Amazon finds $1B jackpot in its 100 million+ IPv4 address stockpile | The tech giant has cited ballooning costs associated with IPv4 addresses::undefined

  • frezik
    link
    fedilink
    English
    arrow-up
    4
    ·
    edit-2
    11 months ago

    They need to stop that nonsense. NAT is not for security, and was not designed for security purposes. In fact, there are a few ways it subverts security, such as SNI in TLS making the connection less private than it could be.

    If they want to block external connections, a border firewall can do the job just fine without NAT. It’s arguably better, because NAT complicates existing firewall rules and their implementation in code. Complications are the enemy of security.

    • Blue_Morpho@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      11 months ago

      a border firewall can do the job just fine without NAT

      How do you anonymize ip addresses without effectively recreating nat using firewall rules?

      • frezik
        link
        fedilink
        English
        arrow-up
        2
        ·
        11 months ago

        Mu. Why do you feel the need to anonymize IP addresses?

        • Blue_Morpho@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          11 months ago

          There is no way to personally identify anyone. Right now advertisers have to jump through hoops of cookies and browser fingerprinting to identify you- which can be blocked.

          • frezik
            link
            fedilink
            English
            arrow-up
            2
            ·
            11 months ago

            They still wouldn’t. A single computer address is not an individual. They’re only slightly better off compared to knowing the edge router IP like they do now.

            If you really want to protect against that, then use a proxy or an onion router. NAT was never meant to do this, and it does it poorly.

            • Blue_Morpho@lemmy.world
              link
              fedilink
              English
              arrow-up
              1
              arrow-down
              1
              ·
              11 months ago

              A single computer address is not an individual.

              It is extremely likely to be the same user. Shared computers are rare today.

              • frezik
                link
                fedilink
                English
                arrow-up
                2
                ·
                11 months ago

                So what? They still don’t have much more information than the edge router IP. Again, if you want to protect yourself here, use a proxy, onion router, or VPN. NAT is not designed to tackle this, and does it poorly.

          • Dark Arc@social.packetloss.gg
            link
            fedilink
            English
            arrow-up
            1
            ·
            11 months ago

            In a large cooperate network, or even a small network, there’s nothing fixing a device to a specific network address. You can shuffle those around between people entering and leaving the building and device power cycles just like DHCP does for IPv4.