this post was submitted on 19 Jun 2024
315 points (85.6% liked)

Programmer Humor

19817 readers
65 users here now

Welcome to Programmer Humor!

This is a place where you can post jokes, memes, humor, etc. related to programming!

For sharing awful code theres also Programming Horror.

Rules

founded 2 years ago
MODERATORS
 

Today in our newest take on "older technology is better": why NAT rules!

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 9 points 6 months ago (2 children)

There is this notion that IPv6 exposes any host directly to the internet, which is not correct. When the client IP is attacked "directly" the attacker still talks to the router responsible for your network first and foremost.

While a misconfiguration on the router is possible, the same is possible on IPv4. In fact, it's even a "feature" in many consumer routers called "DMZ host", which exposes all ports to a single host. Which is obviously a security nightmare in both IPv4 and IPv6.

Just as CGNAT is a thing on IPv4, you can have as many firewalls behind one another as you want. Just because the target IP always is the same does not mean it suddenly is less secure than if the IP gets "NATted" 4 times between routers. It actually makes errors more likely because diagnosing and configuring is much harder in that environment.

Unless you’re aggressively rotating through your v6 address space, you’ve now given advertisers and data brokers a pretty accurate unique identifier of you. A much more prevalent “attack” vector.

That is what the privacy extension was created for, with it enabled it rotates IP addresses pretty regularily, there are much better ways to keep track of users than their IP addresses. Many implementations of the privacy extension still have lots of issues with times that are too long or with it not even enabled by default.

Hopefully that will get better when IPv6 becomes the default after the heat death of the universe.

[–] [email protected] 2 points 6 months ago

Since you can have multiple IPv6 addresses on one machine, you can use a rotating address for all outbound connections and a permanent address for inbound connections. If you visit a malicious website that tries to attack the IP that visits it, there will be no ports open. They would have to scan billions of addresses to find the permanent address. All of that scanning would be easily detected and blocked by an IDS.

[–] [email protected] 2 points 6 months ago

There is this notion that IPv6 exposes any host directly to the internet, which is not correct.

TP-Link routers used to actually do this. They didn't have an IPv6 firewall at all. In fact they didn't add an IPv6 firewall to their "enterprise-focused" 10Gbps router (ER8411) until October 2023.