
If it was really about illegal immigrants, ICE wouldn't be raiding immigration hearings, nor would they be kidnapping legal immigrants.

If it was about stopping violent criminals, they wouldn't raid restaurant kitchens and crop fields, where workers are trying to make an honest living for their family.

It's nationalism and racism, full stop.


You can't reason someone out of something they clearly didn't reason themselves into. If they cared about the truth and evidence they wouldn't be holding that opinion right now.

> trying to make an honest living for their family.

Not possible if you are in the country illegally.


My understanding is that for most residential heat pumps, the temperature needed to make the heat pump less efficient than resistive heating is so low that it enters a range that the pump doesn't even work anymore.

However, that's only a measure of efficiency. It could still be that the throughput isn't enough. A 30 kW resistive heater can ALWAYS output 30 kW of heat. But my 7 kW heat pump could produce anywhere from 14 to 30 kW depending on outside temperature.


Does that mean the heat pump gets less efficient as the outside warms? Because that would be fine. 7 kW to make your home a constant temperature seems wonderful.

No, they get less efficient as the outside gets colder.

This is going to depend on the router and on IP distribution.

My ISP does not give me an IPv6 address, only a single IPv6 which all my network devices have to NAT through.

NAT is not intended to be a security feature, for sure, but it creates security as a side effect. If I start up a web server on one of my devices, I know that it is unreachable from the Internet unless I go out of my way to set a port forward on my router.

But...if my ISP decides to start handing out IPv6, that can change. If each of my devices gets an Internet routable IPv6 address, at that point, that security-as-a-side-effect is not guaranteed unless my router has a default-deny firewall. I would hope that any routers would ship with that.

But if my ISP still gives me only a single IPv6 address and I'm still needing to use NAT, then I'm guaranteed to still effectively have a "default deny" inbound firewall policy.


> If each of my devices gets an Internet routable IPv6 address, at that point, that security-as-a-side-effect is not guaranteed unless my router has a default-deny firewall. I would hope that any routers would ship with that.

They usually do, and they also ship with the most wonderful technology ever specified within a 67 MB compressed archive [0]: UPnP! Now your attacker's job is to convince you to initiate an outgoing connection, which automatically forwards an incoming port to your device behind the NAT and bypassing the router's default-deny firewall! Nothing has ever gone wrong with a zero-configuration port-forwarding protocol from the 1990s rammed through the ISO!

[0]: https://openconnectivity.org/developer/specifications/upnp-r...


That's an entirely different attack scenario. To succeed at that attack, my computer would already need to be running malware. At that point, they've already won.

Or you visit a webpage that makes a request to an arbitrary server on an arbitrary port while not running a default-deny application firewall.

I don't believe that opens a port to accept an incoming connection.

Even if it did, a web page making a request can't control the source port for the connection. They still couldn't make a local network service exposed to the Internet.


WebRTC and similar tools have existed for over a decade at this point and been abused horribly. Many common UPnP or similar daemons trust ANYTHING on the "trusted" side and will happily grant basically anything asked for because their vendors don't want customer support calls over whatever insane behavior some printer or IoT lightbulb is doing without the end user's knowledge.

Every router I’ve ever used has blocked incoming connections on v6 exactly the same as on v4. Really the only difference is you can have multiple devices on your network allowed to receive on the same port if you want.

> Every router I’ve ever used has blocked incoming connections on v6 exactly the same as on v4.

A few years back my ISP didn't properly support prefix delegation, and the only way to get IPv6 to work was in "Passthrough" mode. My router (Asus ax86u) was really unclear about what passthrough mode meant, but I think that it might also disable the IPv6 firewall (I have read conflicting reports, and was never able to find an authoritative answer). The setting is buried pretty deep in the router and off by default, so I don't think most people would enable it by accident, but a quick Google search does show lots of people on forums enabling Passthrough mode to get IPv6 working. So it seems pretty dangerous, and there is no warning or anything [1] that you are potentially exposing every device on your network to the internet (if that is indeed what it does).

Fortunately, my ISP has since implemented proper support for prefix delegation.

[1] https://www.asus.com/support/faq/113990/


I got curious about what "passthrough" might be doing and found this assertion [0], which reminded me of the existence of '6relayd' [1]. So I assume that that mode relays the RAs & etc, but replaces the link-local address in the RA & etc with that of the relaying interface.

[0] <https://www.snbforums.com/threads/ipv6-passthrough-disadvant...>

[1] <https://github.com/Yamatohimemiya/6relayd>


The Apple AirPort Extreme didn't by default until recently: https://support.apple.com/en-nz/103996

More like Extreme-ly bad router.

So, what side effect of NAT is making your server unreachable here? It sounds like you could turn the NAT off and it would be exactly as unreachable as it was when the NAT was on.

(Just to double-check... have you tried DHCPv6-PD? ISPs will normally only give your router a single IP on its WAN interface, or sometimes no IP on the WAN. Getting the routed prefix for the LAN-side networks involves doing a PD request, which is separate from requesting the WAN IP.)


With NAT your device does not have a publicly routable address. Attackers have no way of contacting you at all. Without NAT you have a publicly routable address and attackers can try reaching out to your device. You rely entirely on your device's and your router's firewall.

So it's not really about NAT although it ends up being a consequence—it's about having a truly private network "air gapped" from the public internet.


No, NAT only affects which IP your connections appear to be coming from. It doesn't change which IPs your devices actually have.

The person I replied to said that they only get a single v6 address. If that's true, it doesn't matter whether they have NAT or not; their network isn't going to have publicly-routable addresses either way.

If your network is air-gapped then no connections will be happening at all, in or out... and if you connect a router to both the Internet and to your network, and enable routing on it, then it's not air-gapped any more.


> No, NAT only affects which IP your connections appear to be coming from. It doesn't change which IPs your devices actually have.

Well no shit. The NAT is a requirement for devices without a publicly routable IP because if my router just sends packets out with a source address being my 192.168.1.101 local IP, my ISP is most likely just going to drop the packets.

You know this, I'm sure, so I'm really unsure what point you're trying to make.

> The person I replied to said that they only get a single v6 address. If that's true, it doesn't matter whether they have NAT or not; their network isn't going to have publicly-routable addresses either way.

Correction: It will have ONE publicly-routable IP, and if I assign it to my router, but don't use NAT, then none of my devices on the network will be able to talk to the Internet, either in or out.


The point was that turning NAT on or off doesn't affect whether your LAN is reachable or not. NAT just edits the source address of your outbound connections. It's irrelevant to how your inbound connections behave.

> Correction: It will have ONE publicly-routable IP, and if I assign it to my router, but don't use NAT, then none of my devices on the network will be able to talk to the Internet, either in or out.

Right, and then if you add NAT you'll be able to make outbound connections, but inbound connections will be unaffected and will still not work. So what is NAT doing here to prevent inbound connections, given that the exact same connections already didn't work before you were NATing?


Turn firewall off. Keep NAT on, internal addresses are still not reachable. You are protected against firewall misconfigurations as well as the outside world. Defense in depth.

NAT in its customary usage is a bit of a historical accident that as a side effect happens to make it basically impossible for non-technical people to expose their devices.


Again, I ask: what is NAT doing to make those internal addresses unreachable? What side effect of NAT is making it basically impossible to expose your devices?

In the post I was replying to, the hosts were already unreachable (or... mostly unreachable, not completely unreachable) before NAT was even in the picture.


I think the problem is that everyone else is operating under the assumption that all the computers on the network still need to be able to make outgoing connections to the Internet, and you're not.

If I want all the computers on my network to have Internet access, I have two options: Each gets a publicly routable IP, which results in all computers being exposed to incoming connections unless I have a firewall, or I get a single IP which gets assigned to my router, use NAT, and all my devices are no longer exposed to incoming connections unless I go out of my way to configure port forwarding on the router.

So when I talk about the "side effect of using NAT", I really mean "side effect of using NAT instead of assigning public IPs to each computer on my network".

Does that help clear things up?
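The two options above can be modelled directly. This is an added illustration, not code from anyone in the thread: a minimal NAPT router with a single public IP and no firewall rules at all, where every address and port is a constructed sample value. It shows why an unsolicited inbound packet has nowhere to go until a port forward exists, while replies to outbound flows still get through.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str      # source IP
    sport: int    # source port
    dst: str      # destination IP
    dport: int    # destination port


@dataclass
class NatRouter:
    """Single public IP, NAPT on the WAN side, deliberately no firewall rules."""
    public_ip: str
    # user-configured port forwards: public port -> (LAN IP, LAN port)
    forwards: dict = field(default_factory=dict)
    # dynamic translation table: public port -> (LAN IP, LAN port, remote IP, remote port)
    table: dict = field(default_factory=dict)
    next_port: int = 40000

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: record the flow and rewrite the source to the public IP."""
        for pub_port, flow in self.table.items():
            if flow == (pkt.src, pkt.sport, pkt.dst, pkt.dport):
                return Packet(self.public_ip, pub_port, pkt.dst, pkt.dport)
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.table[pub_port] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return Packet(self.public_ip, pub_port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: deliver only replies to recorded flows or explicit forwards.
        None means the packet has no LAN destination and is dropped."""
        if pkt.dst != self.public_ip:
            return None  # RFC 1918 LAN addresses are not routed on the Internet at all
        flow = self.table.get(pkt.dport)
        if flow and flow[2:] == (pkt.src, pkt.sport):
            return Packet(pkt.src, pkt.sport, flow[0], flow[1])
        if pkt.dport in self.forwards:
            lan_ip, lan_port = self.forwards[pkt.dport]
            return Packet(pkt.src, pkt.sport, lan_ip, lan_port)
        return None  # unsolicited: dropped without a single firewall rule


def demo() -> dict:
    """Walk through the cases argued in the thread with constructed sample addresses."""
    r = NatRouter(public_ip="203.0.113.10")
    probe = Packet("198.51.100.7", 5555, "203.0.113.10", 80)  # scan of the LAN web server
    results = {"unsolicited_to_web_server": r.inbound(probe)}
    # a LAN host browses out; the reply comes back through the recorded mapping
    out = r.outbound(Packet("192.168.1.101", 51000, "198.51.100.7", 443))
    results["reply_to_outbound"] = r.inbound(Packet("198.51.100.7", 443, "203.0.113.10", out.sport))
    # same remote host and public port, but a different source port: not the recorded flow
    results["wrong_source_port"] = r.inbound(Packet("198.51.100.7", 444, "203.0.113.10", out.sport))
    # only an explicit port forward finally exposes the LAN web server
    r.forwards[80] = ("192.168.1.101", 80)
    results["after_port_forward"] = r.inbound(probe)
    return results


if __name__ == "__main__":
    for case, delivered in demo().items():
        print(f"{case}: {'delivered to ' + delivered.dst if delivered else 'dropped'}")
```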


> my ISP still gives me only a single IPv6 address

This is criminal, and also incredibly uncommon. You should talk to your ISP, it's most definitely a misconfiguration of some kind, if not deliberate torture. Normally you get a /56 at least because there are so many and they cost nothing.


Not at all. In China, where I live, this is often the case.

Many Huawei routers do it by default: they serve ULAs on LAN and do nat6 to a single public v6 address.

It's not "deliberate torture", it's just the easiest way to implement things.


> they serve ULAs on LAN and do nat6 to a single public v6 address

I've never seen this and I'm curious: do they actually pick a random /48 out of fd00::/8 like they're supposed to?


Datapoint of 1: With Cox as my ISP, I can get a /64 just by configuring my DHCPv6 client to request it, but if I wanted a /56 or /48 I would have to contact someone at my ISP.

I'm beginning to think it might be a US thing. Every time there's an ISP horror story, it's always the US.

There are exceptions, my ISP is Sonic and /56 prefix delegation works flawlessly with them.

Nah, we have the same thing in China.

Same at my place. I get a /64 prefix and my router simply cannot work with that at all.

What does IPv6 /56 cost if I would like to buy one for a server?

AWS will give you a "permanent" /56 for free in each region (in their address space, obviously)

What ISP gives you a single IPv6 address? That's incredibly comical. An ISP would have at least 79 billion billion billion addresses and they are giving you one?!

If I run a webserver on my network I know it's unreachable from the internet unless I specifically allow inbound traffic to it at my firewall. I get to use the actual security features with sensible terminology instead of silly things like "port forward".


> My ISP does not give me an IPv6 address, only a single IPv6 which all my network devices have to NAT through.

Interesting how that works in your case. Does your router give your devices IPv6 from fc00::/7 and then NAT them? It would be a rather rare case.


I'm really curious too. It's probably fd00::/8 though right? fc00::/8 is technically still reserved, although everyone seems to ignore that...
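The RFC 4193 procedure those two comments refer to, as an added example rather than code from the thread: the Global ID is the low 40 bits of SHA-1 over the NTP time and an EUI-64, the L bit is set (hence fd00::/8), and fc00::/8 has no defined use. The EUI-64 is passed in by the caller; the random bytes in the `__main__` block are a stand-in for a real interface identifier, which is an assumption of this example.

```python
import hashlib
import ipaddress
import os
import time

ULA_BLOCK = ipaddress.IPv6Network("fc00::/7")  # RFC 4193 unique local address block
LOCAL_ULA = ipaddress.IPv6Network("fd00::/8")  # L bit = 1: locally assigned Global ID


def ntp_now() -> int:
    """Current time in 64-bit NTP format: seconds since 1900 in the high 32 bits."""
    t = time.time() + 2208988800  # Unix epoch -> NTP epoch offset
    sec = int(t)
    return (sec << 32) | int((t - sec) * (1 << 32))


def generate_ula_prefix(eui64: bytes, ntp_time: int) -> ipaddress.IPv6Network:
    """RFC 4193 section 3.2.2: Global ID = low 40 bits of SHA-1(NTP time || EUI-64),
    giving fdXX:XXXX:XXXX::/48 rather than a hand-picked fd00::/48."""
    if len(eui64) != 8:
        raise ValueError("EUI-64 must be exactly 8 bytes")
    digest = hashlib.sha1(ntp_time.to_bytes(8, "big") + eui64).digest()
    global_id = digest[-5:]  # least significant 40 bits of the hash
    # 0xFD = fc00::/7 with L=1, then the Global ID, then zero subnet ID and interface ID
    return ipaddress.IPv6Network((bytes([0xFD]) + global_id + bytes(10), 48))


def classify(addr: str) -> str:
    """Tell fd00::/8 (locally assigned) apart from fc00::/8 (L=0, still reserved)."""
    a = ipaddress.IPv6Address(addr)
    if a not in ULA_BLOCK:
        return "not a ULA"
    if a in LOCAL_ULA:
        return "ULA, locally assigned (fd00::/8)"
    return "ULA with L=0 (fc00::/8): reserved, not meant to be assigned"


def global_id_looks_random(prefix: str) -> bool:
    """Smell test for a router's ULA: fd00::/48 or fd11:1111:1111::/48 suggest a
    hard-coded value rather than the pseudo-random draw RFC 4193 asks for."""
    net = ipaddress.IPv6Network(prefix)
    gid = (int(net.network_address) >> 80) & ((1 << 40) - 1)
    nibbles = {(gid >> shift) & 0xF for shift in range(0, 40, 4)}
    return len(nibbles) > 1


if __name__ == "__main__":
    # No real interface EUI-64 here, so random bytes stand in for it (assumption)
    prefix = generate_ula_prefix(os.urandom(8), ntp_now())
    print(prefix, classify(str(prefix.network_address)), global_id_looks_random(str(prefix)))
```

Feeding a router's advertised prefix to `global_id_looks_random` is a quick way to answer the "random /48" question for a device you own.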

Discord can be great when people treat it properly. That is, treat it as IRC for the modern age, rather than a replacement for forums.

Just like in IRC, you probably don't care about most messages. You don't need to be in every conversation. But it can be a great way to just jump into a live conversation or start a new one.


Just like IRC. Except 1 giant server, 1 owner logging everything. Don't ask how it sustains itself though. It still doesn't. People let their guard down in such lax environments and many even run their entire business comms on an unencrypted app as a result too. People should know better.

In a lot of ways, this is a major regression as far as security and redundancy is concerned.

There's also the good old saying: Don't build your castle in somebody else's Kingdom. Bot developers definitely learned that recently. I don't have a lot of pity for bot developers though as many are truly, in fact, scraping data and doing other undocumented things with it (Spy Pet wasn't and won't be the only one). All I'm going to say on the matter!


>1 owner logging everything.

Everything in Discord is also filtered through a classifier or a generative model, so their provider also has access.


> Discord can be great when people treat it properly. That is, treat it as IRC for the modern age, rather than a replacement for forums.

For certain needs, like support, forums are abysmal too. See Unraid as an example. Got a problem? Drill through ten different 20-page long discussions with no clear answer.


Alternatively, they tell you "use the search function" despite it being well-known how terrible it is.

There are grammatical mistakes and abbreviations, big tells that it's NOT ChatGPT.

I wish I could examine your brain to understand how you think "Massive trucks are useful for construction" is a good counterargument to people using them as daily drivers.

Transit is the alternative for daily drivers, not cars.

> One final factor that can impact how long your car lasts is good, old-fashioned luck. Unfortunately, luck is one factor completely out of your control. You have control over the way you drive, but not the way others drive. Even if you are a defensive driving expert, you can still find yourself involved in a car accident.

So the numbers are calculated including traffic collisions in the life span calculation.

I wonder what the actual number is if you exclude traffic collisions? "How often should I expect to have to replace my car" and "How long should I expect a car to last" aren't quite the same question.


I would say they are the same question if you expect to always replace the car at its end of life. I don't see the distinction you're making.

I've always gotten the impression that China is becoming a technological manufacturing powerhouse because of massive investment by the Chinese government, whereas America is falling behind because the government giving grants to corporations is incredibly unpopular because of the belief that the investment is just going to get pocketed by the CEO and board of directors and spent on stock buybacks rather than the development the people and the government wanted to see.

Even if the money is spent properly, it's still highly criticized. I can't tell you how many times I've seen people complain that Tesla was only successful because of massive government grants.

Am I off base here?


In fairness to the US system, it’s certainly better than the European system or pretty much all but a few around the world. Yes, there is corruption, inefficiency and the largest subsidies are often for huge corporations that obtained them by buying politicians, but! The US government still manages to fund the cutting edge in 2026 in countless fields, to fund real American manufacturing, if you want to get grants you have a real shot at real money regardless of who you are, etc. In China you’re not getting a dime without the right political opinions. In Europe you have to be part of a very specific academic-professional class. In the US you can be anyone.

The thing about China is that they’re more strategic with their money and have longer timelines and clear, achievable visions. If you read the Wikipedia page for Made in China 2025 you’ll get the wrong impression that their success is due to more recent pushes; the vision is far more universal and has existed for far longer. You don’t get to the forefront of advanced manufacturing from nothing in ten years. Look at the 5th and 6th Five-Year Plans, into the seventh… you see the groundwork laid for present day China. The US rarely does that sort of long term thinking or planning these days, and it’s not even about the political winds changing or short-termism as much as that we lack one unified vision. Without that unified vision you can’t plan long term and you also can’t correct glaring problems. For example, if we had a unified vision on manufacturing, an obvious issue would be the lack of an American JLCPCB. You could create one with a stick and carrot approach, tariff assembled PCBs, new rule that any imported assembled PCB has to prominently display “electronics made in China”, smart subsidies for US board houses that encourage scaling and cost reduction. But that level of cohesion and vision rarely happens in the US and so we get a chaotic hodgepodge.


Nope, you are spot on. The broad argument is "Engineers are in power in China, lawyers in America." I see the US as no different as when Boeing and McDonnell Douglas merged; everything about making and building takes a back seat to line go up. Well, you can't eat, live in, build with, or go to war with line go up. The stock market is not the economy, nor your industrial and manufacturing base. But it keeps going up, so everything must be fine, right?

https://en.wikipedia.org/wiki/Five-year_plans_of_China

https://en.wikipedia.org/wiki/Made_in_China_2025

https://en.wikipedia.org/wiki/State-owned_Assets_Supervision...

Dan Wang: 2025 Letter - https://news.ycombinator.com/item?id=46454413 - January 2026 (323 comments)

(Dan Wang’s book, Breakneck [https://danwang.co/breakneck/], is excellent and I highly recommend on this topic as others do in the above thread)


That book has been on my list since I heard him on this podcast: https://hiddenforces.io/podcasts/chinas-quest-to-engineer-th...

Where do you think that money came from... American consumers. It was a race to the bottom and for the last few decades, the bottom was China.

The new bottom has been moving to Vietnam, etc.


What's stopping you from creating a "localhost.mydomain.com" DNS record that initially resolves to a public IP so you can get a certificate, then copying the certificate locally, then changing the DNS to 127.0.0.1?

Other than basically being a pain in the ass.


One can also use the DNS-01 challenge in that scenario.

> Are IP addresses more transient than a domain within a 45 day window?

If I don't assign an EIP to my EC2 instance and shut it down, I'm nearly guaranteed to get a different IP when I start it again, even if I start it within seconds of shutdown completing.

It'd be quite a challenge to use this behavior maliciously, though. You'd have to get assigned an IP that someone else was using recently, and the person using that IP would need to have also been using TLS with either an IP address certificate or with certificate verification disabled.


Ok, though if you're in that situation, is an IP cert the correct solution?

It's probably not a good solution if you're dealing with clients you control.

Otoh, if you're dealing with browsers, they really like WebPKI certs, and if you're directing load to specific servers in real time, why add DNS and/or a load balancer thing in the middle?

