Whether you’re really passionate about RPC, MQTT, Matrix or wayland, tell us more about the protocols or open standards you have strong opinions on!

      • cmnybo@discuss.tchncs.de
        link
        fedilink
        English
        arrow-up
        22
        arrow-down
        3
        ·
        8 months ago

        NAT is not for security, that’s what the firewall is for. Nobody can access your IPv6 network unless you allow access through the firewall.

            • ReversalHatchery@beehaw.org
              link
              fedilink
              English
              arrow-up
              1
              ·
              8 months ago

              If computers connect to others through the internet, the IPv6 address can reveal how many computers there are on the local network, and if certain traffic to different destinations are coming from the same computer, but also if one of the computers has gone offline but then resumes from sleep/hibernation.
              To me their comment means they want to avoid that, and I agree, I want to avoid that too. To fix these, I would need to configure NAT on my router for IPv6.

              Yes IPv6 address privacy extensions help somewhat, but

              • computers won’t use a different v6 address for every distinct destination, they will just start using a new one from time to time
              • computers won’t stop using the old v6 address immediately after wakeup

              With v4 addresses these did not really matter, because everything was being sent from the same public IP, and and outside observer could only see what a “network” is doing collectively. But with v6 an address identifies a computer, across websites/services. Even if it’s just for a "short’ time, even if the address is randomized.

              • frezik@midwest.social
                link
                fedilink
                arrow-up
                1
                ·
                8 months ago

                If you want privacy, you need some kind of VPN or onion routing. Even if everything you list were correct, the difference between IPv4 and 6 for privacy would be marginal.

                • ReversalHatchery@beehaw.org
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  8 months ago

                  I don’t think this is so black and white. I’m a regular tor user, but so often it’s not worth it to load webpages through a dial-up connection, and then there are the sites that block access for tor users for some reason.

                  Even if everything you list were correct

                  Which parts weren’t?

                  the difference between IPv4 and 6 for privacy would be marginal

                  I disagree

      • lemmyvore@feddit.nl
        link
        fedilink
        English
        arrow-up
        15
        arrow-down
        1
        ·
        8 months ago

        You’re thinking of a firewall. NAT is just the thing that makes a connection appear to come from an IP on the internet when it’s really coming from your router, and it’s not needed with IPv6. But you would not see any difference with IPv6 without it.

        • Dave.@aussie.zone
          link
          fedilink
          arrow-up
          1
          ·
          edit-2
          8 months ago

          You’re thinking of a firewall. NAT is just the thing that makes a connection appear to come from…

          That connection only “appears to come from” if I explicitly put a rule in my NAT table directing it to my computer behind the router doing the NAT-ing.

          Otherwise all connections through NAT are started from internal->external network requests and the state table in NAT keeps track of which internal IP is talking to which external IP and directs traffic as necessary.

          So OP is correct, it does apply a measure of security. Port scanning someone behind NAT isn’t possible, you just end up port scanning their crappy NAT router provided by their ISP unless they have specifically opened up some ports and directed them to their internal IP address.

          Compare this to IPV6 where you get a slice of the public address space to place your devices in and they are all directly addressable. In that case your crappy ISP router also is a “proper” firewall. Strangely enough it usually is a “stateful” firewall with default deny-all rules that tracks network connections and looks and performs almost exactly like the NAT version, just without address translation.

          • Domi@lemmy.secnd.me
            link
            fedilink
            arrow-up
            2
            ·
            8 months ago

            So OP is correct, it does apply a measure of security. Port scanning someone behind NAT isn’t possible, you just end up port scanning their crappy NAT router provided by their ISP unless they have specifically opened up some ports and directed them to their internal IP address.

            You end up just port scanning their crappy router on IPv6 as well because ports that are not opened are stuck at the firewall either way, no matter if you use IPv4 or IPv6.

            Just because every device gets a public IP does not mean that IP is publicly accessible.

            An advantage that IPv6 has against port scanning is the absurdly large network sizes. For example, my ISP gives me a /56 prefix, that is 4,722,366,482,869,645,213,696 IPv6 addresses. Good luck finding the used ones with the port open you need.

            Even with just a /64 prefix you get 18,446,744,073,709,551,616 addresses, way outside the feasibility of port scanning.

          • KillingTimeItself@lemmy.dbzer0.com
            link
            fedilink
            English
            arrow-up
            1
            ·
            8 months ago

            Compare this to IPV6 where you get a slice of the public address space to place your devices in and they are all directly addressable. In that case your crappy ISP router also is a “proper” firewall. Strangely enough it usually is a “stateful” firewall with default deny-all rules that tracks network connections and looks and performs almost exactly like the NAT version, just without address translation.

            realistically, it wouldnt surprise me if ISPs started NATing on residential IPV6 networks, just for the simplicity, but still allowed end users to assign their own IPs if they so pleased. Given the surge in shitty IOT devices, that’s probably a good thing for most people. Though a firewall would also accomplish this as well.

      • frezik@midwest.social
        link
        fedilink
        arrow-up
        2
        ·
        8 months ago

        No. Stop spreading that myth. NAT does fuck all for security. If you want a border gateway, you can just have a border gateway.