Post AYvFbeaQMHUPco4ma8 by borland@mastodon.nz
Post #AYvFbdmRM7VV7mgrfk by nuintari@infosec.exchange
2023-08-19T13:04:05Z
0 likes, 0 repeats
nuintari's rules of networking 0x14: NAT should never have needed to exist.

NAT might have gone away, if y'all had taken IPv6 seriously in the mid 2000s. But y'all got addicted to NAT, and now it is here to stay.

A significant number of complaints against IPv6 are now due to the sad reality that many people in IT do not understand networks without NAT.
Post #AYvFbeaQMHUPco4ma8 by borland@mastodon.nz
2023-08-19T23:04:22Z
0 likes, 0 repeats
@nuintari what's wrong with NAT? Most of the complaints I've seen take the stance that all devices inside a local network should be able to have addresses that appear on the publicly routable internet, and hold that as some intrinsic good.

Seems like a bad idea IMHO. I don't want my Samsung FridgeToaster appearing on the public net.
Post #AYvFbfGxo7W7kjykt6 by nuintari@infosec.exchange
2023-08-20T12:43:03Z
1 like, 0 repeats
@borland You are conflating the minor cloak of obscurity that NAT provides with a sense of security. A truth of security is that security through obscurity is no security at all. This is very obvious in terms of NAT when you realize that inbound NAT traversal attacks are actually very easy to pull off. You need to pair NAT with a stateful firewall if you really want to protect your fridge. Unfortunately, people have been harping on about NAT being a "pretty good firewall" for so long that people actually believe it now. NAT is a truly terrible firewall.

Without NAT, a default deny policy at your network perimeter would be all that is necessary to protect your devices. Devices that needed an inbound connection could simply be given exceptions on the needed ports. But instead, we are left needing awful hacks such as port forwarding and UPnP, both technologies that are significantly more work computationally, as well as harder to set up for the operator. Especially true if the operator is a non-technical end user.

And NAT isn't just in your home anymore. IPv4 exhaustion has led to ISPs resorting to Carrier Grade NAT to stretch their address pools to meet customer demand. This has led to additional hacks on top of NAT such as full-cone sessions to allow game consoles that need inbound connections to continue to function. CGNAT gateways add additional latency to your Internet connection, and increase the number of points of failure in your ISP's network. All of these things would be far easier to deal with, and most would just go away, if we had end-to-end communications capability. Security models would actually be far simpler.

IPv4 does not scale, and NAT is the bad hack job that we have continued to pile shitty fixes into in order to try to breathe life into IPv4. Problem is, NAT has existed for so long as a default that people think this is normal. It's the hack that became heroin. Everyone thinks you need NAT as part of a good security profile, when in reality it is making your network more fragile, your security harder to implement, and brings the bonus of creating a false sense of security with it.

Fun fact, when I worked for a local ISP, I had our service. My house had no NAT. I had a /26 routed to myself for years. You know what made me give that up and turn on NAT? My Roku. It turns out, Rokus at the time refused to operate on a public IP address. I had Windows PCs, printers, scanners, all on public IPs. But they were behind a properly configured stateful firewall.
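The perimeter model nuintari describes (global addresses on every device, a default-deny forward policy, connection tracking for flows started from inside, and explicit per-host exceptions instead of port forwards) is easy to show as a small simulation. The following is an added example, not code from anyone in this thread. It constructs a toy stateful filter, runs a handful of made-up packets through it, and renders the same policy as an nftables forward chain. All addresses are constructed from the 2001:db8::/32 documentation prefix; the host names (fridge, web server, cloud service, stranger) are hypothetical.

```python
# Added example: a toy model of a NAT-free perimeter with default-deny inbound,
# stateful tracking of flows started from inside, and per-host exceptions.
# Addresses are constructed from the 2001:db8::/32 documentation prefix.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class StatefulPerimeter:
    """Default-deny forward policy; no address rewriting anywhere."""

    def __init__(self, inside_net, exceptions):
        self.inside_net = inside_net              # ipaddress.IPv6Network of the LAN
        self.exceptions = set(exceptions)         # {(inside_addr, dport)} allowed unsolicited
        self.conntrack = set()                    # 5-tuples of flows that left the LAN
        self.dropped = []                         # what the firewall log would show

    def _inside(self, addr):
        return ipaddress.ip_address(addr) in self.inside_net

    def forward(self, p):
        if self._inside(p.src) and not self._inside(p.dst):
            # Outbound: remember the flow so that its replies are accepted.
            self.conntrack.add((p.src, p.sport, p.dst, p.dport, p.proto))
            return "ACCEPT"
        # Inbound: only replies to tracked flows or explicitly listed services.
        if (p.dst, p.dport, p.src, p.sport, p.proto) in self.conntrack:
            return "ACCEPT"
        if (p.dst, p.dport) in self.exceptions:
            return "ACCEPT"
        self.dropped.append(f"DROP {p.src}.{p.sport} -> {p.dst}.{p.dport}/{p.proto}")
        return "DROP"

    def nft_ruleset(self):
        """Render the same policy as an nftables forward chain (assumes all
        exceptions are TCP services)."""
        lines = [
            "table inet filter {",
            "    chain forward {",
            "        type filter hook forward priority 0; policy drop;",
            "        ct state established,related accept",
            f"        ip6 saddr {self.inside_net} accept",
        ]
        for addr, port in sorted(self.exceptions):
            lines.append(f"        ip6 daddr {addr} tcp dport {port} accept")
        lines += ["    }", "}"]
        return "\n".join(lines)


# Constructed hosts (documentation prefix; hypothetical roles).
INSIDE = ipaddress.ip_network("2001:db8:1::/64")
FRIDGE = "2001:db8:1::f00d"       # appliance that only phones home
WEBSRV = "2001:db8:1::80"         # the one host that should accept inbound 443
CLOUD = "2001:db8:ffff::1"        # service the fridge talks to
STRANGER = "2001:db8:bad::1"      # arbitrary outside host


def run_demo():
    """Return (verdicts, dropped_log) for five constructed packets."""
    fw = StatefulPerimeter(INSIDE, [(WEBSRV, 443)])
    verdicts = [
        fw.forward(Packet(FRIDGE, 50000, CLOUD, 443)),     # outbound: tracked, accepted
        fw.forward(Packet(CLOUD, 443, FRIDGE, 50000)),     # reply to tracked flow
        fw.forward(Packet(STRANGER, 40000, FRIDGE, 80)),   # unsolicited to fridge: dropped
        fw.forward(Packet(STRANGER, 40001, WEBSRV, 443)),  # listed exception: accepted
        fw.forward(Packet(STRANGER, 40002, WEBSRV, 22)),   # not listed: dropped
    ]
    return verdicts, fw.dropped


if __name__ == "__main__":
    verdicts, dropped = run_demo()
    print(verdicts)
    print("\n".join(dropped))
    print(StatefulPerimeter(INSIDE, [(WEBSRV, 443)]).nft_ruleset())
```

The fridge keeps a global address yet receives nothing it did not ask for; exposing the web server is a single (address, port) rule rather than a port-forward entry that rewrites headers, and the rendered nftables chain is the whole policy. Real deployments add anti-spoofing and ICMPv6 rules the toy omits.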