Comment by Dagger2
2 days ago
I get all of that... but it just sounds like you're arguing that either using RFC1918, or someone's inability to route to your router, is a firewall. Neither of these things are NAT! Nor will either of them protect you from all inbound connections, so neither of them count as firewalls either (although I'll grant that they limit the number of people that could make such a connection).
You can't trust an attacker to politely not send you packets that you think they can't send you. They can run `ip route add 10.5.5.5 dev vpn`/`via <next-hop>` just fine if they happen to be in the right place to do it, and your NAT won't help you.
The reason the packets are being dropped does matter. The issue at hand is all the people thinking that v6 is insecure because NAT is a security barrier; they're wrong, because it's not a security barrier, and if they continue to misattribute their security to it then they're going to keep reaching the wrong conclusions about v6.
> I get all of that... but it just sounds like you're arguing that either using RFC1918, or someone's inability to route to your router, is a firewall.
Yes and no. The effect is the same; packets are dropped. If you have no path to a target and no way to create one, it's a security barrier.
> Neither of these things are NAT!
You're right. They're a *result* of having a NAT boundary.
> They can run `ip route add 10.5.5.5 dev vpn`/`via <next-hop>` just fine if they happen to be in the right place to do it, and your NAT won't help you.
'If they happen to be in the right place to do it' is doing a LOT of heavy lifting here. You'd have to have root access on a compromised host, e.g., a linux system, immediately adjacent to the router/firewall/VPN doing NAT. And boy would that be a stupid design for an enterprise, and it would never happen at the Internet edge. So we're talking about the edgiest of edge case unicorns.
Even if you had all that go right, return packets are going to be addressed wrong (NAT) so you'd have to figure out how to deal with that.
Your stance seems to boil down to security being an active security measure - e.g. packet filter policy. My stance is that NAT and the reality of network design naturally results in preventing unwanted traffic flows, effectively producing the same result.
I'm not saying firewalls aren't critical, just that NAT does create a barrier, and v6 advocates always blare on that it doesn't.