[ATsch]

This is completly incorrect. While NAT is almost always combined with a stateful firewall, the NAT itself does not provide any security.

Home devices are always going to be deployed with an allow outgoing, deny incoming firewall, regardless if they have IPv6 or not. They are identical in terms of security.

[jedberg]

> This is completly incorrect. While NAT is almost always combined with a stateful firewall, the NAT itself does not provide any security.

It most certainly does. If you have an insecure device behind a nat, say something with telnet sitting open, a port scanner from the outside won't be able to find it (unless you've gone to great efforts to allow inbound connections without an established outbound connection). This is objectively better than if that device were directly addressable.

> Home devices are always going to be deployed with an allow outgoing, deny incoming firewall, regardless if they have IPv6 or not.

Not always. My last router came with the firewall off and that was just a few years ago. A lot of consumer ISPs don't bother with the firewall because they don't want to field customer service calls about things not working.

[lostlogin]

> A lot of consumer ISPs don't bother with the firewall because they don't want to field customer service calls about things not working.

This is amazing. How does it work? What stops me going to the devices behind the router?

[ATsch]

Nothing, apart from IPv6' ginormous address space.

However, I have yet to see proof of any provider that actually deployed home routers this way.

[Dagger2]

If you looked, I'm sure you could find somebody somewhere. It's not even close to common though.

[zAy0LfpBZLC8mAC]

> It most certainly does.

No, it doesn't. It's a commonly believed myth among people who don't have a clue how IP works, though.

> If you have an insecure device behind a nat, say something with telnet sitting open, a port scanner from the outside won't be able to find it

Why not?

[icedchai]

When most people say "NAT", they really mean "PAT". Port address translation: multiple private IP addresses behind a single public IP address. When a non-pedantic person sees "NAT", they understand it is actually "PAT." And in the typical consumer configuration, it actually does provide some level of security.

[Dagger2]

And when people talk about "PAT", they're actually talking about a form of NAT that doesn't block connections.

Here's how you do "PAT" on Linux: `iptables -t nat -A POSTROUTING -o wan0 -j MASQUERADE`. Notice how it's limited to outbound connections ("-o wan0")? That means it doesn't apply to inbound connections, and thus doesn't have any effect on the behavior of inbound connections.

If it doesn't have any effect on the behavior of inbound connections, then how could it possibly block inbound connections?

(The typical consumer configuration pairs "PAT" with a firewall, and the firewall does block inbound connections. It's also typical to pair it with RFC1918 addresses, which doesn't block connections but does make it much harder for most people to make the relevant connections in the first place. None of that changes the fact that "PAT" doesn't block connections.)

[icedchai]

So in other words, even without a firewall, it still provides some level of security. If your attacker can't route to your target's addresses because they are private RFC1918, they're "blocked" for all practical purposes. Yes, I know they're not technically blocked... but the typical attacker 10 hops away isn't going to know...

[zAy0LfpBZLC8mAC]

On the other hand, this might also give other people a false sense of security. Most people who tell you that "NAT provides security" think that NAT somehow drops packets, and if your network is actually targeted, this myth might well be the reason why someone ends up downloading all your files by connecting to your file server through your NAT gateway.

[Dagger2]

No... it doesn't drop connections, so it doesn't provide any security.

[rtempaccount1]

In standard consumer networking, say I have a /24 (say 192.168.1.0/24) and one dual-homed host performing Network Address Translation to a Internet routable address, how would an attacker easily initiate a connection to one of the hosts on that internal subnet from somewhere on the Internet?

They obviously can't address traffic directly to 192.168.1.0/24 over the Internet as that's a bogon address and the Internet routers will either reject it out of hand, or not know where to send it.

[zAy0LfpBZLC8mAC]

> They obviously can't address traffic directly to 192.168.1.0/24 over the Internet as that's a bogon address and the Internet routers will either reject it out of hand, or not know where to send it.

That's not obvious at all. Now, you obviously can't just inject a packet addressed to 192.168.1.1 anywhere on the internet and expect it to turn up on any particular LAN, but that just excludes a subset of the possible attack vectors for unwanted inbound connections.

Your ISP can still send you packets addressed to 192.168.1.1. Thus, obviously anyone compomising your ISP, or some subset of their routers can as well (hello Cisco hardcoded passwords!). Also, it has happened that ISPs failed to isolate customers from one another (think multiple customers on the same VLAN), so your neighbour could send packets addressed to 192.168.1.1 to your router's WAN interface as well. Or potentially malware on their network, if someone were to systematically exploit such a setup.

It isn't even unheard of that ISPs forgot to disable routing protocols on customer-facing interfaces and some CPE managed to advertise their RFC1918 space via RIP to their ISP's access network.

