It also means you no longer need the kludge that is NAT. Full E2E connectivity is really nice – though I’ve found some network admins dislike this idea because they’re so used to thinking about it differently or (mistakenly) think it adds to their security.
Long story short is that NAT is eggshell security and you should be relying on actual firewall rules (I wouldn’t recommend F5) instead of the implicit but not very good protections of NAT.
Honestly, these days I have no idea. When I said “wouldn’t recommend” that wasn’t an assertion to avoid; just a lack of opinion. Most of my recent experience is with Cloud vendors wherein the problem domain is quite different.
I’ve had experience with most of the big vendors and they’ve all had quirks etc. that you just have to deal with. Fundamentally it’ll come down to a combination of price, support requirements, and internal competence with the kit. (Don’t undermine the last item; it’s far better if you can fix problems yourself.)
Personally I’d actually argue that most corporates could get by with a GNU/Linux VM (or two) for most of their routing and firewalling and it would absolutely be good enough; functionally you can do the same and more. That’s not to say dedicated machines for the task aren’t valuable but I’d say it’s the exception rather than rule that you need ASICs and the like.
It wasn’t designed for a security purpose in the first place. So turn the question around: why does NAT make a network more secure at all?
The answer is that it doesn’t. Firewalls work fine without NAT. Better, in fact, because NAT itself is a complication firewalls have to deal with, and complications are the enemy of security. The benefits of obfuscating hosts behind the firewall is speculative and doesn’t outweigh other benefits of end to end addressing.
The main benefit of a NAT is that by default it prevents all external access to the hosts inside the network. Any port you have open is not accessible unless explicitly forwarded.
This has a lot of security benefits.
Regardless, everything you said is sounds true to me.
You can get exactly the same benefit by blocking non-established/non-related connections on your firewall. NAT does nothing to help security.
Edit: BTW–every time I see this response of “NAT can prevent external access”, I severely question the poster’s networking knowledge. Like to the level where I wonder how you manage to config a home router correctly. Or maybe it’s the way home routers present the interface that leads people to believe the two functions are intertwined when they aren’t.
If your home router blocked incoming connections on IPv4 by default now, then it’s likely to continue doing so for IPv6. At least, I would hope so. The manufacturer did a bad job if otherwise.
I still have to initiate the outgoing UDP. Are you talking about the specific case where any software running on my host can initiate it without me requesting?
I think you’ll find some ISPs will be reluctant to let go of CGNAT - they’re doing quite nicely by charging extra for ‘commercial’ services where it’s not in the way.
Fortunately, many of us know about cloudflare tunnelling and other services, so NAT really isn’t a problem to self hosters and even SMEs any more.
NAT still has its place in obfuscating the internal network. Also, it’s easier to think about firewall/routing when you segregate a network behind a router on its own subnet, IMO.
There’s no reason your clients can’t have public, world routeable IPs as well as security.
There are a lot of valid reasons, other than security, for why you wouldn’t want that though. You don’t necessarily want to allow any client’s activity to be traceable on an individual level, nor do you want to allow people to do things like count the number of clients at a particular location. Information like that is just unnecessary to expose, even if hiding it doesn’t make anything more secure per se.
Well good news. Because ipv6 has a thing called privacy extensions which has been switched on by default on every device I’ve used.
That generates random ipv6 addresses (which are regularly rotated) that are used for outgoing connections. Your router should block incoming connections to those ips but the os will too. The proper permanent ip address isn’t used for outgoing connections and the address space allocated to each user makes a brute force scan more prohibitive than scanning the whole Ipv4 Internet.
So I’m going to say that using routable ipv6 addresses with privacy extensions is more secure than a single Ipv4 Nat address with dnat.
Yes, of course. But saying trite things like that doesn’t get around the idea that giving out a map of the internal network by default isn’t the best policy.
With CGNAT, governments still spy on individual addresses when they want. Since those individual addresses now cover a whole bunch of people, they effectively spy on large groups, most of whom have nothing to do with whatever they’re investigating. At least with IPv6, it’d be targetted.
NAT obscurity comes at a cost. Its gain is so little that even a small cost eliminates its benefit.
Governments are not anyone’s issue other than other governments. If your threat model is state actors, you’re SOL either way.
Making it harder for everyone else is the goal, and to do that you need a swiss cheese model. Hopefully all the holes don’t line up between the layers to make it that much harder to get through. You aren’t plugging all the holes, but every layer you put on makes it a little bit harder.
