NAT was a good solution that the IETF came up with; we wouldn't be able to have the internet at our scale without it.


NAT was introduced by a private company called Network Translation Inc. and successfully broke efforts to migrate off IPv4 (which was supposed to be EOLd by 1990) and permanently broke the "network of hosts" into an asymmetric one of servers and clients.

Note that we had a solution for address exhaustion by 1991, but it was just "good" and not "perfect" and, worst of all, it used the hated OSI protocol stack (TUBA - TCP & UDP on top of OSI CLNS - also known as IPv9). It even had at least two usable implementations at the time it was proposed (for SunOS and Cisco IOS).


> permanently broke the "network of hosts" into asymmetric one of servers and clients.

That was inevitable and can't reasonably be blamed on NAT. As but a few examples: ISPs arbitrarily break things unless you pay them extra. Stateful firewalls are a good thing. Even on my local LAN I can't reliably SSH into my laptop because it's on WiFi and does funky power saving stuff with the chipset, I guess. My phone is far worse than my laptop in that regard.

Setting up a reliable and widely reachable server requires deliberate effort regardless of the existence of NAT.


First product, but does the early RFCs and discussions predate their work?


There's some work predating it, but it was very much undeployed before PIX let the genie out, because even the early NAT work notes it might be problematic even in the short term.


People would have resisted TUBA the same ways they're resisting IPv6 now. It's not a technical problem.


It's partly technical (BSD Sockets being a bad API that hardcodes low-level protocol details in applications) and partially business - vendors didn't want to do the work to upgrade software and hardware, especially with the advent of CEF and similar hardware routing options. And by the 1990s the government-led standardisation efforts that gave us widespread ethernet and IPv4 got axed, and efforts to make vendors update if only for federal contracts died in waiver hell.

The other kinds of problems are from there over time.


The thing I like about NAT is that it is essentially an ISP side stateful firewall. I would migrate to the ipv6 globally addressed mode immediately if my ISP had a checkbox "disallow all incoming connections".


> I would migrate to the ipv6 globally addressed mode immediately if my ISP had a checkbox "disallow all incoming connections".

Does your router not already do that by default?


As another commenter already clarified, I meant CGNAT on the ISP side. I don't believe any ISP currently offers an equivalent firewall on their side.


ISP side? Hopefully not, or rather, only if you're behind one of those awful CG-NATs (and I'm not aware of any that let you actually configure port forwarding, although my knowledge here might be outdated; fortunately I haven't had to deal with one in a long time). Otherwise, it's usually your CPE doing the NATting.

It sounds like you want an ISP-provided stateful firewall though, upstream of your (metered, slow) connection, which I'd agree would be a great feature to have!


It's funny. They'll block things I don't want them to block (email, http server, ...) but not unsolicited inbound IPv6 connections.


Your router almost certainly has that option.


Of course, it's probably the default everywhere, but with NAT the traffic never reaches me in the first place.


NAT is done on your router. There is no difference from an IPv6 firewall except that it doesn't do NAT.

Are you thinking about CGNAT which is done by the ISP? That results in double NAT which causes problems.


You're right, I was thinking of CGNAT. My ISP definitely does it (they have far more users than IP allocations) and my router does NAT as well, so I guess I have a double NAT.


Interesting. My ISP passes both IPv4 and IPv6 inbound, expecting you to block them yourself.


Unless IPv6 were to be actually adopted as it was introduced.


I don't know networking all that well. In my mind, I have 50 devices connected to my router behind NAT. My Mac, my Apple TV, my iPhone, my PC, my Linux box, my partner's versions of all of those. My video games. Etc.

From outside there's 1 IP address. With IPv6, every device would get its own address outside. Why do I want that? That sounds less private to me. Am I misunderstanding something? Lots of traffic on one IP address sounds more obfuscated than all separate.


With IPv6, every device has multiple IP addresses. One or more addresses that are rotated* to prevent you from being tracked easily, and one that's derived from your device's MAC address so you can make your devices easily accessible from WAN by opening ports in your firewall if you want to.

You could disable the rotating addresses, or disable MAC-based ones by using DHCP, but there's usually no point.

As for why you would want something like that: a whole bunch of software and hardware breaks because of NAT. Consumer NAT has some monkey patching inside of it rewriting some protocols to make them work again (which also allowed random websites to open arbitrary ports to arbitrary addresses in some Linux routers a while back, because NAT overrules firewall settings to work) but there are still limitations.

For instance, if you're having issues with your Nintendo Switch, Nintendo will tell you to forward every single port to your Switch (https://en-americas-support.nintendo.com/app/answers/detail/..., hope that IP address doesn't get reassigned to an unpatched device later). Multiple Xbox consoles behind the same NAT requires tricking them into super-restricted-NAT mode to work, or enabling UPnP which allows devices to open ports in your firewall without any authentication.

NAT just kind of sucks. IPv6 wasn't ready for deployment when NAT gained popularity, but all of the reasonable problems have been solved over a decade ago.

*=default rotation happens daily, but your OS may allow you to pick a shorter duration. I've found out the hard way that setting this to five minutes will fill up Linux's route table real fast after a few days.
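The two address types mentioned in the comment above (a MAC-derived one and rotated random ones) and the later point that an observer only sees the /64 prefix can be checked concretely. This is an added example, not code from any commenter; the prefix (2001:db8::/32 documentation space), the MAC and the sample addresses are constructed, and the ff:fe test is a heuristic for the modified EUI-64 layout of RFC 4291, not proof that an address was SLAAC-generated.

```python
import ipaddress

def eui64_iid_from_mac(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291 app. A) from a 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Split the MAC, insert FF:FE in the middle, flip the universal/local bit.
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(iid, "big")

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The stable, MAC-derived address a host would form in the given /64."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_iid_from_mac(mac))

def classify(addr: str) -> dict:
    """What an outside observer can read off a single IPv6 address."""
    a = ipaddress.IPv6Address(addr)
    iid = a.packed[8:]                      # low 64 bits = interface identifier
    info = {
        # The household-level identifier: same role as the shared IPv4 address.
        "prefix": str(ipaddress.IPv6Interface(f"{addr}/64").network),
        # Heuristic: FF:FE in the middle of the IID marks the EUI-64 layout.
        "eui64": iid[3:5] == b"\xff\xfe",
    }
    if info["eui64"]:
        # Undo the u/l bit flip and drop FF:FE to recover the device's MAC,
        # which is the per-device fingerprint privacy extensions are meant to hide.
        mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
        info["mac"] = ":".join(f"{b:02x}" for b in mac)
    return info

def same_household(addr_a: str, addr_b: str) -> bool:
    """Two addresses under one delegated /64 are as linkable as one NATted IPv4."""
    return classify(addr_a)["prefix"] == classify(addr_b)["prefix"]

if __name__ == "__main__":
    # Constructed sample: one SLAAC address and one RFC 4941 temporary address.
    stable = slaac_address("2001:db8:abcd:1234::/64", "00:11:22:33:44:55")
    temporary = "2001:db8:abcd:1234:3f1e:9c2a:77b4:d5e"
    print(stable, classify(str(stable)))
    print(temporary, classify(temporary))
    print("same /64:", same_household(str(stable), temporary))
```

The stable address leaks the MAC (and thus the vendor OUI) to every peer, while the temporary one exposes only the prefix shared by the whole household.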


Does it matter if they rotate if you use prefix delegation with standard size?


No, it doesn't. At least the last time I checked, unless you go out of your way to implement a non-standard configuration, IPv6 is a disaster for personal privacy for the typical multi-user household.

Then again, the "typical" multi-user household is likely logged in to most things via SSO with Google or Facebook and probably has approximately zero fingerprinting mitigations in use so perhaps it isn't worth worrying about?

If you aren't the typical household then given 2^64 addresses and a Linux box serving as a router you've got quite a few options available. Including various creative reinventions of NAT that don't break basic functionality.


> IPv6 is a disaster for personal privacy for the typical multi-user household

Why? With privacy extensions (which are normally enabled for user devices), all someone can do is look at the prefix. This is identical to looking at the IPv4 address in a NAT setup, and it hasn't been that much of a privacy disaster.

As I see it, nothing is lost on that front.


> This is identical to looking at the IPv4 address in a NAT setup

It is not identical unless the OS uses a new IP for every new outbound connection. I believe that would qualify as a (very) nonstandard configuration.

> it hasn't been that much of a privacy disaster.

Indeed, it was tongue in cheek which is why I went on to point out SSO. The reality is most people aren't willing to sacrifice convenience to retain even a shred of privacy.

If you are one of the few who care then you can implement one of the many possible non-standard solutions.


Even disregarding fingerprinting, a single household doesn't have enough traffic from separate devices/users to the same servers to really matter from a privacy standpoint.

If my PC uses the same IP as my partner's to talk to Google, it hardly matters for our privacy if they mix up the attribution of traffic between the two of us.


Speak for yourself. I also don't want it to be readily apparent how many different devices I have, or when I'm using which one, or how many people are in the household, or when who is home.

Granted any service that I consistently interact with is likely to be able to figure out at least some of that information if they put in some effort. But I don't want to be freely providing a complete picture for zero effort.

Creepy data aggregator stories pop up on the HN front page regularly so hopefully I don't need to explain why I feel this way.


Yeah, I mean, I share those concerns in general, but my efforts are mostly centered around aggressive ad/tracker-blocking (moderate DNS-level blocking at the network level, more aggressive at the device level + browser-level blocking) and the avoidance of non-privacy-focused services, e.g. avoiding the popular social networks entirely, and using privacy-supporting pay-for services.

Using the same IP for all of my devices, for me, generally falls into the same bucket of anti-fingerprinting techniques that are used by the Tor Browser like letterboxed resolution that I don't find practical for general use. If I want to actually prevent fingerprinting by IP, resolution, etc. then I'll actually use the Tor Browser.


It depends what you're trying to defend against. The rotation hinders associating an address with a particular device. If someone looks at the network prefix to see if people are in the same household, then that's exactly the same as looking at the IPv4 address to determine the same thing.


> From outside there's 1 IP address. With IPv6, every device would get its own address outside. Why do I want that? That sounds less private to me. Am I misunderstanding something? Lots of traffic on one IP address sounds more obfuscated than all separate.

Having recently enabled IPv6 for my home network, the "why" was that a) IPv6 to IPv6 connections are nominally more efficient than those that have to traverse NAT and b) it enables connectivity to/from IPv6-only internet devices.

The privacy upsides of a single IPv4 IP for a household are, to me, more marginal than the above benefits.


I'm pretty sure the IETF fought against NAT.
