[AusNOG] IPv6 excuses

Mark Newton newton at atdot.dotat.org
Sun May 29 11:52:56 EST 2016


On 28 May 2016, at 1:13 PM, Peter Fern <ausnog at 0xc0dedbad.com> wrote:
>> Being behind a NAT doesn't protect devices. All it takes is a single
>> compromised machine.  The same applies to firewalls.  Each and every
>> device needs to protect itself.
> 
> Being behind NAT (or a CPE firewall) does protect insecure devices from
> providing additional pivots into the network though.  And, you know,
> stops the Internet from playing with people's 'smart' lights, watching
> their IP cams, etc.

You are simply wrong.
http://arstechnica.com/security/2016/01/how-to-search-the-internet-of-things-for-photos-of-sleeping-babies/

Being behind a NAT might protect you against classes of attacks that were
considered big deals back in Internet ancient history, but they don’t make
any realistic difference to anything on today’s internet.

You seem to have this belief that you can erect a countermeasure such as a
NAT, and the people doing the attacking will throw their hands up and say,
“Well, dammit, he’s installed a NAT now. We’re screwed. Oh well, let’s go
and play golf.”

No. What actually happens is that you put up a NAT in 2001, and by 2003 the
threat landscape moved on to other attack vectors, so whether you’re using a
NAT or not has been rendered irrelevant.

But meanwhile, you’re still sitting back here talking about NAT improving 
security as if it’s still 2001.

> You might argue that end users should deal with this themselves, but
> many end users are either incapable or uninformed, and if it's trivial
> to provide protection at the CPE with minimal impact, how is this a bad
> idea?

Is this seriously an excuse for not deploying IPv6? That IPv6 should not be
deployed because people on the IPv4 internet suffer application-based attacks?

O_o

  - mark
