Comment by izacus
5 days ago
This gaslighting keeps being repeated, but the fact of the matter is that any consumer/home network will be exposed to the internet if they're using SOHO equipment via IPv6 and won't be via IPv4.
And a huge % of SOHO routers won't even allow configuring an IPv6 firewall, which makes security a disaster.
I have never seen a single router that supports IPv4 NAT, IPv6, and not an IPv6 firewall. I’m skeptical that they exist.
Look harder - maybe start with equipment that ISPs give out as their internet boxes.
If you look hard enough you will find some, but it's not common.
Half of the Internet is using v6. If a lack of firewall was as common or as dangerous as people think, the supposed security disaster would have already happened. It hasn't.
> any consumer/home network will be exposed to the internet if they're using SOHO equipment via IPv6 and won't be via IPv4.
Only if the ISP does no egress filtering. Most mobile carriers I’ve used deny inbound connections.
I don't think "IPv6 is safe because ISP is blocking all your ingress traffic" is a positive argument for an IP standard that's supposed to enable every device to be routable on the internet without things like NAT.
(Also, why the fsck would I want to have an ISP that does that?)
It keeps getting repeated precisely because it isn't gaslighting. And yet we still see people claiming that NAT is security.
The only reason those networks aren't exposed to the whole Internet on v4 is because they're using RFC1918, not because of NAT -- but that still leaves them exposed to some outside networks, so routers come with firewalls, which act as an actual security boundary.
And they won't be exposed on v6, because those exact same firewalls work their magic on v6 too.
NAT doesn't provide security and isn't needed for it. Its main security contribution is to confuse people about how secure their network is.
NAT effectively stops inbound connectivity at the NAT edge. A system could be a dozen hops beyond that and no inbound traffic can reach it.
IPv6 (without any NAT) means that the source and destination are fully routable.
How folks DON'T see this as a functional component of security is beyond me.
I'd expect folks would see the behavior you're describing here as being part of security.
However, NAT in the real world doesn't work the way you're describing here. My position is based on how NAT actually behaves, not on incorrect descriptions of how it behaves.
Or perhaps you could explain how NAT stops inbound connectivity at the NAT edge? I've tested and it doesn't, so I don't think it's possible to explain how it does, but I'm open to being wrong on that if anybody could actually explain it in a way that doesn't contradict actual observed behavior.
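The stateful-firewall-versus-NAT distinction argued over above (the "routers come with firewalls, which act as an actual security boundary" point and the request to show what NAT actually does at the edge) is easiest to see in a concrete ruleset. The following is an added example written for this page; it is not from any commenter and not from any router vendor. It assumes a Linux-based SOHO router with nftables, a WAN interface named "eth0", a LAN bridge named "br0", an inside IPv4 range of 192.168.1.0/24 and a globally routed IPv6 prefix delegated to br0 (all of these names and addresses are assumptions). The first filter table is the weak configuration; the second is the corrected one. Load only one of the two filter tables at a time; the NAT table is shared.

```nftables
# Added example (not from the thread). Interface names eth0/br0 and the
# 192.168.1.0/24 range are assumptions; adjust for the real box.

# Shared IPv4 NAT table. Masquerade only rewrites the source of flows that the
# inside originates. It creates no rule that inspects or blocks an inbound
# packet addressed to an inside 192.168.1.x host, and it has nothing to say
# about IPv6 at all, because the "ip" family table is IPv4-only.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "eth0" ip saddr 192.168.1.0/24 masquerade
    }
}

# WEAK: NAT with no forward filter. Any packet the router can route to an
# inside address is forwarded. On IPv4 that includes a neighbouring network
# behind the same upstream that has a route to 192.168.1.0/24; on IPv6 every
# inside host has a global address, so it is every host on the internet.
table inet weak_forward {
    chain forward {
        type filter hook forward priority filter; policy accept;
    }
}

# CORRECTED: one stateful forward chain in the "inet" family, so the identical
# rules apply to IPv4 and IPv6. This chain, not the masquerade rule, is what
# stops unsolicited inbound traffic.
table inet firewall {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies and related packets (including ICMPv6 errors such as
        # packet-too-big for an existing flow) for connections the inside
        # initiated are allowed back in.
        ct state established,related accept

        # Invalid conntrack state is dropped explicitly rather than by policy,
        # so it shows up in counters while tuning.
        ct state invalid counter drop

        # New connections may be opened from the LAN towards the WAN only.
        iifname "br0" oifname "eth0" ct state new accept

        # Everything else, on either address family, falls to the drop policy:
        # unsolicited inbound from eth0 towards an inside v4 or v6 host never
        # reaches it, whether or not NAT is in the path.
    }
}
```

With the corrected table loaded, an outside host that sends a SYN to an inside IPv6 address (or to 192.168.1.10 over a route that reaches the router) hits the forward chain with ct state new on iifname "eth0" and is dropped; with only the weak table loaded it is forwarded unchanged. Removing the ip nat table entirely changes nothing about that outcome, which is the practical content of the "same firewall on v4 and v6" claim: the stateful forward filter is the security boundary, and it is written once for both families.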