this post was submitted on 24 Jun 2024
676 points (97.9% liked)

Programmer Humor

32479 readers
645 users here now

Post funny things about programming here! (Or just rant about your favourite programming language.)

Rules:

founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 6 points 4 months ago (1 children)

Obfuscation is not security

Yes, of course. But saying trite things like that doesn't get around the idea that giving out a map of the internal network by default isn't the best policy.

[–] [email protected] 1 points 4 months ago (1 children)

So instead we open up a bunch of other issues.

With CGNAT, governments still spy on individual addresses when they want. Since those individual addresses now cover a whole bunch of people, they effectively spy on large groups, most of whom have nothing to do with whatever they're investigating. At least with IPv6, it'd be targetted.

NAT obscurity comes at a cost. Its gain is so little that even a small cost eliminates its benefit.

[–] [email protected] 3 points 4 months ago* (last edited 4 months ago) (1 children)

Governments are not anyone's issue other than other governments. If your threat model is state actors, you're SOL either way.

Making it harder for everyone else is the goal, and to do that you need a swiss cheese model. Hopefully all the holes don't line up between the layers to make it that much harder to get through. You aren't plugging all the holes, but every layer you put on makes it a little bit harder.

And NAT is not just simple to set up, it's the intuitive base for the last 30 years of firewalls. I don't see where you get a cost from it. As I said, separating network spaces with it comes naturally at this point. Maybe that'll change, but I remember using routable IPV4 when it was it the norm, and moving to NAT made that all feel way more natural.

[–] [email protected] 4 points 4 months ago

Governments are not anyone’s issue other than other governments. If your threat model is state actors, you’re SOL either way.

That's a silly way to look at it. Governments can be spying on a block of people at once, or just the one person they actually care about. One is clearly preferable.

Again, the obscurity benefit of NAT is so small that literally any cost outweighs it.

I don’t see where you get a cost from it.

  • Firewall rules are more complicated
  • Firewall code is more complicated
  • Firewall hardware has to be beefier to handle it
  • NAT introduces more latency
  • CGNAT introduces even more latency
  • It introduces extra surface area for bugs in the firewall code. Some security related, some not. (I have one NAT firewall that doesn't want to setup the hairpin correctly for some reason, meaning we have to do a bunch of workarounds using DNS).
  • Lots of applications have to jump through hoops to make it through NAT, such as VoIP services
  • Those hoops sometimes make things more susceptible to snooping; Vonage VoIP, for example, has to use a central server cluster to keep connections open to end users, which is the perfect point to install snooping (and this has happened)
  • . . . and that centralization makes the whole system more expensive and less reliable
  • A bunch of apps just never get built or deployed en masse because they would require direct addressing to work; stuff like a P2P instant messenger
  • Running hosted games with two people behind NAT and two people on the external network gets really complicated
  • . . . something the industry has "fixed" by having "live service" games. In other words, centralized servers.
  • TLS has a field for "Server Name Indication" (SNI) that sends the server name in plaintext. Without going far into the details, this makes it easier for the ISP to know what server you're asking for, and it exists for reasons directly related to IPv4 sticking around because of NAT. Widespread TLS use would never have been feasible without this compromise as long as we're stuck with IPv4.

We forced decisions into a more centralized, less private Internet for reasons that can be traced directly to NAT.

If you want to hide your hosts, just block non-established, non-related incoming connections at your firewall. NAT does not help anything besides extending IPv4's life.