[HN Gopher] AWS to begin charging for public IPv4 addresses

Author: realshadow | Score: 150 points | Date: 2023-08-03 18:31 UTC
Link: www.infoq.com

cferry wrote:
The only barrier for me to go IPv6-only is those VPS that are provided with a _single_ /128 IPv6, and I do not know of a service that would offer IPv6 tunneling other than HE, that requires an IPv4 endpoint. The day I get a full /48 or /64 with my VPSes, I'm ready to drop IPv4.

kccqzy wrote:
Amazon gives you more than a single /128. So your complaint is irrelevant if you actually use AWS.

devit wrote:
Do they offer shared IPv4 addresses with routing by HTTPS SNI?

Hikikomori wrote:
On ELB yes.

JoshTriplett wrote:
ELB is a substantial cost itself, though.

eastbound wrote:
And not very good: together with the auto scaling groups, it performs the record act of not being able to do an instance refresh without downtime. We've put countless hours into that; seems like a simple problem, forums say it's not solved.

dilyevsky wrote:
Could you point to relevant thread please?

Hikikomori wrote:
With a single instance? Could also do blue green instead.

zomglings wrote:
This is not true.

You have to define health checks on your instances that reflect the availability of all services they host.

And you have to allow there to be more instances than your target number in each autoscaling group.

anderspitman wrote:
Hot take. IPv6 adoption is never going to hit 100% because SNI routing covers most of the cases people actually need. If UDP functionality is necessary, QUIC will be used. I wish this wasn't the case. It would be nice if the software was good enough that more people were enabled to self-host.
NoZebra120vClip wrote:
Which has been a more significant driver of address-space exhaustion: web servers, or consumer/corporate client devices?

kccqzy wrote:
Not a hot take at all. We don't need 100% IPv6 adoption because we can't control what people do in their private networks. If a load balancer supports IPv6 that's good enough, even if the load balancer talks to the backend over IPv4.

supertrope wrote:
In practice the Internet does not deliver IP packets. Only UDP or TCP is universally supported. Some firewalls, security appliances, filters, and proxies limit end-to-end connectivity to just TCP 443. Everything over IP has turned into everything over HTTP.

grobbyy wrote:
This is a hidden price hike. It would be more reasonable if there was a corresponding decrease in server costs.

barryrandall wrote:
The move may seem unreasonable, but it seems more unreasonable to expect anything different from the oligarchy.

marcus0x62 wrote:
Their costs for delivering one service are increasing so they should lower their prices on another?

ribosometronome wrote:
If they're separating out functionality from that service and charging for it, sure. Customers who don't pay extra are getting less service than they used to for the same money they used to pay.

ketralnis wrote:
> Customers who don't pay extra are getting less service than they used to for the same money they used to pay

Sure, yeah. That's how price increases work. Nobody's arguing that it's not a price increase. But if your delivered pizza's costs are fuel+ingredients and the price of fuel goes up, well, the whole price goes up or you have to give on the amount of pizza. The price of the ingredients didn't go down, so yeah you're just going to have to pay more or get less pizza. Sorry.

You can quibble on the pizzeria's margin I guess: AWS could just eat the increased price themselves, and probably have been until now.
But apparently they don't want to, so they're raising the price to compensate in frankly the most reasonable way possible. AWS has insane pricing for many of its services, especially bandwidth, but this isn't one of them.

whalesalad wrote:
IPv4 is a finite resource. This is a forcing function to ensure that people who actually need IPv4 addresses are using them. Gotta pay to play.

I guarantee there are a ton of unused IPs just sitting on accounts doing absolutely nothing.

mark242 wrote:
Addresses were already being charged if they weren't attached to an interface. Increase that charge if you're looking to churn unused IP addresses.

jeremyjh wrote:
That would not catch every public IP address that is actually unused, because it can be attached to an interface and yet not be needed or actually used by any client. But I don't agree with GP that this is an important reason for the price increase. They are increasing prices simply because costs have increased.

mark242 wrote:
Anything that an IP address can be attached to is already accumulating a charge, just by existing and running. EC2, NAT gateway, ELB, etc. What's "actually unused" then? Minimum amount of traffic? I don't think it's in Amazon's purview to make those judgement calls.

jeremyjh wrote:
What I meant by unused is that there might not be a client that ever connects to that IP address, so the public IP address itself might not be used even if it's attached to a resource.

> I don't think it's in Amazon's purview to make those judgement calls.

I already said I don't agree with GP that this is a motive for Amazon.

ketralnis wrote:
I don't think either of those is true?

It's not hidden, they put it right up on their blog https://aws.amazon.com/blogs/aws/new-aws-public-ipv4-address... the opening line of which is "We are introducing a new charge for public IPv4 addresses" and when it starts and what the cost is.
I assume like every other AWS charge it's broken out in great detail on their billing statements and they even have APIs to query costs. Usually they send an email with these changes too, so if they haven't I assume they will. It's a regular old price hike but it's not a hidden one.

Secondly, since "the cost to acquire a single public IPv4 address has risen more than 300% over the past 5 years", there's no accompanying decrease in server costs that would be "reasonable" to account for this. Charging for the IP itself makes total sense since that's the cost they're accounting for. If it were packed into the instance costs, then instances without a public IP would be paying for it too. This incentivises you to do exactly what they want you to do: use fewer public IPs where you don't need them. This is way more reasonable than an across-the-board instance cost bump which _would_ be a hidden price hike. This is a bridge toll that covers the cost of the bridge by its users instead of raising taxes on everyone.

I guess you're wanting to pay the same and just distribute the cost between the IP and the instance differently? And hey, me too, I love not being charged more. But they want to account for their costs without eating into their margin and this is how they're going about it. You don't have to _like_ it; I sure don't. You can wish AWS would just keep eating the cost for you; me too! But I don't think "hidden" or "unreasonable" is accurate.

ChrisArchitect wrote:
[dupe]

londons_explore wrote:
As long as IPv6 remains free, and there is some kind of IPv4-accessible proxy for web stuff for free, I'm happy.

mnutt wrote:
I don't see where the latter is the case? For that I believe regular NAT gateway bandwidth charges apply?

blibble wrote:
The IPv6 support is sporadic and not in all regions:

https://docs.aws.amazon.com/vpc/latest/userguide/aws-ipv6-su...
Why are these large hosting companies so incompetent?

psanford wrote:
AWS is many things but 'incompetent' is not one of them.

blibble wrote:
Explain that page any other way.

est31 wrote:
AWS has spent billions (with a b) on IPv4 addresses: https://news.ycombinator.com/item?id=36991477

This investment wasn't just of a strategic nature: they have enough market power to hold back the move towards IPv6.

blibble wrote:
How does reducing your competitiveness in the IPv4 market (what they've done today) hurt IPv6?

It will have the exact opposite effect.

Beached wrote:
Because they don't have to be. When you own 20% of the entire Internet, you can just do whatever you want; very few can compete.

ArchOversight wrote:
> ipv4 accessible proxy for web stuff for free

Not within AWS.

wongarsu wrote:
This finally puts real pressure on software and services to work on IPv6 only. I wouldn't be surprised if within 1-2 release cycles lots of distributions suddenly update just fine with just IPv6, package managers can download packages over IPv6, lots of APIs gain solid and well-tested IPv6 support, etc.

NoZebra120vClip wrote:
TIL that my Chromebook connects to the Internet with a 6to4 address rather than the real /64 that my ISP assigns.

[deleted]

p1mrx wrote:
This seems unlikely, as 6to4 was deprecated in 2015: https://datatracker.ietf.org/doc/html/rfc7526

NoZebra120vClip wrote:
I couldn't believe it either, but using Chrome on ChromeOS 114, updated yesterday, all the public sites report that I am connecting from 2002::/16.

p1mrx wrote:
Interesting. It's only possible to terminate 2002::/16 using a public IPv4 address, so if you're behind a NAT router, then the router itself must be running 6to4.

NoZebra120vClip wrote:
Aha! Thanks for the hint: I recently had to reconfigure my router from factory settings. The IPv6 configuration, sure enough, was kicked into 6to4 mode.
I set it to "Auto Config" and now I've got end-to-end IPv6 connectivity with, look Ma, no NAT!

Thank you, p1mrx!

Macha wrote:
As a business... $40/year/server is nothing.

As an individual/hobbyist, it's a much bigger disincentive.

For students and the like, it might actually be prohibitive.

The problem is it's really the first group that needs to drive the remaining IPv6 adoption by replacing their middleware boxes etc. and they're the group who are unlikely to care at this price.

kccqzy wrote:
Apple has been demanding apps support IPv6 only for years now. They reject your app if it fails under NAT64. The end user side is mostly a solved problem.

ketralnis wrote:
For iOS maybe. Most of those applications are also using Apple's networking libraries and are effectively required to be on Apple's infinite software update treadmill to continue to be listed, keeping them young and hip in perpetuity. This is the upside to that treadmill: things are up to date or just stop working.

But I don't think that's representative. "Or just stop working" isn't a valid alternative to the rest of the world. Outside of mobile ecosystems and maybe web development most things aren't on these 6 to 12 month update cycles. It would be absolutely unreasonable to tell a hospital that every piece of hardware and software and MRI machine in their building has to be upgraded every 2 years or it's positively geriatric and do you even `pacman -Syyu` bro?

There's a whole world of things that haven't been, and may never be, transitioned. Useful things like utility control computers and even people's 10 year old, still perfectly functional and supported desktops. Heck, my "end user" newly-installed fibre ISP doesn't support IPv6! And their previous DSL installation to the same address did! So much for "solved problem" :(

kccqzy wrote:
A hospital's MRI machine doesn't need an internet connection.
IPv4-only intranets are fine and we are never going to get rid of them.

But anything that connects to the internet needs to be updated regularly, if only for security and vulnerability reasons. If you have a 10-year-old functional and supported desktop, it most likely supports being IPv6 only just fine. The typical 10-year-old desktop came from the factory with Windows 8 and could be upgraded to Windows 10 (since it's supported). It even gets relatively new features such as IPv6 RDNSS allowing DHCP-less deployments.

p_l wrote:
Windows networking became v6-first in Vista, over a decade ago.

candiddevmike wrote:
Businesses and organizations are holding IPv6 back, not consumers. No one I talk to is prioritizing IPv6 migrations or spending money to upgrade gear that will support it. Maybe some net new stuff might get it, but for most businesses IPv4 is and will be the default, simply because they can't be bothered to do something different.

jiggawatts wrote:
It's worse than that: new software and hardware is being developed or rolled out right now that is incapable of working on an IPv6 network. Not just unable to use it, but actively incompatible, failing to run if _other_ devices use IPv6!

This was an issue with Azure's PostgreSQL service, which would fail if you deployed other unrelated IPv6 services in the same virtual network.

We need a guild of software engineering so that the people responsible for this can be summarily ejected from it.

0cf8612b2e1e wrote:
Serious question, is there any enterprise gear made today which does not support IPv6? I have assumed that the natural hardware upgrade cycles made it so 99% of all active equipment could support the technology, even if it was not configured to do so.

candiddevmike wrote:
That door alarm thing that has a Windows XP workstation VM the facilities team touches once a month probably doesn't support IPv6.
Repeat that scenario across multiple BUs and multiple locations and no leader wants to commit to doing that kind of due diligence. What's wrong with our current IP?

jandrese wrote:
Man-in-the-middle certificate re-signing deep packet inspection firewalls are notorious for not supporting IPv6. Most everything else has switched, but many network admins fear IPv6 and don't want to have to learn something new.

Aeolun wrote:
Hmm, I use IPv4 mostly because nobody in their right mind can remember an IPv6 address...

post-it wrote:
Who's out there remembering IPv4 addresses?

brickteacup wrote:
If only there were some sort of a system for translating human readable names to network addresses...

mgaunard wrote:
Anything in the cloud is 10 times the price it's worth.

It's essentially a tax on the people gullible enough to believe in cloud tech or unable to set up real hardware.

anonymous344 wrote:
Inflation is wild. The dollar is predicted to crash any time. So now all the big companies are just taking what they can. I've seen everywhere 40% increases to prices, without any notification to the customer, for example Misshosting and many others.

sacnoradhq wrote:
Inflation has been aberrant over the past 3 years in some areas, i.e., food, from profit-price spirals, but there is not widespread hyperinflation.

No one reputable is predicting the USD will crash imminently.

US T-bills lost a notch of rating due to long-term declining governance tied to the cozy relationship and revolving door between Wall St. and federal regulators. This is a form of corruption that undermines the economy and strategic power.

dragonwriter wrote:
> dollar is predicted to crash any time.

Clever use of passive voice, but predicted _by whom_?

netcraft wrote:
I personally don't think $45 per year is going to change habits that much, especially for larger customers who have a lot of public IPs.
lokar wrote:
Already a lot of discussion about this at my job. It's a lot of $ at scale. We will put a bunch of work in to avoid the fee.

rblatz wrote:
At $45 a year per IP address you'd have to spend less than a man hour per address to even conceivably approach break even.

And I normally would be worried if my company was focusing on break-even initiatives instead of higher impact ones.

wongarsu wrote:
But if you have 100 backend servers that mostly communicate on the internal network/VPC and need their IPv4 mostly for updates, it seems easy to justify standing up a proxy and reconfiguring your template. At least if your engineers aren't in Silicon Valley and thus don't cost you $400/h.

toast0 wrote:
Depends how many IPs you're using. If you're using 10, who cares; if you're using 100, I dunno. If it's 1,000 or more, that's real money you probably shouldn't be pissing away. (OTOH, a lot of cloud spend is pissing away money, so what's another $45k/year?)

lokar wrote:
And at 100,000+ it's worth real engineering.

Beached wrote:
You don't have to break even on implementation. You will get billed every single year, so if you can have two dudes solve this in 3 months, you can break even in 3 years and every year after that you saved money.

mrweasel wrote:
Some companies have been allocating a bunch of pointless IPv4 addresses and I think that's why AWS is doing this. A friend of mine has reduced the number of IPv4 addresses his employer uses by 80% (100+ IPs) in less than a week. That's a huge saving, but those IPs should never have been allocated to begin with.

foobarian wrote:
Huh, speaking of lots of public IPs, most of MIT's old class A is now owned by Amazon :-(

    NetRange: 18.32.0.0 - 18.255.255.255

Analemma_ wrote:
Why :-( ? There's no way MIT was using more than a tiny fraction of that /8; now it's actually being put to real use, and MIT probably got some money out of it.
Everybody wins.

amluto wrote:
MIT _was_ using it. Not efficiently, but MIT sold addresses that were in use at the time due to what appeared to be IT ineptitude.

It was also shortsighted. It was a massive resource, MIT presumably sold it for under $200M (I assume far under), and now AWS plans to rent the addresses at a rate that will be around $600M _per year_ if they manage to rent them all.

wmf wrote:
The market is working :-)

kiririn wrote:
Hobby customers can buy an entire VPS, complete with IPv4 to tunnel through, for 1/4 that.

[deleted]

Operyl wrote:
Hobby customers aren't using AWS, by and large. And it's only a matter of time before we see more and more costs for IPv4 down in these tiers as well.

preommr wrote:
Counterpoint: My hobby projects all use AWS because that's what I am familiar with, and they have the cheapest prices. I also reuse a lot of resources like a database to further save costs.

Aeolun wrote:
AWS have many things, but they most definitely do not have the cheapest prices. Unless you are pricing in convenience.

pnpnp wrote:
Totally disagree! :)

My monthly costs are minuscule with a reserved t4g instance, Lambda, S3 and Cloudfront as my primary usage.

Honestly, it beats out the "budget" VPS providers I was previously using, and is a heck of a lot more powerful/reliable.

Operyl wrote:
I knew I'd get the counterpoints here on HN, but I'd argue we're probably the exception here. AWS can be really cheap, but it is easy for things to go wrong. Bandwidth, commonly unmetered at places like OVH or Hetzner, can cost a fortune at AWS if you get attacked. And while AWS will refund you once or twice, after that you're either left scared or on the hook eventually.

pnpnp wrote:
Absolutely! It just happens to be a good fit for me :)

I use very little bandwidth and processing with the vast majority of my projects.
In the event that I do need heavy lifting for a couple hours, it still tends to be a pretty minimal cost.

Now for sustained heavy loads/bandwidth... I definitely would look elsewhere for hobby projects.

Edit: and I agree with your point about attacks. I have pretty aggressive monitoring set up around billing.

voytec wrote:
> Hobby customers aren't using AWS

AWS has the easy to use Lightsail[1] VPS offer with the cheapest product at $3.5/mo, but they'll likely increase these prices as well, since there's an IPv4 address included.

[1] https://aws.amazon.com/lightsail/pricing/

rusl1 wrote:
I've got a 2GB RAM 2 CPU for the same price on IONOS.

znpy wrote:
Hobby providers most often are already charging for IPv4 addresses.

GabeIsko wrote:
They want people to use EIP, right? Is this really a problem for anything other than a device that cannot perform DNS lookups?

decasia wrote:
So I have a tiny personal website hosted on EC2. Right now the DNS points to the server's public IPv4 address. But I don't really want to pay $40+/year for an IPv4 for my personal project.

Does anyone have experience switching a small personal site to IPv6 only in 2023?

I'm guessing the vast majority of my (North American/European-based) friends and visitors can probably connect just fine to an IPv6 address. I wish I knew what percentage it is.

I guess I could add an AAAA record and check what percentage of traffic actually uses it.

avereveard wrote:
How about removing the public IP and receiving connections from CloudFront? Or have it hosted in App Runner. Then you CNAME your domain to the service's domain, and skip the cost.

decasia wrote:
Yep, I think that's plan B, thanks.

capableweb wrote:
According to Google (https://www.google.com/intl/en/ipv6/statistics.html), 60% of world-wide users wouldn't be able to visit your website.
In the US, it would be about ~50% of users, while in Europe it's ranging from 30% (France) to 98% (Spain) who wouldn't be able to visit the website.

But yeah, I'd do what you say at the bottom of your comment. Add AAAA records and then see how many people use IPv6 compared to IPv4 and then decide.

KAMSPioneer wrote:
I understand that Movistar, the largest Spanish ISP, is currently deploying IPv6 in beta at the moment. I expect that will trickle down to the various resellers of Movistar's network shortly after. Hopefully that will get that 98% down in the near future. :(

decasia wrote:
Sigh, so basically it's impossible to switch without shredding an already tiny audience. I'm sure it won't be a nice UX either to have a "can't connect to this IP" error in someone's browser.

IPv6 has been around for so long now, I'm disappointed it doesn't have a little bit higher adoption.

smileybarry wrote:
And if all else fails, you can put something like Cloudflare in front of it to handle IPv4 traffic.

doublerabbit wrote:
Which then you're back to paying $40+/year to ensure you don't get wiped from their "free" tier when they feel like it.

Nothing is free forever.

amluto wrote:
> A new blog post shows you how to use Elastic Load Balancers and NAT Gateways for ingress and egress traffic, while avoiding the use of a public IPv4 address for each instance that you launch.

It would be nice if this came with reasonably priced NAT gateways. The current pricing is outrageous.

brickteacup wrote:
Not to mention the absurd fact that accessing (IPv4) AWS APIs from a private subnet requires paying for either a NAT gateway or an interface endpoint (we got bitten by sending a ton of Kinesis traffic through a NAT gateway once).

pnpnp wrote:
I completely agree. It's odd they would announce charging for dedicated IPv4 while not having a free shared egress solution (unless I'm misunderstanding).
I would expect them to reduce NAT pricing in the long run, but who knows.

[deleted]

SteveNuts wrote:
I'm shocked this isn't a feature of a VPC out of the box (shared internet-bound traffic). You should only need a NAT gateway if you want the traffic to come out of a single set of external IPs that you control.

Almost all of my use cases I could easily ride out to the internet through a shared pipe (apt updates and such) and don't care whatsoever what IP it exits the AWS network from, since I'm not applying firewall rules or anything.

patmcc wrote:
> and don't care whatsoever what IP that exits the AWS network from

You'll start to care pretty quickly if it's the same IP as a bad actor that's blocked everywhere.

ishanjain28 wrote:
So for this, run your apps in public subnets that are attached to an IGW.

ransackdev wrote:
I think that as a business, and given the fact they are now charging for a previously free service (public IPs), offering a now paid service as free would nullify the reasons for doing what they are doing. They don't owe anyone anything for free.

inopinatus wrote:
That doesn't follow, because the reason is that IP addresses are scarce.

hnav wrote:
You can stand up your own on top of a t3.micro or something if you don't care too much about HA (e.g. you just wanna be able to hit the internet when SSHed into your instances).

nodesocket wrote:
100% agree, they need to offer steep reserved instance pricing for NAT gateways. To deploy 3 NAT gateways (HA, one in each availability zone) is $99/mo just for the instances.

whalesalad wrote:
$40/mo is outrageous? We spend thousands a month on AWS and drive most traffic through a single NAT gateway. It's rock solid and it "just works" without any fuss. Totally worth it.

mgaunard wrote:
Leasing an IPv4 is 0.40 per month. The 39.60 on top is just their margin.

ishanjain28 wrote:
Where?
est31 wrote:
Exchange prices are still in that region, at least for some RIRs: https://www.ipxo.com/market-stats/

paulddraper wrote:
For a lot of traffic $40 is not outrageous.

For a little traffic $40 is outrageous.

Dylan16807 wrote:
Most users are below 10Mbps average, so yes, $480 per year is a huge price for a fraction of a percent share of a router (plus redundancy).

ishanjain28 wrote:
Okay, and those users can easily use a much cheaper NAT instance instead of managed NAT Gateways.

cdchn wrote:
There is where people usually start chiming in about how they can run a VPS at Whatever Hosting and Waffles Inc. for $4/mo.

whalesalad wrote:
Yep, and they should. AWS has never really been suited to the hobbyist. Does it work for that? Of course. Is it most cost effective? Absolutely not. Is it cost effective for people who need the resources? Yes.

Spivak wrote:
Yes it is, which is why Lightsail exists. The whole mantra of the cloud is only pay for what you need and scale down to zero.

[deleted]

otabdeveloper4 wrote:
> is it cost effective for people who need the resources? yes.

There is no possible use case in no possible universe where AWS is cost effective.

Renting the same compute resources wholesale will cost you 20 times less. (Not a typo.)

finikytou wrote:
Sure, they became a multi-billion dollar business by not being cost effective.

[deleted]

dijit wrote:
They became a multi-billion dollar business by:

A) Promising scale (and delivering to a certain extent)

B) being significantly more convenient than contemporary solutions

C) becoming trendy

D) hoodwinking CxOs into the belief that not owning your data is better for you, actually. (CapEx vs OpEx)

E) unfathomable amounts of DevRel.

Nobody has _ever_ claimed AWS was cost effective; they have said that "it's worth the cost" though.
dmattia wrote:
I run a number of personal projects on AWS entirely on their serverless offerings and pay $0 outside of domain registration as I'm well within their free tiers. That seems pretty cost effective.

AlchemistCamp wrote:
Yes, and for bandwidth, AWS is closer to 100x overpriced.

electroly wrote:
The expensive part of NAT Gateway is the $0.045/GB.

cj wrote:
Plus $0.045 per gigabyte of data that passes through it.

AWS has notoriously high egress fees.

CSSer wrote:
I ran into a SaaS company recently that had a guide for how to set up a white-label domain using Route 53 and CloudFront for one of their services. The SaaS company charges for service bandwidth usage, and they host their infrastructure on AWS, so if you opt to follow their guide they get a fat margin bump in the form of avoiding an egress charge and you get to be double-charged for bandwidth. You've gotta love it.

dilyevsky wrote:
It's not just egress in case of NAT: they charge you 4.5c per _processed_ GB, which means in both directions. This trips a lot of people up.

aednichols wrote:
NAT is pretty computationally intensive; this is why e.g. ISPs & mobile carriers are pushing IPv6 over CGNAT.

NoZebra120vClip wrote:
For example, rather than simply routing IP packets and then forgetting them, you need to statefully inspect every TCP segment and every supposedly connectionless UDP conversation, you need to maintain state for every live conversation, and you need to mitigate DoS with all those resources.

At that point, you might as well be running a Layer 7 Firewall or an Intrusion Protection System.

tptacek wrote:
UDP is connectionless precisely so you can build novel stateful protocols on it. There's no promise in UDP that you'll be able to statelessly monitor it.

debugnik wrote:
Which is why game networking libraries put a lot of emphasis on NAT traversal, forcing NATs to recognise the "connection".
And why game console manufacturers tell users to just forward all incoming traffic unmanaged by the NAT to the console.

colmmacc wrote:
UDP is actually more expensive to NAT than TCP is. The reason is UDP fragmentation, which is my vote for the worst, and least forgivable, design error of TCP/IP.

Instead of putting the fragmentation in L4 (like QUIC now does) and including a UDP header on every fragmented packet in a datagram, UDP only includes the header on the first packet. With fragmentation happening, firewalls, NATs, and end-hosts have to buffer and coalesce IP packets based on IP IDs before the destination can be identified. It's a real nuisance. A lot of CGNAT "stateless" implementations can't handle this and you get very hard to debug issues when there are fragmentation and MTU mismatches.

Bluecobra wrote:
> At that point, you might as well be running a Layer 7 Firewall or an Intrusion Protection System.

If you go down this path, consider using Transit Gateway so you can route multiple VPC traffic to a central security VPC in a region. I've done this with a Palo Alto VM and it seems to work well.

amluto wrote:
AWS NAT gateway is $0.045 per hour plus $0.045 per GB. The hourly fee seems mostly okay: for largish users, one or two per region is fine.

$0.045 per GB is _nuts_. That's $20.25/hour or $14580/mo for 1 Gbps. One can buy a cheap gadget using very little power that can NAT 1 Gbps at line rate for maybe $200 (being generous). One can buy a perfectly nice low power server that can NAT 10Gbps line rate for $1k with some compute to spare. One can operate one of these systems, complete with a rack and far more power than needed, _plus_ the Internet connection, for a lot less money than $14580/mo. (Never mind that your $14580 doesn't actually cover the egress fee on AWS.)
A company with a couple full time employees could easily operate quite a few of these out of any normal datacenter, charge AWS-like fees, and make a killing, without breaking a sweat. But they wouldn't get many clients because most datacenter customers already have a NAT-capable router and don't need this service to begin with.

In other words, the OpEx associated with a service like this, including the sysadmin time, is simply not in the ballpark of what AWS charges.

ttt3ts wrote:
Bit confused. Couldn't you just run a Linux VM to do your NAT and only pay normal egress?

deadmutex wrote:
> just run a Linux VM

+ Run extra for failover, HA etc + manage security + Monitor performance + ...

xxpor wrote:
It's not really computationally expensive, it's memory expensive. You need per-connection state.

blibble wrote:
It already has a stateful firewall.

So that's: source IP, dest IP, protocol, source port, dest port, connection state (say 16 bytes total).

Doing NAT too is what, 3 more bytes per connection (8 bits for an offset into an IP table and 16 bits for the translated port)?

p1mrx wrote:
Generally an ISP does not have a stateful firewall prior to deploying CGNAT.

dijit wrote:
NAT and stateful firewalling are commonly bundled together (especially on home systems) but I would not go so far as to say "NAT has a stateful firewall".

I hear such takes all the time and it's really frustrating; usually in threads regarding IPv6, incidentally it is usually programmers who think they understand everything about networks because they know how TCP operates.
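colmmacc's point above (only the first IPv4 fragment carries the UDP header, so a NAT or firewall has to buffer fragments keyed on IP ID before it can even see the ports) and the per-connection state discussion that follows it are easier to see in code. The following is an added example, not code from the thread or from AWS: it builds a constructed UDP datagram, fragments it at a small MTU, shows that a per-packet classifier recovers the ports from the first fragment only, and reassembles the datagram when fragments arrive out of order.

```python
"""Why NAT must buffer fragmented UDP: only the first IPv4 fragment
carries the UDP header, so the ports a NAT or firewall keys on are
absent from every later fragment. All packets here are constructed."""
import struct
from ipaddress import IPv4Address

IPPROTO_UDP = 17
MORE_FRAGMENTS = 0x2000  # bit 13 of the flags/fragment-offset field


def ipv4_header(src, dst, ident, proto, payload_len, offset, more):
    """Minimal 20-byte IPv4 header; checksum left zero (not verified here)."""
    flags_frag = (MORE_FRAGMENTS if more else 0) | (offset // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                       flags_frag, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)


def udp_datagram(sport, dport, payload):
    """UDP header (checksum 0, which is legal over IPv4) plus payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def fragment(src, dst, ident, l4, mtu):
    """Split one L4 segment into IPv4 fragments that fit `mtu` bytes.
    Every non-final fragment payload must be a multiple of 8 bytes."""
    step = (mtu - 20) // 8 * 8
    frags = []
    for off in range(0, len(l4), step):
        chunk = l4[off:off + step]
        more = off + len(chunk) < len(l4)
        frags.append(ipv4_header(src, dst, ident, IPPROTO_UDP,
                                 len(chunk), off, more) + chunk)
    return frags


def parse_ipv4(pkt):
    """Decode the fields a NAT needs: addresses, ID, protocol, fragment info."""
    (ver_ihl, _, total_len, ident, flags_frag,
     _, proto, _, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "id": ident, "proto": proto,
            "more": bool(flags_frag & MORE_FRAGMENTS),
            "offset": (flags_frag & 0x1FFF) * 8,
            "payload": pkt[ihl:total_len]}


def udp_ports(frag):
    """Ports are visible only in the first fragment (offset 0); later
    fragments carry raw payload with no L4 header at all."""
    if frag["proto"] != IPPROTO_UDP or frag["offset"] != 0:
        return None
    if len(frag["payload"]) < 8:
        return None
    return struct.unpack("!HH", frag["payload"][:4])


class Reassembler:
    """Buffers fragments keyed on (src, dst, id, proto) until the datagram
    is complete: the state a 'stateless' CGNAT cannot avoid holding."""

    def __init__(self):
        self.pending = {}

    def add(self, pkt):
        f = parse_ipv4(pkt)
        key = (f["src"], f["dst"], f["id"], f["proto"])
        entry = self.pending.setdefault(key, {"parts": {}, "total": None})
        entry["parts"][f["offset"]] = f["payload"]
        if not f["more"]:  # the final fragment reveals the full length
            entry["total"] = f["offset"] + len(f["payload"])
        if entry["total"] is None:
            return None
        data, pos = b"", 0
        while pos < entry["total"]:  # walk contiguous pieces; a hole means wait
            chunk = entry["parts"].get(pos)
            if chunk is None:
                return None
            data += chunk
            pos += len(chunk)
        del self.pending[key]
        sport, dport, ulen, _ = struct.unpack("!HHHH", data[:8])
        return {"src": f["src"], "dst": f["dst"], "sport": sport,
                "dport": dport, "payload": data[8:ulen]}


# Constructed sample: a 174-byte UDP payload that needs 3 fragments at MTU 100.
SAMPLE_PAYLOAD = b"constructed DNS-like payload " * 6
SAMPLE_FRAGS = fragment("10.0.0.5", "192.0.2.10", 0xBEEF,
                        udp_datagram(5353, 53, SAMPLE_PAYLOAD), mtu=100)


def ports_per_fragment():
    """What a per-packet (stateless) translator sees for each fragment."""
    return [udp_ports(parse_ipv4(p)) for p in SAMPLE_FRAGS]


def reassemble_out_of_order():
    """Deliver the fragments last-first: nothing can be classified until
    the first fragment finally arrives."""
    r = Reassembler()
    return [r.add(p) for p in reversed(SAMPLE_FRAGS)]


if __name__ == "__main__":
    print(ports_per_fragment())                    # [(5353, 53), None, None]
    print(reassemble_out_of_order()[-1]["dport"])  # 53
```

A translator that drops fragments it cannot classify instead of buffering them is exactly the "hard to debug issues when there are fragmentation and MTU mismatches" colmmacc describes.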
| blibble wrote:
| > but I would not go so far as to say "NAT has a stateful firewall"-
|
| > I hear such takes all the time and it's really frustrating
|
| maybe you'd be less frustrated if you understood what people were saying,
| because I didn't say that
|
| AWS already do 1:1 NAT and there's additionally a stateful firewall, which
| necessitates connection state tracking
|
| adding the extra few bytes to do port translation shouldn't vastly increase
| the memory required
|
| > incidentally it is usually programmers who think they understand
| everything about networks because they know how tcp operates.
|
| from someone who has written a commercial packet filter: in terms of
| complexity, TCP blows the preceding layers of the stack out of the water
| meragrin_ wrote:
| > ISPs & mobile carriers are pushing IPv6 over CGNAT
|
| LOL. Not Metronet. They are doubling down on CGNAT. They've acquired ISPs
| with IPv6 and killed it in favor of CGNAT.
| Spivak wrote:
| This is missing the point mostly, my own sites have supported ipv6 for
| going on a decade because it was fun to get it working. But that's a very
| different thing than supporting _only_ IPv6.
| p1mrx wrote:
| It's best for an ISP to deploy IPv6 and CGNATv4 in parallel, so the NAT
| only needs to handle traffic for services that don't support IPv6 (e.g.
| news.ycombinator.com)
| secondcoming wrote:
| Last time we used GCP's NAT gateway it was constantly dropping SYN packets.
| We had to revert to using External IPs on machines that talked to the wider
| internet.
| wmf wrote:
| Previously: https://news.ycombinator.com/item?id=36910855
| https://news.ycombinator.com/item?id=36910994
| https://news.ycombinator.com/item?id=36942424
| metadat wrote:
| Thanks!
| Macro-expanded:
|
| _AWS: IPv4 addresses cost too much, so you're going to pay_
|
| https://news.ycombinator.com/item?id=36942424 (3 days ago, 186 comments)
|
| _AWS Begins Charging for Public IPv4 Addresses_
|
| https://news.ycombinator.com/item?id=36910994 (6 days ago, 36 comments)
|
| _AWS Public IPv4 Address Charge and Public IP Insights_
|
| https://news.ycombinator.com/item?id=36910855 (6 days ago, 9 comments)
| alberth wrote:
| This was expected, and rent seeking.
|
| AWS over the last decade has spent $ billions buying up ASN blocks.
|
| I've never been one to use the word "rent seeking", but owning IPs is the
| ultimate rent seeking cloud business. Domain names can change registries but
| if you own the underlying IP being used (and there's a depleting supply of
| them) - it's a great business to charge rents on.
|
| https://www.techradar.com/news/amazon-has-hoarded-billions-o...
| madsbuch wrote:
| Most applications will be able to move to v6 eventually. Hopefully moves
| like this will push that development.
| andrewstuart2 wrote:
| Even already, I think you can get away with doing almost everything v6 with
| a much smaller number of ipv4s for legacy traffic. I say that but still
| largely use v4 for everything, so maybe I'm not one to talk.
| pantalaimon wrote:
| Unless you need to pull anything from GitHub...
| kccqzy wrote:
| Then direct your anger at Microsoft, not Amazon.
| doublerabbit wrote:
| Why not both?
|
| Both are dominating the internet-cyberspace and both are screwing it over
| for everyone else.
| efitz wrote:
| Looking at it a different way, IPv4 addresses are scarce so it makes more
| economic sense to have fewer, central owners that can maximize usage,
| rather than millions of individual owners, many or most of which would not
| necessarily be using them at any given time.
|
| Putting a price on IP address usage again is a mechanism to prevent
| squatting/hoarding a scarce resource.
|
| But if you don't want to "rent" IP addresses from anyone, you can still
| find blocks for sale. Last time I checked (last year) class C blocks were
| going for $15k-$20k.
| efitz wrote:
| BTW AWS specifically allows you to bring your own IP addresses.
|
| https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoi...
| yieldcrv wrote:
| Most of the internet is rent seeking
|
| VPNs just resell internet under a "more private than the next" unverifiable
| claim, and hope they get enough sycophants believing it
|
| Most of YC this year resells access to ChatGPT
|
| It's the game
___________________________________________________________________
(page generated 2023-08-03 23:00 UTC)