
> I can’t think of any common requirement that will be afforded to users by having devices that will never need to be publicly reachable be publicly addressable.

Because you do not know ahead of time which devices may have such a need, and by allowing for the possibility you open up more flexibility.

> [Residential customers] don't care about engineering, but they sure do create support tickets about broken P2P applications, such as Xbox/PS gaming applications, broken VoIP in gaming lobbies, failure of SIP client to punch through etc. All these problems don't exist on native routed (and static) IPv6.

> In order for P2P to work as close as possible to routed IPv6 in NATted IPv4, we had to deploy a bunch of workarounds such as EIM-NAT to allow TCP/UDP P2P punching to work both ways, we had to allow hairpinning on the CGNAT device to allow intra-CGNAT traffic to work between two CGNAT clients, as TURN can only detect the public-facing IP:Port; hairpinning allows 100.64.0.0/10 clients to talk to each other over the CGNATted public IP:Port.

* https://blog.ipspace.net/2025/03/response-end-to-end-connect...

By having (a) a public address, and (b) a CPE that supports PCP/IGD hole punching, you eliminate a whole swath of infrastructure (ICE/TURN/etc) and kludges.

When it was first released, Skype was peer-to-peer, but because of NAT, "super nodes" had to be invented in their architecture so that the clients/peers could have someone to 'bounce' off of to connect. But because of the prevalence of NAT, central servers are now the norm.

A lot of folks on HN complain about centralization and concentration on the Internet, but how can it be otherwise when folks push back against technologies that would allow more peer-to-peer architectures?
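The quoted workarounds (EIM-NAT so that both sides can punch, and hairpinning so two 100.64.0.0/10 clients can reach each other via the CGNAT's public IP:Port) can be modelled in a few lines. This is an added, constructed simulation, not code from anyone in the thread; the NAT model, the `STUN` rendezvous endpoint and all addresses are assumptions, and the EIM variant is given address-dependent filtering so that a peer is only let in after the inside host has sent to it.

```python
"""Constructed model of CGNAT behaviour: endpoint-independent mapping (EIM)
vs address-and-port-dependent mapping, plus hairpinning of intra-CGNAT traffic."""
from dataclasses import dataclass, field

STUN = ("203.0.113.1", 3478)  # constructed: public rendezvous server that reports IP:Port

@dataclass
class Nat:
    public_ip: str
    eim: bool       # True: one external port per inside (ip, port), whoever the peer is
    hairpin: bool   # True: traffic sent to our own public IP is looped back inside
    next_port: int = 40000
    mappings: dict = field(default_factory=dict)   # key -> external port
    owners: dict = field(default_factory=dict)     # external port -> inside (ip, port)
    contacted: dict = field(default_factory=dict)  # inside -> set of peer IPs it sent to

    def outbound(self, src, dst):
        """Translate inside packet src->dst; return the external endpoint dst will see."""
        key = src if self.eim else (src, dst)
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.owners[self.next_port] = src
            self.next_port += 1
        self.contacted.setdefault(src, set()).add(dst[0])
        return (self.public_ip, self.mappings[key])

    def inbound(self, ext_port, peer):
        """Packet from peer hits our public ext_port: return the inside host, or None."""
        inside = self.owners.get(ext_port)
        if inside is None:
            return None
        if self.eim:  # address-dependent filtering: inside host must have sent to peer's IP
            return inside if peer[0] in self.contacted.get(inside, ()) else None
        return inside if self.mappings.get((inside, peer)) == ext_port else None

def send(nat, src, dst, peer_nat=None):
    """Push src->dst through nat; returns the inside host that receives it, or None."""
    ext = nat.outbound(src, dst)
    if dst[0] == nat.public_ip:              # intra-CGNAT traffic: needs hairpinning
        return nat.inbound(dst[1], ext) if nat.hairpin else None
    return peer_nat.inbound(dst[1], ext) if peer_nat else dst

def hole_punch(nat_a, a, nat_b, b):
    """Each peer learns its public endpoint via STUN and sends to the other's; the
    first packet in each direction opens that side, so A retries after B's opener."""
    pub_a, pub_b = nat_a.outbound(a, STUN), nat_b.outbound(b, STUN)
    send(nat_a, a, pub_b, nat_b)
    b_to_a = send(nat_b, b, pub_a, nat_a)
    a_to_b = send(nat_a, a, pub_b, nat_b)
    return a_to_b == b, b_to_a == a
```

With address-and-port-dependent mapping the port learned from STUN is never the one used towards the peer, so both directions fail; with EIM they succeed, and two clients behind the same CGNAT succeed only when hairpinning is on.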



> by allowing for the possibility you open up more flexibility.

The problem is that flexibility is often the enemy of security, and that’s certainly true here. Corporate networks don’t want to allow even the possibility of devices that are supposed to be private being publicly addressable. Arguing that it’s “simpler” or “more flexible” is like arguing that we don’t need firewalls, for the same reasons. And in fact, that argument used to be made quite regularly. It’s just that no-one who deals with security has ever taken it seriously.


It's baffling to argue that NAT is the real driver of centralization for internet technologies.


It surely was a big factor.

When the internet finally became popular, hosting a website on your own machine had already become infeasible.


What do you mean by popular? I hosted a site on a home machine in the early teens. If you don't know how to do that with NAT, you should not have a web server under your control exposed to the internet.


The early teens didn’t have a huge proliferation of ISPs using CGNATs.

These days ISPs can’t get hold of new IPv4 blocks, and increasingly don’t provide public IP addresses to residential routers, not without having to pay extra for that lowly single IPv4 address.

Hosting a website behind a NAT isn’t as trivial as it used to be, and for many it’s now impossible without IPv6.


> Hosting a website behind a NAT isn’t as trivial as it used to be, and for many it’s now impossible without IPv6.

The example I keep coming back to is multiplayer games like Mario Kart, where Nintendo tell you to put the Switch in the DMZ or forward a huge range of ports (1024-65535!) to it [1].

If you’ve got more than one Switch in the household, though, then I guess it sucks to be you.

1: https://www.nintendo.com/en-gb/Support/Troubleshooting/How-t...


To require that, the person would have needed to disable UPnP on their router. I’ve played tons of multiplayer games on the Switch and UPnP handled it seamlessly on the 7 or 8 home networks I connected it to over its life. Never once even had to think about it.

So yes, if you disable the requisite, standard, built-in feature on your router, you may need a pretty annoying workaround. Weird!

What percentage of users do you imagine disable UPnP? Let’s be real. This is a problem that your average user will never, ever experience a problem with.


No they wouldn't. UPnP is not requisite, certainly not standard, or necessarily built-in. For example, the router I've got doesn't implement UPnP. It's not unusual for it to be disabled, because it's a security issue that something with no authentication can punch enduring holes out through NAT. It's also irrelevant in a scenario where the ISP's using CGNAT.

I'm sure the Switch deals with conflict resolution with multiple consoles on the same network too, but shrug, it's another example of how NAT is a pain and also contradicts your assertion that incoming connections would be a breach of ISP ToS [1].

Edit: A quick Google suggests the Switch originally didn't support UPnP, and the Switch 2 now supports IPv6.

1: https://news.ycombinator.com/item?id=46484604


Ok, so it didn’t even need UPnP then. Are you talking about using their LAN head-to-head feature across the internet? Or perhaps all the times I used my Switch on various networks to play head-to-head games it was… my imagination? Sure. If people had to consistently forward every port on their home router to play Fortnite, Smash, etc. with a portable console you’d never hear the end of it. This is literally the first time I encountered someone saying this was a problem. Regardless, most people don’t buy routers, they use the ones their ISPs gave them, and I haven’t seen one of those come without UPnP in at least a decade. You’re seeking out reasons to dislike NAT.

>for many it’s now impossible without IPv6.

It's impossible with IPv6 either. ISPs block incoming connections on IPv6 for residential addresses.


And against the ToS of every US residential ISP I’ve looked at.


> It's baffling to argue that NAT is the real driver of centralization for internet technologies.

It doesn't help.


What is then?


Capitalism, essentially. Companies can make more money from centralized control over systems than from truly distributed systems, and customers are suckers for the simplicity of delegating their needs to single providers.

The reason Google bought and destroyed dejanews.com, for example (try visiting that site) was to weaken one of the distributed sources of competition. Similar for RSS.


I'd like to know the average number of broadband customers that make support tickets because of NAT. I'll bet it's far less than 1%. And you really think NAT, rather than SV betting huge on cloud services and surveillance capitalism, was the reason that everything is centralized? Come on...

