A hill I’ll die on every time: NAT is a security feature. It wasn’t intended as one, it shouldn’t be used as one, but it IS one. If I go into my router and disable the firewall, then do the same on every device I own, not a single extra device on my network becomes publicly exposed. That is security. It makes it hard for users with poor cybersecurity awareness to accidentally expose devices to the entire internet. If we disabled UPnP by default, we’d see a huge drop in automated exploitation.
@malwaretech 100%. The only reason the internet is usable at all today is because home-router NAT is protecting billions of vulnerable devices entirely by historical accident.
@mhoye@malwaretech If it hadn't been for NAT, these garbage devices and Windows boxes with sharing & shit enabled by default would have been DOA, never would have been viable to sell. That was a harm to security not a benefit. Because while NAT makes them vaguely look safe, they're trivially attacked via another popped/infected device that gets connected to home LAN.
@danwing@vurpo@DJGummikuh also, the IPv6 privacy protection is very different from things like CGNAT, which essentially act as a no-log VPN (some telco providers do save NAT table history, but that's extremely expensive and difficult to keep over the long term).
Being shielded by your ISP is a huge privacy feature, comparable to being shielded by cloudflare on server side.
@fl@vurpo@DJGummikuh To avoid that ongoing logging, the three vendor CGNAT implementations I am aware of use fixed port ranges per subscriber. For example, if the CGNAT is configured to give everyone 1024 ports, that means neighbor Bob gets 1024 ports and his range might be 10000-11024, I would get the next set of 1024 ports (11025-12049), neighbor Sue gets the next set of 1024 ports, and so on. Some CGNATs have an 'overflow' pool of ports shared amongst subscribers, so a subscriber can 'burst' beyond their 1024 ports to consume 2x or 3x that amount. Those overflow ports, which are dynamically assigned, likely create logs when they are mapped to a subscriber. See https://datatracker.ietf.org/doc/html/rfc7422 and vendor documentation for more details.
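As an added illustration of the deterministic port-block scheme described in the post above (not code from the thread, from RFC 7422, or from any vendor): the subscriber order, the base port of the deterministic range and the overflow pool boundaries are assumed values, and each block is exactly 1024 ports. It shows why the fixed ranges need no logging to attribute an abuse report to a subscriber, while the shared overflow pool does.

```python
from dataclasses import dataclass, field

BLOCK_SIZE = 1024        # ports per subscriber, as in the post
BASE_PORT = 10000        # first port of the deterministic range (assumed)
OVERFLOW_START = 50000   # shared overflow pool boundaries (assumed)
OVERFLOW_END = 60000


@dataclass
class DeterministicCGNAT:
    # Position in this list is the subscriber's block number (assumed ordering).
    subscribers: list
    overflow_map: dict = field(default_factory=dict)   # port -> subscriber
    log: list = field(default_factory=list)            # only overflow mappings

    def block_for(self, subscriber):
        """Fixed, computable port range for a subscriber: no state, no log."""
        idx = self.subscribers.index(subscriber)
        start = BASE_PORT + idx * BLOCK_SIZE
        return start, start + BLOCK_SIZE - 1

    def subscriber_for_port(self, port):
        """Abuse-report attribution from an observed external port.
        Deterministic ranges resolve by arithmetic alone; overflow ports
        resolve only if the dynamic mapping was logged."""
        top = BASE_PORT + BLOCK_SIZE * len(self.subscribers)
        if BASE_PORT <= port < top:
            return self.subscribers[(port - BASE_PORT) // BLOCK_SIZE]
        return self.overflow_map.get(port)

    def allocate_overflow(self, subscriber, timestamp):
        """Burst beyond the fixed block: dynamic, so it must be logged."""
        for port in range(OVERFLOW_START, OVERFLOW_END):
            if port not in self.overflow_map:
                self.overflow_map[port] = subscriber
                self.log.append(f"{timestamp} overflow port {port} -> {subscriber}")
                return port
        raise RuntimeError("overflow pool exhausted")


if __name__ == "__main__":
    nat = DeterministicCGNAT(["bob", "me", "sue"])
    print(nat.block_for("me"))                     # (11024, 12047)
    print(nat.subscriber_for_port(11500))          # me, without any log lookup
    port = nat.allocate_overflow("sue", "2024-01-01T00:00:00Z")
    print(nat.subscriber_for_port(port), nat.log)  # sue, one log line
```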
@vurpo@DJGummikuh IPv6 privacy changes the client IPv6 address every 24-ish hours on most OSs; it's a lot of effort to do better (such as a fresh IPv6 source address per IPv6 destination, which would perhaps be the ideal). The 24-hour behavior makes all the IPv6 activity from that client very trackable. An IPv4 NAPT does a better job at obscuring whether connections are from one client or multiple clients.
@malwaretech in all honesty, I DISABLED IPv6 after I noticed that it essentially 'makes NAT obsolete' - and at the very least allows enumeration of devices in my network.