[AmericanChopper]

> So, how does it do that?

By rewriting the IP headers of packets as they traverse routing devices. If you’re trying to say that all NAT devices are stateless firewalls, then your point is even more contrived than I first thought.

> It simply isn't an access control measure.

Then why can’t other internet connected devices connect to my internet connected laptop? If I’d connected my laptop directly to my ISP then they would be able to. But I didn’t do that, I connected my home router to my ISP, and I connected my laptop to my home router, which is providing access control for me.

[shock]

> Then why can’t other internet connected devices connect to my internet connected laptop?

Some of them can. For example a device in the ISP network that can deliver a packet directly to your router's WAN interface can connect to your LAN devices in the absence of a firewall that would drop them.

As an example consider this:

A packet from src 10.10.10.10 to dst 192.168.1.1 arrives on the WAN interface. There are no firewall rules that match and the NAT is stateless. The router looks at the route table and sees a route for 192.168.1.0/24 on the LAN interface. It puts the packet on the LAN interface and calls it a day. Since 10.10.10.10 was a device on the same ISP network segment/broadcast domain as your router's WAN interface, it just reached a device in your NATed LAN.

On the campus LAN we used as a best practice to drop all packets that arrived on the WAN interface with a destination to the private LAN IP range, that had no entries in the state table.

[hunter2_]

Why would the ISP's network deliver a packet to the customer despite that packet having an IP address that doesn't match the IP address the customer leased?

Does this require an adversary who is or who compromises the ISP, possibly by tapping into the coax/fiber/etc in the last mile or by pwning the related nodes?

[shock]

> Why would the ISP's network deliver a packet to the customer despite that packet having an IP address that doesn't match the IP address the customer leased?

It wouldn't under normal circumstances, but could in the case of a misconfiguration or a malicious actor.

> Does this require an adversary who is or who compromises the ISP, possibly by tapping into the coax/fiber/etc in the last mile or by pwning the related nodes?

Most likely. I also don't consider the scenario likely, because most NATs/firewalls are stateful in this day and age and if the ISP is compromised the attacker could also use TR-069 to upgrade the firmware on the custormer's router and place a malicious implant⁰.

⓪ - http://www.pcworld.com/article/2463480/many-home-routers-sup...

[zAy0LfpBZLC8mAC]

Well, it is unlikely in practice because home access routers usually come with a stateful firewall. The important point is that that doesn't change when you remove the NAT. And that is important because people come to all kinds of nonsensical ideas about how IPv6 is dangerous or what you should do to make it less dangerous because you typically don't have NAT with IPv6.

Like, that you should use ULA and NAT with IPv6 so you don't lose the great security benefits of NAT. That is a completely logical conclusion if you believe that NAT provides security benefits. But it's just wrong.

And, yes, TR-069 is also a potential attack vector that you probably also should prevent in any halfway serious business context. Giving your ISP('s infrastructure) access to your internal network probably is not a good idea, no matter what the mechanism is.

[zAy0LfpBZLC8mAC]

> By rewriting the IP headers of packets as they traverse routing devices.

How does that prevent hosts on that other network from accessing hosts on your "private network"? Like, a packet addressed to one of the hosts on your "private network" arrives at your NAT gateway from the "other network". How does the NAT rewrite the IP headers, and how does that provide access control?

> If you’re trying to say that all NAT devices are stateless firewalls, then your point is even more contrived than I first thought.

Even that would not be contrived. If removing the NAT function does not change the security functions of a router, then the NAT obviously does not provide security, at best it implies the presence of certain security functions. But even that just isn't the case.

> But I didn’t do that, I connected my home router to my ISP, and I connected my laptop to my home router, which is providing access control for me.

Then that presumably is because your home router provides access control? What does that have to do with NAT, though?

[AmericanChopper]

Because without NAT, none of the devices on my home network would be able to connect to any internet connected hosts. That is, unless I assigned internet routable addresses to their network interfaces. If I did that, I’d either have to install firewalls on my devices, or expose all services running on my devices to the internet. But I don’t have to do that, because my home router uses NAT to allow all devices on my home network to connect to the internet, without allowing other devices on the internet inbound access.

If you have a point to make, then explain what it is. If you’re just gonna keep asking more contrived questions then I’ll presume you’re simply trolling.

[vardump]

> If I did that, I’d either have to install firewalls on my devices, or expose all services running on my devices to the internet.

Your router could still firewall them all the same. NAT or no NAT. You would not need to have a firewall on each individual device.

[AmericanChopper]

So you can replace the security controls provided by NAT with security controls provided by a firewall. How does this support the argument that NAT doesn’t provide any security controls?

[vardump]

NAT is not meant for security. It just unintentionally provides some by preventing inbound connections.

That's something you can circumvent in certain scenarios. The technique is called "NAT hole punching".

[zAy0LfpBZLC8mAC]

> It just unintentionally provides some by preventing inbound connections.

No, it doesn't.

[zAy0LfpBZLC8mAC]

The point is that IP doesn't work how you think it works, but I have no clue what exactly your misconception is, so I don't know what I need to explain to you to make you see the error in your reasoning.

And unfortunately, you don't even answer my questions, instead just hand-waving your way through the explanation, ignoring all the details that would show where your misunderstanding lies.

In any case, no, if you only remove NAT from your home router that also has a stateful firewall, nothing changes security-wise. It just doesn't. No need to install firewalls on all your devices or anything like that, having a firewall on your uplink router is still perfectly sufficient for that without NAT.

And if your home router really only does NAT, without a stateful firewall that prevents inbound connections, then no, your NAT-only router does not prevent inbound access to your home network.

I understand that you believe otherwise, but your belief simply is incorrect, but you won't be able to understand why if you don't dive into how a NAT gateway actually works instead of hand-waving your way through the explanation.

[AmericanChopper]

> if you only remove NAT from your home router that also has a stateful firewall, nothing changes security-wise.

But now I don’t have an internet connection, because none of the devices on my home network have an internet routable IP.

[privateSFacct]

NAT - regardless of firewalls or anything else - requires explicit config to allow packets to a host behind NAT. That’s is a security feature. Carrier grade NAT makes that even clearer. Note - I’ve configured non Firewall NATs - still requires explicit config. Some load balancer are basically non firewall NATs

[zAy0LfpBZLC8mAC]

For one, that does not strictly follow, because you can use NAT with globally routable addresses on your home network.

But in any case, the implied assumption was that you also switch to globally routable addresses for all your devices/that we are possibly talking about IPv6, where that would be the norm anyway. The point is that actually usable internet connectivity without NAT and with a stateful firewall has exactly zero differences security-wise vs. a setup that uses NAT and a stateful firewall. That is, except for the fact that all those misconceptions that people have about NAT can make people think that their network is secure when it is not, simply because they have NAT--if you don't have NAT, you can not mistakenly believe that it protects you against inbound connections.