Hacker News new | ask | show | jobs
by jjjjmoney 959 days ago
> ok, but why?

Because NAT breaks a lot of services.

> Is that going to change with ipv6?

Yes. You no longer need NAT, so port negotiation is much easier (even when inbound is blocked)

> Are you _really_ just going to allow random traffic into your network?

Common misconception! Even without NAT, the router can have port/traffic policies. There's just no address translation happening.

There's a lot of good stuff about IPv6, and I would encourage more people to learn about it and try it out.

- ULAs can act like static internal LAN addresses

- A "strong" NAT is easier to avoid and no longer breaks connections to things that are sensitive like gaming consoles

- Randomized, temporary IPv6 public addresses are a nice feature, and mostly turned on by default

- The biggest one is people seem to equate NAT = router/firewall. This is absolutely not the case, and they are distinctly different. You can absolutely have a router/firewall without NAT!

- CG-NAT is becoming more popular due to the lack of IPv4 addresses, and I hate everything about that.

- You can even run a NAT64 to provide IPv4 access to your IPv6-only devices
2 comments
phpisthebest 959 days ago
>> The biggest one is people seem to equate NAT = router/firewall. This is absolutely not the case,

I dont think anyone equate that, but IPv6 proponents refuse to recognize that decades and decades, especially in home users, and SMB space, NAT was a layer of the security model, often times one of the biggest

Right or wrong is irrelevant, that is/was the reality

Just tossing IPv6 as a replacement for ipv4 with out factoring that in while simply screaming into the void "NAT IS NOT A FIREWALL" will be of little comfort to the elderly retiree that has their home computer ransomwared, or the small business that is put under due to a cyber attack because the ipv6 address was strait on the public internet

link
bluepizza 959 days ago
Home router NAT "layer of security" is equivalent to closing all ports.

If an IPv6 home router closes all ports by default, then the same level of security is achieved.

link
hot_gril 959 days ago
That's a big "if."

> Randomized, temporary IPv6 public addresses are a nice feature, and mostly turned on by default

I really do not want this.

link
devman0 959 days ago
It isn't a big if, it is literally the same connection tracking stack except without the address and port mapping.

If you take away the mapping the tracking doesn't go away. Inbound traffic still needs to match to to a session created by outbound traffic.

link
hot_gril 959 days ago
Yes, and every router has to do it properly by default, which so far they haven't really been. NAT is a lot harder to do wrong, cause the local IPs aren't even addressible.
link
icehawk 959 days ago
Its not harder to do wrong, its just less noticeable when done wrong, it's been a security consideration since NAT was created, and a persistent issue since then:

https://datatracker.ietf.org/doc/html/rfc2993#page-22

https://threatpost.com/remote-attackers-internal-network-dev... https://www.anvilsecure.com/blog/dhcp-games-with-smart-route...

link
devman0 958 days ago
If they haven't really been, then NAT wouldn't be working either, that's the point I'm making. NAT requires connection tracking to function, because NAT is actually an extra step on top of a basic stateful firewall, and the mapping part isn't the part that provides security, it is the connection tracking part.
link
saltminer 959 days ago
> I really do not want this.

Then disable it. IPv6 SLAAC privacy extensions are device-controlled, meaning neither your ISP nor your router can force you to use/not use them (unless they're so incompetent that they do things like hand out /128s).

I disable privacy extensions on my server so that I can give it a static IP within the prefix, so I can vouch that (at least on Linux) the process is quite simple.

link
hot_gril 959 days ago
Well, what I do is disable ipv6. I don't want the possibility that this is misconfigured, especially if the defaults tend to be wrong. Maybe my router doesn't even respect my firewall settings, like this: https://community.verizon.com/t5/Fios-Internet-and-High-Spee... Maybe the customer is wrong, but this shouldn't even be a question.

The rare times I want something publicly accessible, I use DMZ or port forwarding.

link
bluepizza 959 days ago
> That's a big "if."

Not really. Many home routers used to assign all ports to the first device to connect to the router, and you'd need to setup NAT just for your second computer. Eventually the default settings wised up.

It is much more probable that security defaults will be much tighter today than they were when ADSL initially took off.

link
jjjjmoney 959 days ago
> Just tossing IPv6 as a replacement for ipv4 with out factoring that in while simply screaming into the void "NAT IS NOT A FIREWALL" will be of little comfort to the elderly retiree that has their home computer ransomwared, or the small business that is put under due to a cyber attack because the ipv6 address was strait on the public internet

This is definitely what I'm seeing. IPv4 is really engrained in us - I actually had a really hard time conceptualizing how things worked until I forced myself to learn by deploying dual-stack and ipv6-only networks.

The major downside I see right now is that "addresses are harder to memorize," but there are solutions to that as well.

link
lxgr 959 days ago
> The major downside I see right now is that "addresses are harder to memorize," but there are solutions to that as well.

Definitely. That DNS thing sounds promising!

link
bigstrat2003 959 days ago
So we're supposed to do things wrong forever because some router vendors are too incompetent to set a firewall as well as NAT? That doesn't seem like a good approach to me.
link
phpisthebest 958 days ago
Right and wrong in this context is subjective there are many things in IPv6 that I find to be wrong convoluted and overly complex

When IPv6 was created they had the opportunity to just make it an expansion of the IPv4 space they chose not to do that and instead they added in a bunch of wish list items that were not needed to accomplish the goal that they were seeking to do which was prevent the exhaustion of IPv4 addresses

Absent address space exhaustion I massively prefer working with IPv4 than I do IPv6

link
adriancr 959 days ago
> Yes. You no longer need NAT, so port negotiation is much easier (even when inbound is blocked)

In practice someone can still configure NAT on IPv6 same as on IPv4 at least on Linux and some vendors, even if IETF resists standardizing it.

https://blogs.infoblox.com/ipv6-coe/you-thought-there-was-no...

So you might still see CGNAT if someone is determined to configure it.

link
jjjjmoney 959 days ago
Yes this is absolutely possible, but I do like that IPv6 doesn't mandate NAT.
link