Comment by Latty

6 hours ago

Except in the real world everyone is also running UPnP, so NAT is also one misconfiguration away from exposing something publicly. In the real world your ISP might enable IPv6 one day and suddenly you do have a public address. Relying on NAT is a bad idea because it's less explicit: a firewall is saying you only want to allow these things through. Of course nothing is perfect, you can mess up, but NAT is just less clear; the expectation is not "nothing behind NAT should ever be exposed", it's "we don't have enough addresses and need to share".

UPnP is not tied to NAT, where do you have this from? UPnP is used to request direct connections, a firewall can implement UPnP just as well as a NAT.

UPnP won't expose my SMB to the world on its own. For that you'd need an attacker already inside the NAT. So already on that side of the hatchway.

It's not "relying on NAT" to have it as a layer in the swiss cheese. Relying on any one thing is a bad strategy.

  • Sure, and that's fine, but relying on it isn't, and it isn't a reason not to use IPv6 (if you want namespacing, there are tools for that outside hiding behind a single IPv4). Hence the advice is not to rely on NAT.

    This is people talking past each other, and to be fair, saying "everyone" in my post made it unclear, I was being glib in response to "because that's not what people run IRL", when evidently people do, I've seen it happen.
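The point above is that a firewall states the inbound policy explicitly, whereas NAT only hides hosts as a side effect of address sharing, and that side effect disappears the day the ISP hands out public IPv6 addresses. The ruleset below is an added illustration, not something any participant in this thread posted: a minimal stateful nftables configuration for a home router that applies one explicit default-deny inbound policy to both address families at once (the `inet` family), so turning on IPv6 does not silently expose services that were previously unreachable only because of NAT. The interface names `lan0` and `wan0` and the choice to allow SMB (TCP 445) only from the LAN are assumptions for the example. The older habit of configuring only `iptables` (IPv4) while leaving `ip6tables` at its default ACCEPT policy is exactly the gap this avoids.

```nftables
# Added example (not from the thread): explicit inbound policy for IPv4 and IPv6.
# "inet" tables apply to both families, so there is no separate, forgotten v6 policy.
# Interface names (lan0, wan0) and the allowed service are assumptions.

table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;   # explicit default deny

    ct state established,related accept   # replies to connections we initiated
    ct state invalid drop
    iifname "lo" accept                   # loopback

    # ICMP and ICMPv6 must pass for IPv6 to function at all
    # (neighbour discovery, router advertisements, path MTU discovery).
    meta l4proto icmp accept
    meta l4proto ipv6-icmp accept

    # The only deliberately exposed service, and only on the LAN side.
    # Nothing matches on wan0, so a new public IPv6 prefix changes nothing.
    iifname "lan0" tcp dport 445 accept
  }

  chain forward {
    type filter hook forward priority 0; policy drop;  # routed traffic: default deny

    ct state established,related accept
    iifname "lan0" oifname "wan0" accept   # LAN hosts may initiate outbound connections
    # No rule allows wan0 -> lan0 for new connections, for either address family.
  }
}
```

The design choice worth noting is that the policy is the same whether or not NAT exists: if the router later masquerades IPv4 in a separate `nat` table, or stops doing so because IPv6 arrives, the `forward` chain still refuses unsolicited inbound connections to LAN hosts. A quick check after loading is `nft list ruleset`, confirming that both `input` and `forward` show `policy drop` and that no accept rule matches new connections arriving on the WAN interface.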

> Except in the real world everyone

...and goes on to ignore enterprise businesses, which consume most of the v4 space and are among the biggest resisters of v6.

No, not everyone is running UPnP. Maybe on most home networks, but that’s not the audience that even knows or cares about NAT.

  • I think this is where the disconnect is: the home users are precisely the ones being talked about, because they are the ones most likely to be treating NAT like it is a security system for their devices in the real world.

    I've literally seen someone's ISP turn on IPv6, and then have their long-running VNC service compromised because they were just relying on NAT to hide their services.

> Except in the real world everyone is also running UPnP

Definitely not. I've been disabling that for years.