs. short term is the key idea. Apple, for example, could rake in bountiful measures in the short term if they ventured away from their boutique-electronic-consumer-goods niche. In the long run it would hurt their bottom line to do so.

Approximately everybody would like more money.

Greedy people put the desire for more money above the welfare of the business, themselves, and others. Greedy people literally put their desire for more personal wealth above the very lives of others.

Greed/not greed is a very fair way of putting it. One can operate a business that requires profit without wanting to destroy everyone and everything that stands in the way of more money.


I think there's one more factor that is crucially important — greedy people lack long-term vision, and care a lot more about money now than they do about potentially much more money in the future.

I suppose it's kind of interesting that you could measure greed as an unusually high discount rate for the time value of money?


> Approximately everybody would like more money.

For me (and many others), money is a means to an end. I don’t want money per se, I want housing and food and things that money can buy.

But for a few, money is the goal. They want money for the sake of more money. They don’t need more. That’s greed.


> Greedy people put the desire for more money above the welfare of the business

In my experience, it's much simpler.

People are greedy if they make things I want cost more.


I'm old generation and almost forgot for a while. GitHub was good even on their hands at the beginning, C# is amazing, TypeScript is amazing, wsl2 is game changer (which includes the change in Microsoft's position about linux), vscode is amazing, microsoft great increase in presence on opensource was nice (rushstack for example), etc...

But well, they still have the garbage side, which seems to be spreading again.


I second the C# praise: we have a few teams building software with C# and having to debug it here and there, it is very modern, compiles cross-platform and has lots of functionality already built-in and from the release notes I read from time to time, the people behind it know what they are doing.

I used to work at a C# firm and we always called it "Microsoft Java", but that's such an insult. C# is way better, I've really enjoyed writing in it.

And it actually has pretty good interop with C++/CLI, too.


> Probably they thought the new generations forgot about how awful they were in the not so distant past.

More likely, never learned about it in the first place, save a few whispers. Who's got time to go digging in deep, when there's 'experiments to run, research to be done' ...

> I think they set it all on fire because greed got the better of them again.

new blood, new greed


> Probably they thought the new generations forgot about how awful they were in the not so distant past.

And they're right.


AI psychosis. Divide between rich and poor. They live in their own golden bubbles and there's no sanity checks. The workers are so far removed from the realm of competence and influence it's just CEOs and VPs trying to pump the next 6 months stock value regardless of anything.

It's like the zeitgeist has decided the only thing that matters is their own farts and how they don't smell.


Whomever at Microsoft is making these decisions and oversees all this, yeeeesh

Isn't that just like.. what Microsoft has always been? Browser wars, Tay, bad behavior around open source software.. This is how they roll. They're being their best selves.

The difference

(Previously) Microsoft EVP: "Dumb decision" -> org executes

(Now) Microsoft PM: "Dumb decision related to AI" -> team immediately executes

So they've pushed bad decision making down the hierarchy?


That's a good point, but literally every company I know of is doing that rn. They're still doing it in a distinctly Microsofty way.

Tay turned out poorly, but it's a strange inclusion. It was simply a research project that failed.

Thank you for this. I completely agree. Microsoft has always been awful, and they likely always will be. However, they did strike gold a handful of times, and they are just reliable enough to feed enterprises.

Apple, Oracle, Adobe, Google, IBM, Microsoft, etc... All the established players have their own distinct flavor of awful. This incident is just a very on-brand flavor for Microsoft.

The fish rots from the head. The AI push, the destruction of Windows are the result of Nadella's strategy.

> It was extremely irresponsible to share the exploit with the world before the distributions shipped the fix.

I disagree. Exploits should be published as soon as they are written, and found vulnerabilities should have as much detail as possible, because if the researchers cannot write an exploit, someone else could.

- this has the advantage of forcing upgrades as soon as possible. No more “we need to see and schedule patching”

- publishing it as soon as possible makes everyone aware of the threat

- it is a learning experience for everyone

- “responsible disclosure” was invented by lazy companies that have zero interest in fixing a problem quickly


This is an example of how simplicity won over features.

Not even then, when people with access to computers were probably in the thousands, would anyone have liked to type "C=no; ADMD=; PRMD=uninett; O=uninett; S=alvestrand; G=harald" just like in the example of the article.


Is this an example of simplicity winning over features, or an example of features that are advertised but don't exist failing to win over the competition?

Some examples from the article:

> You could have messaged an entire organization or department

This is a mailing list.

> So it was possible, say, for one implementation of X.400 to offer X.400 features like recalling a message, in theory at least, when such guarantees would fail as soon as messages left their walled garden. But “they couldn't buck the rules of physics,” Borenstein concluded. Once a message reached another server, the X.400 implementations could say that an email was recalled or permanently deleted, but there was no way to prove that it hadn’t been backed up surreptitiously.

This is a feature that (1) is in the spec, and also (2) is impossible to implement. That's not a real feature. It's a bug in the spec.

> You don’t email with X.400 today. That is, unless you work in aviation, where AMHS communications for sharing flight plans and more are still based on X.400 standards (which enables, among other things, prioritizing messages and sending them to the tower at an airport instead of a specific individual).

This is... also a mailing list. There's nothing difficult about having an email address for the tower. That email could go to one person, or many people. What's the difference supposed to be? What "feature" are we saying X.400 has that email didn't start with?


>> You could have messaged an entire organization or department

> This is a mailing list.

The way I understand it, the layering is different. In X.400, multicasting was a feature of the protocol. An SMTP mailing list, on the other hand, is an endpoint that terminates a protocol transaction, and then initiates one transaction for each final recipient.

I guess it boils down to where it is preferable to have the extra complexity: the ITU-T protocols invariably prefer to put it inside the network, while the Internet protocols prefer to put it at the endpoints. The SMTP protocol is simple, and therefore the mailing list software needs to be complex.


You were not supposed to type it out, you looked it up using your X.500 directory.


All we need is an x.500 directory of all addresses in the world, which won't be abused by anyone at anytime!


However did we live during the era of the White Pages phone directory.


Sure, but then you have the problem of figuring out which Sarah Connor in Los Angeles.

To say nothing of popular names.


My name is not particularly common although I was the first to claim firstname.lastname@gmail.com. I've been getting email intended for other people with the same name for decades.

I've seen estimates that there are only 10,000 people with my last name in the US. Back in the days of local telephone directories, I was always the only one with that last name.

Internet scaling is an interesting thing. I don't know if I feel less unique or that I'm in an exclusive club.


I registered [my HN username]@yahoo.com many, many years ago. Once a year I log into that mail account and I'm always amazed at how many other people have decided to give out that email, at Yahoo! of all places, as their own. Why? Just, why?


Spam and scam had to work on a human scale, via locals paid something resembling a living wage, not automated machines sending millions a second or people working for pennies a day.

I want a phone that can only ring if the source of the call is within artillery range.


White pages were for a city/phone company area. If you dug up all of them you'd have to have a pretty damned big room. Also, it took a long time to search.


> It concerns me how casual the article and some of the comments here discuss an actual war against China, as if that were a reasonable scenario.

The last few wars started by the US were based on scenarios that looked good on paper, and in reality they did not go so well.

Look at the Iran war: "we're gonna kill their supreme leader and the regime will fall". Almost two months later nothing changed in any significant way despite bombing it relentlessly.

Coming back to your concern, I'm pretty sure some people at the Pentagon believe the US can fight China using an expeditionary force and somehow win.


The Iran War never looked good on paper. The only people who thought it would succeed were Trump and the cast of characters he surrounded himself with. I doubt if many congressional Republican chickenhawks thought it would succeed.

The only way to oust the regime is with ground troops, ripping out the Revolutionary Guard and its tentacles. For all its corruption, Iran is far from a failed state, and there aren't factions waiting in the wings, ready and willing to take over the government with force. (There are political factions, to be sure, but they're already integrated into the government, though without leverage over the Revolutionary Guard.) The only armed group remotely capable of even trying would be the Kurds, but the US and in particular Trump screwed them over in the past, multiple times. Even if they thought they could go it alone (which they couldn't), there was zero chance they were going to enter the fray without the US committing itself fully with their own invasion force (i.e. success was guaranteed), because failure would mean ethnic Kurds would be extirpated from Iran, and might induce Iraq and Syria to revisit the question of Kurdish loyalty to their own states. And, indeed, Kurdish groups took a wait and see approach, assembling some forces but waiting to see how the US played their cards.



It's just so ridiculous. Nobody is going to be writing books about the mistakes or hubris of US intelligence, military strategists, or political scholars and analysts. Even the most diehard American proponents of regime change in Iran, at least those with any competence, could have predicted (and did predict) this outcome. This was 100% a Trump fiasco, though the whole country shares some culpability for this kind of epic failure by allowing someone like Trump to win the presidency... again.

It's a little ironic that it's due in part[1] to Trump's reticence to commit ground forces that we've come to this pass. I hesitate to criticize that disposition, but at the same time it's malfeasance to start a war without being willing and able to fully commit to the objective.

[1] Assuming the war had to happen, which of course it didn't.


> The Iran War never looked good on paper. The only people who thought it would succeed were Trump and the cast of characters he surrounded himself with.

Not to nitpick, but “looked good on paper” was a euphemism for “the powers that be think it's doable”. And yes, you are right: Trump surrounded himself with “loyalists” this time that won’t go against him like in the previous administration, but with the very undesirable effect of amplifying the echo chamber he lives in.

And like someone said in this thread, lots of hubris.

I am no expert on Iran, but all documentaries that I’ve seen about this reach the same conclusion: you don’t invade Iran using ground forces.


An invasion likely would turn into a quagmire, but what keeps regime proponents eternally hopeful is that unlike Afghanistan, Iraq, Vietnam, etc, Iran has a robust political system. The dictatorship notwithstanding, it has a vibrant parliament and, by global standards, a decent electoral system. The Ayatollah rules by following the maxim, keep your friends close and your enemies closer. If you could excise the Revolutionary Guard (a big if), you wouldn't necessarily need to change the government or its institutions. The existing liberal and moderate factions could quickly fill the vacuum, and would be happy to do so. You wouldn't get a pliant Iran, but that's for the better.

So by invasion the idea would be to rapidly, physically excise the apparatus the Ayatollahs use to maintain control. The structure and identity of that group is well known. It's a large group, and you couldn't catch all the leaders, but so long as you can stop their ability to enforce their rule through execution, you give the rest of the country time to shut them out of the institutions. In theory just weeks.

The problem is the very thing that makes regime change a plausibly good idea--a stable polity and modern, liberal-ish institutions--is the very thing that could result in failure. The Ayatollahs understood that a fragile, backwards system would be a weakness to their rule. Their military and bureaucracy are professional; they know how to follow orders, without being micromanaged, and even if everyone wants regime change, there's a huge collective action problem.


The Iran war - for all it was a bad idea - eliminated a lot of Iran's war capacity, which seems to be the real goal - near as anyone can tell what they were. Regime change would be nice, but needs more than the US ever gave indication they would do.

The follow-on effects like the closing of the strait were obvious, which is why few Iran haters thought it was a good idea.


The estimates I’ve seen say they lost/used 33% of their conventional capacity, 33% was rendered inoperable but recoverable.

I’d guess with the ceasefire, they’re probably back to 40-50% online.

The nuclear capability story is even worse: they were mostly mothballed prewar, suffered partial refinement damage and minimal stockpile loss. Refinement will be back online sometime in the next few years (unless this is a forever war), with weapons following shortly after that.


My first IPv6 implementation was in 2010-2011 (memory a bit fuzzy). Carriers supporting BGP over IPv6 were few, websites over IPv6 were also scarce.

Fast forward 15 years and the situation has improved quite dramatically.

IPv6 has some quirks that make it harder to digest.

- link-local gateway address, makes it hard to understand why the subnet does not have a gateway from the same address space

- privacy extensions: it is very hard to explain to people why they have 3-4 IPv6 addresses assigned to their computer

- multicast instead of broadcast

- way too many ways for autoconfiguration (SLAAC, DHCPv6)

- no real tentative mapping to what people were used to. Every IPv6 presentation I did had to start with “forget everything you know about IPv4”

In the enterprise space, if you mention globally reachable address space, the discussion tends to end pretty fast because “it's not secure”. Those people love their NAT.
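The address-related quirks in the list above (link-local gateway, privacy extensions, several addresses per interface) are easier to explain with data than with slides. The script below is an added example, not code from the commenter: it classifies each address on an interface by scope and by how it was generated (SLAAC/EUI-64 from the MAC versus a random RFC 4941 temporary address) and explains the link-local next hop. The MAC, addresses and gateway are constructed sample values.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample input: one NIC and the addresses a typical host ends up
# with after receiving router advertisements. Not taken from any real machine.
SAMPLE_MAC = "00:11:22:33:44:55"
SAMPLE_ADDRESSES = [
    "fe80::211:22ff:fe33:4455",              # link-local, always present
    "2001:db8:1::211:22ff:fe33:4455",        # global, SLAAC from the MAC
    "2001:db8:1:0:8d2a:1b7e:c0ff:ee42",      # global, RFC 4941 temporary
    "fd12:3456:789a:0:211:22ff:fe33:4455",   # ULA, SLAAC from the MAC
]
SAMPLE_GATEWAY = "fe80::1"                   # default route next hop from the RA

GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")
IID_MASK = (1 << 64) - 1


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 (RFC 4291 appendix A): flip the universal/local bit of
    the first octet and splice ff:fe into the middle of the 48-bit MAC."""
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(iid, "big")


def classify(addr_str: str, mac: str) -> Tuple[str, str]:
    """Return (scope, origin) for one address on the interface with `mac`."""
    addr = ipaddress.IPv6Address(addr_str)
    if addr.is_link_local:                 # fe80::/10
        scope = "link-local"
    elif addr in UNIQUE_LOCAL:             # fc00::/7, the IPv6 "RFC 1918"
        scope = "unique-local"
    elif addr in GLOBAL_UNICAST:           # 2000::/3, checked explicitly so the
        scope = "global"                   # 2001:db8::/32 docs range counts too
    else:
        scope = "other"

    iid = int(addr) & IID_MASK             # low 64 bits = interface identifier
    if iid == eui64_interface_id(mac):
        origin = "SLAAC/EUI-64, stable, derived from this MAC"
    elif (iid >> 24) & 0xFFFF == 0xFFFE:   # ff:fe in the middle of the IID
        origin = "EUI-64 pattern but from a different MAC"
    else:
        # RFC 4941 temporary addresses are random and rotate periodically,
        # which is why the number of global addresses on a host changes.
        origin = "random: temporary/privacy or manually assigned"
    return scope, origin


def describe_gateway(gateway: str) -> str:
    """Explain why the default route does not sit in the subnet's own prefix."""
    gw = ipaddress.IPv6Address(gateway)
    if gw.is_link_local:
        return "link-local next hop: normal, it is the router's RA source address"
    return "non-link-local next hop: unusual, static route or manual config"


def explain_host(mac: str, addrs: List[str], gateway: str) -> Dict[str, str]:
    """Map each address to a one-line explanation, plus the gateway entry."""
    report = {a: "%s, %s" % classify(a, mac) for a in addrs}
    report["default via " + gateway] = describe_gateway(gateway)
    return report


if __name__ == "__main__":
    for key, text in explain_host(SAMPLE_MAC, SAMPLE_ADDRESSES, SAMPLE_GATEWAY).items():
        print(f"{key:40} {text}")
```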


> In the enterprise space, if you mention globally reachable address space, the discussion tends to end pretty fast because “it's not secure”.

Topic drift, but for younger people who didn't live it, that's how it used to be!

For most of the 90s my workstation in the office (at several employers) was directly on the Internet. There were no firewalls, no filtering of any kind. I ran my email server on my desktop workstation to receive all emails, both from "internal" (but there was no "internal" really, since every host was on the Internet) people and anyone in the world. I ran my web server on that same workstation, accessible to the whole Internet.

That was the norm, the Internet was completely peer to peer. Good times.


Pretty much all tech companies and universities had a drop-in ftp server where anyone could, anonymously, put and retrieve files. It was a collective 'pastebin' useful to exchange information with clients and partners.

On the ftp server of the company I worked for, someone had put a cracked copy of our software for their colleagues to use.


Same! I even had my home network on a public /24.


The good ol’ days. Same. Had a public IP on my computer, could SSH into it to read my mail.


That I still do, but now it goes through a firewall, a bastion host and a second different firewall.


I still do this today!


You run a mail server on a residential IP? I thought that pretty much guarantees non delivery nowadays?


> Good times.

Hope you're sarcastic, because they really weren't. It was a shitshow for decades until we figured out just a bit of a clue about security practices.


The nice thing about NAT is it makes the security model easier to reason about.

By this, I don’t mean it’s more secure, because I know it isn’t. But it is a lot easier to see and to explain what has access to what. And the problem with enterprise is that 80% of the work is explaining to other people, usually non-technical or pseudo-technical decision makers, why your design is safe.

I really do think IPv6 missed a trick by not offering that.


> The nice thing about NAT [...] I really do think IPv6 missed a trick by not offering that

IPv6 supports NAT [0], and nearly all routers make it easy to enable. The primary differences compared to IPv4 is that no-NAT is the default, and that it's more heavily discouraged, but it still works just as well as it does with IPv4.

[0]: In the same way that IPv4 "supports" NAT, meaning that the protocol doesn't officially support it, but it's still possible to implement.


But would we have said the same in 1996 or 2000? Part of the adoption curve seems to be that it took years to abandon some of the bad ideas around IPv6 and readopt some of the better ones from IPv4. And a good chunk of the complexity of IPv6 is that some of the early ideas are very persistent, both in some deployed systems and in people's minds


> But would we have said the same in 1996 or 2000?

IPv6 the protocol supported NAT just as well back then as it does now, but the software probably didn't. Which goes back to my point [0] [1] that IPv6 is a great protocol with bad tooling and documentation.

> Part of the adoption curve seems to be that it took years to abandon some of the bad ideas around IPv6 and readopt some of the better ones from IPv4.

The only abandoned IPv6 concept that I'm personally aware of is A6 records [2], but I'm pretty young, so I'm sure that there are others that I'm just not aware of. My impression from reading the RFCs and Wikipedia is that IPv6 hasn't changed very much, but that doesn't really mean anything, since I wouldn't expect for current sources to talk about concepts abandoned 20+ years ago.

[0]: https://news.ycombinator.com/item?id=47814070

[1]: https://news.ycombinator.com/item?id=44773999

[2]: https://datatracker.ietf.org/doc/html/rfc6563


Just because it technically supported something in some RFC it doesn't mean you could get affordable and capable equipment supporting it.


> IPv6 supports NAT

You say that, but in practice it does not.

My consumer router, and every router I have configured, implicitly supports IPv4 NAT out of the box. But it will never NAT an IPv6 network. If I enable IPv6 then it operates by IPv6 rules, which means each device gets a Network ID and each Network ID gets routed directly and transparently. The router has no NAT table and no NAT settings for this protocol.

So if NAT is “supported” whatever that means, it simply isn’t possible for most end-users.


Consumer routers don't support lots of useful stuff though, so them not supporting NAT66 isn't very surprising. Enthusiasts are likely to use OpenWRT or nftables, both of which support NAT66 [0], and quickly Googling some random enterprise routers shows that they all support NAT66 too [1] [2] [3].

This isn't enabled by default because it's usually a bad idea, but it's certainly possible if you really want. (It's discouraged because NAT in general is a bad idea, but it's no worse with IPv6 than with IPv4; the only difference being that IPv4 effectively requires NAT.)

[0]: https://openwrt.org/docs/guide-user/network/ipv6/ipv6.nat6

[1]: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat...

[2]: https://www.animmouse.com/p/how-to-nat-ipv6-in-mikrotik/

[3]: https://www.juniper.net/documentation/us/en/software/junos/i...


IPv6 DOES support NAT.

If you've got a car that can't go 100, that doesn't mean nobody can, or that it doesn't exist. I don't care if you can't do it, it IS supported in the spec.


That’s an interesting analogy because there’s several ways you could easily dismiss it.

For example: if roads aren’t built to support cars travelling at 100 miles per hour then it doesn’t matter how much you argue that cars can do 100MPH, because you’re still not going to be travelling at 100MPH.

Or

But if the only cars that can travel at 100 MPH are Bugatti Veyrons then it’s safe to say that 100MPH cars aren’t something available to even the average consumer of high end sports cars.

Or

Sure, some cars can travel at 100 MPH, but they’re so unstable at those speeds that it’s not even safe to attempt it.

…You get the idea.


That is the same argument as with USB: USB supports X, but 90% of USB doesn't implement it. In reality that is no different from not supported.


NAT is evil!


The price you pay is that it's more difficult to reason about what is accessible from elsewhere, because all devices are represented by your router from the outside, and there are no great ways to opt out of that.

With NAT removed, you've still got the firewall rules, and that's fairly easy to reason about for me: Block anything from outside to inside, except X. Allow A talking to B. Allow B to receive Y from outside.


> and that's fairly easy to reason about for me

But we aren’t talking about someone technical glancing at their home router's firewall. We are talking about explaining a network topology to enterprise teams like change management, CISO, etc in large infrastructure environments.

That’s a whole different problem and half the time the people signing off that change either aren’t familiar with the infrastructure (which means explaining the entire context from the ground up) and often aren’t even engineers, so they need those changes explained in a simplified way while still retaining the technical detail.

These types of organisations mandate CIS / NIST / etc compliance even where it makes zero sense, and getting action items in such reports marked as “not required” often takes a meeting in itself with deep architectural discussions with semi-technical people.

Are these types of organisations overly bureaucratic? Absolutely. But that’s typical for any enterprise organisation where processes have been placed to protect individuals and the business from undue risk.

In short, what works for home setups or even a start up isn’t necessarily what’s going to work for enterprise.


> But we aren’t talking about someone technical glancing at their home routers firewall.

Are we not? Because I suppose most people here are only disgruntled by a new protocol that changes how their home router works, and having to spend some learning effort.

For network admins in commercial settings, this is even less of an excuse. IPv6, the protocol, is fairly well documented and understandable if you put in the work to do so. And I am confident in saying it is absolutely able to deliver on any kind of corporate network scenario, even more so than IPv4.


> Are we not? Because I suppose most people here are only disgruntled by a new protocol that changes how their home router works, and having to spend some learning effort.

People at home don’t care about protocols. If the WiFi works and the TV plays Netflix or Hulu or whatever, the protocol can be anything.

Last time I “cared” was when I changed the DHCP network to not overlap with the VPN. And that was a long time ago.


That would be my take as well, but feel free to read some of the sibling comments here, eager to bikeshed over the IPs of their equipment.


HN users aren’t typical home users.

Also I’m really not seeing many people here “bikeshedding” over their home gear. Are you sure you’re reading these comments and not some other IPv6 discussion? Because those conversations definitely do happen but this particular thread hasn’t gone like that.


> Are we not? Because I suppose most people here are only disgruntled by a new protocol that changes how their home router works, and having to spend some learning effort.

I did make the context pretty clear when I said:

> the problem with enterprise is…

Also, you completely missed my point when you said:

> if you put in the work to do so. And I am confident in saying it is absolutely able to deliver on any kind of corporate network scenario, even moreso than IPv4.

My point wasn’t that IPv6 cannot deliver enterprise solutions. It’s that some of the design around it makes the process of deploying enterprise solutions more painful than it needed to be.


Nope, it doesn't. The security model is based on your firewalls and routing, not on NAT. NAT just gets in the way and makes it harder to understand what's going on.

For example, on a normal home network, if you don't have a firewall on your router then your ISP can connect to anything on your network. Even when they don't control the router and even if you're NATing.

If you didn't realize this then apparently NAT didn't make it easier to reason about after all.


Can you say more about the ISP connecting to any computer on your network? I can’t find any references to this aspect in googling the right terms and the concept is foreign to me.

There are a bunch of ways to break it, or misconfigure it. But I have no idea what this ISP method is.


It's just normal routing. If you send packets to a router, it'll route them.

More concretely, they can run the equivalent of `ip route add 192.168.1.0/24 via <your WAN IP>` on a machine that's connected to your WAN network, and then their machine will send packets with a dest of 192.168.1.x to your router. Your router will route them onto your LAN because that's what its own routing table says to do with them.

Anyone on your immediate upstream network can do this, not just your ISP. Also, if you use ISP-assigned GUAs then this inbound route will already exist and anyone on the Internet can connect. Applying NAT to your outbound connections will change their apparent source address, but it won't make that inbound route disappear.


Have you tried that?

I have yet to see a router that allows that forwarding unless explicitly configured. Still, I'm using mostly openwrt/opnsense/mikrotik.

Default is to disallow/block forwarding packets from public wan to private range lan.

The ISP can still inject packets on ports that NAT opens if it spoofs the source address/port, so there is still some validity to the argument.


Yup, repeatedly.

It's true that almost everything comes with a firewall rule that blocks new connections from the WAN to the LAN, so in practice these connections will be blocked on most things by default. But they come with this rule precisely because NAT doesn't do the job.


> Yup, repeatedly

Cool, me too :)

Anyway, the other side of the argument:

It is the default and default is secure. Users don't have to reason about it, they can assume it works, how doesn't matter and they may lack training/willingness to figure out.

You can't say the same for IPv6 where the default is allow (have things changed? I haven't checked in a long time).


Of course you can say the same for v6. Blocking connections that go from WAN to LAN by default has the same effect on both protocol families. If you assume that having the appropriate firewall rule to do that is the default then inbound connections will also be blocked on v6 by default.

NAT contributes nothing to your security in this scenario, and instead makes it harder (not easier) to understand and reason about what your router is doing.


> If you assume that having the appropriate firewall rule to do that is the default

That's the thing, it's not the default. The default is a public IPv6 address for everyone and it's the user's duty to configure the firewall...

I could definitely set this up easily, someone like my parents or friends would ask me 'what's IPv6?'


Ah, okay. In that case v4 doesn't have a firewall by default either.

That's precisely why routers come configured with a firewall that blocks inbound connections from the WAN -- because the protocol itself doesn't have a firewall by default, and neither does NAT.


20 some years ago when cable broadband was new, you connected a computer and got a public IP. For this example let's just assume it was a public /24. Back then there was no firewall built into Windows; it didn't ask you if you were connecting to a public or private network.

For some ISPs you could connect a switch or hub (they still existed when cable came out, 1gbps switches were expensive) and connect multiple computers and they would all get different public IPs.

Back then a lot of network applications like Windows file sharing heavily used the local subnet broadcast IP to announce themselves to other local computers on the network. Yes, this meant when you opened up Windows file sharing you might see the share from Dave's computer across town. I don't recall if the hidden always-on shares like C$ were widely known about at this time.

ISPs fixed this by blocking most of the traffic to and from the subnet broadcast address at the modem/headend level, but for some time after I could still run a packet capture and see all the ARP packets and some other broadcasts from other modems on my node, but it wasn't enough to be able to interfere with them anymore.


I understand this aspect, and this conversation is tricky because most consumer routers have this barebones firewall built in to reject the routing mentioned by the OP. So what we think of as a "router doing nat" often is subtly doing more. I'd hate to call what a barebones consumer router is doing a firewall because there are important firewall features that it does not have that are necessary for security.


NAT is a stateful firewall with a trick.

One is exactly as complicated to reason about as the other.

Except on one you don't need the trick.


NAT is state tracking with a trick, but not firewalling. It doesn't block connections, so it's not a firewall.


Not in the context I was describing.


It's just one firewall rule at the border to block all inbound traffic to a subnet or a range unless related to an outbound connection. Now you have identical security to a NAT. The huge win is you can forget about port forwarding and later just open the ports you need to the hosts you need or even the whole host if required.
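As an added example (not from anyone in this thread), a toy model of a router's forwarding path that shows the two claims made above: an upstream host that routes your LAN prefix via your WAN address gets its packets forwarded whether or not NAT is on, and the single "drop new WAN->LAN flows unless established" rule blocks that identically for IPv4 and IPv6 while replies to your own connections still arrive. All addresses are constructed documentation/test-net values.

```python
"""Added example, not from the thread: a toy model of a home router's
forwarding path (routing table, optional SNAT with connection tracking,
optional stateful border rule). All addresses are constructed samples."""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    iface: str  # interface the packet arrived on: "lan" or "wan"


@dataclass
class Router:
    lan_net: str               # prefix routed via the LAN interface
    wan_addr: str              # router's WAN address, used as SNAT source
    nat: bool = False          # masquerade LAN->WAN flows
    stateful_fw: bool = False  # drop new WAN->LAN flows unless established
    conntrack: set = field(default_factory=set)  # (lan_host, lport, ext, eport)

    def _on_lan(self, addr):
        return ipaddress.ip_address(addr) in ipaddress.ip_network(self.lan_net)

    def forward(self, pkt):
        """Return (egress_iface, packet as sent) or None if not forwarded."""
        if pkt.iface == "lan" and not self._on_lan(pkt.dst):
            self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            if self.nat:  # SNAT: hide the LAN host behind the WAN address
                pkt = Packet(self.wan_addr, pkt.dst, pkt.sport, pkt.dport, "lan")
            return ("wan", pkt)
        if pkt.iface == "wan":
            if self.nat and pkt.dst == self.wan_addr:
                # Reply to a translated flow: undo the SNAT and deliver it.
                for host, lport, ext, eport in self.conntrack:
                    if (lport, ext, eport) == (pkt.dport, pkt.src, pkt.sport):
                        return ("lan", Packet(pkt.src, host, pkt.sport, pkt.dport, "wan"))
                return None  # addressed to the router itself; not forwarded
            if self._on_lan(pkt.dst):
                # The LAN route exists whether NAT is on or not, so the packet
                # is forwarded unless the stateful rule blocks it. NAT state
                # only rewrites addresses; it never drops anything.
                known = (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conntrack
                if self.stateful_fw and not known:
                    return None
                return ("lan", pkt)
        return None


def unsolicited_probe_forwarded(lan_net, lan_host, wan_addr, upstream, nat, fw):
    """True if upstream can reach lan_host directly after the host has made
    one ordinary outbound flow (the upstream-adds-a-route scenario)."""
    r = Router(lan_net, wan_addr, nat=nat, stateful_fw=fw)
    r.forward(Packet(lan_host, upstream, 40000, 443, "lan"))
    return r.forward(Packet(upstream, lan_host, 12345, 22, "wan")) is not None


def reply_delivered(lan_net, lan_host, wan_addr, upstream, nat, fw):
    """True if the reply to the host's own outbound flow still arrives."""
    r = Router(lan_net, wan_addr, nat=nat, stateful_fw=fw)
    _, out = r.forward(Packet(lan_host, upstream, 40000, 443, "lan"))
    back = r.forward(Packet(upstream, out.src, 443, 40000, "wan"))
    return back is not None and back[1].dst == lan_host


if __name__ == "__main__":
    v4 = ("192.168.1.0/24", "192.168.1.10", "198.51.100.7", "198.51.100.1")
    v6 = ("2001:db8:1::/64", "2001:db8:1::10", "2001:db8::7", "2001:db8::1")
    for args in (v4, v6):
        for nat, fw in ((True, False), (False, True)):
            print(args[0], "nat=%s fw=%s probe=%s reply=%s" % (nat, fw,
                  unsolicited_probe_forwarded(*args, nat, fw), reply_delivered(*args, nat, fw)))
```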


Is it really identical when the receiving party can now identify every workstation at your internal network and track them separately?

For example, any website can now not only log that the traffic originated from org A, but specifically from org A, workstation N.

I wonder, is the privacy implication not important enough for people to worry about this?


At this point, the people who would be worried about this ought to know that temporary addresses are a thing, and that they prevent workstation N from having a single fixed IP for its outbound connections that it could be identified with.


> any website can now not only log that the traffic originated from org A, but specifically from org A, workstation N.

GeoIP databases and Cookies exist. So I'm not sure how your threat profile has increased here.

> I wonder, is privacy implication is not important enough for people to worry about this?

The most you can do over what is already possible is attempt an inventory or unit count of my office; however, you'd have to get every computer in my office to go to the same website that you control. Then you'd have to control for upgrades and other machine movements. I don't think this enables anything in particular.


One good thing about IPv6 is that any reasonable allocation will be large enough to use sizable chunks as functional divisions.

A small company might have a /48. You don't have to be concerned about address space when you just go, ok, first bit is for security zones. Or first 2 bits. Or first 3 bits. Do you need more than 8 security zones?

(Also, ULAs¹ exist, and most people should use them, independent of a possible consideration to not roll out GUAs² in parallel as one would normally do.)

¹ Unique Local Address, fc..: and fd..:

² Global Unicast Address


Pretty much the only way I've seen a /48 split in practice is to get 256 /56 (one per site) then 256 /64 (one per VLAN).
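As an added example (not from anyone in this thread), a small address-plan helper that combines the two layouts described above: the leading bits after the /48 select a security zone, and within a zone each site gets a /56 and each VLAN a /64, with a reverse lookup from an address to its zone/site/VLAN. 2001:db8:abcd::/48 is a sample documentation prefix, not anyone's real allocation.

```python
"""Added example, not from the thread: carving one /48 into
[zone bits][site bits][8 VLAN bits] and mapping addresses back."""
import ipaddress


class Plan48:
    def __init__(self, org, zone_bits):
        self.org = ipaddress.IPv6Network(org)
        if self.org.prefixlen != 48 or not 0 <= zone_bits <= 8:
            raise ValueError("expects a /48 and 0..8 zone bits")
        self.base = int(self.org.network_address)
        # Address bits 48..63 are used as: [zone_bits][8-zone_bits: site][8: vlan]
        self.zone_bits = zone_bits
        self.site_bits = 8 - zone_bits

    @staticmethod
    def _check(value, bits, name):
        if not 0 <= value < (1 << bits):
            raise ValueError(f"{name} must be in 0..{(1 << bits) - 1}")

    def zone(self, zone):
        """Prefix covering a whole security zone (a /51 with 3 zone bits)."""
        self._check(zone, self.zone_bits, "zone")
        return ipaddress.IPv6Network(
            (self.base + (zone << (80 - self.zone_bits)), 48 + self.zone_bits))

    def site(self, zone, site):
        """/56 for one site inside a zone (2**site_bits sites per zone)."""
        self._check(site, self.site_bits, "site")
        return ipaddress.IPv6Network(
            (int(self.zone(zone).network_address) + (site << 72), 56))

    def vlan(self, zone, site, vlan):
        """/64 for one VLAN at one site (256 VLANs per site)."""
        self._check(vlan, 8, "vlan")
        return ipaddress.IPv6Network(
            (int(self.site(zone, site).network_address) + (vlan << 64), 64))

    def locate(self, addr):
        """Map any address inside the /48 back to (zone, site, vlan)."""
        a = ipaddress.IPv6Address(addr)
        if a not in self.org:
            raise ValueError(f"{addr} is outside {self.org}")
        off = int(a) - self.base
        return (off >> (80 - self.zone_bits),
                (off >> 72) & ((1 << self.site_bits) - 1),
                (off >> 64) & 0xFF)


if __name__ == "__main__":
    plan = Plan48("2001:db8:abcd::/48", 3)  # 8 zones, 32 sites each, 256 VLANs per site
    print(plan.zone(1), plan.site(1, 5), plan.vlan(1, 5, 16))
    print(plan.locate("2001:db8:abcd:2510::1"))
```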


/52 and /60 are quite common as well, predictably what with falling on a "letter boundary" and all


Interesting. I've only seen /60 when they're trying to split up a /56, and IMO it's a little unclean.


> The nice thing about NAT is it makes the security model easier to reason about.

I first heard that relying on the 'moated castle' design of security (firewalls) was a bad idea and no longer best practice a decade or two ago, and while inside/outside may be a convenient mental shortcut for security, it shouldn't be relied upon.

Sure, sensible people know that NAT ≠ security, but by having private/public IPs I think it makes people's thinking lazy. Every system having publicly routable addresses (but not publicly accessible, due to SPI) would force more folks to actually examine their security controls.

It's too easy to think "ah, this has a 10.x.y.z address, therefore it's inside and safe". No, because most attacks nowadays involve compromised/ing clients, and then running around 10.x networks where people got lazy because these things are on the "inside".


It is absolutely a thing in IPv6 as well, but why would you do that.

https://en.wikipedia.org/wiki/IPv6-to-IPv6_Network_Prefix_Tr...


For exactly the reasons I stated


> But it is a lot easier to see and to explain what has access to what.

"What has access to what" is exactly what computer security is.


The SLAAC/DHCPv6 combo seems really strange to me.

Either IP/DNS/gateway discovery with one or the other could be tolerable. But allowing combinations such as SLAAC for addressing and DHCP for DNS discovery is lunacy.

It’s as if one said, let’s take the most basic and critical step and make it as complicated as possible and explore the combinatorial explosion…


The article mentions that DHCPv6 was an afterthought because DHCP itself barely existed when IPv6 was being designed - they were still using things like RARP or BOOTP!

https://en.wikipedia.org/wiki/Reverse_Address_Resolution_Pro...

https://en.wikipedia.org/wiki/Bootstrap_Protocol


The article does seem to simultaneously claim that IPv6’s design is the result of weird, no longer current pressures but also that it’s perfectly fine and correctly designed.


> IPv6 has some quirks that make it harder to digest.

Almost every point in your list is wrong.

> - link local gateway address, makes it hard to understand why the subnet does not have a gateway from the same address space

IPv4 has link-local addresses, too. Those are the 169.254.X.X addresses that you see on Windows machines. IPv6 adds nothing new.

> - privacy extensions: it is very hard to explain to people why they have 3-4 IPv6 addresses assigned to their computer

Well then, don’t use them. Configure the machines with one address each, just like before. If you want the (arguable) advantages of the privacy extensions, they are available, but not mandatory.

> - multicast instead of broadcast

IPv4 always had multicast, too. IPv6 is simplified by considering the broadcast concept to be a kind of multicast.

> - way too many ways for autoconfiguration (SLAAC, DHCPv6)

SLAAC is just link-local addresses, which you already mentioned above. Did you mean NDP with router advertisements?

If you did, you do have a small point, but DHCP6 is still there like always. IPv6 just offers an additional feature for the simple cases where a host just needs an IP address, netmask and a router address.

> - no real tentative mapping to what people were used to. Every IPv6 presentation I did had to start with “forget everything you know about IPv4”

That’s the complete opposite of my experience. Almost everything in IPv6 works exactly the same as with IPv4.


>> IPv6 has some quirks that make it harder to digest.

> Almost every point in your list is wrong.

You missed the point and almost every counterpoint in your list is wrong.

>> - link local gateway address, makes it hard to understand why the subnet does not have a gateway from the same address space

> IPv4 has link-local addresses, too. Those are the 169.254.X.X addresses that you see on Windows machines. IPv6 adds nothing new.

That's not what the OP said. Note it says gateways. IPv4 when DHCP'd will show 192.168.1.1 for example when it has a 192.168.1.55 address. IPv6 will show fe23::166:8f2c:9a21:96de when it has a 2001:921:61c:aef:78f:7190:1ca2 address, despite the gateway actually being 2001:921:61c:aef::1. So it's highly confusing for no good reason.

>> - privacy extensions: it is very hard to explain to people why they have 3-4 IPv6 addresses assigned to their computer

> Well then, don’t use them. Configure the machines with one address each, just like before. If you want the (arguable) advantages of the privacy extensions, they are available, but not mandatory.

While you can configure not use them, by default DHCP'd devices WILL have a bunch. Again confusing for no good reason.

>> - no real tentative mapping to what people were used to. Every IPv6 presentation I did had to start with “forget everything you know about IPv4”

> That’s the complete opposite of my experience. Almost everything in IPv6 works exactly the same as with IPv4.

It's the complete opposite experience for most people, including network engineers.


You're being obtuse. Every point in the original comment is correct, you just disagree they're issues. The original comment also doesn't state they are issues just that they are differences.

• link local addresses

Auto configuration addresses are in V4 but they are used entirely differently. Interfaces do not have link local addresses if they have a DHCP or statically configured address, in V6 it is extremely common to use a link local address as the gateway, in V4 this basically never happens.


> The original comment also doesn't state they are issues just that they are differences.

My point is that, in most cases, these aren’t differences, since IPv4 does the same thing as IPv6. Therefore, the claim that IPv6 “has some quirks that make it harder to digest [than IPv4]” is incorrect.

> Interfaces do not have link local addresses if they have a DHCP or statically configured address

I could be wrong, but I seem to recall that Windows machines always have an IPv4LL address?

> in V6 it is extremely common to use a link local address as the gateway

What? I have never seen this.


> What? I have never seen this.

What? Never? It's extremely common. I just checked both my Mac and Windows desktops and they both show a link local gateway.

It makes me question whether you've used IPv6 all that much.


Every single machine I use, both at home and at work, has IPv6. Exactly none of them use a link-local address as the gateway address.

> In the enterprise space, if you mention globally reachable address space, the discussion tends to end pretty fast because “it's not secure”. Those people love their NAT.

Was also designed in the early 90s before security was taken seriously.


> Was also designed in the early 90s before security was taken seriously.

True, but since then it has transformed into “no one gets in because we have _private_ IP addresses”…


I would need to ask the follow up question. Okay, so what happens when someone gets in? Say some idiot installs something they should not. Or there is some vulnerability in something you allow in?

Extra layers are good. But it does not mean you can forgo anything else.


Okay, so you configure a firewall. NAT is not required.


To be fair it's a pretty decent defense, in the early days of blaster and today with iot crap.


The real problem is many "enterprises" have people who don't understand networking. NAT was a solution to IP address depletion. This is not a problem we have with IPv6.

If security is taken seriously, I'm sure they can spend a few minutes and learn how to configure an IPv6 firewall that allows no inbound connections. It's basically the simplest configuration possible.


> This is NOT the AI revolution anyone was waiting for.

It's Clippy. All over again.


Don't let Louis Rossmann hear you say that, though.


Yes. You can actually buy pairs of antennas (basically an AP pair) that do just that. The only downside is that the signal quality varies based on weather.

If you want something more or less weatherproof, you can get microwave P2P links that run in licensed bands and you don't get any signal interference from similar nearby antennas.

Both WiFi and Microwave equipment act just like bridges and you can connect them to a switch or router.


We have an ISP (Monkeybrains) that offers this in SF but it’s only up to 100 Mbps each way.

I recently tried AT&T fixed wireless which runs over the mobile network but it seems too congested to offer high speeds so ended up back with Comcast.

