Adam Tauno Williams said the following on 08/05/2010 06:20 AM:
> On Thu, 2010-08-05 at 10:25 +0300, HG wrote:
>> Slightly off-topic (but so this seems to be already anyhow), I personally like to have all my home computers behind NAT. It acts as a nice firewall.
>
> No, it doesn't. NAT is *NOT* a security solution.
>
>> IPv6 settings in my router are "link-local" and none of the other settings (static IPv6, DHCPv6, PPPoE, IPv6 in IPv4 tunnel, 6to4 mode) seem to offer similar hiding of the local computers.
>
> NAT does not "hide" computers. Capture a NAT'd stream of traffic and it isn't very hard to separate the conversations of multiple computers behind the NAT. NAT is just a coping mechanism for IPv4's constrained address space [good riddance!]
>
>> Well, that's how it seems - of course, there is no real documentation and I'm just guessing :-(
>
> For IPv6 you just use a firewall to filter routed traffic, the way IP is supposed to work. NAT does nothing at all, except break things.
I'm allergic to absolutes. In particular absolute statements. NAT doesn't 'break things'. What it does is use unrouteable addresses.

It's your last statement that's core. The original model of the 'Net had no provision for security and the idea was that every node (aka address) should be routable and hence addressable by every other address. That is what you mean by "the way IP is supposed to work". Which is a bit like saying "two's complement arithmetic is the way computers are supposed to work". Or "linear address spaces are the way computers are supposed to work".

The thing is that NAT renders a subnet inaccessible to the 'Net at large because the addresses on it are unroutable. That's not 'breaking', that's a lazy way of filtering. Unless you have tunnels or exceptions (which most NAT'ing devices allow for) that is equivalent to a firewall with a "DENY ALL INCOMING INITIATED" policy. Yes, it's not a firewall in that it doesn't do a lot of other things a firewall could and should, but that doesn't mean it's not a security barrier. A lazy one, an incomplete one, one that can't be trusted, but then the same can be said about locking your front door when a good kick can break the frame or a burglar can break a window.

The unroutable subnets were not *intended* as an address exhaustion mechanism. That was an unintended side effect that has taken over - the tail that is wagging the dog - and yes, has impeded the acceptance of IPV6. Vendors saw how they could "add features" and as far as Joe Sixpack goes

Please do not attribute intent where there is not one.

As for security and filtering of IPV6 addresses ... Don't make me laugh. The malware of today does not rely on machines 'raw' on the net unfiltered. The ones behind NAT, the ones behind filters, can still download malware and one running that malware can still 'tunnel' out to the 'Net, report keylogging and form botnets. IPV6 and filtering won't stop that any more than NAT or IPV4 and filters ever did.

It's not a packet or address level problem. A completely different set of tools is needed for *that* security.

I also object to the absolute implied in saying "NAT is not a security solution". That's trite and unhelpful. AV is not a security solution; deep filtering is not a security solution; proxies are not a security solution; user awareness is not a security solution; whitelisting is not a security solution. All these and more are just components that can be used to improve your security stance.

A simple NAT'ing router has value to Joe Sixpack for many reasons. For him it means he doesn't have to argue with his ISP to get a (as you point out, ever scarcer) subnet, doesn't have to acquire the technical expertise to manage it and doesn't have to pay the ISP for all those extra addresses. From his POV it simply lets him connect his, his wife's and his kid's computers to the 'Net. He doesn't know about IPV4 or IPV6. He doesn't care either. He paid his - somewhere between $10 and $60 - for the router and as far as he's concerned it's 'plug and play' [1].

Your 'solution' of making him use IPV6 means he's going to have to get and manage a subnet. That there's plenty to go round is beside the point. Joe Sixpack bought that NAT router to avoid needing the technical knowledge that you and I take for granted. What he's going to do is wait until a vendor comes up with another 'box' that does it all invisibly for him. And the vendors are used to selling based on features, like NAT, like DHCP. Like making it easy for Joe. And do you imagine they will let go of NAT? Joe is used to certain keywords. The stuff he's bought in the past with those 'features' works fine so he's going to seek them out again. What do you want to bet the next generation of IPV6 'routers' targeted at the home market (where there are an enormous number of potential customers) will see "more of the same"?

Not everyone out there using NAT is as sophisticated or technically competent as you and I. I suspect many people on this list aren't either.

[1] Well, OK, maybe he was foolish enough to get a wireless router for less than $10 on eBay perhaps, and then he's got a whole pile of other security problems, but that has nothing to do with IPV4, IPV6 or NAT.

--
There are two ways to slide easily through life: to believe everything or to doubt everything; both ways save us from thinking.
-- Alfred Korzybski

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
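The thread's core point is that what people get from a NAT box is really a stateful "deny all incoming-initiated" policy, and that on IPv6 the same barrier has to be written down explicitly in a firewall because addresses are globally routable. The following nftables ruleset is an added illustration of that policy for a home router, not something from the thread or from any of the posters. The interface names `lan0` and `wan0`, the exception host `2001:db8::10` (documentation prefix) and the log prefix are assumptions; the ICMPv6 types are the error messages that must cross the router for IPv6 path MTU discovery to work, which a blanket drop would silently break.

```nft
# Added example (not from the mailing-list thread): an IPv6 forward-chain policy
# giving the "DENY ALL INCOMING INITIATED" behaviour of a NAT router without
# translating any addresses. Interface names and the exception host are
# assumptions; replace them with the real LAN/WAN interfaces and address.
table ip6 filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Drop packets that conntrack cannot match to any known flow.
        ct state invalid drop

        # Replies to connections the LAN opened are allowed back in.
        ct state established,related accept

        # Anything the LAN initiates towards the WAN may leave.
        iifname "lan0" oifname "wan0" accept

        # ICMPv6 errors must traverse the router or path MTU discovery fails;
        # echo-request is permitted so hosts remain diagnosable.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem, echo-request } accept

        # The explicit "exception" a NAT box would call a port forward:
        # one host reachable on TCP/22 (placeholder address from 2001:db8::/32).
        iifname "wan0" ip6 daddr 2001:db8::10 tcp dport 22 accept

        # Everything else that the WAN tries to initiate is dropped by the
        # chain policy; log new inbound attempts so they show up in syslog.
        iifname "wan0" ct state new log prefix "ip6-fwd-drop: " drop
    }
}
```

Load it with `nft -f <file>` and check the result with `nft list table ip6 filter`. The `policy drop` on the chain is what does the real work; the NAT-style exception is one explicit rule rather than a port mapping, and the log line on new inbound flows gives the visibility a NAT box never provides.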