NAT is useful for security, and need not be a bad thing, even if IPv6 is widely deployed. I’d rather have my company’s PCs behind a firewall/router that exposes only 1 IP address, instead of having a situation where the internal network architecture is exposed by making each PC visible to the entire world.

Hackers can attempt to hit the single IP address all day, but won’t be able to see what’s behind it as they are all machines in the 192.168.xxx.yyy or 10.aaa.bbb.ccc address spaces, which are private and unreachable.

NAT has nothing essential to do with security. Packet filtering is useful for security. Packet filtering is often bundled with NAT, but is completely independent. Packet filtering can be installed on any bottleneck with or without NAT.

Mike O’Donnell

NAT != Security.

It gives you certain invisibility, which is like a false sense of security. But it does not mean you are secure.

Right, I didn’t mean to imply it was the ultimate in security—“security through obscurity” never is the best choice. But, if all IP addresses were “public”, would that be better, rather than having the option to obscure things a little? Presumably IPv6 would have something comparable, though, to allow obscurity of devices that don’t need to be seen by the outside world? (e.g. you don’t need to see the IP address of my printer)

NAT is not really recognized as the biggest roadblock to VoIP when you have companies like Jasomi implementing NAT traversal engines.

NAT is the biggest roadblock to the newer emerging technologies, involved with pervasive and location-aware computing.  We can have “smart buildings” with NAT but we cannot have smart communities of smart buildings.

Having all IP addresses public is not any less secure or vulnerable, given a correct firewall configuration.  If you deny by default, and open exactly what should be allowed (address and port tuple), you are as secure as the firewall can do, short of advance features like protocol specific inspection, etc.

What does it matter if I see the IP address of your printer or not?  If I see your IPv6 subnet assignment, I can speculate every address you might have (billions and billions and ...) but cannot reach.  So what if I happen to just guess what your actual printer IP address is?  Since the firewall won’t let me reach it, I won’t know if it is really there or not.  All that I will be able to reach is what your firewall allows me to reach.  Surely you are not going to expose your internet printer names on your external authoritative DNS server.

By not having NAT, what I can learn about you that NAT would obscure, is whether or not different services are running on different addresses.  If you expose FTP and HTTP, I can see if they are the same IP address.  Even then, I won’t know that they are, or are not, IP aliases, or a multihomed machine.  I even recommend that, given enough IP addresses (which IPv6 will do for everyone), every service should be on a different IP address just so it can be “vectored” wherever you might choose to do so.

It sounds like perhaps you (like so many others) have become so dependent on NAT as a form of security, that your firewall is in fact wide open (e.g. does not deny by default).  It may be effectively secure that way, but the danger is that it taught an incorrect approach to security that does not work universally.

Even denying by default shouldn’t be necessary to be secure if all servers correctly understand who they are communicating with.  With IPsec or TLS layered connections, along with strong authentication, all a firewall does is keep unwanted traffic from eating up internal LAN bandwidth (which is generally going to be higher than the outside pipe).

I agree with you, Phil. The key is, as you said, “given a correct firewall configuration”. When IPv6 rolls out here, I’d likely take advantage of it properly, as I can be pretty confident about having a correct firewall configuration, having used and programmed computers for a while.

An average Joe User might not have that confidence, though, and might only be using the web and email, though. They can’t be counted on to keep everything updated and properly configured. The “KISS” principle, “Keep It Simple Stupid”, would apply. Although, hopefully firewalls become even easier to use, so that EVERYONE has one (one can see Microsoft is now making a big push for folks to get them, to reduce the impact of their operating system exploits).

There’s a discussion on IPv6 NAT on the NANOG mailing list too, by the way. See:

http://www.merit.edu/mail.archives/nanog/2003-10/msg01484.html

and related posts.

A “correct firewall” will also deny by default, and provide the owner/operator/administrator with a simple tool to designate what services are to be open.  A user not smart enough to know he needs to turn services on to make the firewall “work” would most likely be using Windows.  The (optional) software would immediately come up stating that the firewall is “blocking everything ... what would you like to unblock?”.  Joe user won’t need to know port numbers because the DUI (dumb user interface ... but they won’t know it means that) will just say things like “Your web server?  To allow access to it, enter the IP address of it” in a basic control panel.  Smarter firewalls might include buttons like “Autoconfigure” which finds services and asks if they should be open or not (for most services).

NAT’s “security” is a side-effect, none of which cannot be gotten by other means, whether IPv4 or IPv6.  NAT could still have some occaisional justified uses even in the IPv6 realm.  A “correct firewall” starts with the firewall makers.  The problem has been that too many non-NAT firewalls were “everything permitted by default”, and that’s not correct.

Will we be able to get rid of NAT as IPv6 goes into wide deployment?  No.  Will firewall makers all do “the right thing”?  No.  But at least we can say “You no longer need NAT” and be correct in that statement.  Joe User might still have it for his home LAN because he knows no better (and his firewall maker doesn’t, either).  But those who use correct firewalls, or have the smarts to know how to change those we have to become correct, can successfully deploy NAT-less IPv6 connectivity and be as secure as the current state of the art allows.

I agree with you 100%. What really, really bothers me is that in the past 25 years of the PC revolution, computers are still so hard to use. Was it the same 25 years after the telephone was invented, or TV, or the automobile? I doubt it. Just like most folks don’t want to tinker with the engine of their car, most folks don’t want to be wasting so much time on their PCs getting it to ‘work’—they’d want to just turn it on, and have it work.

When most grandmothers are online, I think then we’ll know that the PC revolution has succeeded.

It should be noted that NAT is not required or recommended by the policies of any Regional Internet Registry.  On the contrary, the assignment of public address space by ISPs to their customer networks is fully supported by well-defined policies and procedures, and additional addresses are readily available to ISPs which consume their address space in this manner. 

It does appear that many ISPs choose not to make public addresses available to customers, for a variety of reasons of technical or business policy.  However such policies are adopted at the choice of the ISP concerned, and are not encouraged in any way by RIRs.

Paul Wilson
Director General, APNIC
www.apnic.net