Or, for that matter, an attacker could just hook into your uplink between you and your ISP, if you are a valuable enough target, to gain access to your CPE's WAN interface.

All of those are actually solved security-wise by having a stateful firewall, which will also prevent inbound connections from anywhere else on the internet.

[raesene9]

So it does provide practical protection to use NAT in that you've reduced the set of valid attackers from "anyone on the Internet" to "people with the ability to affect the upstream router in my ISP"

That (for most average consumers) is a vastly reduced attacker set.

Security is not binary, it's a scale.

[zAy0LfpBZLC8mAC]

> So it does provide practical protection to use NAT in that you've reduced the set of valid attackers from "anyone on the Internet" to "people with the ability to affect the upstream router in my ISP"

Except it really doesn't because you haven't?

There are two practically relevant circumstances where the statement "NAT provides security" is made:

1. With regards to real-world home routers (which also come with a stateful firewall), in which case the statement is simply false: Adding or removing NAT makes no difference whatsoever for security. This is also the scenario that then is used to argue against IPv6, because IPv6 supposedly lacks this security, when it just doesn't, because the IPv6 router also comes with a stateful firewall, and adding NAT (or disabling IPv6 because of a "lack of NAT") achieves absolutely nothing security-wise, because there is no problem in the first place.

2. By people who falsely believe that NAT does in fact prevent all inbound connections and for that reason fail to configure the necessary firewall rules on more business-oriented routers, so the belief that "NAT provides security" keeps them from actually securing their network, and that in particular in scenarios where it is much more relevant than for your typical home user.

So, it is technically true that NAT could have security-enhancing effects under artificial circumstances. But under all real circumstances, it either just doesn't, or the belief that it has is what causes the configuration to be less secure than it easily could be, if only people didn't have the completely not-understood belief that "NAT provides security".

[jacquesm]

You're technically correct but in practice ever since NAT has been a thing routers have stopped passing on incoming connections to the machines behind it unless specifically - and usually laboriously - configured to do so. This is also why NAT is considered hostile to a peer-to-peer internet, which prompted this very good article:

https://www.fourmilab.ch/documents/digital-imprimatur/

by John Walker, of Autodesk fame.

The router has a public IP and everything behind it has a local one. That you can do NAT in different contexts and that technically you could have NAT without the firewall functionality doesn't change that this is 99.9% of all NAT applications.

A bit more text about this concept:

https://security.stackexchange.com/questions/176744/why-is-n...

[ATsch]

I think this distinction is very important, for the following reason: Once you've acknowledged that firewalls are technically optional, but used in 99% of cases, there's no reason to say why home routers wouldn't come out of the box with IPv6 firewalls in 99% of cases too.

And this is in fact what we see in the real world with IPv6 deployments. Roughly 50% of my country has IPv6, and every single provider provisions it with sensible default firewall rules.

[zAy0LfpBZLC8mAC]

By that same logic, NAT provides internet connectivity. 99.9% of all NAT applications come with an internet uplink. Therefore, you need NAT for internet access. Not.

[gregmac]

> NAT itself does not provide any security

This is just arguing semantics. It's not "NAT itself", but a side effect of using it is that it requires deliberate effort to allow inbound connections to get to devices behind the router. This has many of the same effective security benefits as a firewall blocking inbound connections does.

Another way of saying this: the companies that make cheap, crappy routers can do the absolute bare minimum and not end up exposing internal devices to inbound internet traffic. So NAT provides security against the cheap, crappy router manufacturers.

With IPv6, the opposite is true: The router manufacturer has to do deliberate extra effort to block inbound connections, beyond just making the router "work". Will most router manufacturers do this extra effort and include a properly-configured firewall? Probably yes, especially if they don't want to get a terrible reputation for being insecure, which would (hopefully) eventually drive them out of business.

Will absolutely 100% of them always do this properly and never make a mistake? I wouldn't bet on it.

[nybble41]

> It's not "NAT itself", but a side effect of using it is that it requires deliberate effort to allow inbound connections to get to devices behind the router.

Unless your router has UPnP port forwarding enabled—as most home routers do by default, since popular apps require it—in which case any device can open a hole in the firewall for whatever incoming traffic it wants. In this scenario NAT provides no additional protection beyond what the client device could provide for itself by simply not accepting incoming connections. To get security from a NAT setup you need to disable UPnP and manually configure any required port forwarding, which is at least as much effort as properly configuring an IPv6 firewall.

