[jacquesm]

NAT is a poor person's firewall, and even if everybody were to switch to IPV6 I believe that NAT'ing would be here to stay. There are lots of disadvantages to sitting behind a NAT but the positive part of it is that it actually does have some security benefits. I used to absolutely hate NAT but over the years I've come around a bit, and UPnP made it bearable from a tech point of view.

[ATsch]

This is completly incorrect. While NAT is almost always combined with a stateful firewall, the NAT itself does not provide any security.

Home devices are always going to be deployed with an allow outgoing, deny incoming firewall, regardless if they have IPv6 or not. They are identical in terms of security.

[jedberg]

> This is completly incorrect. While NAT is almost always combined with a stateful firewall, the NAT itself does not provide any security.

It most certainly does. If you have an insecure device behind a nat, say something with telnet sitting open, a port scanner from the outside won't be able to find it (unless you've gone to great efforts to allow inbound connections without an established outbound connection). This is objectively better than if that device were directly addressable.

> Home devices are always going to be deployed with an allow outgoing, deny incoming firewall, regardless if they have IPv6 or not.

Not always. My last router came with the firewall off and that was just a few years ago. A lot of consumer ISPs don't bother with the firewall because they don't want to field customer service calls about things not working.

[lostlogin]

> A lot of consumer ISPs don't bother with the firewall because they don't want to field customer service calls about things not working.

This is amazing. How does it work? What stops me going to the devices behind the router?

[ATsch]

Nothing, apart from IPv6' ginormous address space.

However, I have yet to see proof of any provider that actually deployed home routers this way.

[Dagger2]

If you looked, I'm sure you could find somebody somewhere. It's not even close to common though.

[zAy0LfpBZLC8mAC]

> It most certainly does.

No, it doesn't. It's a commonly believed myth among people who don't have a clue how IP works, though.

> If you have an insecure device behind a nat, say something with telnet sitting open, a port scanner from the outside won't be able to find it

Why not?

[icedchai]

When most people say "NAT", they really mean "PAT". Port address translation: multiple private IP addresses behind a single public IP address. When a non-pedantic person sees "NAT", they understand it is actually "PAT." And in the typical consumer configuration, it actually does provide some level of security.

[Dagger2]

And when people talk about "PAT", they're actually talking about a form of NAT that doesn't block connections.

Here's how you do "PAT" on Linux: `iptables -t nat -A POSTROUTING -o wan0 -j MASQUERADE`. Notice how it's limited to outbound connections ("-o wan0")? That means it doesn't apply to inbound connections, and thus doesn't have any effect on the behavior of inbound connections.

If it doesn't have any effect on the behavior of inbound connections, then how could it possibly block inbound connections?

(The typical consumer configuration pairs "PAT" with a firewall, and the firewall does block inbound connections. It's also typical to pair it with RFC1918 addresses, which doesn't block connections but does make it much harder for most people to make the relevant connections in the first place. None of that changes the fact that "PAT" doesn't block connections.)

[icedchai]

So in other words, even without a firewall, it still provides some level of security. If your attacker can't route to your target's addresses because they are private RFC1918, they're "blocked" for all practical purposes. Yes, I know they're not technically blocked... but the typical attacker 10 hops away isn't going to know...

[rtempaccount1]

In standard consumer networking, say I have a /24 (say 192.168.1.0/24) and one dual-homed host performing Network Address Translation to a Internet routable address, how would an attacker easily initiate a connection to one of the hosts on that internal subnet from somewhere on the Internet?

They obviously can't address traffic directly to 192.168.1.0/24 over the Internet as that's a bogon address and the Internet routers will either reject it out of hand, or not know where to send it.

[zAy0LfpBZLC8mAC]

> They obviously can't address traffic directly to 192.168.1.0/24 over the Internet as that's a bogon address and the Internet routers will either reject it out of hand, or not know where to send it.

That's not obvious at all. Now, you obviously can't just inject a packet addressed to 192.168.1.1 anywhere on the internet and expect it to turn up on any particular LAN, but that just excludes a subset of the possible attack vectors for unwanted inbound connections.

Your ISP can still send you packets addressed to 192.168.1.1. Thus, obviously anyone compomising your ISP, or some subset of their routers can as well (hello Cisco hardcoded passwords!). Also, it has happened that ISPs failed to isolate customers from one another (think multiple customers on the same VLAN), so your neighbour could send packets addressed to 192.168.1.1 to your router's WAN interface as well. Or potentially malware on their network, if someone were to systematically exploit such a setup.

It isn't even unheard of that ISPs forgot to disable routing protocols on customer-facing interfaces and some CPE managed to advertise their RFC1918 space via RIP to their ISP's access network.

Or, for that matter, an attacker could just hook into your uplink between you and your ISP, if you are a valuable enough target, to gain access to your CPE's WAN interface.

