
IP Addresses Through 2025

194 points | 18 days | potaroo.net

Fiveplus 18 days ago

The collapse in IPv4 transfer prices is what caught my eye here, dropping from a ~$55 peak in 2021 to a mean of $22 in early 2026 (figure 12).

This validates my hypothesis that the run-up in 2020–2022 was an artificial scarcity bubble driven largely by hyperscalers. AWS was right up there stockpiling before they shifted their pricing model. Once AWS introduced the hourly charge for public IPv4 addresses (effectively passing the scarcity cost to the consumer), their acquisition pressure vanished. The text notes Amazon stopped announcing almost 15M addresses in Nov 2025. I think they have moved from aggressive accumulation to inventory management.

We are seeing asset stranding in real-time. The market has realized that between the AWS tax and the efficacy of mobile CGNAT, the desperate thirst for public v4 space was not infinite. I'm curious to hear more takes on this.

JulianHart 18 days ago

The CGNAT point is underrated. Carriers have zero incentive to move away from it - thousands of users per public IP, no transition cost.

The interesting downstream effect is on IP reputation systems. Traditional detection assumed 1 IP = 1 user. CGNAT breaks that entirely - platforms can't aggressively filter mobile carrier IPs without blocking legitimate customers by the thousands.

Makes sense the IPv4 price dropped once mobile networks proved you can serve massive user bases with relatively few public addresses.

patmorgan23 18 days ago

Except CG-NAT boxes are expensive, and introduce another point of failure into the network. Most mobile carriers are running IPv6 first networks these days anyway.

Like you said, CG-NAT does have the benefit of making v4 address reputation less reliable, which means it's not as big a deal for the transition to v6.

pixl97 18 days ago

>CG-NAT does have the benefit of making v4 address reputation less reliable

heh, less reliable is doing a lot of heavy lifting there. You mean "complete and total trash". We need to get to the point where Cloudflare/AWS/some other big sites just block CG-NAT nodes for a day going this IP address is a risk.

Instead if you're a website, instead of doing an easy block by IP, you're left filtering out AI crawlers, spammers, and lots of other crap hiding behind a single IP with thousands of other users behind it, and ISPs that don't really give a shit about doing anything about it.

We need to push the value of IPv4 to nearly zero and finally move away from that crap.

wcfields 18 days ago

Anecdotally on how this affects the day to day user experience: I just deployed T-Mobile 5G Business Internet to a temporary pop-up art space (it's only active for a few months) and I'd say twice daily I get a CAPTCHA challenge on Google search.

pixl97 18 days ago

And I hope it gets worse for users behind CG-NAT to the point that websites and ISPs move to IPv6.

kalleboo 17 days ago

I would have thought that a 5G connection would have IPv6 and wouldn't need CGNAT to Google properties

SchemaLoad 17 days ago

I wonder if all these new tools that punch through CGNAT like tailscale will end up breaking it when they force these NAT boxes to maintain tons of long lived connections.

With the uptake in smart home and internet connected CCTV by consumers, things could dramatically shift.

anyfoo 17 days ago

I personally hate CGNAT, but I cannot deny that nowadays, the overwhelmingly vast majority of customers most likely does not care (and much less know) that they are behind CGNAT, so this is valid.

Come to think of it, for my use cases, I would probably be fine to be behind IPv4 NAT as long as I also have an un-NATted IPv6 prefix. But a big part of the question here of course is whether IPv6 adoption is worthwhile...

zokier 18 days ago

It is noteworthy that in 2020 AWS had very limited ipv6 support, but these days they have at least some support in the most critical services.

WorldMaker 18 days ago

> efficacy of mobile CGNAT

At driving the majority of mobile traffic to IPv6? Otherwise, it seems hard to describe mobile CGNAT as efficacious to me.

inemesitaffia 18 days ago

Amazon LEO

Aka Kuiper

>stopped announcing almost 15M addresses in Nov 2025

dlcarrier 18 days ago

As someone with a background in electronics who doesn't manage any internet-connected equipment but has multiple embedded devices connected to a WAN, I'm glad that IPv4 still seems to have a bit of life left in it.

When IPv6 was developed, over 30 years ago, connecting everything to the internet seemed like a great idea. I know that IPv6 can be made secure, but I don't have the background or research time to learn how to do so, and the NAT-by-default of IPv4 effectively means that I get the benefit of a default-deny security strategy that makes it impossible to accidentally directly connect anything to the internet.

I'm hoping I can keep using IPv4 until IPv8 or IPv4.5 or whatever comes next is developed with the modern proliferation of cheap insecure IoT in mind.

For some background on why IoT products are so insecure:

Hardware manufacturers don't really comprehend the idea of updates, let alone timely security patches. Hardware has to work on the day of release, so everything is documented and tested to verify it will work. I have hardware with a TCP/IP stack that was released 20 years ago (https://docs.wiznet.io/Product/Chip/Ethernet/W5500) and doesn't have a single errata published, despite widespread use. This is expected for every single component, for even the smallest 1-cent transistor, which has dozens of guaranteed performance characteristics laid out over several pages of documentation (https://en.mot-mos.com/vancheerfile/files/pdf/MOT2302B2.pdf).

When manufacturers venture into a product that runs software, they don't realize that for a given complexity, working through undocumented or, worse yet, incorrectly documented APIs takes more time than the equivalent hardware development and documentation. I've worked on multiple projects where software bugs were fixed with hardware workarounds, because it's faster, cheaper, and easier to develop, test, document, retool, and add a few cents of bill-of-materials cost per product, than to get reliable output from the already-written library that's supposed to provide the functionality.

The hardware TCP/IP stack that I linked to was developed at a time when it was the cheapest way to connect a low-power embedded system to a network. Modern low-power embedded systems have multiple cores running at hundreds to thousands of MIPS making the resources to run a software TCP/IP stack trivial, but the product still sells well, because when security is an absolute must, the hardware development and maintenance cost for the functionality is still cheaper than through software, even when there's no marginal cost to run the software.

johnmaguire 18 days ago

> the NAT-by-default of IPv4

IPv4 is not NAT-by-default. The reality of the world we live in today is that most home networks have a NAT, because you need multiple devices behind a single IP.

That said, I agree: it's quite unknowable how many services I've turned on on local machines with the expectation that a router firewall sat between me and potential clients.

But that doesn't go away with IPv6 - the NAT does, the router doesn't, and the firewall shouldn't either. For example, the default UniFi firewall rules for IPv6 are: 1. Allow Established/Related Traffic (outbound return traffic), 2. Block Invalid Traffic, 3. Block All Other Traffic

You must explicitly open a firewall rule for inbound IPv6 traffic. NAT is not the firewall.

cyberax 18 days ago

> NAT is not the firewall.

NAT _is_ a firewall. And a much safer one than IPv6 firewalls, because NAT will fail safe if misconfigured.

simoncion 18 days ago

> I know that IPv6 can be made secure, but I don't have the background or research time to learn how to do so, and the NAT-by-default of IPv4 effectively means that I get the benefit of a default-deny security strategy that makes it impossible to accidentally directly connect anything to the internet.

To get the "unsolicited traffic is rejected or dropped" behavior of the typical IPv4 NAT, forward inbound traffic that's related to an established connection and drop or reject the rest.

You can also use the exact same NAT techniques you use for IPv4 addresses with IPv6 addresses. The only differences are that instead of you using RFC 1918 Private Internets addresses (10./8 and friends) you use RFC 4193 ULA addresses (fd00::/8), and you need the usual NAT rules on your edge router, except for IPv6, rather than IPv4. Remember that IPv6 is still IP, just with larger addresses.

It's recommended that you generate your ULA subnet rather than selecting one by hand, but absolutely nothing stops you from choosing fd::/64. If you're statically assigning addresses to your LAN hosts, then your router could be -say- fd::1 and you count up from there. Also note that DHCP exists for IPv6 [0] and is used by every non-toy OS out there except for Android.

> I'm hoping I can keep using IPv4 until IPv8 or IPv4.5 or whatever comes next...

IPvnext is not happening in either of our lifetimes. You're either going to have to buy edge gear that's set up with a "reject or drop unsolicited inbound forwarding traffic" firewall, or learn how to set it up yourself. Either path is not hard. Well, I guess there's secret option #3: "Die without doing either.". That's also not hard.

[0] It has been around for nearly twenty-three years.
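
As an added example (not from the thread): generating a ULA /48 the way RFC 4193 section 3.2.2 describes, by hashing an NTP-format timestamp and a system identifier with SHA-1 and keeping the low 40 bits as the Global ID. The function names and the sample MAC address are constructed for illustration.

```python
import hashlib
import os
import struct
import time
from ipaddress import IPv6Network

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)


def ntp_timestamp(unix_time: float) -> bytes:
    """64-bit NTP timestamp: 32-bit seconds since 1900 plus 32-bit fraction."""
    seconds = (int(unix_time) + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    fraction = int((unix_time % 1) * 2**32)
    return struct.pack("!II", seconds, fraction)


def eui64_from_mac(mac: bytes) -> bytes:
    """Modified EUI-64 from a 48-bit MAC: flip the U/L bit, insert ff:fe."""
    if len(mac) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return bytes([mac[0] ^ 0x02]) + mac[1:3] + b"\xff\xfe" + mac[3:6]


def generate_ula_prefix(unix_time=None, system_id=None) -> IPv6Network:
    """Return a pseudo-random fdXX:XXXX:XXXX::/48 prefix (RFC 4193, 3.2.2)."""
    if unix_time is None:
        unix_time = time.time()
    if system_id is None:
        # Assumption for this example: when no EUI-64 is supplied, random
        # bytes stand in as the "suitably unique" local identifier.
        system_id = os.urandom(8)
    digest = hashlib.sha1(ntp_timestamp(unix_time) + system_id).digest()
    global_id = digest[-5:]  # least significant 40 bits of the 160-bit digest
    # fc00::/7 with the L bit set gives the leading byte 0xfd.
    return IPv6Network((b"\xfd" + global_id + bytes(10), 48))


def lan_subnet(prefix: IPv6Network, subnet_id: int) -> IPv6Network:
    """Carve the /64 with the given 16-bit subnet ID out of a /48 ULA prefix."""
    if prefix.prefixlen != 48 or not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("need a /48 prefix and a 16-bit subnet ID")
    return IPv6Network((int(prefix.network_address) | (subnet_id << 64), 64))


if __name__ == "__main__":
    # Constructed sample MAC (locally administered), not a real device.
    sample_id = eui64_from_mac(bytes.fromhex("020000000001"))
    site = generate_ula_prefix(system_id=sample_id)
    print("site prefix:", site)
    print("LAN subnet 1:", lan_subnet(site, 1))
```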

dlcarrier 17 days ago

Yeah, that's the kind of stuff that I know how it works from a network protocol standpoint, but have no clue how to configure on any given system, let alone verify I configured it correctly. I installed DD-WRT on my router, hoping it would be easier to set up. The user interface was much easier to navigate, but the labels of the settings were so sparse that I couldn't tell what anything was referring to, even knowing the terminology for the lower layers of network protocols. I wouldn't be surprised if I never get around to working on it in my lifetime, as long as I can play around with electronics projects.

Regarding Android OS, I'm not convinced it isn't a toy OS. I feel like they threw in the Linux kernel, but didn't bother including most of the useful features, and pat themselves on the back whenever they add one back. It took almost a decade before they figured out that you could install fonts without reinstalling the operating system. If they ever discover DKMS, we can stop throwing our phones away every few years, and have some actually useful hardware. Then again, it took Apple two years to add copy and paste to a phone, so maybe it's an industry-wide problem. If I could buy a modern Jornada 700 series running Linux or BSD, I'd never need to pick up an Android or iOS device again.

simoncion 17 days ago

> DD-WRT

Since you're in the mood for experimentation, you might try OpenWRT. They even have a somewhat-fancy-shmancy configuration GUI called LuCI.

themafia 18 days ago

I don't think you even need a stateful firewall. If it's an IoT device that's not meant to provide services to the internet then it seems to me you can just drop all non local subnet originated traffic and get most of the security you would expect with NAT.

oasisbob 18 days ago

If you want to drop all non-local subnet originated traffic, you need to keep state. Otherwise, how can you tell which side originated the flow?

Even that is only a partial solution - UPNP hole punching exploits holes in this logic to allow peer-to-peer traffic into a network which otherwise has a default-deny ACL.
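
An added illustration (not part of the thread) of why telling which side originated a flow needs state: a toy Python model that runs the same packets through a stateless source-prefix rule and through the "allow established, block invalid, block the rest" order listed earlier in the thread. The addresses, names and flow-table model are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network

# Constructed sample addresses from the 2001:db8::/32 documentation range.
LAN = IPv6Network("2001:db8:1::/64")
CAMERA = IPv6Address("2001:db8:1::50")      # hypothetical IoT device on the LAN
CLOUD = IPv6Address("2001:db8:ffff::10")    # hypothetical server it calls out to
SCANNER = IPv6Address("2001:db8:bad::66")   # hypothetical unsolicited sender


@dataclass(frozen=True)
class Packet:
    src: IPv6Address
    sport: int
    dst: IPv6Address
    dport: int
    syn: bool = False  # True only for the opening TCP SYN of a flow


def stateless_forward(pkt: Packet) -> str:
    """No memory between packets: forward only what is sourced from the LAN."""
    return "accept" if pkt.src in LAN else "drop"


class StatefulForward:
    """Forward policy with a flow table (a toy model of connection tracking).

    Simplified on purpose: TCP only, no timeouts, no teardown handling.
    """

    def __init__(self, lan: IPv6Network):
        self.lan = lan
        self.flows = set()  # 4-tuples, stored in the direction they were opened

    def decide(self, pkt: Packet) -> str:
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Rule 1: allow established traffic, i.e. either direction of a known flow.
        if forward in self.flows or reverse in self.flows:
            return "accept:established"
        # Rule 2: block invalid traffic (mid-stream packet matching no flow).
        if not pkt.syn:
            return "drop:invalid"
        # New flows may only be opened from the LAN side; remember them.
        if pkt.src in self.lan:
            self.flows.add(forward)
            return "accept:new-from-lan"
        # Rule 3: block all other traffic.
        return "drop:unsolicited"


def demo() -> dict:
    """Run the constructed packets through both filters and collect verdicts."""
    fw = StatefulForward(LAN)
    out = Packet(CAMERA, 40000, CLOUD, 443, syn=True)     # camera opens a flow
    reply = Packet(CLOUD, 443, CAMERA, 40000)             # server answers it
    probe = Packet(SCANNER, 55555, CAMERA, 80, syn=True)  # unsolicited inbound
    return {
        "stateless_out": stateless_forward(out),
        "stateless_reply": stateless_forward(reply),
        "stateful_reply_before_out": fw.decide(reply),
        "stateful_out": fw.decide(out),
        "stateful_reply": fw.decide(reply),
        "stateful_probe": fw.decide(probe),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28} {verdict}")
```

The stateless rule drops the server's reply along with the probe, so the camera's own outbound connection breaks; the stateful policy accepts that reply only after it has seen the camera open the flow.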

ianburrell 18 days ago

IPv6 is just as secure as IPv4. NAT usually combines address translation with a stateful firewall. I remember when they were separate things. IPv6 has the stateful firewall, all the same security but without the mess of address translation.

Also, if you have devices connected to WAN, then they are insecure because they are not NATed.

dlcarrier 17 days ago

Oops, I meant to say LAN, not WAN.

huslage 18 days ago

NAT is not a security measure at all. It just obscures what's behind a firewall, but that is leaky and not reliable from a security perspective. It might make you feel better, but that is not security.

dlcarrier 17 days ago

A firewall has nothing to filter, if nothing is routed to it. My IoT devices communicate with a server running in my network. As long as I am behind an IPv4 router, their communications to that server will never make it to the internet, and any communications from the internet have no way of addressing any device on my network. I literally can't add any security to a firewall because there's no communications to handle. Sure, I have personal computers on the same network, which aren't on a separate VLAN because I'm not familiar enough with my router to set that up, so a compromised PC could forward attacks to my IoT devices, but the firewall would be useless at that point.

If I have an IPv6 router, I can misconfigure it in a way where all of my internal communications between IoT devices work as expected, but they also have discoverable addresses on the internet. This would give the firewall something to do, but I'd rather there be no route in the first place.

Also, if I trusted myself to properly configure my router for IPv6, I would put all of my IoT equipment on ULAs, which much like an IPv4 NAT would leave me with nothing to configure in the firewall.

If I were to take your claims at face value, using GUAs with packet filtering is far more reliable and secure than ULAs, and that seems preposterous.

A properly configured firewall for sure adds security, but isolation always wins out.

pixl97 18 days ago

Yea, people consider NAT a firewall, but at best it stops direct connections from outside. People use this as a rationale to not secure individual devices on the network. Then the moment a single device on your network is compromised (do you really trust that Chinese IOT device?) every host that doesn't have its own firewall is at risk.

With IPv6 you at least say "Holy crap, anyone could connect to this, I better secure it from outside and inside attacks" which is how actual security works.

immibis 18 days ago

For some background why IoT products will stop being insecure: if you sell one in the EU, you're liable for all the damage your botnet causes.

Luckily, common EU home routers have firewalls, even for IPv6. And it's so much easier to punch holes on purpose! Instead of messing with port forwarding and internal and external IP addresses, you can just say "this device is a server, please allow traffic on port 80 and 443, thank you"

dlcarrier 17 days ago

I don't see how the logistics for that would work. Even when you know what devices are part of a botnet, which itself is no easy task, each device in a botnet is only doing cents worth of damage, and mostly to the target, but product liability only applies to the owner of the product.

Also, everyone I know that lives in Europe (although most of them not within EU countries) imports their IoT controllers directly from China or the US, because there is very little available from manufacturers in Europe.

newsoftheday 18 days ago

When AWS rolled out plans to start charging for IPv4 addresses:

https://aws.amazon.com/blogs/aws/new-aws-public-ipv4-address...

"As you may know, IPv4 addresses are an increasingly scarce resource and the cost to acquire a single public IPv4 address has risen more than 300% over the past 5 years. This change reflects our own costs and is also intended to encourage you to be a bit more frugal with your use of public IPv4 addresses and to think about accelerating your adoption of IPv6 as a modernization and conservation measure."

Their move disgusted me and I moved from AWS to OCI.

knollimar 18 days ago

What disgusted you about it? I'm out of the loop

jdsully 18 days ago

They hadn't bothered to add ipv6 support to most of their services and the ones that did have it usually were only dual stack - still requiring an ipv4 address.

knollimar 18 days ago

That sounds like a failure in every direction. I see why you moved

newsoftheday 18 days ago

It was clearly a corporate money grab, not an altruistic motion as they made it sound.

blakesterz 18 days ago

This closes on a bit of a downer:

  "As the Internet continues to evolve, it is no longer the technically innovative challenger pitted against venerable incumbents in the forms of the traditional industries of telephony, print newspapers, television entertainment and social interaction. The Internet is now the established norm. The days when the Internet was touted as a poster child of disruption in a deregulated space are long since over, and these days we appear to be increasingly looking further afield for a regulatory and governance framework that can challenge the increasing complacency of the very small number of massive digital incumbents. 

  It is unclear how successful we will be in this search for responses to this oppressive level of centrality in many aspects of the digital environment. We can but wait and see."

bigbadfeline 18 days ago

> We can but wait and see.

Don't bring technology to a political fight, the hoarders've got more tech than you, "wait and see" is what a bag of sand does at the gun range.

dlcarrier 18 days ago

If you think the time that a given social network spends at the top is long now, wait until there's a "regulatory and governance framework" knocking out most newcomers.

tokyobreakfast 18 days ago

The real story here is China and India have been quietly buying up gobs of African IP blocks - most of which are used for botting operations. I see it in my server logs.

China already de-facto owns half of Africa so it's natural they would prey on their scarce IP resources as well.

When you see AI scraping at a massive scale originating from $AFRICAN_COUNTRY IP space, and that country's GDP is smaller than Rhode Island, you sure as shit know someone else is behind it.

rendx 18 days ago

I see this often that people refer to countries as actors. Are you implying that the government of these countries bought those resources and they're now owned by the government? Or are you saying that citizens/corporations of those countries are buying? I find it weird, I wouldn't use the phrase "The United States is buying XYZ" unless it was the current government doing so?

tokyobreakfast 18 days ago

Both.

In the case of China, I believe it's government or CCP-controlled entities, and the end-game is something more nefarious.

For India, IMO it's private industry. They're just trying to make a buck.

landl0rd 18 days ago

China does not have a meaningful distinction between private industry and the state. She also maintains a level of surveillance and control, particularly in the IT world, that makes this hard with some level of government sanction.

Andrex 17 days ago

Sidebar: I've never stopped and considered the gender of nations, but in the tradition of ships I guess it makes sense.

butvacuum 18 days ago

It seems to be widely accepted that the Chinese State (don't know about India) often imposes on or sponsors citizens to perform actions it finds advantageous.

And, I'd say, the US is known to do this. I'll lead with 'Project Azorian' to back it up.

Earendil137 18 days ago

India does it too. You see it on all socials as well as reddit. Brain dead posts and comments praising the current govt or gate against anyone criticising.

TrueDuality 18 days ago

I'm not sure the distinction matters, and attribution is inherently hard and easy to get wrong. I frequently read Country X is doing Y, less as an indicator of government action and more of a signal that we can't be more specific of who within the country is performing an action but we know the behavior is occurring there.

In the case of IP address purchases, these are publicly tied to specific public and private entities and can be easily queried through the regional registries. These private entities are frequently the same kind of shell company you'll get with hiding shady financial details.

pixl97 17 days ago

>Are you implying that the government of these countries bought those resources and they're now owned by the government

You have to take these issues with nuance instead of looking at them black and white.

If the US government gives you a billion dollar subsidy to do some particular action, is the action that is done the will of the corporation or the will of the government?

If the US government is paying private companies to 'gain information on' foreign entities, is that the will of the private companies or of the government itself?

If when a US company acquires a resource the US government can ask nicely for it with the threat of implied violence if you don't give it, is that a private resource or not?

And, note, I'm talking about the US that has relatively strong property rights and not about China where the government has far more leeway with the operation of companies, and absolutely uses them for nation state level information gathering.

WarmWash 18 days ago

In the US, the government can apply pressure and bargain with companies for favor, but there is no legal requirement of companies agreeing (shy of court orders). Far more than cases of corporate compliance with the government are cases of corporate defiance.

In China, there is no meaningful difference between the party and any Chinese company. Companies are seed funded by the state and carry the will of the state. There is no "come back with a court order" in China. And even if there was, the courts are also just another arm of the party.

snowwrestler 18 days ago

I pay close attention to IPv4 addresses for outgoing emails. At work we use several email services and pay for a dedicated IP(v4) at each. And when we provision a new service, we expect our new IP address to be “clean,” by which I mean it is ideally not found on any email reputation list.

For websites and services I don’t care. Some hosting platforms publish via CNAME, and some via A and AAAA records. Most seem to use a mix of v4 and v6 addressing.

The falling price of IPv4 addresses looks to me like we’ve made it to other side of the IPv6 rollout: demand for IPv4 is falling faster than supply now. Not clear if those prices are adjusted for inflation; the post-COVID spike looks like a lot of other nominal price graphs. If not, then the recent price drop is even more dramatic than it appears.

Perhaps in the long run, IPv4 becomes an artisanal choice for uses that depend on stable IP reputation: email sending, primarily. And everyone else relies on TLS for reputation signals, not caring about the IP address.

hnuser123456 18 days ago

There is a growing grey market for IPv4 still, though, and probably always will be. It seemed like people were treating them like crypto for a while. Still people out there trying to re-route old abandoned ranges. There are still a lot of legacy ranges that belong to defunct organizations and never got properly sold.

cyberax 18 days ago

> dig AAAA github.com
> dig AAAA amazon.com

Hm...

It's more likely that the widespread deployment of CGNAT and 464XLAT in mobile networks made the IPv4 scarcity a non-issue. Some CGNAT solutions can multiplex more than 20000 devices onto a single IPv4 address.

I'm a very early adopter of IPv6, and I _still_ have operational issues with it.

betaby 17 days ago

amazon.com is an IPv4-only redirector to www.amazon.com which is dual-stacked.

The same is true for amazon.fr.

SchemaLoad 17 days ago

In the future we will have v6 only clients making v4 almost worthless since not all users will be able to connect to it.

assimpleaspossi 18 days ago

Just yesterday--and I don't know how I wound up there--I looked at RFC1166 (from 1990) which is "a status report on the network numbers and autonomous system numbers used in the Internet community." There's a long list of companies and individuals who were assigned "internet numbers". To my surprise, my real name is listed there! I have no clue why.

petercooper 18 days ago

Not to spoil the article (but there's a lot in there) but I was particularly intrigued by the ongoing tumbling of the price of IPs. After peaking in 2022, "these days the low price of $9 per address is back to the same price that was seen in 2014."

Bluecobra 18 days ago

I was also surprised to find that out the other day when someone on Reddit was complaining they couldn’t get a good price on a /17 they were hoarding to sell for a profit. Good riddance.

bastardoperator 18 days ago

There is no shortage. Go look at IPXO, you can sublease any block size. The RiR's should be reclaiming these unused addresses, but instead the ASN is allowed to sit on them or rent them out, regardless they're not being used. The shortage is caused by hoarding and RiR's not doing their job.

ilvez 17 days ago

During the holidays I refactored my home network. It was a fun project and I'm still kind of tinkering with it. At one point I decided that now let's go all in on IPv6 and it works now. Only thing that I couldn't do was route traffic from internet to my end devices, because I understood my ISP and the provided modem. I'm yet to pressure them, maybe they can do it manually for me.. But I'm glad I did it and getting 10/10 in https://test-ipv6.com/ is satisfying. At least this home traffic contributes to migration..

I'm thinking about going full on IPv6 now with NAT64, but that's a stretch already, because it needs upgrading a gear.

jcgl 11 days ago

Fwiw (in case it hadn't occurred to you already), there's no technical requirement to run your NAT64 on your router/modem/CPE. You could run the NAT64 on a Raspberry Pi or some other little device for instance.

rmoriz 18 days ago

There are plenty of vectors left to squeeze the existing IPv4 space especially all the Legacy assignments held by deceased companies and individuals. There is no procedure to reclaim them. Even when you invest time and money to find the relatives, the RIR may decline a transfer so nobody invests here as long as plenty of former hosting, colocation and regional access providers leave the market after their customers moved to the US hyperscalers or out of business.

I think around 2000 every new LIR at RIPE got a /19 allocation. Smaller companies are now almost 30 years old and the founders divest their assets step by step unless someone buys everything.

1970-01-01 18 days ago

I'm interested in any new successful startups going full IPV6 from the beginning. Once we cross that bridge, where your internal IPV4 knowledge is equivalent to token ring knowledge, there's nothing else to watch.

awestroke 18 days ago

Github still refuses to switch on support for ipv6 traffic for some reason, so you can't interact with github then

Andrex 17 days ago

There has to be a tech reason (beyond the normal) for that, right? What could it be?

massysett 18 days ago

Relatedly: wouldn't there be many applications for which ipv4 isn't needed?

For example, Walmart has electronic eink shelf tags they can update remotely. Each one needs a unique address. I wouldn't think it needs ipv4. It doesn't have to connect to the SpaceJam website.

I would think that as time goes by, the number of these new devices would swamp the number of old ones that need ipv4. v4 would still be around and might even seem important to the fogies using web browsers on laptops...meanwhile the street lamp has five ipv6 addresses and no ipv4 ones.

kalleboo 17 days ago

An example of this is Matter, the new industry standard for IoT devices. It uses IPv6 addressing, so if you want your IoT devices bridged onto your LAN, your LAN needs to support IPv6.

https://en.wikipedia.org/wiki/Matter_(standard)

Aloisius 17 days ago

While definitely not a startup, the National Archives made https://clintonwhitehouse1.archives.gov/ and https://clintonwhitehouse2.archives.gov/ IPv6-only.

While I don't think a couple administration's website archives are enough to drive adoption, one could imagine there might be some government resources that might.

Sadly browsers don't seem to warn users that they couldn't connect because of the lack of IPv6 (and doing so would be difficult for IPv6-only DNS servers), so it just looks like a regular connection failure.

SchemaLoad 17 days ago

One interesting development is the Matter standard for controlling smart home devices is v6 only. Every lightbulb, switch, sensor etc gets a v6 address and can be individually communicated to without having a manufacturer's hub translating in the middle.

speedgoose 18 days ago

It would be a strange and unnecessary risk to take for a startup in my opinion.

patmorgan23 18 days ago

It's really not a risk, as long as you dual stack your edge.

oasisbob 18 days ago

Exclusively IPv6 without any transitional mechanisms would be difficult to succeed with.

However, there are network upstarts like Jio (India) which made huge v6 investments from day one which use 464xlat for subscribers to access v4-only resources.

1970-01-01 18 days ago

>Exclusively IPv6 without any transitional mechanisms would be difficult to succeed with.

That's my point; why is it still difficult? What exactly are the pain points for a fully commercialized native IPV6-only business, and why do we think it will be easier to maintain the status quo?

patmorgan23 17 days ago

There are still lots of customers with IPv6, if you go completely and totally v6 only then you limit your potential customer base. Now going v6 internally with a dual stack edge makes sense, Meta has done this.

pixl97 17 days ago

Because a few large companies are holdouts. Github for example. Some AWS backend stuff. Many smaller ISPs that represent a very long tail.

Most of it is not any particular difficulty for you, but because of someone else.

tormeh 18 days ago

Many wired networks are IPv4-only, so you've excluded a bunch of consumers. It'd be like not supporting the Edge browser.

immibis 18 days ago

Also every mobile phone network ever (with a handful of exceptions) is IPv6-only, with a slow translation layer to reach v4 sites. Your app or website literally runs faster if you use IPv6.

kincl 18 days ago

The country code GB in some of the tables should show the source economy being Great Britain right? Am I misunderstanding the table?

graemep 18 days ago

That looks weird. I am guessing that someone knows about the mismatch between ccTLDs (where the UK is .uk) and ISO codes (where the UK is GB and Ukraine is UA) and tried to correct something and got it wrong.

It's correct in other tables.

pumplekin 18 days ago

.uk being the TLD, and .gb being the ISO 3166-1 alpha-2 code is a quirk of history that comes with .uk being on the internet very early.

1vuio0pswjnm7 18 days ago

What happens when a so-called "tech" company that cannot be trusted wants to punch holes in the user's firewall without prior consent from the user

Purely hypothetical, of course

For example, WhatsApp tries to connect to at least two servers on UDP port 3478 without asking the user if this is what they want to do or explaining the purposes of these connections

Example server addresses are

57.144.221.54

31.13.70.48

3478 is the port used for "Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translators (NATs)", or "STUN" for short

https://www.ietf.org/rfc/rfc3489.txt

Perhaps IPv6 would obviate the need for STUN

alexinavar 18 days ago

Unrelated to the post, but please include a viewport tag[0] on your website; it's one line of code that makes things far easier to read on mobile.

[0]: `<meta content="initial-scale=1,width=device-width" name="viewport">`

chrismorgan18 days ago

I’m curious about that meta viewport declaration and where it came from: I don’t believe I’ve ever seen it in that order. The customary ordering has the attributes and content properties all reversed:

  <meta name="viewport" content="width=device-width,initial-scale=1">

kccqzy18 days ago

No. You either design the site to be fully responsive (which would necessarily include CSS changes), or leave out that line. If your CSS assumes a desktop layout, it is strictly better not to set the viewport width to device-width so that the mobile browsers will use the traditional desktop viewport and the user can zoom around without anything broken. In contrast, carelessly slapping that line without CSS changes will often lead to content being clipped and invisible on mobile. This is why I have a bookmarklet to delete any viewport meta elements.

Ericson231418 days ago

Really need governments to start pushing harder on IPv6 adoption. We need sticks, not just carrots. My favorite is chaos engineering forced IPv4 downtime.

dunder_cat18 days ago

In the US, I really want the FCC to mandate that an ISP provides IPv6 connectivity in order to meet the criteria to be considered broadband (and access the subsidies related to that). Don't even care if the functionality is off by default / you have to call and agree the routing may be sub-optimal, whatever. I currently use HE tunnels but on top of additional latency, the HE <-> Cogent peering dispute still makes it difficult to access services over IPv6.

ianburrell18 days ago

There should be a rule that an ISP with CGNAT must offer IPv6 as an alternative. The US doesn't use CGNAT as much as other countries, but it would help people stuck behind crappy CGNAT.

patmorgan2318 days ago

Yeah, I think this is the bigger issue. CG-NATs break things, you shouldn't be able to sell a pooled IP CG-NAT only service as a broadband connection. Looking at you, MetroNet.

autoexec18 days ago

Nah, we just need actual carrots. If something new is better than what people currently have, and you make it easy for them to get the new thing, people will naturally abandon the old thing. They'll do it happily. In fact, it will be hard to stop them from abandoning the old thing for the new thing.

IPv6 has failed at being better, being accessible, or both. Rather than punish people for failing to adopt something that isn't better or easy to get, either improve IPv6 so that it's actually attractive or admit defeat and start work on the next version that people will genuinely want.

The moment you start thinking "Let's make what people have now worse until they move to this other thing they don't want" it's an admission that whatever you're pushing people to is shit.

bigstrat200318 days ago

> IPv6 has failed at being better, being accessible, or both.

I don't agree that it has. IPv6 is clearly better (no collisions between address space and thus no NAT requirement), and it's perfectly accessible to anyone who actually tries. I'm not by any means a top tier network guy but even to me IPv6 is dead easy to set up. The problem with the v6 transition is that people have very inaccurate views on one or both of those points (usually they falsely believe NAT provides security benefits, or they falsely believe IPv6 is a difficult thing to implement). I'm not sure how to fix this widespread misinformation but that is the problem from what I've seen.

autoexec18 days ago

IPv6 primarily solves a problem that most people either don't have ("I have IPv4 IPs already") or don't care about ("I don't know/care what my IP is") and it introduces a bunch of problems people didn't have before like worries over compatibility with existing hardware/software (improving all the time) or even just "now I have to spend a bunch of time learning about how to correctly and securely implement this on my network" (still a problem).

Maybe one day in the distant future, IPv4 collisions/shortages will be an actual problem for most people. If that happens, those people will naturally make the switch. Until then, why would they?

It turns out a bunch of people actually like NAT. They like it so much that they pushed for solutions like NAT66 so that they can keep it even after switching to IPv6.

If IPv6 offered substantially better security/privacy, speeds, reliability, or introduced some new killer feature people didn't even know they wanted until they learned about it there wouldn't be any reason to try to force people to move to v6. Because it doesn't do any of that, and most people are happy with IPv4, they'll stick with what has been working for them.

fpoling18 days ago

Even 15 years ago IPv6 was much worse than IPv4 for most people. Only when the mobile operators started to insist on it did usage start to grow to significant numbers. Which showed the real problem with IPv6: lack of compatibility with IPv4. That was absolutely possible 30 years ago, but the designers decided that it would just complicate things.

Dagger217 days ago

No they didn't? v6 is compatible with v4 in tons of different ways, probably in almost every way that it's possible to be compatible with v4.

Admittedly, it's not compatible in the ways that _aren't_ possible. But it's highly unreasonable to blame that on the people who designed v6.

ianburrell18 days ago

The US government is pushing IPv6 for government sites and contractors.

I think there needs to be a push for IPv6-first networks for companies. ISPs in the US are pretty good about IPv6. But network engineers learned IPv4, and don't want to change what works, so companies lag behind. Changing existing networks is hard, but IPv6 is a good candidate for new networks. This includes writing docs and eventually the education so IPv6 is the default.

dorfsmay18 days ago

Or we should start a wall of shame of services not available on IPv6.

apearson18 days ago
johnisgood18 days ago

What holds them back though? Even my shitty self-hosted website on a not-so-known VPS supports IPv6.

apearson18 days ago

I'm assuming priorities and convincing the old guard it's something to do

positr0n16 days ago

What's the public good that justifies the government dictating which networking stack people use?

psim118 days ago

In 2021 I speculated on IP and acquired a /23 block by ARIN wait list. I figured on running some services from the IP space for a while and after the 5 years mandated wait time would cash in when surely it would fetch $100k from some party desperate for IPv4.

At this point the services I am running are far more lucrative than the IP space itself is turning out to be.

neoromantique18 days ago

How realistic is it to buy a block in 2026 as an individual? I understand that it is useless, but how much so?

zamadatix18 days ago

Different RIRs & LIRs have different policies, but the "foolproof" way is to just set up an LLC and register resources through that. There are usually renewal fees as well. If you're not hoping to be able to sell them after you get them, a careful reading of RIR policies can usually net you one or two /24s without needing to buy any blocks.

In either case, if you end up with internet resources you can trawl through sites like https://bgp.services/ to find a cheap VPS provider near you that supports peering. I run my own AS and advertise 3 network blocks (2 IPv4 + 1 IPv6) out of 2 different DCs for several hundred $ per year all in all (including renewal fees, VPS, taxes, etc).

ramon15618 days ago

Unrelated to the post, but I love the left texture when I'm on vertical tab mode in FF. Very cool

Imustaskforhelp18 days ago

I am on Zen, which you can consider to be vertical tab mode in FF as well (considering Zen is based on FF) (albeit, I love how slick Zen looks! Zen is amazing)

And I have the same texture too! I hadn't observed it until your message

seszett18 days ago

Unless I misunderstand something, that texture is not especially related to Firefox or vertical tabs.

I have it under both Firefox and Chromium, and whether my tabs are vertical or not. It's just the website's background.

billyjobob18 days ago

My ISP added IPv6 support and my router began handing out IPv6 addresses. How did I know this?

1. My AppleTV began stuttering during playback.

2. My old iMac began crashing every time it connected to the wifi.

At least the iMac has an option to disable IPv6. The AppleTV has no such option so I had to do it in the router.

jakey_bakey18 days ago

It always sends me to sleep when IP enthusiasts lament the lack of adoption for IPv6.

It's obvious to anyone that looks at the two formats that any kind of hacky workaround like NAT gateways will be preferable indefinitely to actually adopting the monstrosity that is IPv6.

shmerl18 days ago

NAT is the monstrosity, not IPv6.

dist-epoch18 days ago

But has the nice side-effect of working as a firewall, before traffic gets to you.

RiverCrochet18 days ago

- Did you disable UPnP on your router? If not, any device behind the router can simply ask the router to open a port, typically without authentication, bypassing this "firewall" completely.

- TURN and STUN trivially bypass this side-effect, and a side effect of that is a third party has to often be involved, which can be collecting data later leaked or used against you.

- The monstrosity of NAT is that it's the core thing that drives centralization - because of NAT any two Internet hosts generally have to involve a third party to communicate, a third party which again, can be collecting data later leaked or used against you.

If you don't care about the security implications of the above, then you don't really care about the "firewall" either.

ianburrell18 days ago

IPv6 routers use a stateful firewall just like NAT includes. Just without the problems of NAT.

shmerl18 days ago

No, it does not. Always use a firewall if you need a firewall. NAT is not a replacement for it.

megous17 days ago

You just have outbound NAT enabled, so that your internal nodes can access the internet, no mapping to any internal nodes is set from the outside and no firewall. (just NAT alone) So all packets to your router's address will terminate at the router. Right?

OK, let's say I send a packet to your router's external interface with the destination IP set to the internal address of one of the nodes in your network.

Will it reach your internal host? Will I get a response? ;-) I hope you now appreciate how NAT is not a firewall at all.
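The forwarding decision in that thought experiment can be modelled in a few lines; this is an added example, not part of the comment above. It assumes a router with IP forwarding enabled and a sender on the WAN-side segment; `Packet`, `Router` and all addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class Router:
    wan_ip: str
    lan: str                      # LAN prefix, e.g. "192.168.1.0/24"
    stateful_filter: bool         # False models "just NAT alone"
    nat: dict = field(default_factory=dict)
    next_port: int = 40000

    def outbound(self, p: Packet) -> Packet:
        """LAN -> WAN: rewrite the source and remember the mapping."""
        wan_port, self.next_port = self.next_port, self.next_port + 1
        self.nat[(wan_port, p.dst, p.dport)] = (p.src, p.sport)
        return Packet(self.wan_ip, p.dst, wan_port, p.dport)

    def inbound(self, p: Packet):
        """Packet arriving on the WAN interface -> (verdict, packet)."""
        if p.dst == self.wan_ip:
            mapping = self.nat.get((p.dport, p.src, p.sport))
            if mapping:           # reply to a flow a LAN host opened
                return "forward", Packet(p.src, mapping[0], p.sport, mapping[1])
            return "local", p     # no mapping: terminates at the router
        if ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.lan):
            # NAT has no opinion here: the destination needs no translation,
            # so plain routing decides unless a filter rule drops it.
            return ("drop", p) if self.stateful_filter else ("forward", p)
        return "drop", p          # neither the router nor its LAN


def probe_verdicts():
    """Constructed addresses: the same WAN-side packet against both routers."""
    probe = Packet("203.0.113.9", "192.168.1.10", 5555, 8080)
    return {
        name: Router("203.0.113.5", "192.168.1.0/24", flt).inbound(probe)[0]
        for name, flt in (("nat_only", False), ("nat_plus_filter", True))
    }
```

The only line that changes the verdict is the filter rule that drops new inbound flows, which is the same rule an IPv6 router applies without any NAT.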

9rx18 days ago

NAT has the side-effect of working as a shower curtain. It will mostly keep light drops of water out, but will not stand up to a fire.

Dylan1680717 days ago

Having one and a half firewalls doing overlapping work and making things more complicated is not what I call nice.

kalleboo17 days ago

The real hacky workaround that we have adopted is just centralizing the whole internet in like 5 giant companies and making everyone else into passive consumers who can't even make a voice call to each other without giving some form of payment to a cloud giant.

8bitsrule17 days ago

This article would be more useful if it started with an abstract.

chromehearts18 days ago

IPv6 will change the world. Believe in it

grishka18 days ago

How many more decades will I have to wait to have IPv6 from my ISP though?

simoncion18 days ago

Try switching ISPs. [0] Even Comcast provided me IPv6 service fifteen, twenty years ago.

[0] Yes, I am aware that that's simply not possible for most folks. I used to be most folks, so I definitely know.

grishka17 days ago

You're underestimating just how rare IPv6 is in my country. It's mostly found only in datacenters.

simoncion14 days ago

> underestimating

How could I have even begun to estimate? At the time I wrote my comment, I had zero information on which to base an estimate.

Barathkanna17 days ago

TLDR: IPv4 is fully exhausted and no longer growing. Internet growth now depends on IPv6 adoption and address sharing, but IPv6 rollout is still uneven across regions.