by otabdeveloper4 1883 days ago
> Azure's network team decided to unnecessarily use NAT for IPv6, making it exactly (100%!) as complex as IPv4...

People like the NAT. It's a feature, not a bug. If your selling point for IPv6 is "no more NAT" then no wonder it never went anywhere!

P.S. No, "you're doing it wrong" and "you're not allowed to like the NAT" are not valid responses to user needs.


> "you're not allowed to like the NAT"

Well, the bigger question might be why do they like NAT?

If it's about having a single /128 address so they can do ACLs then that's easily fixed by just lowering the CIDR number (unless you have an ancient version of FortiGate on prem, which likely doesn't work with IPv6 anyway).

If it's about not having things poking at your servers through the NAT then the "NAT" really isn't helping anything, it's the stateful firewall doing _all_ the work there and those things are entirely independent systems. -- They're just sold to consumers as a single package.

Again: "you're doing it wrong" and "you're not allowed to like the NAT" are not valid criticisms.

People like NAT because it's an easy batteries-included way to manage, secure and understand your LAN.

Taking it away and forcing them to migrate to an incompatible zoo of firewall technologies for no benefit is asinine.

> They're just sold to consumers as a single package.

Exactly. How in the world is this a bad thing now? Do we really want to make network security for the average do-it-yourself home LAN harder?

It's less of a "you're doing it wrong" or "you're not allowed to like the NAT" and a more complex "you've incorrectly attributed your protection to NAT".

Trying to separate "NAT" from "stateful firewall" is pointless and only causes pain to the end user.

If this helps you understand, NAT and stateful firewalling are often the same code base. NAT is basically just a sub-feature, purely for translation, that is it.

The NAT feature solves the problem of:

  - public IPv4 exhaustion

You get in return:

  - higher latency

  - higher user & administrator mental overhead

  - limited public ports

  - protocol breakage (TCP & IPSec)

If you _remove_ NAT:

  - users no longer have to figure out why they can’t connect to their local web/Minecraft server using the public address/domain even after a port forward (the very common NAT hairpin problem)

  - do not need to google “what’s my IP” as the machine knows its address in any context

  - do not have to tunnel to a VPS, or use a VPN in cases of CGNAT (ISP provided double-NAT) to expose a server

  - no longer have to maintain a split DNS zone for public/private addresses of a *public* server

  - no longer have to google “how do I enable NAT traversal for this VPN”

  - no longer have to learn what addresses are OK and not OK to use locally (RFC 1918)

  - no longer get confused into thinking NAT is a hard requirement for any and all routing (ex: green admins whose only experience is a basic pfSense install adding 3 layers deep of NAT in labs)

These are all problems I’ve either been paid to help figure out, or done for free on forums/discord, regularly.

Removal of NAT requires no user interface change, the same “port forward” terminology AND user interfaces can remain. There can still be a port forward tab where you enter an address and port. SOHO firewalls/routers that use stuff like iptables ALREADY add both NAT and normal firewall rules, and hide that fact. The security of user devices with a proper firewall/router does not change, the exposed interfaces do not need to change, everything gets simpler. I repeat, the basic abstraction presented to users does not need to change. The only reason to insist on NAT is ignorance; removal of NAT is removal of complexity.

Nothing changes; the firewall instead says "do you want this port open to this device" [y/N]:

Personally I think this is much easier to reason about.

And all I'm saying is that the NAT part of it absolutely does nothing to defend you, it's trivially defeated, people just conflate the two.

> the firewall instead says "do you want this port open to this device" [y/N]

That's exactly what I don't want to do. I have over 20 devices in the home LAN at any given point in time; why do you want to make my life difficult for no good reason?

then don't click the "I want to open this device to incoming traffic" button?

Honestly I think you don't understand what NAT is.

Stateful firewalls basically work by watching your connections and then allowing the return traffic through. All firewalls are stateful; there are "stateless ACLs" in networking which are stupid and don't watch things, but we're not talking about those ... in fact 99% of internet users will never interact with a stateless ACL.

What happens when you make a connection is that your router adds your state to its "state table" _and_ pops open a port on your gateway to allow return traffic through; if you did not have a stateful firewall in place then the whole internet would be able to poke that port.

If you remove the NAT the only thing that happens is that your router doesn't have to pop open a port and route traffic from that port to your device, the stateful firewall stays in place, meaning that random devices on the internet CANNOT TALK to your internal network at all, unless you manually allow that, which is the same as what happens with port forwarding today.

The only thing you "lose" is that your whole house looks like one device.

You gain a significant reduction in latency, online games will work better and p2p networking (such as voip) will have significantly fewer problems, because the whole internet was designed without NAT in mind, because NAT is genuinely a terrible hack.

> Honestly I think you don't understand what NAT is.

Yes, I do. It's the "masquerade" rule in my router's firewall rules table.

> The only thing you "lose" is that your whole house looks like one device.

That's a feature, not a bug.

> You gain a significant reduction in latency, online games will work better and p2p networking (such as voip) will have significantly fewer problems

99.99999% of those problems are caused by shoddy Wi-Fi. IPv6 does nothing to fix it. (Directional antennas and a standard way to bridge L2 over Wi-Fi is the real solution; expanding the IPv4 address space does nothing.)

Again: what's the benefit of IPv6 to me? So far I only see downsides.

What do people like about NAT? I am guessing it's the perceived increase in security. But perhaps there are more real or perceived advantages.

What I find common is people conflate NAT with stateful firewalling, and believe that if you lose NAT you lose all forms of edge/perimeter network security. They don't understand that you can still filter and prevent unwanted packets from reaching hosts without NAT.

Of course you can. But why would you? You're replacing something that is simple, easy to understand and works perfectly well with a nebulous something that invites user error and security nightmares.

For example, my (modest) home LAN is five routers, a NAS/media server, a media player, two "smart TVs" and dozens of notebooks and phones connected via Wi-Fi.

What do you propose? Manage a firewall on each of those devices?

I suppose you mean setting up a firewall on the WAN link to block all incoming traffic? How is that different from a NAT? Merely a lack of 'masquerade' setting on the firewall rule? What's the benefit to me and why should I care?

Or do you propose some sort of hybrid scheme to intelligently block traffic while making all my countless devices pingable from the Internet? Not in this timeline, sorry.

Your home network and a cloud datacenter aren’t comparable. Many clouds have host level firewall policies as a core feature, and anyone competent is managing them profile-style using Terraform or an equivalent. It’s really quite easy from that perspective.

> Your home network and a cloud datacenter aren’t comparable.

Of course they are. I didn't need to think about firewall automation before, and now I do. For what gain?

> anyone competent

Not an option for most people. Let's make networking and security things more foolproof, not less, okay?

You really are refusing to listen to what people are telling you.

I have an Internet router, which uses NAT for IPv4, same as everyone else. If I want to punch a hole through for something like RDP or SSH, I have to use unique port numbers because I only have one Internet-facing IP address. Because there are only 3 billion IPv4 addresses for the whole World, all of them are regularly scanned by Bad People for open ports, making this RISKY.

I also have IPv6 enabled on it. No NAT. If I want to punch a hole through for RDP or SSH, I can use the standard ports because each device has a unique Internet-facing IP address. My router alone has 2^64 (millions of trillions) of unique addresses, of which a random 5 or 6 have been allocated. There is no way anyone ever is going to be able to scan these. I can SAFELY open standard port numbers and not have to worry about drive-by attacks.

THERE IS NO OTHER DIFFERENCE.

The router works the same, the firewall works the same, the Internet works the same, the GUI is the same. IT IS ALL THE SAME!

NAT is not magic. It is not a firewall. It is not necessary. It is not beneficial.

Nobody is stopping you from running a NAT gateway until 2120 at home. IPv6 solves specific problems in a datacenter context, namely address exhaustion. You'll never run into that problem at home.

Nothing new needs to be proposed. Nothing is being replaced. The current state of things is that whatever your edge device is provides actual security with stateful firewalling and translation with NAT, already. It's simple to understand because most home router products and projects like pfSense make them look like inseparable things that perform the same function. Removal of NAT won't even require a UI change for consumers because all these port forwarding UIs add both a DNAT/PNAT rule and a firewall rule already. You can keep the exact same user interfaces and "port forward" terminology when removing NAT.

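
As an added illustration of the point made here and in the earlier comment about SOHO routers adding both a NAT rule and a normal firewall rule for a "port forward" (this ruleset is not from any commenter in the thread), here is a minimal nftables configuration for a dual-stack home router; interface names, the LAN prefix and the NAS addresses are assumed/constructed. The forward chain, including the stateful rule and the per-host accept, is identical for IPv4 and IPv6; only the IPv4 side carries a translation table, and deleting that table leaves the inbound filtering unchanged.

```nft
# Assumed interface names and constructed addresses (documentation ranges).
define wan    = "eth0"
define lan    = "eth1"
define lan_v4 = 192.168.1.0/24
define nas_v4 = 192.168.1.10
define nas_v6 = 2001:db8:1234:1::10

# Filtering: one chain serves both address families (forward hook only;
# traffic to the router itself would need an input chain).
table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Stateful core: return traffic of connections opened from the LAN
        # is allowed, everything unsolicited from the WAN is dropped.
        ct state established,related accept
        iifname $lan oifname $wan accept

        # The "port forward" entry for the NAS. This filter rule is the part
        # that actually permits the inbound SSH connection, on both families.
        iifname $wan ip  daddr $nas_v4 tcp dport 22 ct state new accept
        iifname $wan ip6 daddr $nas_v6 tcp dport 22 ct state new accept
    }
}

# Translation, IPv4 only: exists because the LAN shares one public address.
# Remove this whole table and the filter rules above still block
# unsolicited inbound traffic exactly as before.
table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # Rewrite the destination so the shared public address reaches the NAS.
        iifname $wan tcp dport 22 dnat to $nas_v4
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        # Rewrite LAN sources to the router's WAN address on the way out.
        oifname $wan ip saddr $lan_v4 masquerade
    }
}
```
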
> What do people like about NAT?

NAT allows people to be very dumb about networking. Either you "open a port" or you don't.

It works very well as long as somebody else is managing the network for you and you just ask for stuff to happen and then that somebody else has to actually make it work.

Replace the word NAT with Firewall and all security-related statements are the same.

At home I really appreciate the NAT. I'm glad not every device has a public IP and gets hammered with attacks 24/7. It's not fail-safe but it definitely adds some security.

As for cloud, no idea what the benefit should be there.

This is what a firewall is for.

Most people use ISP provided routers at home, firewalls in those aren't necessarily great.

It would be literally the EXACT SAME firewall with IPv6 as with IPv4 NAT.

Most IPv6 routers are also IPv4 routers and behave exactly the same for both. They share the same router code, the same firewall, etc...