And I'm telling you:
- you DO NOT need to be on an unaddressable private address (192.x.y.z or fxxx:::) to not receive any traffic.
No shit. Then again, how many "average joe 6-pack" users get assigned anything bigger than a /32 (i.e. a single address) for IPv4, or anything at all for IPv6?
Around here, on our side of the pond?
Let me count:
- Most of the ISPs around here in Europe that I know of (Switzerland, France, Germany) provide IPv6.
Usually they are 6RD (rapid deployment), i.e. their network (fiber, xDSL, etc.) is still legacy IPv4,
but their router automatically establishes a 6to4 tunnel to the ISP's IPv6 access point.
Usually, most 6rd deployments offer a /60 or /56 prefix, so each (IPv6-enabled) device on the home network can get its very own 64-bit suffix based on the MAC address (and the router gets an extra 4 or 8 bits of headroom for its internal management).
So anyone plugging "the box" they've received from their ISP is automatically on IPv6.
And automatically getting sensible IPv6 packet filtering on said box (to go back to the subject of this discussion)
(And hopefully also getting sensible default passwords for admin and WiFi in the form of long random base32 strings printed on the back of the box.)
- Lots of 3G/4G wireless providers are moving to IPv6 (well, obviously: as 4G is a purely packet-switched network, IPv6 is more or less an unofficial requirement).
(Though usually, a smartphone will get a publicly addressable IPv4 and IPv6 on lots of networks. Not all though; some wireless providers are moving to NATed IPv4 and are publicly addressable only for the IPv6 prefix.)
(3G/4G to USB+WiFi routers work similarly to the above-mentioned xDSL/FTTH routers. They advertise a publicly accessible IPv6 prefix and provide packet filtering.)
- Most universities I've seen also provide both IPv4 and IPv6 (but usually provide publicly addressable IPs on both).
(Though not necessarily on the "eduroam" shared wireless network. It used to be IPv4 at some universities, and as of late, all the universities I've been to seem to be moving their eduroam to a separate, special IPv4-only subnet.)
(And, to go back to the current discussion, universities around here seldom do any filtering. As soon as you plug in your laptop, you start to see failed login attempts in your SSHD logs.)
- If you want your very own special IPv6 prefix, you can get one from SixXS over a 6in4 or AYIYA tunnel.
(But then again that's not average joe).
And with only a single globally routable address, you do NEED to be on an RFC1918 network.
Obviously this isn't the only way one can do NAT, but it's the only way joe sixpack's router does it.
Most users in non-backwater countries will get a 6rd publicly addressable IPv6 prefix, too.
The box they've received from their ISP and plugged into the wall will filter packets by default.
So please stop with this "NAT increases security".
And I'm telling you, the extra security provided to joe sixpack DOES come from the fact that he's being NATted, since he's still unreachable when any other packet filtering is disabled.
Yup. We've reached a conclusion.
We both agree that for security, you need packet filtering.
You need a "magic box" standing between the wild wide interweb and the home network that does this filtering.
Usually this box is the xDSL/Cable/FTTH/whatever router that the user has received from the ISP.
NAT'ing is one of the peculiar types of packet filtering that happens on this box, and it provides some form of security (simply because it's a type of packet filtering).
IPv6 by itself isn't usually subject to NAT'ing (not needed; nearly every deployment I've encountered, including at the homes of random non-techie users, gets a publicly addressable prefix), but it still isn't any less secure BECAUSE IT NEEDS TO GO THROUGH THE EXACT SAME MAGIC BOX (the router) THAT STILL DOES PACKET FILTERING NO MATTER WHAT (which happens *not* to be NAT in this exact context).
Joe Sixpack himself doesn't care; he just plugs in the "magic box" that he got from his ISP, painstakingly copies the overly long password from the sticker on the back of the magic box (while cursing why he isn't allowed to use "Passw0rd!" as a password. C'mon, there's even an uppercase letter and a number), or simply scans the QR code from the OLED mini-screen (for the latest generation of routers that have one for that purpose).
And for the record: *NO, PRIVATE ADDRESSES AREN'T INHERENTLY SECURE*.
There used to be a time when users connected to the wild wide interwebs over an Analog Modem (those screeching boxes that you used to plug into your computer's COM port), or later an ISDN Modem (no screeching, but basically the same). Back then, a computer thus connected was completely exposed to anything coming at it (Ah, the joys of a time when you could "winnuke" any computer on the net), and lots of software (FTP, IRC, direct file send in IM, P2P file sharing) counted on it.
So when xDSL arrived, I've seen lots of weird setups.
- xDSL *modem*, that plugs straight into the USB port of the computer, and the computer gets a public address just as in the days of Analog/ISDN connections.
And that also includes weird routers:
- Router with USB (as a network device) and a single Ethernet port,
that did hand out a private address over DHCP to the computer,
BUT THEN DID A 1:1 STRAIGHT MAPPING between the public IP address and the private address of the computer.
(What was the name of this already? "cone NAT" ?)
- Same as above, except that now the DHCP can hand out 3 other addresses (to plug in a networked printer?)
But still does straight 1:1 Mapping with the first address (printer doesn't need to have internet access at all, and the whole internet needs to be able to win-nuke the windows machine).
I still have such a useless piece of junk from ZyXEL collecting dust somewhere; it got used only a couple of hours, the time it took me to go buy something better.
So the reason current NAT'ing does security is because, in addition to employing private addresses, it does sensible packet filtering (blocks inbound traffic, allows on-demand outbound traffic for all parties, requires manual TCP-forwarding configuration or UPnP to allow inbound traffic), but there exist asinine ways to do insecure private addresses that actually used to exist in the wild.
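Added here as an illustration of the point made in this comment (it is not the poster's own code, and the thread contains none): a small Python model of the inbound decision the "magic box" makes. The addresses (documentation ranges plus an RFC1918 inside host), the port numbers and the three router shapes (stateful NAT44, a stateful IPv6 filter with no translation, and the old 1:1 static mapping) are constructed for the example. The verdict on an unsolicited inbound packet comes from the state table and the forwarding rules, not from whether the inside address is private, so the NAT-less IPv6 router and the NAT44 router agree, while the 1:1 box hands everything to the host.

```python
"""Model of a home router's inbound-filtering decision in three shapes.

Constructed example: addresses, ports and rule shapes are assumptions made
for illustration, not taken from any real router or from the thread.
"""

from dataclasses import dataclass

ACCEPT, DROP = "ACCEPT", "DROP"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class StatefulRouter:
    """Inbound is accepted only if it matches state created by an earlier
    outbound packet, or an explicit forwarding rule (manual port-forward or
    UPnP). 'translate' optionally rewrites the outside source address/port;
    with translate=None the router filters without NAT, i.e. the IPv6 case."""

    def __init__(self, translate=None, forwards=()):
        self.translate = translate
        self.forwards = set(forwards)   # (proto, dport) pairs opened on purpose
        self.flows = set()              # outside-facing 5-tuples of open flows

    def outbound(self, pkt):
        src, sport = pkt.src, pkt.sport
        if self.translate is not None:
            src, sport = self.translate(pkt.src, pkt.sport)
        # Remember the flow as it looks from the outside.
        self.flows.add((pkt.proto, src, sport, pkt.dst, pkt.dport))
        return Packet(src, sport, pkt.dst, pkt.dport, pkt.proto)

    def inbound(self, pkt):
        # A reply mirrors the outbound tuple: its dst is our outside src.
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return ACCEPT
        if (pkt.proto, pkt.dport) in self.forwards:
            return ACCEPT
        return DROP


class PortNat:
    """NAT44 source mapping: (inside addr, port) -> (public addr, ephemeral
    port), allocated on first use. Pure address rewriting; no policy here."""

    def __init__(self, public_addr, first_port=40000):
        self.public_addr = public_addr
        self.next_port = first_port
        self.table = {}

    def __call__(self, addr, port):
        if (addr, port) not in self.table:
            self.table[(addr, port)] = (self.public_addr, self.next_port)
            self.next_port += 1
        return self.table[(addr, port)]


class StaticOneToOneRouter(StatefulRouter):
    """The 'useless junk' case: the PC gets a private address, but every
    packet arriving at the public address is handed to it unconditionally.
    No state table is consulted, so the private address buys nothing."""

    def __init__(self, public_addr):
        super().__init__(translate=lambda addr, port: (public_addr, port))

    def inbound(self, pkt):
        return ACCEPT


def run_scenarios():
    """Same two inbound packets against each router: an unsolicited SYN to
    port 22 and a legitimate reply to a flow the inside host opened."""
    results = {}

    # Stateful NAT44: inside 192.168.1.10 behind public 203.0.113.5.
    nat = StatefulRouter(translate=PortNat("203.0.113.5"))
    out = nat.outbound(Packet("192.168.1.10", 51000, "198.51.100.80", 443))
    results["nat44"] = {
        "unsolicited_ssh": nat.inbound(Packet("198.51.100.7", 33333, "203.0.113.5", 22)),
        "reply_to_flow": nat.inbound(Packet("198.51.100.80", 443, out.src, out.sport)),
    }

    # Stateful IPv6 filter: globally routable inside address, no translation.
    v6 = StatefulRouter(translate=None)
    out6 = v6.outbound(Packet("2001:db8:1::10", 51000, "2001:db8:ffff::80", 443))
    results["ipv6_filter"] = {
        "unsolicited_ssh": v6.inbound(Packet("2001:db8:9::7", 33333, "2001:db8:1::10", 22)),
        "reply_to_flow": v6.inbound(Packet("2001:db8:ffff::80", 443, out6.src, out6.sport)),
    }

    # Old 1:1 static mapping: private address, but nothing is filtered.
    junk = StaticOneToOneRouter("203.0.113.5")
    outj = junk.outbound(Packet("192.168.1.10", 51000, "198.51.100.80", 443))
    results["static_1to1"] = {
        "unsolicited_ssh": junk.inbound(Packet("198.51.100.7", 33333, "203.0.113.5", 22)),
        "reply_to_flow": junk.inbound(Packet("198.51.100.80", 443, outj.src, outj.sport)),
    }

    # NAT44 with a deliberate port-forward (manual rule or UPnP) for tcp/22.
    fwd = StatefulRouter(translate=PortNat("203.0.113.5"), forwards=[("tcp", 22)])
    results["nat44_forward_22"] = {
        "unsolicited_ssh": fwd.inbound(Packet("198.51.100.7", 33333, "203.0.113.5", 22)),
    }
    return results


if __name__ == "__main__":
    for name, verdicts in run_scenarios().items():
        print(name, verdicts)
```

The same `inbound()` method decides for the NAT44 router and the IPv6 router; the only thing NAT adds is the address rewrite in `outbound()`, which plays no part in the accept/drop verdict.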