by jfries 2556 days ago
I'm probably missing something, but I think that, for home networks at least, NAT is wonderful because of how it requires some effort to make devices exposed on the external network. If we were given an unlimited supply of IP addresses from the ISP and all devices were accessible externally, it seems security issues would be a much larger problem.

The original purpose of NAT was to get additional devices connected to the Internet since we had a shortage of IPv4 addresses. For security, we have firewalls. If we had not been dependent on NAT for security, firewalls would actually have been configured. We will have to configure firewalls with IPv6 anyway.
NAT arose long before any address shortage concerns. Rather, it was a response to ISPs attempting to charge "per user" by associating a fee with each additional address (note this is long before the residential ISP service we know today: Internet service was for businesses, with retail subs only having PPP access via dialup). NAT allowed customers to work around the ISPs' pricing model at the time.
When my family first got broadband via Comcast@home back in the early 2000s they had a proviso saying if you wanted more than one computer you required a separate subscription. My dad and my brother quickly figured out we could get around this by using Windows Internet Connection Sharing. We eventually got a Linksys router that did the same job and was faster. IIRC even most dial-up ISPs did the same thing: if you wanted more than one computer online you had to use separate creds.
> If we were given an unlimited supply of IP addresses from the ISP and all devices were accessible externally, it seems security issues would be a much larger problem.

Nearly 40% of US traffic is already IPv6. 40% in Germany, 30% in Japan. I haven't heard of any massive increase in security issues caused by every device getting its own IP address.

Is that because there's still usually NAT at the user's router or cell tower even with IPv6?
I’ve never seen NAT being used with IPv6. I don’t see the point, it would be more effort to use it than not.
Yes, but it would be worth it. There is no need nor benefit to have a per-device unique address advertised to the world.

If there is a desire for a certain device then absolutely, give it its own IP, but that is the exception.

> There is no need nor benefit to have a per-device unique address advertised to the world.

Yes, there is!

But possibly more importantly: There is no benefit to assigning devices ambiguous addresses. It's as sensible as having all rooms in your business have "1" as their room number because you somehow have convinced yourself that that prevents people from entering your building.

What need or benefit?

I have no idea what you are trying to convey, I do not think you understood the concept.

I'm not talking about security.

The benefit is to eliminate the disadvantages and complexity (however opaque) of running NAT.

I don't think anyone is suggesting that all devices be reachable by default. It's entirely reasonable and prudent to have a firewall between my home network and the world, but NAT is not strictly required for this.

That is a benefit, true. However I don't feel that it is comparable to the drawbacks.

I'm not suggesting that anyone suggest devices being reachable. Them having a unique identifier is bad enough.

Actually it would make P2P communication much simpler.

WebRTC or any other video conferencing software wouldn't need a STUN server if all the clients were able to talk directly to each other.

First real benefit I guess. Yeah that's nice. Not worth it for me personally though.
For privacy, you can set up your OS to require a different random IP every time it reconnects to the network. You will always be in the same /64, but with a different IP.
That's a hack that doesn't protect anything for ongoing sessions. Slight improvement but hardly enough.
Perhaps they're talking about NAT64?
Well, it's a firewall that behaves like NAT.
NAT is definitively not a security layer and was never intended as such. You can get better security with a simple stateful ingress firewall (block packets not associated with an established/related connection) which is what most people think of for security with NAT.

The only slight benefit it has imparted is the privacy benefit of hiding multiple devices behind a single address, but they can usually be individually profiled anyway.

I've heard before that "NAT is not intended as security", but isn't the effect still the same, that an external device can't connect to a device behind NAT without explicit configuration allowing it?
That is generally true, but has weird edge cases. For example using not so specially crafted ICMP packets[1] two hosts each behind independent NATs can communicate with each other without any change to a firewall configuration.

Also honorable mentions: The UPnP protocol & STUN servers

[1]: https://samy.pl/chownat/

For an even cooler trick, check out pwnat, also from Samy: https://samy.pl/pwnat/

Server sends constant ICMP pings with a fixed payload to an unreachable dead Internet IP. Client sends an ICMP time exceeded message to the server containing the original fixed ping subpayload, which the server's NAT lets through because the payloads match as related traffic. Server then learns the client IP and the usual chownat UDP hole punching tricks apply.

Wow that's insane!
I find this argument to be completely ridiculous, and it’s become remarkably common among those who wish to justify some of IPv6's shortcomings. Whether it was designed to be a security control or not, it is one, and it’s an incredibly important one. Anything that controls how hosts are allowed to communicate with each other is a security control. The argument is so absurd that I literally can’t believe people go around parroting it.
Please explain how NAT without a stateful firewall provides security against what.
It allows you to connect a private network to any other network, including the internet, without allowing hosts on that network access to hosts on the private network. It’s a form of access control. What is your justification for saying that access control measures are not security controls? That is so incredibly contrived.
> It allows you to connect a private network to any other network, including the internet, without allowing hosts on that network access to hosts on the private network.

So, how does it do that?

> What is your justification for saying that access control measures are not security controls?

I am not saying that. It simply isn't an access control measure.

No, NAT does not prevent connections, it only rewrites addresses. If your NAT router also has a stateful firewall, that is what prevents inbound connections, and removing the NAT from that equation does not change that.
The point is NAT is actually a couple of rules in the router's stateful firewall; it is done by the firewall, and the firewall can't do it without explicit configuration. There can't be a 'default allow NAT' config.
... which doesn't change that that "default allow" firewall will still pass through all packets, and thus allow access to all your internal devices/machines? Absence of NAT rules does not prevent packets from passing through the firewall, it only prevents rewriting of addresses.
The point you were objecting to was "external device can't connect to a device behind NAT without explicit configuration". Without NAT rules access to internal devices is prevented because packets don't get routed to private IPs.
So an inbound packet comes in to your NAT and there is no entry for it in the state table. Isn't it then dropped? Isn't that preventing a connection?
Why should it be dropped?

If there is no entry in the state table, then NAT rules are consulted to see whether a new rewrite entry should be added (such as DNAT/port forwarding rules on your home router), and if there is no matching rule either, it simply is forwarded without address rewriting.

Why would it be forwarded? Do you mean that it forwards it to itself, the NAT device addressed by the actual public IP? Wikipedia seems to disagree [0] "if the destination port number of the incoming packet is not found in the translation table, the packet is dropped or rejected because the PAT device doesn't know where to send it."

I am sure a NAT could be configured any number of ways, though, and could probably do anything you want with such packets.

[0] https://en.m.wikipedia.org/wiki/Network_address_translation
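As an added example that is not from anyone in the thread, here is the "stateful ingress firewall" mentioned above (accept only established/related traffic) written as an nftables ruleset for a dual-stack home router; it shows the point disputed in the last exchange, that an unsolicited inbound packet is dropped by the forward chain's policy whether or not any NAT table exists. The interface names wan0/lan0, the 2001:db8::10 documentation address and the single SSH exception are assumptions.

```nft
#!/usr/sbin/nft -f
# Assumed interface names: wan0 faces the ISP, lan0 is the home LAN.
# 2001:db8::10 is a documentation-prefix address used as a placeholder.
# Only the forward chain is shown; the router's own input chain is omitted.
flush ruleset

table inet filter {
    chain forward {
        # Default deny for anything crossing the router, IPv4 and IPv6 alike.
        type filter hook forward priority filter; policy drop;

        # Replies to flows the LAN started (and related flows such as
        # ICMP errors) are the only WAN traffic let in by default.
        ct state invalid drop
        ct state established,related accept

        # The LAN may open new flows towards the WAN.
        iifname "lan0" oifname "wan0" accept

        # ICMPv6 error and diagnostic messages must pass for IPv6 to work
        # (path MTU discovery in particular); NAT users never had to
        # think about this caveat because IPv4 tolerates their loss.
        iifname "wan0" icmpv6 type { destination-unreachable, packet-too-big,
            time-exceeded, parameter-problem, echo-request } accept

        # The one deliberate exception: a single host reachable on SSH,
        # the "give it its own IP" case from the thread.
        iifname "wan0" oifname "lan0" ip6 daddr 2001:db8::10 tcp dport 22 accept
    }
}

# IPv4 masquerading lives in a separate table; deleting this table does not
# change what the filter table above lets through from wan0.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan0" masquerade
    }
}
```

Load with `nft -f` and inspect with `nft list ruleset`; a packet from wan0 that matches no rule reaches the chain's `policy drop`, which is the drop the Wikipedia quote attributes to the NAT device.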