On Thu, 2010-08-05 at 09:04 -0400, Anton Aylward wrote:
> Adam Tauno Williams said the following on 08/05/2010 06:20 AM:
> > On Thu, 2010-08-05 at 10:25 +0300, HG wrote:
> > > Slightly off-topic (but so this seems to be already anyhow), I personally like to have all my home computers behind NAT. It acts as a nice firewall.
> > No, it doesn't. NAT is *NOT* a security solution.
> > > IPv6 settings in my router are "link-local" and none of the other settings (static IPv6, DHCPv6, PPPoE, IPv6 in IPv4 tunnel, 6to4 mode) seem to offer similar hiding of the local computers.
> > NAT does not "hide" computers. Capture a NAT'd stream of traffic and it isn't very hard to separate the conversations of multiple computers behind the NAT. NAT is just a coping mechanism for IPv4's constrained address space [good riddance!]
> > > Well, that's how it seems - of course, there is no real documentation and I'm just guessing :-(
> > For IPv6 you just use a firewall to filter routed traffic, the way IP is supposed to work. NAT does nothing at all, except break things.
> I'm allergic to absolutes. In particular absolute statements. NAT doesn't 'break things'.

Wrong; NAT *DOES* break things. It creates issues with active FTP, various VOIP systems [SIP, H.323, etc...]. It does break things, absolutely.

> What it does is use unrouteable addresses. It's your last statement that's core. The original model of the 'Net had no provision for security

Well, "had no provision for security" is absolutely false. It just isn't a transport protocol issue.

> and the idea was that every node (aka address) should be routable and hence addressable by every other address. That is what you mean by "the way IP is supposed to work".

Yep, because it is the way IP is supposed to work. Every other arrangement is broken. If you want to limit traffic - use a firewall.

> The thing is that NAT renders a subnet inaccessible to the 'Net at large because the addresses on it are unroutable.

False. It does *not* render the subnet inaccessible. It merely obscures the network. Find a decent hacker and watch them blow straight into a NAT'd network.

> That's not 'breaking', that's a lazy way of filtering.

No, filtering is the job of firewalls.

> Unless you have tunnels or exceptions (which most NAT'ing devices allow for) that is equivalent to a firewall with a "DENY ALL INCOMING INITIATED" policy. Yes, it's not a firewall in that it doesn't do a lot of other things a firewall could and should, but that doesn't mean it's not a security barrier. A lazy one, an incomplete one, one that can't be trusted, but then the same can be said about locking your front door when a good kick can break the frame or a burglar can break a window. The unroutable subnets were not *intended* as an address exhaustion mechanism. That was an unintended side effect that has taken over -

Ok, but that was now, this is then. If IPv4 addresses were plentiful [and thus cheap] people wouldn't NAT. Every sys/net-admin I know would be very happy to be rid of NAT and thus NAT-induced headaches.

> Please do not attribute intent where there is not one.

I don't need to 'attribute' intent. People use IPv4 private addresses because public IPv4 addresses are scarce [and thus expensive].

> As for security and filtering of IPV6 addresses ... Don't make me laugh. The malware of today does not rely on machines 'raw' on the net unfiltered. The ones behind NAT, the ones behind filters, can still download malware and one running that malware can still 'tunnel' out to the 'Net, report keylogging and form Botnets. IPV6 and filtering won't stop that any more than NAT or IPV4 and filters ever did. It's not a packet or address level problem.

You are now discussing something entirely off-topic to 'network' security.
--
Adam Tauno Williams
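The "DENY ALL INCOMING INITIATED" posture the thread attributes to NAT, expressed as a stateful IPv6 filter on the router instead, is shown below as an added example; it is not from the thread or any poster. The interface names lan0/wan0, the 2001:db8::/64 prefix and the single SSH exception are placeholders, and the ICMPv6 allowances are the minimum IPv6 needs to keep neighbor discovery and path-MTU working.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread): IPv6 router filter that blocks all
# inbound-initiated connections, like a NAT box does by default, but with
# routable addresses and an explicit, auditable exception list.
# lan0/wan0 and 2001:db8::/64 are placeholder names.

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        # Replies to connections the router itself opened
        ct state established,related accept
        ct state invalid drop
        # Neighbor discovery and router solicitation must work on the router
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-solicit, nd-router-advert,
                      echo-request, packet-too-big,
                      destination-unreachable, time-exceeded,
                      parameter-problem } accept
        # Management of the router only from the LAN side
        iifname "lan0" tcp dport 22 ct state new accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        # Return traffic for flows LAN hosts initiated: this is the part
        # a NAT table does implicitly; here it is explicit state tracking.
        ct state established,related accept
        ct state invalid drop
        # ICMPv6 error messages must be forwarded or PMTU discovery breaks
        icmpv6 type { packet-too-big, destination-unreachable,
                      time-exceeded, parameter-problem } accept
        # LAN hosts may initiate anything outbound
        iifname "lan0" oifname "wan0" ct state new accept
        # The equivalent of a NAT "port forward": one host, one service,
        # placeholder address, with no address rewriting needed.
        iifname "wan0" oifname "lan0" ip6 daddr 2001:db8::10 \
            tcp dport 22 ct state new accept
        # Everything else inbound-initiated toward 2001:db8::/64 hits policy drop
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f` on the router and confirm the posture with `nft list ruleset`; the forward chain's drop policy plus the conntrack rule is what the "deny all incoming initiated" claim actually reduces to, and the exception line is the only place inbound reachability is granted.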