
Whenever I read these IPv6 discussions, I can't help but think there is a huge disconnect between users and designers of IPv6:

- Designers think a globally routable internet is a huge achievement

- Users just want to hide their devices from the hellscape that is the modern internet, with all its threats

These are fundamentally different approaches.



I'm a user and I think they are compatible requirements and support each other well.

The alternative, having ambiguous addresses, makes systems hard to reason about and monitor, and adds complexity - e.g. when inevitably "internal" networks end up connected to each other in various kinds of reorganisations, resulting in misconfigurations because nobody can tell anymore what the ambiguous rule about a 10.x.x.x address meant. Complexity and ambiguity are the main enemies of security, because you can only secure what you can understand well.

NATs are also hard to reason about in that there's no real spec about what kind of incoming traffic they allow and when. The NAT function is designed to facilitate communication in the face of the connectivity hurdle presented by the addressing, not to limit communication.


Perhaps so, but I think psychologically, having your devices 'hide' behind a NAT feels a lot safer than having them out in the wild with only some firewall rules to protect them.

Secondarily, to many users, IPv6 routing and NAT are both incomprehensible. I think most home/SME IT admin people who have to maintain everything in their home/company are not in a position to learn everything about IPv6. Having a solution like NAT where you just can't connect from the outside (unless forwarded) really simplifies many things.

Many people are not in a position where they can understand networking fully.


As a user, I like that my router doesn't need to alter my traffic mid-transit to connect to outside networks.

With attacks like NAT slipstreaming your devices are already globally reachable in any real network anyway. That, or FTP/SIP doesn't work, because ALG exploitation can be mitigated by just disabling those protocols.

Just ask the average gamer behind CGNAT how they feel about the security NAT provides them (and what kind of NAT they need), or your average network application developer about the joys of setting up handshake servers to punch holes through NATs.

The curse that is NAT has led to ridiculous workarounds like Nintendo telling people to put their Nintendo Switch in the DMZ if multiplayer doesn't work.
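The two comments above make related points: the earlier one that there is no single spec for what inbound traffic a NAT admits, and this one that hole punching through NATs is fragile. RFC 4787 does classify NAT behaviour along two axes, mapping (does one inside socket get one public port, or one per destination) and filtering (who may send to that port). The following is an added example, not code from the thread or from any real NAT implementation: a toy model of those behaviours, with constructed documentation addresses (the same 10.0.0.2 is deliberately reused on both sides, as in the "ambiguous 10.x address" point above). It shows that an unsolicited packet reaches the inside host on one NAT type and is dropped on the others, and that classic UDP hole punching succeeds between two cone NATs but fails as soon as one side uses a symmetric (address-and-port-dependent) mapping.

```python
"""Toy model of RFC 4787 NAT mapping/filtering behaviours (added example, not the
thread's or any vendor's code). All IPs are constructed documentation values."""
from dataclasses import dataclass, field
from typing import Any, Dict, Optional, Set, Tuple

Addr = Tuple[str, int]  # (ip, udp port)


@dataclass
class Nat:
    mapping: str      # "endpoint-independent" (one public port per inside socket) or
                      # "address-and-port-dependent" (new port per destination, "symmetric")
    filtering: str    # "endpoint-independent" | "address-dependent" | "address-and-port-dependent"
    public_ip: str
    next_port: int = 40000
    # mapping key -> public port; public port -> (inside socket, peers it has sent to)
    ports: Dict[Any, int] = field(default_factory=dict)
    table: Dict[int, Tuple[Addr, Set[Addr]]] = field(default_factory=dict)

    def outbound(self, src: Addr, dst: Addr) -> Addr:
        """Inside host sends a packet; returns the public (ip, port) the outside sees."""
        key = src if self.mapping == "endpoint-independent" else (src, dst)
        if key not in self.ports:
            self.ports[key] = self.next_port
            self.table[self.next_port] = (src, set())
            self.next_port += 1
        port = self.ports[key]
        self.table[port][1].add(dst)
        return (self.public_ip, port)

    def inbound(self, src: Addr, dst_port: int) -> Optional[Addr]:
        """Outside host sends to one of our public ports; returns the inside socket
        that receives it, or None if the NAT drops it."""
        entry = self.table.get(dst_port)
        if entry is None:
            return None           # no mapping at all: the "can't connect from outside" case
        inside, peers = entry
        if self.filtering == "endpoint-independent":
            ok = True             # full cone: anyone may use the port once it exists
        elif self.filtering == "address-dependent":
            ok = any(ip == src[0] for ip, _ in peers)
        elif self.filtering == "address-and-port-dependent":
            ok = src in peers
        else:
            raise ValueError(f"unknown filtering {self.filtering!r}")
        return inside if ok else None


SERVER = ("198.51.100.1", 3478)   # constructed rendezvous (STUN-like) server
INSIDE = ("10.0.0.2", 5000)       # same RFC 1918 address on both sides, on purpose


def unsolicited_after_outbound(filtering: str) -> bool:
    """Once the inside host has talked to SERVER, does a packet from an unrelated
    host reach it? Only a full-cone (endpoint-independent filtering) NAT says yes."""
    nat = Nat("endpoint-independent", filtering, "203.0.113.10")
    pub = nat.outbound(INSIDE, SERVER)
    return nat.inbound(("192.0.2.7", 1234), pub[1]) == INSIDE


def hole_punch(nat_a: Nat, nat_b: Nat) -> bool:
    """UDP hole punching: both peers register with SERVER, learn each other's public
    endpoint from it, then send to each other. True if both directions get through."""
    a_pub = nat_a.outbound(INSIDE, SERVER)
    b_pub = nat_b.outbound(INSIDE, SERVER)
    # Each side's first packet toward the peer opens its own NAT; under a symmetric
    # mapping it also leaves from a *different* public port than the server observed,
    # so the peer is still aiming at the wrong port.
    a_hole = nat_a.outbound(INSIDE, b_pub)
    b_hole = nat_b.outbound(INSIDE, a_pub)
    a_reaches_b = nat_b.inbound(a_hole, b_pub[1]) == INSIDE
    b_reaches_a = nat_a.inbound(b_hole, a_pub[1]) == INSIDE
    return a_reaches_b and b_reaches_a


def cone_to_cone() -> bool:
    return hole_punch(Nat("endpoint-independent", "address-and-port-dependent", "203.0.113.10"),
                      Nat("endpoint-independent", "address-and-port-dependent", "203.0.113.20"))


def symmetric_to_cone() -> bool:
    return hole_punch(Nat("address-and-port-dependent", "address-and-port-dependent", "203.0.113.10"),
                      Nat("endpoint-independent", "address-and-port-dependent", "203.0.113.20"))


if __name__ == "__main__":
    for f in ("endpoint-independent", "address-dependent", "address-and-port-dependent"):
        print(f"{f:28s} unsolicited inbound reaches host: {unsolicited_after_outbound(f)}")
    print("hole punch cone <-> cone:     ", cone_to_cone())
    print("hole punch symmetric <-> cone:", symmetric_to_cone())
```

The model is deliberately minimal (no timeouts, no port preservation, no hairpinning), but it is enough to show the practical point: whether "behind a NAT" means unreachable, reachable by anyone who learns the port, or reachable only by recent correspondents is a property of the particular box, and a game console or P2P application has to probe for it rather than assume it.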


Except the devices are still quite well-hidden in IPv6 due to the large address space. Good luck scanning even a single /64 behind a normal home internet connection.

Only way around that is sniffing the communication (say some cloud service that some IoT device connects to) - which would also give you enough information to send your own packets through the NAT/firewall too. Not very feasible for the average attacker and assumes that the device initiates connections in the first place. If it doesn't, good luck finding it remotely.
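The "good luck scanning a /64" argument holds only when interface identifiers are unpredictable. SLAAC addresses built with the modified EUI-64 scheme of RFC 4291 embed the interface's MAC, so an attacker who knows the /64 and the NIC vendor's OUI is searching 24 bits, not 64; temporary addresses with random identifiers (RFC 4941 and its successor RFC 8981) restore the full search space. The block below is an added example, not code from the thread: it derives the EUI-64 address for a constructed MAC and documentation prefix, flags addresses that carry the 0xfffe marker, and compares brute-force scan times under a hypothetical probe rate.

```python
"""Added example (not from the thread): how much hiding a /64 really provides.
Prefix, MAC and probe rates below are constructed values for illustration."""
import ipaddress
import secrets

SECONDS_PER_YEAR = 365.25 * 86400


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier per RFC 4291 Appendix A: split the
    48-bit MAC in half, insert 0xfffe, and flip the universal/local bit (0x02 of byte 0)."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:6]
    return int.from_bytes(iid, "big")


def slaac_eui64_address(prefix: str, mac: str) -> str:
    """The stable SLAAC address a host with this MAC would take on the given /64."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC interface identifiers are 64 bits; prefix must be a /64")
    return str(ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac)))


def looks_eui64_derived(addr: str) -> bool:
    """True if the interface identifier carries the 0xfffe marker in the middle, a
    strong hint the address was derived from a MAC (vendor OUI and NIC serial recoverable)."""
    packed = ipaddress.IPv6Address(addr).packed
    return packed[11:13] == b"\xff\xfe"


def random_slaac_address(prefix: str) -> str:
    """RFC 4941/8981-style temporary address: a random 64-bit interface identifier,
    with no vendor structure for a scanner to exploit."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    return str(ipaddress.IPv6Address(int(net.network_address) | secrets.randbits(64)))


def eui64_search_space_bits(oui_known: bool) -> int:
    """Bits an attacker must guess for an EUI-64 host: the whole MAC, or only the
    24-bit NIC-specific part once the vendor OUI is known (e.g. from one observed address)."""
    return 24 if oui_known else 48


def brute_force_years(bits: int, probes_per_second: float) -> float:
    """Wall-clock years to exhaustively probe 2**bits candidates at the given rate."""
    return 2 ** bits / probes_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    prefix, mac = "2001:db8:abcd:1::/64", "00:11:22:33:44:55"   # constructed values
    stable = slaac_eui64_address(prefix, mac)
    temp = random_slaac_address(prefix)
    print("EUI-64 address:   ", stable, "| MAC-derived:", looks_eui64_derived(stable))
    print("temporary address:", temp, "| MAC-derived:", looks_eui64_derived(temp))
    rate = 1e6  # hypothetical probes per second from a single scanner
    print(f"full /64 at {rate:.0e} pps: {brute_force_years(64, rate):,.0f} years")
    print(f"EUI-64, OUI known:      {brute_force_years(eui64_search_space_bits(True), rate) * SECONDS_PER_YEAR:.0f} seconds")
```

The takeaway for a home or SME admin is a concrete check rather than a feeling: if `ip -6 addr` on a device shows an address with `ff:fe` in the middle of the last 64 bits, that device is not hidden by the size of the /64, and the fix is to enable privacy/temporary addresses (or RFC 7217 stable-privacy identifiers) rather than to rely on the address space.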



