No. Please stop spreading this nonsense that NAT is a solution for security and privacy. NAT was a solution for getting systems online without increasing the address space. It served that well. Now it needs to die.
If you have security issues, that is because you failed to configure your firewall properly. Besides, the Internet was always supposed to work the way IPv6 would allow.
All the major firewalls have GUIs. But try this with some of your non-tech family, and tell me how difficult it was. Then imagine this on a global scale. Then imagine how many people are gonna disable said firewall to allow them to play some game or because something asked them to.
Not all games use p2p for matches. Fortnite is the easiest example of one that’s not. Hell, games are not even built the same way anymore and what you think is a server is in reality a cluster of AWS services.
You mean without? Well you're wrong. It's not a security concern at all. Allowing anyone from the outside to connect to any port they want is a security concern, simply because there's a lot of insecure software people run that doesn't account for malicious connections. However, allowing a user to intentionally let a piece of software listen for outside connections is in no way insecure.
> However, allowing a user to intentionally let a piece of software listen for outside connections is in no way insecure.
It is. Considering the kernel access often given to multiplayer games for anti-cheat, and the abysmal attention to security and ability to write secure code by the average application developer, letting Internet randos send arbitrary instructions directly to your machine may not be the best idea.
If the software is executing "arbitrary instructions" from remote sources, then it's a malicious piece of software, or so horribly negligent as to amount to the same thing. So I don't agree that direct connections are the problem - the badly written software is the problem.
No, "a user" in my sentence is intended to mean a human. It's very possible to program software to require human approval for connections. Also, if malicious software is already running, then it will be able to make connections to any remote servers it wants, no need for it to passively listen. IPv6 does not make this problem worse.
It’s not nonsense though. The implementation of NAT literally implies a stateful firewall.
I want ipv4 dead as well but to bury your head in the sand and pretend NAT doesn’t offer the protections it does only hurts your argument.
> Besides, the Internet was always supposed to work the way IPv6 would allow.
Yep, but the real world - where all of the unpatched IoT devices are running - has NAT at basically every home protecting devices from unsolicited connections.
NAT doesn't imply stateful firewall at all. NAT is literally just rewriting IP addresses on incoming/outgoing packets. I could have a single machine behind a middlebox, and the middlebox could just rewrite the IP source/destination of egress/ingress packets, and that would be NAT - and I'd still be able to successfully receive incoming packets from the big bad web. In fact, you can do this without the middlebox using an iptables MASQUERADE rule.
But even then, the added security of a stateful firewall as provided by a router is dubious. You know what else has a "stateful firewall"? Your kernel's TCP/IP stack. It isn't gonna accept random connections from the Internet unless there is an application actively listening to a port and accepting packets. And I trust the Linux/NT/BSD kernel to be more secure with ensuring that than a binary firmware blob from a router manufacturer.
Sorry, you’re very confused about the NAT that is widely deployed. It’s absolutely not 1:1 NAT because that buys effectively nothing from a scaling perspective.
> But even then, the added security of a stateful firewall as provided by a router is dubious. You know what else has a "stateful firewall"? Your kernel's TCP/IP stack. It isn't gonna accept random connections from the Internet unless there is an application actively listening to a port and accepting packets.
That’s the fucking problem. All kinds of vulnerable/misconfigured software just binds to 0.0.0.0:<whatever> and calls it good. My fridge does this, my washer does this, my TV does this. This is the world of IoT.
> And I trust the Linux/NT/BSD kernel to be more secure with ensuring that than a binary firmware blob from a router manufacturer
It’s not; it takes a single API call to have a program start listening, because that’s the entire job of the kernel. You have to configure a firewall on top of it to make sure vulnerable software isn’t exposed to the internet.
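The point made above, that the kernel will happily hand any process a wildcard listener and it is up to a firewall to decide what the internet may reach, is easiest to see by auditing which sockets are bound to `0.0.0.0` or `::` rather than loopback. The following is an added example, not code from anyone in the thread: it parses the Linux `/proc/net/tcp` and `/proc/net/tcp6` table format (the kernel's hex, little-endian address encoding and state `0A` for LISTEN) and reports listeners that are reachable from any interface. The sample table contents are constructed; the addresses, ports and uids in them are made up for illustration.

```python
import ipaddress
import struct

# Constructed sample in /proc/net/tcp and /proc/net/tcp6 format (st 0A = LISTEN).
# Line 0: 0.0.0.0:8080 listening as uid 1000; line 1: 127.0.0.1:631; line 2: an
# established connection, not a listener.
SAMPLE_TCP4 = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 10001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10002 1 0000000000000000 100 0 0 10 0
   2: 0A01A8C0:C1F2 0E0D0CE6:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 10003 1 0000000000000000 20 4 30 10 -1
"""
# Line 0: [::]:80 listening as root; line 1: [::1]:3000, loopback only.
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:0050 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10004 1 0000000000000000 100 0 0 10 0
   1: 00000000000000000000000001000000:0BB8 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 10005 1 0000000000000000 100 0 0 10 0
"""

LISTEN = "0A"


def decode_addr(hex_addr):
    """Decode the kernel's hex local_address field ("IPHEX:PORTHEX").

    IPv4 is one 32-bit word and IPv6 is four 32-bit words, each written in
    host (little-endian) byte order, so every 8-hex-digit chunk is repacked.
    """
    ip_hex, port_hex = hex_addr.split(":")
    words = [struct.pack("<I", int(ip_hex[i:i + 8], 16))
             for i in range(0, len(ip_hex), 8)]
    ip = ipaddress.ip_address(b"".join(words))  # 4 bytes -> v4, 16 -> v6
    return ip, int(port_hex, 16)


def exposed_listeners(table_text):
    """Return (address, port, uid) for LISTEN sockets not bound to loopback."""
    found = []
    for line in table_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 8 or fields[3] != LISTEN:
            continue
        ip, port = decode_addr(fields[1])
        if ip.is_loopback:
            continue  # only reachable from the host itself
        found.append((str(ip), port, int(fields[7])))
    return found


def audit(tcp4=SAMPLE_TCP4, tcp6=SAMPLE_TCP6):
    """Combine both tables; defaults to the constructed sample above."""
    return exposed_listeners(tcp4) + exposed_listeners(tcp6)


if __name__ == "__main__":
    # On a real Linux host, feed the live tables instead of the sample:
    # audit(open("/proc/net/tcp").read(), open("/proc/net/tcp6").read())
    for ip, port, uid in audit():
        print(f"exposed listener: [{ip}]:{port} (uid {uid})")
```

Anything this reports is exactly what the kernel alone will not protect: a wildcard-bound listener is reachable from every interface unless a host or upstream firewall rule says otherwise, which is why the list is a useful starting point for writing those rules.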
The kind of NAT that's widely deployed doesn't act as a firewall though. It buys you nothing from a security perspective. It's entirely possible to connect inwards over a NATing router unless there's also an additional firewall configured.
Stateful NAT does imply state tracking, which is a major component needed to implement a stateful firewall, but it is not itself a stateful firewall.
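The sub-thread above distinguishes three things that "NAT" can mean: 1:1 address rewriting, the port-overloading NAT that home routers actually run, and that NAT combined with a connection-tracking filter. The following toy forwarder is an added example, not code from anyone in the thread or from any real router; it models one outbound flow and then two unsolicited inbound packets against each configuration so the difference in what reaches the inner host is visible. All addresses come from the RFC 5737 documentation ranges and are constructed; the plain NAPT table deliberately does not check the remote peer, which is a simplification (real implementations vary).

```python
from dataclasses import dataclass, replace

PUBLIC_IP = "203.0.113.1"   # router WAN address (constructed)
INNER_IP = "192.168.1.10"   # LAN host with a service bound to 0.0.0.0:8080 (constructed)
PEER = "198.51.100.7"       # internet host the LAN host talks to (constructed)
SCANNER = "198.51.100.99"   # unrelated internet host (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StaticNat:
    """1:1 NAT: addresses are rewritten, nothing is tracked or filtered."""

    def outbound(self, pkt):
        return replace(pkt, src=PUBLIC_IP)

    def inbound(self, pkt):
        # Every packet for the public address is rewritten to the inner host,
        # whether or not the inner host started the conversation.
        return ("inner", replace(pkt, dst=INNER_IP))


class Napt:
    """Port-overloading NAT: mappings exist only because of outbound traffic."""

    def __init__(self):
        self.table = {}         # public port -> (inner ip, inner port, peer ip)
        self.next_port = 40000

    def outbound(self, pkt):
        pub = self.next_port
        self.next_port += 1
        self.table[pub] = (pkt.src, pkt.sport, pkt.dst)
        return replace(pkt, src=PUBLIC_IP, sport=pub)

    def inbound(self, pkt):
        entry = self.table.get(pkt.dport)
        if entry is None:
            # Nothing to translate: the packet stays addressed to the router
            # and is handled by whatever the router itself has listening.
            return ("router", pkt)
        inner_ip, inner_port, _peer = entry
        # Simplification: the mapping is used for any sender.
        return ("inner", replace(pkt, dst=inner_ip, dport=inner_port))


class StatefulNapt(Napt):
    """NAPT plus a conntrack-style filter: inbound is accepted only when it
    belongs to a flow the inside initiated, including the remote peer."""

    def inbound(self, pkt):
        entry = self.table.get(pkt.dport)
        if entry is None or entry[2] != pkt.src:
            return ("dropped", None)
        inner_ip, inner_port, _peer = entry
        return ("inner", replace(pkt, dst=inner_ip, dport=inner_port))


def scenario(box):
    """One outbound flow, then its reply and two unsolicited packets."""
    out = box.outbound(Packet(INNER_IP, 51000, PEER, 443))
    reply = box.inbound(Packet(PEER, 443, PUBLIC_IP, out.sport))[0]
    # An unrelated host probes the public address on the inner service's port.
    probe = box.inbound(Packet(SCANNER, 12345, PUBLIC_IP, 8080))[0]
    # The same host sends to a port that currently has a mapping.
    other_peer = box.inbound(Packet(SCANNER, 12345, PUBLIC_IP, out.sport))[0]
    return {"reply": reply, "probe": probe, "mapped_port_other_peer": other_peer}


if __name__ == "__main__":
    for box in (StaticNat(), Napt(), StatefulNapt()):
        print(type(box).__name__, scenario(box))
```

The three outcomes line up with the three positions in the thread: 1:1 NAT passes the probe straight to the inner host; port-overloading NAT has no mapping for it, so the probe lands on the router's own stack rather than the device, while a mapped port is still reachable from a different peer; only the configuration with connection tracking and a filter drops both.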
"Beware of appeals to the 'real world'; and to what it supposedly demands. It is always an invitation to leave unchallenged the speaker's tacit assumptions."
Not demands. It’s just the reality of where we are. People who claim everything will improve by allowing p2p connections by default are woefully out of touch with the shit show that is IoT.
The IoT shitshow is never going to improve, if IoT device makers can't be made to stop offloading the cost of their laziness and bad systems thinking onto a network layer that was never intended, and is poorly suited, to be the ne plus ultra of device security.