Canadian ISPs are also extremely far behind on IPv6. Bell is the largest ISP in the country and they still don't have IPv6. I'm with one of their wholly owned subsidiaries (EBOX) which offers static /56 allocations, but good luck trying to find anyone in tech support who understands WTF you're talking about.
Why don't you want every device to have a public IP? There seems to be a perception that this is somehow insecure, but the default configuration of any router is to firewall everything. And one small bonus of the huge size of a /64 is that port scanning is not feasible, unlike in the old days when you could trivially scan a whole IPv4 /24 of a company that forgot to configure their firewall.
NAT may work fine for your setup, but it can be a huge headache for some users, especially users on CGNAT. How many years of human effort have gone towards unnecessary NAT workarounds? With IPv6, if you want a peer-to-peer connection between firewalled peers, you do a quick UDP hole punch and you're done - since everything has a unique IP, you don't even need to worry about remapping port numbers.
Your ISP shouldn't be rotating your /64, although unfortunately many do since they are still IPv4-brained when it comes to prefix assignment. Best practice is to assign a static /56 per customer, although admittedly this isn't always followed.
And if you don't need a /48... don't use it? 99.99% of home customers will just automatically use the first /64 in the block, and that's totally fine. There's a ton of address space available, there's no drawback to giving every customer a /56 or even a /48.
Great question and my gut is that it makes it that much easier for large, perhaps corporate interests to gain surveillance and control. I'm aware it's possible now, but it really feels like there's some safety in the friction of the possibility that my home devices just switch up IP addresses once in a while.
Like, wouldn't e.g. IPv6 theoretically make "ISP's charging per device in your home" easier, if only a little bit? I know they COULD just do MAC addresses, but still.
You can't correlate the number of addresses with the number of devices because IPv6 temporary addresses exist. If you enable temporary addresses, your computer will periodically randomly generate a new address and switch to it.
I feel like this is a silly narrowing of the problem for normal, retail users. My priority isn't masking "the number of addresses" or devices. My desire is to not have a persistent identifier to correlate all my traffic. The whole idea of temporary addresses fails at this because the network prefix becomes the correlation ID.
I'm not an IPv4 apologist though. Clearly the NAT/DHCP assignments from the ISP are essentially the same risk, with just one shallow layer of pseudo-obscurity. I'd rather have IPv6 and remind myself that my traffic is tagged with my customer ID, one way or another.
Unfortunately, I see no real hope that this will ever be mitigated. Incentives are not aligned for any ISP to actually help mask customer traffic. It seems that onion routing (i.e. Tor) is the best anyone has come up with, and I suspect that in today's world, this has become a net liability for a mundane, privacy-conscious user.
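The point made above about the prefix becoming the correlation ID, shown on a constructed web-server log as an added example (not part of any comment here): temporary addresses rotate the interface ID, but grouping by /64 or /56 still collapses them into one subscriber, and an EUI-64 interface ID (the ff:fe in the middle) is stable even across prefix changes. The addresses, prefix lengths and log format are all made up for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample web-server log: date, client IPv6 address, request.
# The first subscriber holds a static 2001:db8:1a2b::/56 and its hosts use
# RFC 4941 temporary addresses (random interface IDs that change daily);
# one host on the same /64 has a stable EUI-64 address (note the ff:fe
# in the middle of the interface ID, which embeds a MAC address).
SAMPLE_LOG = """\
2024-05-01 2001:db8:1a2b:0:3c4d:5e6f:7a8b:9c0d GET /
2024-05-02 2001:db8:1a2b:0:1f2e:3d4c:5b6a:7980 GET /
2024-05-03 2001:db8:1a2b:0:aa11:bb22:cc33:dd44 GET /
2024-05-03 2001:db8:1a2b:7:9988:7766:5544:3322 GET /
2024-05-04 2001:db8:1a2b:0:211:22ff:fe33:4455 GET /
2024-05-01 2001:db8:ffff:0:abcd:ef01:2345:6789 GET /
"""


def parse_log(text):
    """Return (date, IPv6Address, path) tuples; lines that do not parse are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        try:
            addr = ipaddress.IPv6Address(parts[1])
        except ipaddress.AddressValueError:
            continue
        entries.append((parts[0], addr, parts[3]))
    return entries


def prefix_of(addr, length):
    """The /length prefix containing addr, e.g. '2001:db8:1a2b::/56'."""
    return str(ipaddress.ip_network(f"{addr}/{length}", strict=False))


def group_by_prefix(entries, length):
    """Map each /length prefix to the sorted distinct client addresses seen in it.

    Rotating the interface ID changes the address but not the prefix, so a
    static per-customer prefix is what links the addresses together.
    """
    groups = defaultdict(set)
    for _, addr, _ in entries:
        groups[prefix_of(addr, length)].add(str(addr))
    return {prefix: sorted(addrs) for prefix, addrs in groups.items()}


def looks_eui64(addr):
    """True if the interface ID carries ff:fe at bytes 3-4 (modified EUI-64 from a MAC)."""
    iid = addr.packed[8:]
    return iid[3] == 0xFF and iid[4] == 0xFE


def stable_identifiers(entries):
    """Addresses whose interface ID is MAC-derived and therefore survives a prefix change."""
    return sorted({str(addr) for _, addr, _ in entries if looks_eui64(addr)})


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for length in (64, 56):
        for prefix, addrs in group_by_prefix(entries, length).items():
            print(f"{prefix}: {len(addrs)} distinct address(es)")
    print("MAC-derived interface IDs:", stable_identifiers(entries))
```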
> My desire is to not have a persistent identifier to correlate all my traffic.
Reboot your router. Asus (with the vendor firmware) allows you to do this in a scheduled manner. You'll get a new IPv4 WAN IP (for your NAT stuff) and (with most ISPs) a new IPv6 prefix.
As it stands, if you think NAT hides an individual device, you may have a false sense of security (PDF):
But most ISPs aren’t giving out static IPv6 prefixes either. Instead they are collecting logs of what addresses they’ve handed out to which customer and holding on to them for years and years in case a court requests them. Tracking visitors doesn’t need to use IP addresses simply because it’s trivial to do so with cookies or browser fingerprinting. There’s exactly zero privacy either way.
> Instead they are collecting logs of what addresses they’ve handed out to which customer and holding on to them for years and years in case a court requests them.
They are only supposed to hang on to them for a limited time according to the law where I live (six months AFAIK). Courts are also unwilling to accept IPv4 addresses as proof of identity.
> Tracking visitors doesn’t need to use ip addresses simply because it’s trivial to do so with cookies or browser fingerprinting
Cookies can be deleted. Browser fingerprinting can be made unreliable.
It's not zero privacy either way. Privacy is not a binary. Giving out more information reduces your privacy.
> Most home users do not have a static public IPv4 address - they have a single address that changes over time.
I'd be curious to know the statistics on this: I would hazard to guess that for most ISPs, if your router/modem does not reboot, your IPv4 address (and IPv6 prefix) will not change.
"If you enable" is doing ALL THE HEAVY LIFTING THERE.
Again, my point isn't about what is possible, but what is likely -- which is MUCH MORE IMPORTANT for the real world.
If we'd started out in an IPv6 world, the defaults would have been "easy to discover unique addresses" and it's reasonable to think that would have made "pay per device" or other negatives that much easier.
Temporary addresses are enabled by default in OS X, Windows, Android, and iOS. That's what, like 95% of the consumer non-server market? As for Linux, that's going to be up to each distro to decide what their defaults are. It looks like they are _not_ the default on FreeBSD, which makes sense because that OS is primarily targeting servers (even though I use it on my laptop).
I haven't done the exhaustive research but props in advance for being the only person shouting in caps on HN. Definitely one way to proclaim one's not AI-ness without forced spelling errors.
I don’t want some of my devices to be publicly addressable at all, even if I mess up something at the firewall while updating the rules. NAT provides this by default.
I don’t want a static address either (although static addresses should be freely available to those who want them). Having a rotating IP provides a small privacy benefit. People who have upset other people during an online gaming session will understand; revenge DDoS is not unheard of in the gaming world.
> I don’t want some of my devices to be publicly addressable at all, even if I mess up something at the firewall while updating the rules. NAT provides this by default.
Do you ever connect your laptop to any network other than your home network? For example, public wifi hotspots, hotel wifi, tech conferences, etc? If so, you need to be running a firewall _on your laptop_ anyway because your router is no longer there to save you from the other people on that network.
It's also a good idea even inside your home network, because one compromised device on your network could then lead to all your other firewall-less devices being exploited.
Not every device can run its own firewall. IoT devices, NVR systems, etc should be cordoned off from the internet but typically cannot run their own firewall.
You must have not read my original post. I said that the NAT provides an additional fallback layer of safety in case you accidentally misconfigure your firewall. (This has happened to me once before while working late and I’ve also seen it in the field.)
Only if they're set up properly, which is quite the gamble. I was recently in a hotel and I listed all the Chromecast devices throughout the entire hotel. I could see what everyone was watching and if I was a lesser person I could have controlled their TVs or changed what they were watching.
What about devices like those Chromecasts which don't even have firewalls? The only real solution would be to bring your own hardware firewall / access point and connect it as a client off the hotel wifi. Who is really going to do that?
You can have IPv6 firewalls emulate the behavior of NAT so it blocks unsolicited inbound traffic while allowing outbound traffic. If you get a /48 from your ISP you could rotate to a new IP address every second for the rest of your life.
Right, but if you’re messing around as a naive learner it’s easy to accidentally disable that or completely open up an IP or range due to a bad rule. It’s a lot harder to accidentally enable port forwarding on a NAT.
> I don’t want some of my devices to be publicly addressable at all, even if I mess up something at the firewall while updating the rules. NAT provides this by default.
This feels like a strawman. If you are making the sort of change that accidentally disables your IPv6 firewall completely, you could accidentally make a change that exposed IPv4 devices as well (accidentally enabling DMZ, or setting up port forwarding incorrectly for example).
As someone who has done this while tired, it’s a lot easier to accidentally open extra ports to a publicly routable IP (or overbroad range of IPs) than it is to accidentally enable port forwarding or DMZ.
You could accidentally swap IPs to one that had a port forward, some applications can ask routers to forward, etc etc. I don't know how exactly we'd measure the various potential issues but they seem incredibly minor compared to the sheer amount of breakage created by widespread NAT.
> Why don't you want every device to have a public IP?
Suddenly, your smart lightbulb is accessible by everyone. Not a great idea.
> With IPv6, if you want a peer-to-peer connection between firewalled peers, you do a quick UDP hole punch and you're done - since everything has a unique IP, you don't even need to worry about remapping port numbers.
There is no guarantee with IPv6 that hole punching works. It _usually_ does, like with IPv4.
> Suddenly, your smart lightbulb is accessible by everyone. Not a great idea.
The answer here is kinda that Wi-Fi isn't an appropriate networking protocol for lightbulbs (or most other devices that aren't high-bandwidth) in the first place.
Smart devices that aren't high bandwidth (i.e. basically anything other than cameras) and that don't need to be internet accessible outside of a smart home controller should be using one of Z-Wave/Zigbee/Thread/LoRaWAN depending on requirements, but basically never Wi-Fi.
>> Why don't you want every device to have a public IP?
> Suddenly, your smart lightbulb is accessible by everyone. Not a great idea.
Why would it be "accessible by everyone"? My last ISP had IPv6 and my Asus (with the vendor firmware) didn't allow it. My printer automatically picked up an IPv6 address via SLAAC and it was not "accessible by everyone" (I tried connecting to it externally).
It's because router defaults have been bad for a long time and NAT accidentally made them better.
I finally have IPv6 at home but I am being very cautious about enabling it because I don't really know what the implications are, and I do not trust the defaults.
>> Why don't you want every device to have a public IP?
> What would be the advantage in it?
Not having to deal with ICE/TURN/STUN. Being able to develop P2P applications without having to build out that infrastructure (anyone remember Skype's "supernodes"?).
It's about being able to run apps that can operate without having an HQ that needs to be phoned home to for operation, which is currently generally necessary with NAT.
> Anyhow. I'm not confused about NAT vs. firewalling. No one who dislikes IPv6 is confused by this.
"No one"; LOL. I've participated in entire sub-threads on HN with people insisting that NAT = security. I've cited well-regarded network educators/commentators and vendors:
That article is making a narrower claim than you're implying. It argues that NAT is not a security mechanism by design and that some forms of NAT provide no protection, which is true.
It also explicitly acknowledges that NAT has side effects that resemble security mechanisms.
In typical deployments, those side effects mean internal hosts are not directly addressable from the public internet unless a mapping already exists. That reduces externally reachable attack surface.
So, the disagreement here is mostly semantic. NAT is not a security control in the design sense, but it does have security-relevant effects in practice.
I personally do consider NAT as part of a security strategy. It's sometimes nice to have.
Both of those articles are actually wrong. They say "if an unknown packet arrives from the outside interface, it’s dropped" and "While it is true that stateful ingress IPv4 NAT will reject externally initiated TCP traffic" respectively, but this is in fact not true for NAT, which you can see for yourself just by testing it. (It's true for a firewall, but not for NAT.)
The biggest security-relevant effects of NAT are negative. It makes people think they're protected when they aren't, and when used with port forwarding rules it reduces the search space needed to find accessible servers.
I agree it can be a useful tool in your toolbox sometimes, but a security tool it is not.
> Why don't you want every device to have a public IP?
Big companies would abuse that beyond belief. Back around the late 90s ISPs wanted to have everyone pay per device on their local networks. NAT was part of what saved us from that.
IMO, IPv6 should have given more consideration to the notation. Sure, hex is "better in every way" except when people need to use it. If we could just send the IPv6 designers back in time, they could have made everyone use integer addresses.
# IPv4 - you can ping this
ping 16843009
# IPv6 - if they hadn't broke it :-(
ping 50129923160737025685877875977879068433
# IPv7 - what could have been :-(
ping 19310386531895462985913581418294584302690104794478241438464910045744047689
> Back around the late 90s ISPs wanted to have everyone pay per device on their local networks. NAT was part of what saved us from that.
But with IPv6 a single device may have multiple addresses, some of which it just changes randomly. So this idea that they'll then know how many devices you have and be able to pay per device isn't really feasible in IPv6.
A single /64 being assigned to your home gives you over 18 quintillion addresses to choose from.
If the ISP really wanted to limit devices they'd rely on only allowing their routers and looking at MAC addresses, but even then one can just put whatever to route through that and boom it's a single device on the ISP's lan.
> Bandwidth and processing are substantial bottlenecks with SAR; Only targeted and stationary applications have been broadly useful so far, and more focus has been put on planes than satellites for this.
I'm not sure why you assume this, this is factually incorrect. Satellite based SAR has been successfully used for civilian ship detection applications (traffic management, illegal fishing, smuggling detection, etc) for over three decades. I am sure its military use goes back much further.
> SAR is not as simple as taking a static image with a fixed resolution, your sensing window has got a target velocity and distance in mind and the antenna and processing needs to be tuned for that.
No? SAR satellites take thousands of SAR images of stationary scenes every day. It's true that object motion in the scene introduces artifacts, specifically displacement from true position - this is often called the "train off track" phenomenon, as a train moving at speed when viewed with SAR from the right angle will look like it's driving through the adjacent field rather than on the track. However, this isn't a significant problem, and can actually be useful in some situations (eg: looking at how far a ship is deflected from its wake to estimate its speed).
40 years ago the USN was working on using SAR with an elliptical Kalman filter to detect _submarine_ wakes. I assume things haven't digressed since then.
Eh, not really. Synthetic Aperture Radar satellites used for marine ship detection have extremely wide sensor swath widths, and ships show up as very bright radar targets against the ocean. Detecting a large ship, even in a very large search area, is almost trivial.
Identifying a ship is harder, but not insurmountable. In particular, large ships like aircraft carriers tend to have very identifiable radar signatures if your resolution is high enough.
How do these work? I would think radar would have a very difficult time seeing a ship against the backdrop of the ocean from so high above. Is the satellite bouncing radar waves off the side of the ship as the satellite is near the horizon? Even if you can detect a ship, I'm having a hard time imagining a sufficiently high radar resolution for such a wide sensor swath width at such an extreme range. Is the idea that you locate it with the wide sensor swath and then get a detailed radar signature from a more precise sensor?
Even with an extremely low resolution radar hit they are very identifiable.
Most naval vessels move in groups/squadrons. Carriers basically always travel with a "carrier strike group"/CSG of a dozen other ships and destroyers often travel in "destroyer squadrons"/DESRONs. So any time you see a cluster of hits, just by the relative responses of each hit you can narrow down and guess the entire CSG/DESRON in one go and then work out which responses map to which ship in the CSG/DESRON once you have a good idea of which group you are looking at.
This is especially true because ships even within the same class have varying ages, different block numbers, and differing retrofits. So each one has a unique signature to it.
But also if you aren't completely certain you can always come back with a second high resolution pass and then it's trivial to identify each ship just visually.
Granted, but how does satellite radar actually see ships at all? How do the ships not blend into the ocean (the relative difference between the distances between ship<->satellite and ocean<->satellite is minuscule)?
Consider shooting a ray at the ocean at an oblique angle from a satellite: it bounces off and scatters away from you. Hardly any of the energy scatters back towards you.
Now, put a ship there. The ray bounces off the surface of the ocean and scatters up into the side of the ship, and from geometry, it's going to bounce off the ship and come straight back towards its original source. You get tons of energy coming back at you.
A ship on the ocean is basically a dihedral corner reflector, which is a very good target for a radar.
> I'm having a hard time imagining a sufficiently high radar resolution for such a wide sensor swath width at such an extreme range. Is the idea that you locate it with the wide sensor swath and then get a detailed radar signature from a more precise sensor?
That's one approach, there are so-called "tip and cue" concepts that do exactly this: a lead satellite will operate in a wide swath mode to detect targets, and then feed them back to a chase satellite which is operating in a high resolution spotlight mode to collect detailed radar images of the target for classification and identification.
However, aircraft carriers are big, so I don't think you'd even need to do the follow-up spotlight mode for identification. As an example, RADARSAT-2 does 35 meter resolution at a 450 km swath for its ship detection mode. That's plenty to be able to detect and identify an aircraft carrier, and that's a 20 year old civilian mission with public documentation, not a cutting edge military surveillance system. There are concepts for multi-aperture systems that can hit resolutions of less than ten meters at 500 km swath width using digital beamforming, like Germany's HRWS concept.
If only it could actually do anything. I genuinely don't understand how we refused to retrofit any weapon system to the gun mounts. We have 5-inch guns. They aren't the magic cannon it was designed for but do they really not fit? Apparently we are now putting hypersonic missiles in those mounts instead.
A Zumwalt with a 5-inch gun offers almost no mission capability above a simple coast guard cutter.
They're putting hypersonics on it because they've got 3 hulls and might as well get some value out of them, but not because it's what you'd design for from scratch.
The Zumwalt program was dumb from day 1. It was driven by elderly people on the congressional arms committees that have romantic notions of battleships blasting it out.
The reality is since the development of anti ship missiles, sitting off the coast and plinking at someone is suicidal, even if you have stealth shaping and uber guns of some sort.
The Zumwalt class are being refitted to carry CSP. And the boutique gun system is really a complex thing, it's not like packing in a bunch of VLS containers.
Just do a YouTube search and you'll find plenty of talking head explainer videos. Ignore the talking head and just look at the imagery and data they share.
87 years ago, our founders launched a disruptive startup on this continent—a new nation built on the core values of liberty and the mission-driven proposition that "all men are created equal."
Right now, we’re facing a major pivot point in a great civil war, testing whether this organization, or any venture with such a strong culture and vision, can truly scale and endure. We’re currently on-site at a key battlefield of this conflict. We’ve gathered here to dedicate a portion of this space as a final resting place for the team members who gave everything to ensure the brand could live on. It’s the right strategic move.
But looking at the bigger picture, we can’t actually "brand" or "consecrate" this ground. The high-performers, both living and dead, who put in the work here have already established its value far beyond our ability to add or detract. The world won't remember our status updates, but it will never forget their execution.
It’s up to us—the remaining stakeholders—to stay dedicated to the massive project ahead of us. We need to take inspiration from these top-tier contributors and double down on the cause they were so passionate about. We are here to resolve that their efforts won't be a sunk cost; that this nation will undergo a digital transformation of freedom; and that a customer-centric government—of the people, by the people, for the people—will never be disrupted out of existence. #Leadership #Vision #Legacy #GrowthMindset
This is great. My only gripe is that it's still way too smart compared to most of the stuff I see on LinkedIn. If it had wrapped up with a "it's not X, it's Y", would've been perfect.
> Then again maybe the quality of Lincoln's literacy defies it.
I think so. My first thought reading this output is that I should ask the LLM to first write in the style of Lincoln and then slightly modernize the prose.
Anybody else being annoyed by all this focus on em-dash use to detect AI? In no time, the bad guys will tell their BS machines to avoid em-dashes and "it's not X it's Y" and whatever else people use as "tell-tale signs" and eventually the training data will have picked up on that too. And people who genuinely use em-dashes for taste reasons or are otherwise using expressions considered typical for AI are getting a bad rep.
This is all just demonstrating the helplessness that's coming to our society w.r.t. dealing with gen AI output. Looking for em-dashes is not the solution and distracts from actually having to deal with the problem. (Which is not a technical but a social one. You can't solve it with tech.)
This is turning out to be a huge issue for me as my frequent use of em-dashes makes my remarks trigger people effectively disrupting attempts to communicate. Maybe my communication needs to change or maybe these objections are yet another red flag to watch for.
> Anybody else being annoyed by all this focus on em-dash use to detect AI?
Yes, the “AI detectives” can be quite annoying, as the comments are always the same. No substance, just “has X, it’s AI”. The em-dash detectives tend to be the worst, because they often refuse to understand that em-dashes are actually trivial to type (depending on OS) and that people have been using them on purpose since before LLMs.
Mind you, using em-dashes as one signal to reinforce what you already perceive as LLM writing is valid, it’s only annoying when it’s used as the sole or principal indicator.
I keep reading about students learning to intentionally write worse so that it doesn't get flagged as AI-generated. I think it's a systemic problem that won't be solved in the short term, unfortunately.
It's hilarious that em dashes and "it's not X; it's Y" and other trivial things are the best way for humans to spot AI now. Like if AI robots infiltrated us, at first we'd be like "ooh, he has long ears, he's a robot". And after a while the robots will learn to keep their ears shorter. Then what? When we're out of tell-tale signs?
> We’ve gathered here to dedicate a portion of this space as a final resting place for the team members who gave everything to ensure the brand could live on. It’s the right strategic move.
This is hilarious but... and I can't believe I'm actually giving critique here... but a modern day, LinkedIn version would be couched in words like "exceedingly complex", "multi-domain", "system of systems", etc.
But the whole thing is brilliant. And #GrowthMindset at the end is absolute gold.
What does it mean for two people to be "equal"? Obviously, it cannot mean they are equal in strength and in quality. There are people who are excellent, and excellent in many ways, and people who are mediocre or poor in quality in many ways. People are also morally diverse, ranging from the virtuous and the saintly to the thuggish and the depraved.
No, this equality is an equality of basic human dignity. It rests with human nature: our dignity is rooted in our rationality and freedom to make choices. Incidentally, this is also the basis for human rights.
Historically, however, most cultures did not believe in human equality or equality of dignity. You only see that with a robust account of natural law and in its fullness within the Imago Dei; living up to it is another matter. Liberalism [0], as an offshoot of this tradition, takes for granted this notion, but when pressed, it has trouble offering justification. That's why political appeals to equality now appear more frantic and strident. When there is an underlying uneasiness about the rational basis of one's convictions, this often transmutes into emotional defensiveness. But mere assertion has little force. Over time, emotion and pure assertion do not maintain their grip, which makes these quotes that much more interesting.
[0] Another fun case are materialists who simultaneously believe in equality. If there is anything that would dash the very notion of equality, it is materialism.
Their WAF isn't there yet, the moment it can build the expressions you can build with CF (and allows you to have as much visibility into the traffic as CF does), then it might be a solid option, assuming they have the compute/network capacity.
Many countries have solved this with a special background check. In Canada we call this a "vulnerable sector check," [1] and it's usually required for roles such as childcare, education, healthcare, etc. Unlike standard background checks, which do not turn up convictions which have received record suspensions (equivalent to a pardon), these ones do flag cases such as sex offenses, even if a record suspension was issued.
They are only available for vulnerable sectors, you can't ask for one as a convenience store owner vetting a cashier. But if you are employing child care workers in a daycare, you can get them.
This approach balances the need for public safety against the ex-con's need to integrate back into society.
Why are only some sectors "vulnerable" and who is to make that call? How about the person cooking my food?
You're over-thinking it, trying to solve for a problem that doesn't exist. No one has a "right" to work for me. There are plenty of roles that accept ex-cons and orgs that actively hire them.
Of course, I don't need to know everything, just if I'm hiring them I'd like to know if they have been tried and convicted of a crime, and then I can make a judgement whether it's disqualifying for my particular need.
I don’t think everything you’re saying is completely out of line, but the way you’re drawing a line in the sand and being so unequivocal about this is kind of striking. You won’t even entertain a more nuanced approach to this.
Hardware should be much easier, especially if you get your boards fabbed and assembled at a CM (which you probably should, very few companies have a good reason to move assembly in-house).