While others across the industry battle it out over 10-gig claims, Google Fiber is looking to go bigger, plotting the rollout of a symmetrical 20-gig service for select residential and business cus | The service will use Nokia's 25G-PON gear and initially be available later this year as an invite-only product.
No, stop this. NAT is not a security measure. It was not designed as one, and does not help security at all.
Why doesn’t it help security? Is everybody’s device supposed to be publicly accessible?
Because hiding addresses does very little. A gateway firewall does not need NAT to protect devices behind it.
In fact, NAT tends to make things more complicated, and complication is the enemy of security. It’s one extra thing that firewalls have to account for. Firewalls behind NAT also don’t know where traffic is originally coming from, meaning they have one less tool at their disposal. This gets even worse with CGNAT, which sometimes has multiple levels of NAT.
Security is a very common objection to getting rid of NAT, and it’s wrong.
I’m curious and quite ignorant in networking, so excuse the questions.
How would the house devices communicate with each other?
In my home LAN behind a router and NAT, each device gets an internal IP thanks to DHCP. If I want to make my homeserver media server with DLNA available only internally, there’s nothing I have to do. Just start it up with
0.0.0.0
and it’ll be picked up (if I’m not mistaken by sending a multicast packet to the router). It’s then possible for any smart TV in my home to pick it up, and my phone or computer with VLC don’t need any configuration either.And if I have a service that should be available to the world, port forwarding does it for me. Should a user want to torrent or use some P2P application, the router can also selectively enable UPnP to open ports for that user’s device. It’s not that complicated.
What is complicated that makes NAT worse for security? How would a gateway firewall improve it? Doesn’t it have to keep track of connections too in order to know what’s going on? For example just because a device (A) establishes a connection with an external one (B), doesn’t mean that another external device © is allowed to use that port to communicate with the the internal device (A).
What else besides address translation falls away if you remove NAT?
For internal communication on IPv4, everything has some unique internal IP. There are blocks reserved for private space. Usually people use 192.168.x.x or 10.x.x.x. DHCP hands it the address.
If you wanted this to work in the IPv6 world, you are assigned a prefix by your ISP, and everything is inside that prefix. Services still have to discover each other by some mechanism. Perhaps by DHCPv6, or perhaps broadcasting their existence.
Port forwarding is only necessary with NAT. If you have a gateway firewall that blocks incoming new connections by default, then you will need to open the port going to a specific device. Current home networking “routers” combine port forwarding and opening the firewall together as a convenience, but there’s no reason an IPv6 world would need to do that. UPnP can open the port the same way if you want that (though that’s a whole other security issue).
In a home networking “router”, the gateway firewall is already combined in. In fact, I’m putting the “router” in quotes because it’s really a firewall with NAT and some other services like DHCP. It doesn’t typically do things like BGP that we would normally see in a router outside of an edge network like your home. A router out there is an allow-by-default device.
Adding NAT to the gateway firewall makes the code more complicated. For example, here’s a command on Linux that activates NAT for the iptables firewall:
That “MASQUERADE” bit is handled as NAT, and iptables has to implement more code just to do that.
If we wanted to simply drop all new incoming connections, we would do:
Which tells it to drop packets by default that aren’t otherwise accepted, and then accept packets that are already part of a connection. Even with NAT, we typically want to do this, anyway, so we’re not making things any easier with NAT.
If we want to add a service listening on port 80 for host 10.0.0.5, we would do:
Which works just fine in a NAT-less world. With NAT, we also have to add this:
Which translates the stuff coming in from outside to port 80 to 10.0.0.5 on the same port, and then also translates replies going back the other way. And I might be getting some of the commands wrong, because it’s been a while since I’ve had to configure this.
Suffice it to say, dropping NAT greatly simplifies firewall rules. Your home router is still doing all this (many of them are just Linux iptables these days), but it’s hiding the details from you.
Edit: This doesn’t cover how protocols have been designed to work around NAT, and that’s resulted in a more centralized Internet that’s easier to spy on. That’s a whole other problem that is hidden from most people.
I still consider it important part of the whole package. It’s not a be all end all solution but hiding your private network from outside world is a good first step. In situation you are describing DHCP would have to sit with ISP then, effectively giving them control over what you get to install at your home or limiting bandwidth of certain devices which is a huge issue. Of course you can do traffic shaping with NAT as well, but then whole connection has to be limited and not individual device. While NAT does complicate things a lot, and I mean a lot, it does provide a level of segregation and control which you can’t have otherwise.
So the choice boils down to either run Proxy/Gateway or NAT and latter is far easier for common user since routers come pre-configured. Or worst case scenario provide public IP to everything and mess around with gateway’s firewall to protect each individual device from outside.
IPv6 has DHCP, but it doesn’t work like that. You generally get a prefix and other details about the network, like the gateway address and DNS, and autoconfiguration based on the MAC address does the rest. It was first hoped that DHCP wouldn’t be needed at all for IPv6, but it turned out to be still useful. There’s some more complications here, but suffice it to say that you shouldn’t try to take your knowledge of IPv4 and try to map it on top of IPv6. They’re separate beasts.
A gateway can block incoming traffic to the whole internal network if you want. It doesn’t need NAT to do that.
I’ll have to look more into it then. However I still consider hiding your private network to be a good thing, if for no other reason then privacy, even though traffic might be blocked. And I am aware that security through obscurity is not a good form of security, however when added on top of other properly secure methods, it’s an addition, no matter how trivial. As for NAT I do wish it went away as I’ve had nothing but troubles with it. But it did play an important role with IPv4.
If privacy is what you want, then NAT is forcing a bunch of decisions that make things less private.
Consider a VoIP service like Skype or Vonage. In a world without NAT, you can directly dial the device. It’s easy to encrypt it end to end. You can have several such devices on a single network. Just need to open the port(s) on the firewall to that device.
In a world with NAT, end users would need to forward those ports. That alone might be reasonable for the average customer to do, but having more than one device behind the gateway becomes hairy.
So what a lot of these companies did was build a datacenter that serves connections. Your VoIP device or software initiates a connection to that server from its side, so you don’t have to configure anything. Another device dialing you connects to that server, looks up your connection, and pipes through everything.
Now it’s a bit harder to implement end to end encryption. You could still do it, but it’s more complicated, and that complication means it’s easier to get wrong. Out of either laziness or malice, maybe the company doesn’t bother. Now its datacenter becomes a central point for snooping on conversations. Oh, and the whole service is more expensive because the cost of this datacenter has to be paid off.
NAT is not for security or privacy. It’s harming both. The benefit of obscuring addresses on your network is far outweighed by other problems.