by AmericanChopper 2556 days ago
I find this argument to be completely ridiculous, and it’s become remarkably common among those who wish to justify some of IPv6’s shortcomings. Whether it was designed to be a security control or not, it is one, and it’s an incredibly important one. Anything that controls how hosts are allowed to communicate with each other is a security control. The argument is so absurd that I literally can’t believe people go around parroting it.

Please explain how NAT without a stateful firewall provides security against what.
It allows you to connect a private network to any other network, including the internet, without allowing hosts on that network access to hosts on the private network. It’s a form of access control. What is your justification for saying that access control measures are not security controls? That is so incredibly contrived.
> It allows you to connect a private network to any other network, including the internet, without allowing hosts on that network access to hosts on the private network.

So, how does it do that?

> What is your justification for saying that access control measures are not security controls?

I am not saying that. It simply isn't an access control measure.

> So, how does it do that?

By rewriting the IP headers of packets as they traverse routing devices. If you’re trying to say that all NAT devices are stateless firewalls, then your point is even more contrived than I first thought.

> It simply isn't an access control measure.

Then why can’t other internet connected devices connect to my internet connected laptop? If I’d connected my laptop directly to my ISP then they would be able to. But I didn’t do that, I connected my home router to my ISP, and I connected my laptop to my home router, which is providing access control for me.

> Then why can’t other internet connected devices connect to my internet connected laptop?

Some of them can. For example a device in the ISP network that can deliver a packet directly to your router's WAN interface can connect to your LAN devices in the absence of a firewall that would drop them.

As an example consider this:

A packet from src 10.10.10.10 to dst 192.168.1.1 arrives on the WAN interface. There are no firewall rules that match and the NAT is stateless. The router looks at the route table and sees a route for 192.168.1.0/24 on the LAN interface. It puts the packet on the LAN interface and calls it a day. Since 10.10.10.10 was a device on the same ISP network segment/broadcast domain as your router's WAN interface, it just reached a device in your NATed LAN.

On the campus LAN, our best practice was to drop all packets that arrived on the WAN interface with a destination in the private LAN IP range and had no entries in the state table.

Why would the ISP's network deliver a packet to the customer despite that packet having an IP address that doesn't match the IP address the customer leased?

Does this require an adversary who is or who compromises the ISP, possibly by tapping into the coax/fiber/etc in the last mile or by pwning the related nodes?

> By rewriting the IP headers of packets as they traverse routing devices.

How does that prevent hosts on that other network from accessing hosts on your "private network"? Like, a packet addressed to one of the hosts on your "private network" arrives at your NAT gateway from the "other network". How does the NAT rewrite the IP headers, and how does that provide access control?

> If you’re trying to say that all NAT devices are stateless firewalls, then your point is even more contrived than I first thought.

Even that would not be contrived. If removing the NAT function does not change the security functions of a router, then the NAT obviously does not provide security, at best it implies the presence of certain security functions. But even that just isn't the case.

> But I didn’t do that, I connected my home router to my ISP, and I connected my laptop to my home router, which is providing access control for me.

Then that presumably is because your home router provides access control? What does that have to do with NAT, though?

Because without NAT, none of the devices on my home network would be able to connect to any internet-connected hosts. That is, unless I assigned internet-routable addresses to their network interfaces. If I did that, I’d either have to install firewalls on my devices or expose all services running on my devices to the internet. But I don’t have to do that, because my home router uses NAT to allow all devices on my home network to connect to the internet, without allowing other devices on the internet inbound access.

If you have a point to make, then explain what it is. If you’re just gonna keep asking more contrived questions then I’ll presume you’re simply trolling.
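The two positions in this thread (the campus-LAN example of a packet from 10.10.10.10 to 192.168.1.1 arriving on the WAN interface, and the claim that NAT alone blocks inbound access) can be checked against a small model of a router's forwarding decision. The following is an added example, not code posted by any commenter: a toy masquerading router with a LAN of 192.168.1.0/24, a WAN interface on the constructed ISP segment 10.10.10.0/24 (router WAN address 10.10.10.5), a state table that exists only to un-translate replies, and an optional "drop WAN-ingress packets with no state entry" rule. All addresses, ports and the `Router`/`Packet` classes are assumptions made for the illustration.

```python
"""Toy model of a home router: masquerading NAT plus an optional
"established only" rule on the WAN side.  Constructed example; the
addresses are illustrative and the model is layer 3 only (the L2 hop
that gets the packet onto the WAN interface is taken as given)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

WAN_IP = "10.10.10.5"                     # router's leased address on the ISP segment
WAN_NET = ip_network("10.10.10.0/24")     # ISP segment shared with other customers
LAN_NET = ip_network("192.168.1.0/24")    # private LAN behind the router


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class Router:
    # The filter rule the campus LAN comment describes; off by default,
    # which is the configuration the thread's scenario relies on.
    drop_unsolicited_wan: bool = False
    # NAT state table: (remote ip, remote port, translated port) -> (lan ip, lan port).
    # It exists to un-translate replies; it is not a filter by itself.
    state: dict = field(default_factory=dict)
    next_port: int = 40000

    def route(self, dst: str) -> str:
        """Plain destination-based routing: LAN prefix, ISP segment, else default."""
        d = ip_address(dst)
        if d in LAN_NET:
            return "lan"
        return "wan"

    def forward(self, pkt: Packet, ingress: str):
        """Return (egress interface, packet as sent), or (None, None) if dropped."""
        if ingress == "lan" and self.route(pkt.dst) == "wan":
            # Outbound: rewrite source to the WAN address and remember the mapping.
            key = (pkt.dst, pkt.dport, self.next_port)
            self.state[key] = (pkt.src, pkt.sport)
            sent = Packet(WAN_IP, pkt.dst, self.next_port, pkt.dport)
            self.next_port += 1
            return "wan", sent
        if ingress == "wan":
            key = (pkt.src, pkt.sport, pkt.dport)
            if pkt.dst == WAN_IP and key in self.state:
                # Reply to a flow a LAN host opened: un-NAT it back to that host.
                lan_ip, lan_port = self.state[key]
                return "lan", Packet(pkt.src, lan_ip, pkt.sport, lan_port)
            if self.drop_unsolicited_wan:
                return None, None          # the "established only" rule
            if pkt.dst == WAN_IP:
                return "local", pkt        # addressed to the router itself
            # No state match and no filter rule: NAT has nothing to rewrite,
            # so the packet is simply routed on its destination address.
            return self.route(pkt.dst), pkt
        return self.route(pkt.dst), pkt


def run_scenarios(drop_unsolicited_wan: bool) -> dict:
    """Three packets through one router; returns what happened to each."""
    r = Router(drop_unsolicited_wan=drop_unsolicited_wan)
    out = {}
    # 1. A LAN laptop opens a TCP flow to a public web server (constructed address).
    iface, p = r.forward(Packet("192.168.1.10", "198.51.100.7", 51000, 443), "lan")
    out["outbound"] = (iface, p.src, p.sport)
    # 2. The server's reply arrives on the WAN side and is un-NATed to the laptop.
    iface, p = r.forward(Packet("198.51.100.7", WAN_IP, 443, p.sport), "wan")
    out["reply"] = (iface, p.dst, p.dport)
    # 3. A neighbour on the same ISP segment hands the router a packet addressed
    #    directly to a private LAN host, exactly the campus-LAN scenario above.
    iface, _ = r.forward(Packet("10.10.10.10", "192.168.1.1", 1234, 22), "wan")
    out["unsolicited"] = iface
    return out


if __name__ == "__main__":
    print("NAT only:      ", run_scenarios(False))
    print("NAT + filter:  ", run_scenarios(True))
```

With `drop_unsolicited_wan=False` the NAT translates the outbound flow and its reply correctly, yet the unsolicited packet to 192.168.1.1 is still forwarded onto the LAN, because translation never had a reason to touch it and nothing else inspected it. Only the filter rule changes that outcome. On a Linux router the equivalent of that rule is a FORWARD-chain match such as `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` on the WAN interface followed by a drop; the interface name and exact policy are site-specific.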