All of those are actually solved security-wise by having a stateful firewall, which will also prevent inbound connections from anywhere else on the internet.

[raesene9]

So it does provide practical protection to use NAT in that you've reduced the set of valid attackers from "anyone on the Internet" to "people with the ability to affect the upstream router in my ISP"

That (for most average consumers) is a vastly reduced attacker set.

Security is not binary, it's a scale.

[jacquesm]

You're technically correct but in practice ever since NAT has been a thing routers have stopped passing on incoming connections to the machines behind it unless specifically - and usually laboriously - configured to do so. This is also why NAT is considered hostile to a peer-to-peer internet, which prompted this very good article:

https://www.fourmilab.ch/documents/digital-imprimatur/

by John Walker, of Autodesk fame.

The router has a public IP and everything behind it has a local one. That you can do NAT in different contexts and that technically you could have NAT without the firewall functionality doesn't change that this is 99.9% of all NAT applications.

A bit more text about this concept:

https://security.stackexchange.com/questions/176744/why-is-n...

[ATsch]

I think this distinction is very important, for the following reason: Once you've acknowledged that firewalls are technically optional, but used in 99% of cases, there's no reason to say why home routers wouldn't come out of the box with IPv6 firewalls in 99% of cases too.

And this is in fact what we see in the real world with IPv6 deployments. Roughly 50% of my country has IPv6, and every single provider provisions it with sensible default firewall rules.

[zAy0LfpBZLC8mAC]

By that same logic, NAT provides internet connectivity. 99.9% of all NAT applications come with an internet uplink. Therefore, you need NAT for internet access. Not.

[gregmac]

> NAT itself does not provide any security

This is just arguing semantics. It's not "NAT itself", but a side effect of using it is that it requires deliberate effort to allow inbound connections to get to devices behind the router. This has many of the same effective security benefits as a firewall blocking inbound connections does.

Another way of saying this: the companies that make cheap, crappy routers can do the absolute bare minimum and not end up exposing internal devices to inbound internet traffic. So NAT provides security against the cheap, crappy router manufacturers.

With IPv6, the opposite is true: The router manufacturer has to do deliberate extra effort to block inbound connections, beyond just making the router "work". Will most router manufacturers do this extra effort and include a properly-configured firewall? Probably yes, especially if they don't want to get a terrible reputation for being insecure, which would (hopefully) eventually drive them out of business.

Will absolutely 100% of them always do this properly and never make a mistake? I wouldn't bet on it.

[nybble41]

> It's not "NAT itself", but a side effect of using it is that it requires deliberate effort to allow inbound connections to get to devices behind the router.

Unless your router has UPnP port forwarding enabled—as most home routers do by default, since popular apps require it—in which case any device can open a hole in the firewall for whatever incoming traffic it wants. In this scenario NAT provides no additional protection beyond what the client device could provide for itself by simply not accepting incoming connections. To get security from a NAT setup you need to disable UPnP and manually configure any required port forwarding, which is at least as much effort as properly configuring an IPv6 firewall.

The right solution IMHO is to have a separate LAN/WLAN/VLAN for the untrusted IoT devices which rejects all inbound connections from the WAN (no UPnP support) as well as all outbound connections to the main LAN. Outbound connections to the WAN for updates or cloud-base control are permitted but logged; inbound connections from the main LAN are also permitted, to control the IoT devices locally. For the main LAN the router should only perform basic filtering for malformed or misrouted packets—ones with an external or multicast destination address or an internal source address, for example. Apart from that, devices on the main LAN are expected to handle their own security. Laptops, smartphones, tablets, and other mobile devices are already required to handle this since they are routinely connected directly to untrusted networks.

[dboreham]

In my experience upnp is no longer enabled by default (because: not secure). UDP hole punching usually works though.

[mike_hock]

My guess is the firewall functionality will stay as long as IPv4 and thus NAT remain relevant. Once IPv4 has faded into obscurity, we'll see the advent of IPv6-only routers that are really only dumb routers ... and wireless access points.

[zAy0LfpBZLC8mAC]

But that just isn't true. There is nothing in NAT that requires dropping inbound connections, so crappy router manufacturers might be failing to do so right now. If there is no firewall on the device, it won't prevent inbound connections, no matter how much NAT it does.

[anticensor]

NAT66 is something real.

[jandrese]

In theory NAT provides no security. In practice it does.

The way common household NAT works is you have hosts on a private IP space behind a NAT device with an ephemeral internal IP/port table. When an internal device initiates a connection outward the NAT device takes a note of the IP address and port it is connecting to and writes them to the table, along with its own port mapping.

When a packet arrives addressed to the NAT device it checks the table and if it finds a matching entry it rewrites the packet and forwards it back to the original host.

So someone attempting to make a new connection to an internal host is effectively firewalled off by the lack of a mapping table.

