item 43045948

dent9876543 | 1 year ago

That NAT is a problem presumes that we actually want our IoT devices reaching out to the out-of-intranet zone.

NAT gets the blame, and the intranet as a concept is generally a big corp term.

But I prefer my IoT devices not to need to reach out of my network. For me, NAT is an unwitting ally in the fight against such nonsense.


vollbrecht | 1 year ago

The mere existence of Tailscale should give a hint that NAT is only a speedbump and not any protection whatsoever. It protects you against nothing. Every method that Tailscale uses to traverse NAT can be in isolation used by any other piece of software. For more info about that you can read the following article.

https://tailscale.com/blog/how-nat-traversal-works

immibis | 1 year ago

What people really want is a firewall, and since NAT acts as a firewall, they confuse it with that.

My university has a public IP for every computer, but you could still only connect to the servers, not random computers, from the outside. Because they had a firewall.

phendrenad2 | 1 year ago

"not any protection whatsoever" is way too strong a statement. NAT does raise the bar to exploiting a random smart lightbulb in your house significantly higher.

kccqzy | 1 year ago

The big distinction is that for Tailscale both endpoints know they want to talk to each other, and that both have Internet access. That's not the usual case firewalls are designed for.

Tailscale doesn't strictly need NAT traversal. They can run only their DERP servers and still continue to work. If your firewall tries to block two devices from communicating and yet allows both devices internet access, you have already lost.

lxgr | 1 year ago

Sounds like you like the idea of a stateful firewall, and good news: There are stateful firewalls for IPv6!

They have all the upsides of NATs (i.e. an option to block inbound connections by default), with none of the downsides (they preserve port numbers, can be implemented statelessly, they greatly simplify cooperative firewall traversal, you can allow inbound connections for some hosts).

Spivak | 1 year ago

I found it weird that IPv6 folks are so against NAT as a cultural thing when it works perfectly well on IPv6. They're not fundamentally opposed.

I could have all of my servers in public subnets and give them all public IP addresses, but I still prefer to put everything I can in private. Not only does the firewall not allow traffic in, but you can't even route to them. It now becomes really hard to accidentally grant more access than you intended.

I would hazard that most devices on the internet are in the boat of wanting to talk to the internet but not be reachable on it.

rcxdude | 1 year ago

If you don't want that, then complain about lacking such a configuration and configure your firewall so that they can't. But don't cheer on something that's breaking functionality that others might want (especially if it doesn't actually achieve your own goals reliably).
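The two points made above, that a stateful firewall gives you the default-deny inbound behaviour people attribute to NAT while still letting you publish selected hosts, and that "my devices should not reach out" is a firewall policy rather than something NAT delivers, can be expressed in one ruleset. The following is an added example written for this thread, not something any commenter posted: an nftables ruleset for a home router with native IPv6 and no NAT. The interface names (eth0/eth1/eth2), the segment layout (a trusted LAN and an isolated IoT segment) and the published host address 2001:db8:1::10 are assumptions and placeholders.

```nftables
#!/usr/sbin/nft -f
# Added example: stateful IPv6 firewall on a home router, no NAT involved.
# Interface names and the published host address are placeholders.
flush ruleset

define WAN = "eth0"                 # upstream link (assumption)
define LAN = "eth1"                 # trusted clients (assumption)
define IOT = "eth2"                 # isolated IoT segment (assumption)
define PUBLISHED = 2001:db8:1::10   # the one LAN host allowed to accept inbound (placeholder)

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        # Replies to flows the router itself started: the same thing a NAT's
        # connection table gives you, with no address rewriting.
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept

        # IPv6 does not work without ICMPv6: neighbour discovery, router
        # advertisements and path-MTU signalling have to get through.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request, nd-router-solicit,
                      nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept

        # Router services are reachable from the inside networks only.
        iifname $LAN accept
        iifname $IOT udp dport { 53, 123 } accept   # IoT may use the router's DNS and NTP
        # Anything arriving on $WAN that is not a reply falls through to the drop policy.
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request } accept

        # Trusted LAN hosts may initiate connections anywhere.
        iifname $LAN accept

        # Inbound from the internet only to the one explicitly published host and port.
        # The destination address and port are the host's own; nothing is rewritten.
        iifname $WAN oifname $LAN ip6 daddr $PUBLISHED tcp dport 443 accept

        # IoT segment: no path to the internet and no path to the LAN.
        # The drop policy already does this; the explicit rules carry counters so
        # you can see what the devices keep trying to reach.
        iifname $IOT oifname $WAN counter drop
        iifname $IOT oifname $LAN counter drop
    }
}
```

Load it with `nft -f` on the router. The IoT devices end up exactly where the first comment in the thread wants them, unable to initiate anything outside their segment, and that is achieved by the forward chain's policy, not by address translation; the published host stays reachable on its real address, which is the case NAT handles only through port forwarding. Check the counters on the two IoT drop rules (`nft list chain inet filter forward`) after a day; they are the quickest way to see which devices are phoning home.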

dent9876543 | 1 year ago

Oh, I do that too.

But to your point about not cheering on NAT, well I will because I see NAT as a useful tool.

It is not an opinion well aligned with the preferences of the IETF. But the purist model of transparent end-to-end networking has never sat well with me. It’s just not a thing we want.

vv_ | 1 year ago

A telematics tracker in a vehicle that logistics companies use (e.g. Amazon, FedEx) is also considered an IoT device. I don't believe that the author is talking about Smart Home appliances exclusively.

kstrauser | 1 year ago

What NAT are you using that doesn’t have a firewall? I haven’t personally used one of those since the ‘90s.

kazinator | 1 year ago

The first NAT I used in the mid-'90s was IP Masquerading in the Linux kernel, by Pauline Middelink. That had a firewall.

bluGill | 1 year ago

I agree until I discover I'm doing something where I want to access/change that device. It is really nice when I'm returning home early that I can change my thermostat out of vacation mode. I've often wished I had a way to tell if I left a door unlocked.

Security and privacy are of course critical to all this, but the concept of the internet itself is not wrong.

craftkiller | 1 year ago

That's what a VPN is for. Every router I've had in the past decade has had support for running a VPN server so you can have one running 24/7 without any additional hardware. Even my retired elderly parents run a VPN server on their home router.

procaryote | 1 year ago

Especially if the data is unencrypted and only authenticated by source IP and a long-lived token-like thing.