@thermia #CGNAT should be outlawed - especially when it illegally uses #RFC1918 address space!
@Jarek @landley that assumes #IPv6 addresses are static (Providers in #Germany do "pseudostatic" alike #IPv4 and unless one's a business customer, will forcibly disconnect once each 24 hours and reassign a new IP) and that applications ain't configured to prefer IPv4 over IPv6 just to avoid timeouts and having to check if IPv6 exists since the only "#IPv6only" #ISP I know is #Starlink (and even they do #CGNAT due to customer complaints…)

@landley @jschauma @ryanc @0xabad1dea yeah, the exhaustion problem would've been shoved back with a #64bit or sufficiently delayed by a 40bit number.

Unless we also hate #NAT and expect every device to have a unique static #IP (which is a #privacy nightmare at best that "#PrivacyExtensions" barely fixed.)

  • I mean they could've also gone the #DECnet approach and use the #EUI48 / #MAC-Address (or #EUI64) as static addressing system, but that would've made #vendors and not #ISPs the powerful forces of allocation. (Similar to how technically the #ICCID dictates #GSM / #4G / #5G access and not the #IMEI unless places like Australia ban imported devices.)

I guess using a #128bit address space was inspired by #ZFS doing the same before, as the folks who designed both wanted to design a solution that clearly will outlive them (way harder than COBOL has outlived Grace Hopper)...

If I was @BNetzA I would've mandated #DualStack and banned #CGNAT (or at least the use of CGNAT in #RFC1918 address spaces) as well as #DualStackLite!

@landley @jschauma @ryanc @0xabad1dea well, #CGNAT has its own problems and bricks connectivity for many applications.

@teezeh
All of them are reachable only from the #LegacyNet, and everything goes through the #CGNAT s, especially those of the small ISPs, just because nobody at @ZDF can enter the correct dual-stack Akamai endpoints in DNS.
It only affects about 75% of users, after all, but that doesn't seem to be relevant.

If you manually override the endpoints, you can reach @ZDF from the Internet as well.

@NDR can do it too, after all.

How do folks manage roaming/mobile #wireguard clients talking to homelabs that are also behind #CGNAT? I'm not seeing anything #STUN or #NAT related in the iOS wireguard app - how do you get p2p connectivity without hairpinning all traffic through a public/non-NAT node? (I'm fully aware of Tailscale - that's not the answer I'm searching for) #VPN

@SebastianM6L Yes, it serves my purpose well. You can also use it as a reverse proxy directly on the local network, but I wanted to secure my external ports.

Additionally, I have applied for a fiber-optic connection and will need a plan to make my services accessible behind #CGNAT in the future.

Now, the IPv4 and IPv6 addresses of my VPS are essentially the ones to which the domains are forwarded, and from there, a tunnel connects to my home lab.

well, maybe we need to go to Mr. #pepephone's house and burn down his internets, because I'm without stremio again and something tells me it's the fault of the #Cloudflare block AGAIN, even though they resolved my "incident" by taking me off #cgnat

last weekend I wasn't home to check whether it worked, but right now this isn't working.

CGNAT frustrates all IP address-based technologies | Cybersecurity | SIDN
https://alecmuffett.com/article/112584
#OnionNetworking #cgnat
Dropsafe

Aside from the observation that this is basically one half of a Tor networking connection, one might also observe MAYBE THERE IS A PROBLEM WITH THE SUPPOSED LEGAL OBLIGATION AT HAND, HERE:

One practical outcome is that government agencies find it harder to identify criminals behind particular IPv4 addresses. According to Europol, access providers are no longer able to meet their legal obligation to provide details of the account holder linked to a given connection. Because, in some cases, a single IPv4 address is shared by thousands of users. As a result, the agency says, investigations often involve examining and tapping the connections of many more people than really necessary.

https://www.sidn.nl/en/news-and-blogs/cgnat-frustrates-all-ip-address-based-technologies

It continues:

In a document entitled ‘Resilience, Deterrence and Defence: Building strong cybersecurity for the EU’, the Commission explains how the EU wants to promote the adoption of IPv6. The ultimate aim is to have one user per IP address to facilitate the investigative activities of the police and security services. Procurement policy, research and project funding, and covenants will be used by the Commission in pursuit of its goals.

Here in the Netherlands, the Ministry of Economic Affairs is currently looking at ways of energising the country’s tardy migration to IPv6.

Sounds lovely…

#cgnat #onionNetworking

IPv4 is creaking at the seams

SIDN - The company behind .nl