tc4m

joined 7 months ago
[–] [email protected] 3 points 1 month ago

Off topic, but I love Hurricane Electric's website. Simple, but not ugly. Straight to the point. I find it quite charming in contrast to the hyper-designed, but barely functional sites of other companies. (fuck you HPE)

[–] [email protected] 14 points 1 month ago

NAT is not a security feature. Your firewall blocks incoming traffic, not NAT. It introduces new complexity that now needs to be solved.

In corpo environments you have to struggle with NAT traversal for VoIP communication.

In home networks "smart" devices attempt to solve it with shit like UPnP and suddenly you get bigger holes in your network security than before. You could find countless home network printers on Shodan because of this. Even though (or maybe because) they were "behind" NAT.

[–] [email protected] 14 points 1 month ago (1 children)

NAT is just security by obscurity and actually not really security at all. What's protecting you from incoming scans, etc. is your network firewall. That firewall works just the same for IPv6. Blocking incoming traffic for your home network is usually the default setting in your ISP-issued router anyway.

Working as a network engineer, NAT in a large-scale customer environment can quickly devolve into a clusterfuck. Many times we had week-long reachability issues due to intermediate ISPs NATing unexpectedly.

My nemesis is CGNAT, which adds another layer of NAT because some ISPs don't have enough public IP space for all their customers to go around.

I have a customer where their ISP just assigned one of their locations public IPv4 addresses. Neither the customer, nor the ISP owned that address space. Their logic was that this address space is registered on a different continent, so it's basically fair game to use it themselves. Granted, they only route it internally for an MPLS network, but still...

What I'm getting at is that NAT increases complexity and breaks properly routed end-to-end connections. Everyone kinda fucks up with NAT, especially ISPs (in my opinion anyway).

I can really recommend the IPv6 study material from the major internet registries (took the v6 courses from RIPE NCC myself).

IPv6 is so much simpler for subnetting, writing firewall rules,... IMO the addresses just look kinda clunky.
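As an added illustration of the point made in the comments above (not code from the commenter or from any vendor), here is a constructed nftables ruleset for a small home/branch router. The interface names `eth0` (WAN) and `eth1` (LAN) are assumptions. The stateful `inet` filter table is what actually blocks unsolicited inbound connections, and it applies identically to IPv4 and IPv6; the NAT table exists only for IPv4 and only because of address scarcity. A UPnP port mapping would have to add an accept rule in the `forward` chain, which is exactly the hole the comments describe.

```nft
# Constructed example ruleset; interface names are assumptions.
define wan = "eth0"
define lan = "eth1"

# One stateful filter serves both address families (inet = IPv4 + IPv6).
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        iifname $lan accept
        # IPv6 needs these ICMPv6 types to work at all (NDP, PMTUD); do not drop them.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit,
                      nd-router-advert, echo-request, packet-too-big, time-exceeded,
                      parameter-problem } accept
        icmp type { echo-request, destination-unreachable } accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # LAN -> Internet is allowed for new connections, v4 and v6 alike.
        iifname $lan oifname $wan accept
        # No rule accepts new connections from $wan to $lan, so nothing inside is
        # reachable from outside, with or without NAT. A UPnP-created port mapping
        # would have to insert precisely such an accept rule (plus a dnat entry below).
    }
}

# IPv4 only: address translation. This table does no filtering at all.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname $wan masquerade
    }
}
```

Load it with `nft -f ruleset.nft` (check syntax first with `nft -c -f ruleset.nft`); removing the `ip nat` table changes nothing about what the outside can reach, which is the whole point of the thread.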