echo: ipv6
to: Markus Reschke
from: Victor Sudakov
date: 2019-01-26 21:49:00
subject: NAT

Dear Markus,

26 Jan 19 12:12, you wrote to me:

 VS>> With the proliferation of IPv6 I hear more and more often that
 VS>> NAT is a great security mechanism because it hides your intranet
 VS>> infrastructure from outsiders,

 MR> There's a lot of misunderstanding of NAT and security. The typical
 MR> case is that NAT is done by a dedicated firewall or a router with
 MR> firewall features, i.e. the firewall/router does packet filtering and
 MR> NAT. So a lot of people think that NAT implies security, but it
 MR> doesn't.

The security guidelines I have read don't specify "NAT must be used." They 
specify "RFC1918 addresses must be used in the internal network."

 MR> NAT is exactly what the acronym says: network address
 MR> translation. A 1:1 NAT simply translates one address or subnet to
 MR> another. How could that provide any security?

A static NAT has limited usage and indeed does not provide much additional 
security. But the dynamic NAT and especially PAT provide a very important 
security feature no packet filter provides: they *hide* the *source* 
*addresses* of internal hosts, thus effectively hiding the network structure 
from outsiders.

 MR> What you need is packet
 MR> filtering (plus proxies and so on).

Yes, a proxy would do the same hiding as a dynamic NAT.

 VS>> infrastructure from outsiders, and how unfit IPv6 is for
 VS>> enterprise networks because it lacks the notion of NAT
 VS>> which makes IPv6 networks so very very much insecure.

 MR> There's also NAT for IPv6.

Never heard of that, other than DNS64/NAT64 which are for a different purpose.

 MR> BTW, IPv6 has a nice feature called Privacy
 MR> Extensions to automatically change IP addresses regularly.

Yes, with Privacy Extensions it becomes more difficult to map a single host, 
but all your /64 internal networks are still mappable. For example, by 
analyzing browsing behaviour, you can easily guess which /64 in your company is 
for engineering staff and which is for the management.

Victor Sudakov, VAS4-RIPE, VAS47-RIPN
--- GoldED+/BSD 1.1.5-b20160322-b20160322
* Origin: Ulthar (2:5005/49)
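A small Python model of the distinction Victor draws between a static 1:1 NAT and a dynamic NAT/PAT, added here as an illustration; it is not code from either correspondent. The internal RFC1918 addresses and the external documentation-range addresses are constructed samples, and the PAT model ties inbound translation to an existing outbound entry, which is the stateful part Markus attributes to the firewall rather than to the translation itself.

```python
import itertools
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StaticNat:
    """1:1 NAT: every internal host gets its own external address, so an
    outsider still sees one distinct address per host (structure preserved)."""

    def __init__(self, mapping: Dict[str, str]) -> None:
        self.out_map = dict(mapping)
        self.in_map = {ext: internal for internal, ext in mapping.items()}

    def outbound(self, p: Packet) -> Packet:
        return Packet(self.out_map[p.src], p.sport, p.dst, p.dport)

    def inbound(self, p: Packet) -> Optional[Packet]:
        # Any packet to a mapped external address is forwarded, solicited or not.
        if p.dst in self.in_map:
            return Packet(p.src, p.sport, self.in_map[p.dst], p.dport)
        return None


class Pat:
    """Dynamic NAT with port translation: all internal hosts share one
    external address, so the observer sees a single source for everything."""

    def __init__(self, ext_addr: str, first_port: int = 40000) -> None:
        self.ext = ext_addr
        self.ports = itertools.count(first_port)
        self.table: Dict[Tuple[str, int, str, int], int] = {}
        self.reverse: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def outbound(self, p: Packet) -> Packet:
        key = (p.src, p.sport, p.dst, p.dport)
        if key not in self.table:
            port = next(self.ports)
            self.table[key] = port
            self.reverse[(port, p.dst, p.dport)] = (p.src, p.sport)
        return Packet(self.ext, self.table[key], p.dst, p.dport)

    def inbound(self, p: Packet) -> Optional[Packet]:
        # Only a reply matching a recorded outbound flow is translated back.
        entry = self.reverse.get((p.dport, p.src, p.sport))
        if entry is None:
            return None
        return Packet(p.src, p.sport, entry[0], entry[1])


def observed_sources(nat, flows) -> set:
    """Source addresses an outsider would see for the given internal flows."""
    return {nat.outbound(p).src for p in flows}
```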
