Comment by muvlon

4 hours ago

It's sad how much of this thread of supposed hackers comes from people who are simply parroting this dogma because it has been drilled into them. People were even preaching this before IPv6 privacy extensions came into use, either downplaying the privacy issues or outright telling people they were bad for wanting privacy because IPv6 is more important.

I understand the difference between NAT and firewall perfectly well. I have deployed and configured both for many years. The strawman of "NAT without firewall" is pretty much irrelevant, because that's not what people run IRL.

Firewalls are policy-based security, NAT is namespacing. In other fields, we consider namespacing an important security mechanism. If an attacker can't even name a resource they're not allowed to access, that's quite a strong security property. And of course, anyone can spoof IP and try to send traffic to 192.168.0.6 or whatever. But if you're anywhere in the world other than right inside my ISP's access network, you can't actually get the internet to route this to my local 192.168.0.6. On the other hand, an IPv6 firewall is one misconfigured rule away from giving anybody on the planet access.
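An illustration of the distinction drawn above (policy-based firewall versus address namespacing), added here and not part of muvlon's comment or any project discussed in the thread: a minimal stateful IPv6 ruleset for a home router in nftables syntax, with the kind of rule the comment warns about shown only as a comment. The interface names wan0 and lan0 and the address 2001:db8::10 are assumptions for the example.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread: a minimal stateful IPv6 ruleset for a
# home router. Interface names are assumptions:
#   wan0 = ISP-facing uplink, lan0 = internal network.
flush ruleset

table inet filter {
    chain input {
        # Traffic addressed to the router itself. Default: drop.
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif lo accept

        # IPv6 does not work without ICMPv6 (neighbor discovery, PMTUD).
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request, nd-router-solicit,
                      nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept

        # Router management (DHCPv6, DNS, SSH, ...) only from the LAN side.
        iif lan0 accept
    }

    chain forward {
        # Traffic crossing the router between wan0 and lan0. Default: drop.
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Keep PMTUD and error signalling working across the router.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem } accept

        # Hosts on the LAN may open connections outward; the reply packets
        # are admitted by the established,related rule above.
        iif lan0 oif wan0 accept

        # This is the "one misconfigured rule" from the comment. A line like
        #     iif wan0 oif lan0 accept
        # placed here would expose every global address on lan0 to the whole
        # Internet, because unlike RFC 1918 space those addresses are routable.
        # Unsolicited inbound should only ever be admitted by an explicit,
        # narrow rule, e.g. one host and one port (placeholder address from
        # the documentation prefix):
        #     iif wan0 oif lan0 ip6 daddr 2001:db8::10 tcp dport 443 accept
    }
}
```

Check the file with `nft -c -f <file>` before loading it with `nft -f <file>`, and after loading confirm with `nft list ruleset` that both chains still carry `policy drop` and that the only rules matching `iif wan0` in the forward chain are the narrow ones you intended. A NAT box gets the "drop unsolicited inbound" behaviour as a side effect of address sharing; with global IPv6 addresses that behaviour exists only as long as this explicit policy does.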

Thank you. This is the first time that someone admits here that NAT actually adds some security. IPv4 will never go away, or at least an important share of it won't, because of its simplicity and the NAT-level security it offers to the millions of professionals and amateurs that tinker with their routers.

Except in the real world everyone is also running UPnP, so NAT is also one misconfiguration away from exposing something publicly. In the real world your ISP might enable IPv6 one day and suddenly you do have a public address. Relying on NAT is a bad idea because it's less explicit. A firewall is saying you only want to allow these things through. Of course nothing is perfect, you can mess up, but NAT is just less clear: the expectation is not "nothing behind NAT should ever be exposed", it's "we don't have enough addresses and need to share".

  • UPnP is not tied to NAT, where did you get this from? UPnP is used to request direct connections, and a firewall can implement UPnP just as well as a NAT.

  • It's not "relying on NAT" to have it as a layer in the Swiss cheese. Relying on any one thing is a bad strategy.

  • > Except in the real world everyone

    ...and goes on to ignore enterprise businesses, which consume most of the v4 space and are among the biggest resisters of v6.

  • > Except in the real world everyone is also running UPnP

    Definitely not. I've been disabling that for years.

  • No, not everyone is running UPnP. Maybe on most home networks, but that’s not the audience that even knows or cares about NAT.