• 0 Posts
  • 1 Comment
Joined 8 months ago
cake
Cake day: April 6th, 2024

help-circle
  • NAT is just security by obscurity and actually not really security at all. What’s protecting you from incoming scans, etc is your network firewall. That firewall works just the same for IPv6. Blocking incoming traffic for your home network is usually the default setting in your ISP issued router anyway.

    Working as a network engineer, NAT in a large scale customer environment can quickly devolve into a clusterfuck. Many times we had week long reachability issues due to intermediate ISPs NATing unexpectedly.

    My nemesis is GCNAT, which adds another layer of NAT because some ISPs don’t have enough public IP space for all their customers to go around.

    I have a customer where their ISP just assigned one of their locations public IPv4 addresses. Neither the customer, nor the ISP owned that address space. Their logic was that this address space is registered on a different continent, so it’s basically fair game to use it themselves. Granted, they only route it internally for a MPLS network, but still…

    What I’m getting at is that NAT increases complexity and breaks properly routed end to end connections. Everyone kinda fucks up with NAT, especially ISPs (in my opinion anyway).

    I can really recommend the IPv6 study material from the major internet registries (took the v6 courses from RIPE NCC myself).

    IPv6 is so much simpler for subnetting, writing firewall rules,… IMO the addresses just look kinda clunky.