1. 1

    I’m still struggling to understand how exposing every device to the internet is more secure on IPv6 than a NAT. It seems like the reason is because it is exceedingly hard to ‘guess’ the IP, but that sounds an awful lot like ‘security through obscurity’ to me.

    1. 5

      You are not exposing every device to the Internet, you are making every device routable on the Internet.

      The article states you use a firewall, as you should be already, on the Internet. A pc-world/walmart/… $40 home router already has a stateful firewall (that happens to also do NAT) built in, so there is no additional cost/complexity here for anyone.

      Actually the complexity goes down as you do not have to handle port forwarding, centralised discovery/rendezvous services or ‘intelligent’ NAT application helpers which have in the past had their own good share of security vulnerabilities.

      As for the point of ‘guess the IP’: as the article points out, it is not so much to hide your IP as to make it unfeasible to just brute-force scan for potentially vulnerable targets; it will slow down (maybe even stop) a whole class of worm-style spreading.

      1. 1

        Does not reducing complexity also peel off one layer of security? With NAT, you can use a router to kill port requests before they even get to a system on the network. I’ve always considered things like upnp to be ‘bugs’ and never use them. shrug

        Granted, my understanding of how all this works is pretty basic, so I could be wrong (and welcome corrections!), but it sounds like with IPv6, it’s up to every individual system, each with potentially its own OS, patch level, applications (and their patch levels) to implement the first line of defense. While I don’t advocate that people just set up NAT and toss insecure systems behind it and call it good, it does happen.

        As for the point of ‘guess the IP’: as the article points out, it is not so much to hide your IP as to make it unfeasible to just brute-force scan for potentially vulnerable targets;

        Why couldn’t you just ‘detect’ the IP from a request from the system to your system (e.g. the user hits a website you are hosting, or opens an email with HTML that fetches some asset from your server, because this is still a thing that mail clients like to do, unfortunately), or use any other technique to get a system to reveal its IP? And when it does, you can pound on it directly. With NAT, you at least have to get through some first level of defense.

        1. 5

          Does not reducing complexity also peel off one layer of security? With NAT, you can use a router to kill port requests before they even get to a system on the network. I’ve always considered things like upnp to be ‘bugs’ and never use them. shrug

          Granted, my understanding of how all this works is pretty basic, so I could be wrong (and welcome corrections!), but it sounds like with IPv6, it’s up to every individual system, each with potentially its own OS, patch level, applications (and their patch levels) to implement the first line of defense. While I don’t advocate that people just set up NAT and toss insecure systems behind it and call it good, it does happen.

          You can have a stateful firewall without NAT. And the firewall is what you actually want: the “security” you get from NAT is equivalent to a stateful firewall rule that rejects inbound packets that are not classified as either ESTABLISHED or RELATED.

          You still have a box that sits between the internet and your network, it still provides a firewall, but it doesn’t need to provide NAT.
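          A small Python model of the rule described above, added here as an illustration (it is not anything a commenter posted, nor a real netfilter implementation). It assumes constructed RFC 3849 documentation addresses and a deliberately simplified connection-tracking table, and it adds the IPv6 caveat that ICMPv6 Neighbor Discovery must still be allowed through:

```python
"""Stateful filter without NAT: inbound packets pass only if conntrack classifies them as
ESTABLISHED (reply to a flow opened from inside) or RELATED (e.g. an ICMPv6 error about such
a flow). No address rewriting anywhere. Simplified model; addresses are constructed (RFC 3849)."""
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmpv6"
    sport: int
    dport: int
    direction: str      # "out" (LAN -> Internet) or "in" (Internet -> LAN)
    icmp_type: Optional[int] = None                          # ICMPv6 type when proto == "icmpv6"
    inner: Optional[Tuple[str, int, str, int, str]] = None   # flow quoted inside an ICMPv6 error

ND_TYPES = {133, 134, 135, 136}  # Router/Neighbor Solicitation and Advertisement

class StatefulFilter:
    def __init__(self) -> None:
        self.conntrack = set()  # (src, sport, dst, dport, proto) of flows opened from inside

    def classify(self, p: Packet) -> str:
        if p.direction == "out":
            self.conntrack.add((p.src, p.sport, p.dst, p.dport, p.proto))
            return "NEW"
        if (p.dst, p.dport, p.src, p.sport, p.proto) in self.conntrack:
            return "ESTABLISHED"  # reverse 5-tuple of a flow we opened
        if p.proto == "icmpv6" and p.inner in self.conntrack:
            return "RELATED"      # error message about a flow we opened
        return "INVALID"

    def verdict(self, p: Packet) -> str:
        """'Drop inbound unless ESTABLISHED/RELATED'; link-local ND must still pass on IPv6."""
        if p.direction == "out":
            self.classify(p)
            return "accept"
        if p.proto == "icmpv6" and p.icmp_type in ND_TYPES:
            return "accept"
        return "accept" if self.classify(p) in ("ESTABLISHED", "RELATED") else "drop"

def demo():
    """Constructed traffic; returns the verdict for each packet in order."""
    fw = StatefulFilter()
    host, web, scanner = "2001:db8:1::10", "2001:db8:2::80", "2001:db8:3::1"
    pkts = [
        Packet(host, web, "tcp", 50000, 443, "out"),                        # LAN host opens HTTPS
        Packet(web, host, "tcp", 443, 50000, "in"),                         # reply: ESTABLISHED
        Packet(scanner, host, "tcp", 40000, 22, "in"),                      # unsolicited SSH probe
        Packet(web, host, "icmpv6", 0, 0, "in", icmp_type=2,
               inner=(host, 50000, web, 443, "tcp")),                       # Packet Too Big: RELATED
        Packet("fe80::1", "ff02::1", "icmpv6", 0, 0, "in", icmp_type=134),  # Router Advertisement
    ]
    return [fw.verdict(p) for p in pkts]
```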

          1. 1

            The way it’s been explained to me is that NAT requires a stateful firewall, but you can have a stateful firewall, which is the actual secure part, without NAT.

        2. 4

          IPv4 NAT is also at best “security through obscurity” - at worst it just happens to be obscurity that’s so obscure it breaks the end-to-end routability model, adds connection state fragility and takes down a whole class of peer-to-peer applications with it. If anything, getting rid of NAT is a good thing purely because it removes a layer of misunderstanding and complexity – we can fall back to the correct tool for protecting networks which is, and always has been, a firewall.

          Incidentally, one of the benefits of the IPv6 address space being so big is that devices have a much bigger space in which they can consume addresses even for short periods of time. Most modern operating systems have the concept of “temporary”/“secured” auto-configured addresses in which the host portion is near-enough random and can change at a given interval (often related to the lifetimes specified in the router advertisements). You might not want servers doing that but it’s perfectly acceptable for most clients.

          1. 1

            “we can fall back to the correct tool for protecting networks which is, and always has been, a firewall.”

            Close. A guard and endpoint security is the strongest default. Weaker approaches like firewalls are for when one can’t obtain or build a guard.