by shock 2557 days ago
> Then why can’t other internet connected devices connect to my internet connected laptop?

Some of them can. For example a device in the ISP network that can deliver a packet directly to your router's WAN interface can connect to your LAN devices in the absence of a firewall that would drop them.

As an example consider this:

A packet from src 10.10.10.10 to dst 192.168.1.1 arrives on the WAN interface. There are no firewall rules that match and the NAT is stateless. The router looks at the route table and sees a route for 192.168.1.0/24 on the LAN interface. It puts the packet on the LAN interface and calls it a day. Since 10.10.10.10 was a device on the same ISP network segment/broadcast domain as your router's WAN interface, it just reached a device in your NATed LAN.

On the campus LAN, our best practice was to drop all packets that arrived on the WAN interface with a destination in the private LAN IP range and no entry in the state table.
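The forwarding decision described in the comment above, as an added simulation that is not part of the original thread: a toy router with a route table and an optional state table, showing that with stateless NAT and no filter rule the packet from 10.10.10.10 to 192.168.1.1 arriving on WAN is simply routed onto the LAN, while the stateful rule (drop WAN-ingress packets for the private LAN range that match no state entry) stops it but still lets replies to LAN-initiated flows through. Address rewriting is left out, since the point is the state check, not the translation; all addresses, interface names and the route table are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed topology: the private LAN behind the router.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str  # interface the packet arrived on: "wan" or "lan"


@dataclass
class Router:
    # Route table: destination prefix -> egress interface (constructed).
    routes: dict = field(
        default_factory=lambda: {LAN_NET: "lan", DEFAULT: "wan"}
    )
    # State table: (remote, local) pairs for flows a LAN host started.
    state: set = field(default_factory=set)
    # False = stateless NAT, no filter rule (the scenario in the comment).
    # True  = drop WAN ingress for LAN_NET unless a state entry exists.
    stateful: bool = False

    def lookup(self, dst: str) -> str:
        """Longest-prefix match over the route table."""
        dst_ip = ipaddress.ip_address(dst)
        best = max((n for n in self.routes if dst_ip in n),
                   key=lambda n: n.prefixlen)
        return self.routes[best]

    def forward(self, pkt: Packet) -> str:
        """Return the egress interface, or "drop"."""
        if pkt.iface == "lan":
            # Outbound flow: remember it so the reply can be matched.
            self.state.add((pkt.dst, pkt.src))
            return self.lookup(pkt.dst)
        # WAN ingress.
        dst_ip = ipaddress.ip_address(pkt.dst)
        if (self.stateful and dst_ip in LAN_NET
                and (pkt.src, pkt.dst) not in self.state):
            return "drop"
        # Stateless path: route table says LAN_NET is behind "lan", so a
        # packet addressed to a private LAN host is put on the LAN as-is.
        return self.lookup(pkt.dst)


def simulate() -> dict:
    """Run the comment's scenario against both router configurations."""
    unsolicited = Packet("10.10.10.10", "192.168.1.1", "wan")
    outbound = Packet("192.168.1.1", "203.0.113.5", "lan")
    reply = Packet("203.0.113.5", "192.168.1.1", "wan")

    stateless = Router()
    stateful = Router(stateful=True)
    return {
        "stateless_unsolicited": stateless.forward(unsolicited),  # "lan"
        "stateful_unsolicited": stateful.forward(unsolicited),    # "drop"
        "stateful_outbound": stateful.forward(outbound),          # "wan"
        "stateful_reply": stateful.forward(reply),                # "lan"
    }


if __name__ == "__main__":
    for name, result in simulate().items():
        print(f"{name}: {result}")
```

The stateless router forwards the unsolicited packet purely on the route lookup, which is what lets a host on the same ISP segment reach the private LAN; the stateful variant denies it while the reply to the LAN-initiated flow still passes because the outbound packet created the matching state entry.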


Why would the ISP's network deliver a packet to the customer despite that packet having an IP address that doesn't match the IP address the customer leased?

Does this require an adversary who is or who compromises the ISP, possibly by tapping into the coax/fiber/etc in the last mile or by pwning the related nodes?

> Why would the ISP's network deliver a packet to the customer despite that packet having an IP address that doesn't match the IP address the customer leased?

It wouldn't under normal circumstances, but could in the case of a misconfiguration or a malicious actor.

> Does this require an adversary who is or who compromises the ISP, possibly by tapping into the coax/fiber/etc in the last mile or by pwning the related nodes?

Most likely. I also don't consider the scenario likely, because most NATs/firewalls are stateful in this day and age and if the ISP is compromised the attacker could also use TR-069 to upgrade the firmware on the customer's router and place a malicious implant [0].

[0] http://www.pcworld.com/article/2463480/many-home-routers-sup...

Well, it is unlikely in practice because home access routers usually come with a stateful firewall. The important point is that that doesn't change when you remove the NAT. And that is important because people come to all kinds of nonsensical ideas about how IPv6 is dangerous or what you should do to make it less dangerous because you typically don't have NAT with IPv6.

Like, that you should use ULA and NAT with IPv6 so you don't lose the great security benefits of NAT. That is a completely logical conclusion if you believe that NAT provides security benefits. But it's just wrong.

And, yes, TR-069 is also a potential attack vector that you probably also should prevent in any halfway serious business context. Giving your ISP('s infrastructure) access to your internal network probably is not a good idea, no matter what the mechanism is.