IPv6 Network details from ISP
-
@derelict
Like you may know, private networks are not routed in the WAN. So the only reachable point is the public address the NAT is configured to. That is the advantage.
If the server has a public IP then it is much easier to reach it somehow, even with a firewall in front, because if the attacker finds a way through this firewall the server will answer due to the public address. A private address may answer inside the LAN but will not be routed outside of the LAN.
-
If an attacker can find a way through the firewall they will be going through NAT too. No advantage gained.
You either block the traffic or you don't.
You either have another way into the network or you don't.
-
@derelict
That is so far correct, but you ignore the fact that private networks will not be routed in the WAN. That is the point with NAT: private networks can be used internally over and over again and so we save public addresses. I could almost securely connect a server with 192.168.0.10 directly to the WAN switch without the need to be scared that somebody from the WAN will access it, because they can't, since the packet from that network will be dropped immediately when it comes to the next publicly addressed router.
And that is definitely a "somehow" security advantage.
Otherwise please define for me the point of NAT other than the point that we are able to use private addresses reachable from the WAN? All this of course because there are too few IPv4 networks available.
-
@lin4fun said in IPv6 Network details from ISP:
That is so far correct, but you ignore the fact that private networks will not be routed in the WAN.
Once you've compromised NAT, you have access to everything behind it. While the packets from those private addresses might not be routed over the network, that's not the only way to attack systems behind the firewall. Again, tell me why a firewall that blocks all isn't as good as NAT.
BTW, I just started reading the book "The Cuckoo's Egg" again. I first read it almost 30 years ago. It's a good read that indicates how attackers can work their way around systems. Incidentally, at the time this story happened, I was a computer tech working on VAX 11/780 computers and others. I had an insider's view of the tech involved. Even my wife (a very non tech person) had some insight when reading that book, due to me showing her stuff at work.
-
@jknott said in IPv6 Network details from ISP:
Again, tell me why a firewall that blocks all isn't as good as NAT.
Who in hell said here that a blocking firewall isn't as good as NAT?
In addition to a firewall which is blocking all unwanted traffic, NAT can be an advantage for security reasons! For sure that's not why NAT exists, but it is an advantage. Of course, if a hacker wants to get into a system he will get in if he is a good one. Everything is hackable somehow!
BUT, another step in addition like NAT makes it harder and it may take a longer time, during which you could be warned and take action like in 1989, for example, just pull the plug! Another funny thing, I am from Hannover, Germany. The book sounds interesting and reminds me of a movie I saw a long time ago. But I have no idea what this has to do with this case or what your wife is understanding or not.
Regarding the VAX 11/780, I hope you learned a lot since. ;-) In that time, when I was a boy around 10 years old, I started with an Amstrad CPC-series Schneider CPC464 which is a universe ahead of the VAX I guess. Since I was born in the '70s, nobody can expect that I was playing around with transistors like the VAX is made of.
-
@lin4fun said in IPv6 Network details from ISP:
Who in hell said here that a blocking firewall isn't as good as NAT
A lot of people seem to think that NAT is a firewall. It isn't. It is the stateful nature of NAT that provides the protection, just like a stateful firewall.
Since I was born in the '70s, nobody can expect that I was playing around with transistors like the VAX is made of.
Perhaps you should update your knowledge of mini-computers. Every computer I ever worked on was built around integrated circuits, though there were still some transistor based systems around. However, I didn't work on them. The VAX and Data General Eclipse generation of computers had a CPU built around bit slice processors and used microcode to create the instruction set. I would occasionally work at the microcode level on the Eclipses. The Eclipse used the AMD2900 series and I believe the VAX did too. On the VAX, the microcode was loaded from floppy at boot up.
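As an added illustration of the point about stateful filtering (this is not part of jknott's post, nor a ruleset shipped by pfSense or any other project), here is a pf ruleset fragment that gives a directly routed IPv6 LAN the same "nothing unsolicited gets in" behaviour that the NAT state table gives an IPv4 LAN, using only a stateful default-deny policy. The interface names and the 2001:db8: prefix are assumptions for illustration.

```pf
# Added example: stateful default-deny for a directly routed IPv6 LAN.
# Interface names and the LAN prefix are assumptions for illustration.
ext_if = "em0"                        # WAN, global address from the ISP
lan_if = "em1"                        # LAN, delegated /64 from the ISP
lan_net = "2001:db8:1234:1::/64"      # documentation prefix standing in for the real delegation

set skip on lo0

# Default deny in both directions; every hole below is opened explicitly.
block log all

# IPv6 cannot work without neighbour discovery and router advertisements.
pass quick inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv, routersol, routeradv }

# LAN hosts may initiate anything outbound. The state entry created here is
# what lets the reply back in, which is exactly the job the NAT state table
# does for IPv4; no address translation is needed to get that behaviour.
pass in  quick on $lan_if inet6 from $lan_net keep state
pass out quick on $ext_if inet6 from $lan_net keep state

# Unsolicited inbound traffic to the LAN's global addresses hits the default
# block: the hosts are publicly addressed but not reachable. Anything that
# must be reachable is opened explicitly and logged, for example:
# pass in log quick on $ext_if inet6 proto tcp to 2001:db8:1234:1::10 port 443 keep state
```

The useful check after loading such a ruleset is to confirm from outside the LAN that a connection to a LAN host's global address times out while the same host can still reach the outside; if both succeed, a pass rule is broader than intended.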
-
@jknott
I am sure that you do not need to tell me something about electronics or special transistors or "mini-computers", whatever you mean by that, since one of my favorite jobs over the years was working at Texas Instruments and another chip producer I am not allowed to mention here. My favorite tool these days is the Cortex M4F which I am playing with (Teensy). Have a nice day, I need to keep on with more important things.
-
@lin4fun said in IPv6 Network details from ISP:
Otherwise please define for me the point of NAT other than the point that we are able to use private addresses reachable from the WAN? All this of course because there are too few IPv4 networks available.
That is a practical advantage - which IPv6 renders moot - not a security advantage. NAT also breaks some protocols which is a practical disadvantage.
-
@derelict said in IPv6 Network details from ISP:
NAT also breaks some protocols
Ah, yeah! Can we have FTP back?? Please? ^^
(sorry, couldn't resist)
-
@gertjan said in IPv6 Network details from ISP:
Ah, yeah! Can we have FTP back?? Please? ^^
How about VoIP or some games, where you need to use a STUN server to tell the devices what the real world address is for something hidden behind NAT. There's also IPsec authentication headers, which are broken by NAT. What if you want to run two servers, running the same protocol, behind NAT? Then you need to remap some port numbers.
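The "two servers, same protocol" case from the post above, as an added pf example (not from the thread and not a pfSense-generated configuration): with one public IPv4 address the second server can only be exposed on a remapped external port, while on IPv6 each server keeps its own address and its natural port. The interface name, the 192.168.0.0/24 LAN and the 2001:db8: addresses are assumptions.

```pf
# Added example: two HTTP servers behind a single public IPv4 address versus
# the same two servers on directly routed IPv6. Addresses are assumptions.
ext_if  = "em0"
lan_net = "192.168.0.0/24"
www1    = "192.168.0.10"
www2    = "192.168.0.11"

# --- IPv4: translation rules (pf requires these before the filter rules) ---
# Outbound masquerading for the whole LAN behind the WAN address.
nat on $ext_if inet from $lan_net to any -> ($ext_if)

# Only one public address exists, so the second server cannot also be on
# port 80 externally; clients have to know to use 8080 for it.
rdr pass on $ext_if inet proto tcp from any to ($ext_if) port 80   -> $www1 port 80
rdr pass on $ext_if inet proto tcp from any to ($ext_if) port 8080 -> $www2 port 80

# --- IPv6: no translation, each server is addressed directly ---
www1_v6 = "2001:db8:1234:1::10"
www2_v6 = "2001:db8:1234:1::11"

block log all
pass out quick on $ext_if keep state

# Both servers are reachable on port 80 at their own addresses; the firewall
# still decides what is exposed, it just no longer has to juggle port numbers.
pass in quick on $ext_if inet6 proto tcp from any to { $www1_v6, $www2_v6 } port 80 keep state
```

Note that the IPv4 half only works for protocols that carry no addresses inside the payload; the STUN and IPsec AH cases mentioned in the post are exactly the ones a port remap cannot fix, because the translated address or port no longer matches what the application layer or the integrity check expects.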