Now most people who say "NAT isn't a firewall" are referring to the case where you have for some reason turned off the default firewall rules on the NAT device and have somehow routed a packet with a destination address that is on your internal network. In this case, the NAT will just forward the packet onto your internal host and provide no protection as they say. However, it ignores the difficulty of getting your ISP to route an RFC 1918 address to your NAT device in the first place. The very fact that your internal hosts are on non-routeable addresses is a form of protection provided by NAT.

[Dagger2]

> So someone attempting to make a new connection to an internal host is effectively firewalled off by the lack of a mapping table.

The lack of a mapping table entry just means that your packet doesn't get translated. It doesn't mean that inside hosts are unreachable.

> Now most people who say "NAT isn't a firewall" are referring to the case where you have for some reason turned off the default firewall rules on the NAT device

Yeah, so: NAT isn't a firewall. The firewall is a firewall. NAT is typically deployed together with a firewall precisely because NAT isn't a firewall.

This is an important distinction, because it means that the security you think you're getting from NAT is actually coming from the firewall, meaning you don't need NAT to get that security.

Note that I'm not ignoring the issue of reaching non-routeable addresses either. Your ISP can route to your LAN range easily, and there are plenty of people who could trick or force your ISP into cooperating. If you want to be secure, you can't rely on "probably I won't receive any evil connections, it'll be fine", you need to actually block them. If you're in a situation where non-routeability is relevant then you were already insecure.

You've also forgotten that NAT doesn't provide you with non-routeable addresses, even if it's typically deployed with them. It works on any address range and it has no impact on the routeability of the range you use. NAT is also not required to use non-routeable addresses (which as mentioned aren't even secure in the first place). So, again, it provides no security.

[peterwwillis]

> They are identical in terms of security.

A bit incorrect. There are IPv6 protocol changes (ex. ICMP vs ICMPv6) where the newer protocols are more secure. But actually having a private IP behind a NAT gateway is more secure in general, because nobody can directly route to a host behind your NAT, without exploiting reverse NAT traversal. IPv6 will allow easier exploitation of default host configurations due to being able to route to them easier.

[Dagger2]

Will it? You'd still have to get around the router firewall, the host would have to have no firewall of its own and be exploitable and also you'd have to _find_ the host first.

This also needs to be balanced against the difficulty of exploiting servers that have been deliberately exposed to the internet, for example cameras or NASs. People often expose those deliberately (via port forwards on v4) so they can access them remotely.

v6 will make it harder to exploit those devices, because it makes it harder to find them in the first place. Most botnets that run on cameras etc spread via random network scanning, so making those devices harder to find makes it harder for botnets to spread. You can consider this akin to vaccination's effect on the R value for a contagious disease: vaccination can eliminate a disease even when it doesn't eliminate 100% of infections. If a botnet can't find enough vulnerable hosts to exploit, it'll die out.

NAT with port forwards makes it far easier to find devices like that, because it reduces the search space. v4 reduces the search space further still, to the point where it's quite feasible to do an exhaustive search.

On balance, I think this makes the larger address space (without NAT) less exploitable.

[mindslight]

A stateful firewall that rejects incoming connections is conceptually simple even without NAT.

NAT itself does have the security benefit of masking more bits of client identity though. If I had a bunch of machines on an ip6 prefix, I would still want their outgoing connections to be NATted, to avoid address-based tracking.

[ecksii]

That isn't really necessary any longer. Modern IPv6 stacks devices use and periodically rotate through temporary IPv6 auto-allocated addresses for privacy reasons.

[mindslight]

AFAIK "privacy extensions" are just designed to avoid putting the (customarily) fixed MAC address onto the wider Internet. If each device still has a specific /128 at any given time, then the number of devices and the connections from the same device can be inferred - the statistical distribution is still drastically different than per-connection NAT.

We can envision a better version where each device pulls multiple addresses at a time and rotates through them basically per-topic, but I don't think stacks are really set up to do that. But sure we could get there eventually, at least modulo outdated firmware stuck with said vulnerabilities. On the other hand, if we already need maintained premise routers to manage incoming connections, they can simply NAT outgoing connections and get a perfect probability distribution across IP6+port that fully masks the internal network.

Ultimately I think the distinction between "outgoing" and "incoming" connections is only going to continue increasing, regardless of IP6.

[stingraycharles]

Most IPv6 routers allow you to keep the same behavior as NAT, e.g. simply do not allow new incoming connections to your prefix.

Not saying that you’re incorrect, but the problem might not be as big as you think.

[dspillett]

NAT is really firewalling at all. It just accidentally implies a "default block new inward" policy, which any good actual firewall setup for IPv4/IPv6/other would have as a default anyway.

Were it not for home routers supporting NAT because they need to with IPv4, the same routers would have a basic firewall with that default block rule in place.

[jacquesm]

I think you meant 'isn't', and we're in agreement. It is just that it has some of the same effects.

[dspillett]

Yep, small accident between the brain and the typing fingers there.