undefined | Better HN

0 pointsunethical_ban2y ago0 comments

NAT is a bandage over a crippling of proper network behavior. You trust your port forwarding isn't illicitly opening itself, no? Then you can trust a default deny inbound policy on IPv6.

0 comments

hot_gril2y ago

My port forwarding would have to actively try to allow traffic to my host. It doesn't even know where to forward to. And like it or not, NAT has momentum. Getting rid of NAT would be a big migration in of itself.

Dagger22y ago

This is actually wrong, and dangerously so. Your router knows perfectly well where to forward any given packet to: it forwards it to the IP that's in the packet's "destination IP" header.

If a connection comes into your router with the destination IP set to one of your LAN machines, NAT will not stop the connection.

There's no reason to be using NAT to protect yourself from inbound connections, because that's not a thing NAT even does in the first place. It often makes things actively worse even, by making it easier to port scan for your servers and by giving you a false sense of security.

unethical_banOP2y ago

NAT66 exists, it just isn't a necessity in IPv6. There are also private IPv6 networks.

They are called Unique Local Addresses (ULA) and are in the range fd00::/8.

Which itself is so much better than RFC 1918 addresses. If you need private, non-Internet routable addresses, then you generate a random one. In the event two private networks need to communicate over VPN, for example, there is no clash.

j / k navigate · click thread line to collapse