And NAT is not just simple to set up, it’s the intuitive base for the last 30 years of firewalls. I don’t see where you get a cost from it. As I said, separating network spaces with it comes naturally at this point. Maybe that’ll change, but I remember using routable IPV4 when it was it the norm, and moving to NAT made that all feel way more natural.
Governments are not anyone’s issue other than other governments. If your threat model is state actors, you’re SOL either way.
That’s a silly way to look at it. Governments can be spying on a block of people at once, or just the one person they actually care about. One is clearly preferable.
Again, the obscurity benefit of NAT is so small that literally any cost outweighs it.
I don’t see where you get a cost from it.
Firewall rules are more complicated
Firewall code is more complicated
Firewall hardware has to be beefier to handle it
NAT introduces more latency
CGNAT introduces even more latency
It introduces extra surface area for bugs in the firewall code. Some security related, some not. (I have one NAT firewall that doesn’t want to setup the hairpin correctly for some reason, meaning we have to do a bunch of workarounds using DNS).
Lots of applications have to jump through hoops to make it through NAT, such as VoIP services
Those hoops sometimes make things more susceptible to snooping; Vonage VoIP, for example, has to use a central server cluster to keep connections open to end users, which is the perfect point to install snooping (and this has happened)
. . . and that centralization makes the whole system more expensive and less reliable
A bunch of apps just never get built or deployed en masse because they would require direct addressing to work; stuff like a P2P instant messenger
Running hosted games with two people behind NAT and two people on the external network gets really complicated
. . . something the industry has “fixed” by having “live service” games. In other words, centralized servers.
TLS has a field for “Server Name Indication” (SNI) that sends the server name in plaintext. Without going far into the details, this makes it easier for the ISP to know what server you’re asking for, and it exists for reasons directly related to IPv4 sticking around because of NAT. Widespread TLS use would never have been feasible without this compromise as long as we’re stuck with IPv4.
We forced decisions into a more centralized, less private Internet for reasons that can be traced directly to NAT.
If you want to hide your hosts, just block non-established, non-related incoming connections at your firewall. NAT does not help anything besides extending IPv4’s life.
You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: !programmerhumor@lemmy.ml
Post funny things about programming here! (Or just rant about your favourite programming language.)
Rules:
Posts must be relevant to programming, programmers, or computer science.
No NSFW content.
Jokes must be in good taste. No hate speech, bigotry, etc.
It also means you no longer need the kludge that is NAT. Full E2E connectivity is really nice – though I’ve found some network admins dislike this idea because they’re so used to thinking about it differently or (mistakenly) think it adds to their security.
Why do you say NAT doesn’t make a network more secure?
This article is biased to selling you more F5 equipment but is a reasonable summary:
https://www.f5.com/resources/white-papers/the-myth-of-network-address-translation-as-security
Long story short is that NAT is eggshell security and you should be relying on actual firewall rules (I wouldn’t recommend F5) instead of the implicit but not very good protections of NAT.
What would you recommend? I have a client with some pretty old hardware (FVS 318) installed that I suspect is causing some issues on their network.
Honestly, these days I have no idea. When I said “wouldn’t recommend” that wasn’t an assertion to avoid; just a lack of opinion. Most of my recent experience is with Cloud vendors wherein the problem domain is quite different.
I’ve had experience with most of the big vendors and they’ve all had quirks etc. that you just have to deal with. Fundamentally it’ll come down to a combination of price, support requirements, and internal competence with the kit. (Don’t undermine the last item; it’s far better if you can fix problems yourself.)
Personally I’d actually argue that most corporates could get by with a GNU/Linux VM (or two) for most of their routing and firewalling and it would absolutely be good enough; functionally you can do the same and more. That’s not to say dedicated machines for the task aren’t valuable but I’d say it’s the exception rather than rule that you need ASICs and the like.
deleted by creator
Thank you
It wasn’t designed for a security purpose in the first place. So turn the question around: why does NAT make a network more secure at all?
The answer is that it doesn’t. Firewalls work fine without NAT. Better, in fact, because NAT itself is a complication firewalls have to deal with, and complications are the enemy of security. The benefits of obfuscating hosts behind the firewall is speculative and doesn’t outweigh other benefits of end to end addressing.
The main benefit of a NAT is that by default it prevents all external access to the hosts inside the network. Any port you have open is not accessible unless explicitly forwarded.
This has a lot of security benefits. Regardless, everything you said is sounds true to me.
You can get exactly the same benefit by blocking non-established/non-related connections on your firewall. NAT does nothing to help security.
Edit: BTW–every time I see this response of “NAT can prevent external access”, I severely question the poster’s networking knowledge. Like to the level where I wonder how you manage to config a home router correctly. Or maybe it’s the way home routers present the interface that leads people to believe the two functions are intertwined when they aren’t.
