this post was submitted on 19 Jun 2024
314 points (85.5% liked)

Programmer Humor

19512 readers
315 users here now

Welcome to Programmer Humor!

This is a place where you can post jokes, memes, humor, etc. related to programming!

For sharing awful code theres also Programming Horror.

Rules

founded 1 year ago
MODERATORS
 

Today in our newest take on "older technology is better": why NAT rules!

you are viewing a single comment's thread
view the rest of the comments
[–] mholiv@lemmy.world 84 points 4 months ago (15 children)

I think it’s worth taking the time to learn IPv6 property. If you have a good understanding of IPv4 it shouldn’t take you more than an afternoon.

Eliminating NAT and just using firewall rules (ie what NAT does behind your back) is incredibly freeing.

I don’t get people complaining about typing out IPs. I like to give all of my clients full FQDNs but you don’t have to. Just using mDNS would be enough to avoid typing a bunch of numbers.

[–] FrostyCaveman@lemm.ee 30 points 4 months ago (14 children)

Maybe I have Stockholm Syndrome, but I like NAT. It’s like, due to the flaws of IPv4 we basically accidentally get subnets segmented off, no listening ports, have to explicitly configure port forwarding to be able to listen for connections, which kinda implies you know what you’re doing (ssshh don’t talk about UPnP). Accidental security of a default deny policy even without any firewalls configured. Haha. I’m still getting into this stuff though, please feel free to enlighten me

[–] domi@lemmy.secnd.me 18 points 4 months ago (9 children)

Anything connected to an untrusted network should have a firewall, doesn't matter if it's IPv4 or IPv6.

There's functionally no difference between NAT on IPv4 or directly allowing ports on IPv6, they both are deny by default and require explicit forwarding. Subnetting is also still a thing on IPv6.

If anything, IPv6 is more secure because it's impossible to do a full network scan. My ISP assigned 4,722,366,482,869,645,213,696 addresses just to me. Good luck finding the used ones.

With IPv4 if you spin up a new service on a common port it usually gets detected within 24h nowadays.

[–] Forbo@lemmy.ml 5 points 4 months ago* (last edited 4 months ago) (1 children)

I wouldn't rely on the size of the address space to provide security. It's possible to find hosts through methods other than brute force scanning. I remember seeing a talk from a conference (CCC? DEF CON? I can't remember) where they were able to find hosts in government IPv6 address space (might have been DOD?) through stuff like certificate transparency logs and other DNS side channels.

Man, I need to go find that talk now....

Edit: I don't think this is the one I saw previously but is in a similar vein: https://www.youtube.com/watch?v=AayifEqLbhI

[–] domi@lemmy.secnd.me 2 points 4 months ago* (last edited 4 months ago)

Will take a look at the talk once I get time, thanks. If you can find the original one you were talking about, please link.

For servers, there is some truth that the address space does not provide much benefit since the addressing of them is predictable most of the time.

However, it is a huge win in security for private internet. Thanks to the privacy extension, those IPs are not just generated completely random, they also rotate regularily.

It should not be the sole source of security but it definitely adds to it if done right.

load more comments (7 replies)
load more comments (11 replies)
load more comments (11 replies)