The right solution IMHO is to have a separate LAN/WLAN/VLAN for the untrusted IoT devices which rejects all inbound connections from the WAN (no UPnP support) as well as all outbound connections to the main LAN. Outbound connections to the WAN for updates or cloud-base control are permitted but logged; inbound connections from the main LAN are also permitted, to control the IoT devices locally. For the main LAN the router should only perform basic filtering for malformed or misrouted packets—ones with an external or multicast destination address or an internal source address, for example. Apart from that, devices on the main LAN are expected to handle their own security. Laptops, smartphones, tablets, and other mobile devices are already required to handle this since they are routinely connected directly to untrusted networks.

[dboreham]

In my experience upnp is no longer enabled by default (because: not secure). UDP hole punching usually works though.

[mike_hock]

My guess is the firewall functionality will stay as long as IPv4 and thus NAT remain relevant. Once IPv4 has faded into obscurity, we'll see the advent of IPv6-only routers that are really only dumb routers ... and wireless access points.

[zAy0LfpBZLC8mAC]

But that just isn't true. There is nothing in NAT that requires dropping inbound connections, so crappy router manufacturers might be failing to do so right now. If there is no firewall on the device, it won't prevent inbound connections, no matter how much NAT it does.

[anticensor]

NAT66 is something real.

[jandrese]

In theory NAT provides no security. In practice it does.

The way common household NAT works is you have hosts on a private IP space behind a NAT device with an ephemeral internal IP/port table. When an internal device initiates a connection outward the NAT device takes a note of the IP address and port it is connecting to and writes them to the table, along with its own port mapping.

When a packet arrives addressed to the NAT device it checks the table and if it finds a matching entry it rewrites the packet and forwards it back to the original host.

So someone attempting to make a new connection to an internal host is effectively firewalled off by the lack of a mapping table.

Now most people who say "NAT isn't a firewall" are referring to the case where you have for some reason turned off the default firewall rules on the NAT device and have somehow routed a packet with a destination address that is on your internal network. In this case, the NAT will just forward the packet onto your internal host and provide no protection as they say. However, it ignores the difficulty of getting your ISP to route an RFC 1918 address to your NAT device in the first place. The very fact that your internal hosts are on non-routeable addresses is a form of protection provided by NAT.

[Dagger2]

> So someone attempting to make a new connection to an internal host is effectively firewalled off by the lack of a mapping table.

The lack of a mapping table entry just means that your packet doesn't get translated. It doesn't mean that inside hosts are unreachable.

> Now most people who say "NAT isn't a firewall" are referring to the case where you have for some reason turned off the default firewall rules on the NAT device

Yeah, so: NAT isn't a firewall. The firewall is a firewall. NAT is typically deployed together with a firewall precisely because NAT isn't a firewall.

This is an important distinction, because it means that the security you think you're getting from NAT is actually coming from the firewall, meaning you don't need NAT to get that security.

Note that I'm not ignoring the issue of reaching non-routeable addresses either. Your ISP can route to your LAN range easily, and there are plenty of people who could trick or force your ISP into cooperating. If you want to be secure, you can't rely on "probably I won't receive any evil connections, it'll be fine", you need to actually block them. If you're in a situation where non-routeability is relevant then you were already insecure.

You've also forgotten that NAT doesn't provide you with non-routeable addresses, even if it's typically deployed with them. It works on any address range and it has no impact on the routeability of the range you use. NAT is also not required to use non-routeable addresses (which as mentioned aren't even secure in the first place). So, again, it provides no security.

[peterwwillis]

> They are identical in terms of security.

A bit incorrect. There are IPv6 protocol changes (ex. ICMP vs ICMPv6) where the newer protocols are more secure. But actually having a private IP behind a NAT gateway is more secure in general, because nobody can directly route to a host behind your NAT, without exploiting reverse NAT traversal. IPv6 will allow easier exploitation of default host configurations due to being able to route to them easier.

[Dagger2]

Will it? You'd still have to get around the router firewall, the host would have to have no firewall of its own and be exploitable and also you'd have to _find_ the host first.

This also needs to be balanced against the difficulty of exploiting servers that have been deliberately exposed to the internet, for example cameras or NASs. People often expose those deliberately (via port forwards on v4) so they can access them remotely.

v6 will make it harder to exploit those devices, because it makes it harder to find them in the first place. Most botnets that run on cameras etc spread via random network scanning, so making those devices harder to find makes it harder for botnets to spread. You can consider this akin to vaccination's effect on the R value for a contagious disease: vaccination can eliminate a disease even when it doesn't eliminate 100% of infections. If a botnet can't find enough vulnerable hosts to exploit, it'll die out.

NAT with port forwards makes it far easier to find devices like that, because it reduces the search space. v4 reduces the search space further still, to the point where it's quite feasible to do an exhaustive search.

On balance, I think this makes the larger address space (without NAT) less exploitable.