I didn’t mean prevent, just makes it harder by default. You can still open connections from within the NAT
Edit: I do admit to failing at accessing my IPv6 PC from my IPv6 phone
Edit2: apparently NAT is full of security bugs
If your home router blocked incoming connections on IPv4 by default now, then it’s likely to continue doing so for IPv6. At least, I would hope so. The manufacturer did a bad job if otherwise.
I figure the mobile carrier was blocking incoming connections to my phone. This was a couple of years ago, things might have changed since then.
Yeah, no. If remote hosts could not send traffic to hosts behind NAT almost nothing would work.
The hacks employed to make NAT work make security worse, not better.
You’re talking about NAT traversal? We do have control over which we apps we run though?
Edit: apparently NAT is full of bugs
deleted by creator
I still have to initiate the outgoing UDP. Are you talking about the specific case where any software running on my host can initiate it without me requesting?
Edit: apparently NAT is full of security bugs
deleted by creator
Understood. CG-NAT has been so annoying, I would love for IPv6 to completely replace v4 ASAP
I think you’ll find some ISPs will be reluctant to let go of CGNAT - they’re doing quite nicely by charging extra for ‘commercial’ services where it’s not in the way.
Fortunately, many of us know about cloudflare tunnelling and other services, so NAT really isn’t a problem to self hosters and even SMEs any more.
NAT still has its place in obfuscating the internal network. Also, it’s easier to think about firewall/routing when you segregate a network behind a router on its own subnet, IMO.
Given how large the address space is, it’s super easy to segregate out your networks to the nth degree and apply proper firewall rules.
There’s no reason your clients can’t have public, world routeable IPs as well as security.
Security via obfuscation isn’t security. It’s a crutch.
There are a lot of valid reasons, other than security, for why you wouldn’t want that though. You don’t necessarily want to allow any client’s activity to be traceable on an individual level, nor do you want to allow people to do things like count the number of clients at a particular location. Information like that is just unnecessary to expose, even if hiding it doesn’t make anything more secure per se.
Well good news. Because ipv6 has a thing called privacy extensions which has been switched on by default on every device I’ve used.
That generates random ipv6 addresses (which are regularly rotated) that are used for outgoing connections. Your router should block incoming connections to those ips but the os will too. The proper permanent ip address isn’t used for outgoing connections and the address space allocated to each user makes a brute force scan more prohibitive than scanning the whole Ipv4 Internet.
So I’m going to say that using routable ipv6 addresses with privacy extensions is more secure than a single Ipv4 Nat address with dnat.
That’s what temporary privacy addresses are for. Clients can just keep generating new addresses in your /64, which is it’s own subnet.
Obfuscation is not security, and not having IPv6 causes other issues. Including some security/privacy ones.
There is no problem having a border firewall in IPv6. NAT does not help that situation at all.
You don’t need to give up IPV6 to have NAT though.
But why bother? “Let’s make my network slower and more complicated so it works like a hack on the old thing”.
Yes, of course. But saying trite things like that doesn’t get around the idea that giving out a map of the internal network by default isn’t the best policy.
So instead we open up a bunch of other issues.
With CGNAT, governments still spy on individual addresses when they want. Since those individual addresses now cover a whole bunch of people, they effectively spy on large groups, most of whom have nothing to do with whatever they’re investigating. At least with IPv6, it’d be targetted.
NAT obscurity comes at a cost. Its gain is so little that even a small cost eliminates its benefit.
Governments are not anyone’s issue other than other governments. If your threat model is state actors, you’re SOL either way.
Making it harder for everyone else is the goal, and to do that you need a swiss cheese model. Hopefully all the holes don’t line up between the layers to make it that much harder to get through. You aren’t plugging all the holes, but every layer you put on makes it a little bit harder.
And NAT is not just simple to set up, it’s the intuitive base for the last 30 years of firewalls. I don’t see where you get a cost from it. As I said, separating network spaces with it comes naturally at this point. Maybe that’ll change, but I remember using routable IPV4 when it was it the norm, and moving to NAT made that all feel way more natural.
That’s a silly way to look at it. Governments can be spying on a block of people at once, or just the one person they actually care about. One is clearly preferable.
Again, the obscurity benefit of NAT is so small that literally any cost outweighs it.
We forced decisions into a more centralized, less private Internet for reasons that can be traced directly to NAT.
If you want to hide your hosts, just block non-established, non-related incoming connections at your firewall. NAT does not help anything besides extending IPv4’s life.