[lacnog] A Disaster for IPv6 - Brought by Fortinet

Carlos Martinez-Cagnazzo carlos at lacnic.net
Tue Jun 9 10:20:45 -03 2026


Hi!

On 6/8/26 7:26 PM, Fernando Gont wrote:
> Hi, Carlos,
>
> On 08/06/2026 17:15, Carlos Martinez - Cagnazzo wrote:
>>
> The argument of "NAT is not a security technology" is an old one -- 
> and, IMO, a discussion that never made sense.
An old one, but still a relevant one. And yes, it makes a lot of sense, since 
it sends a message to less technical folk. Not you or me, but the wider 
public lives under a false sense of security.
>
> At the end of the day, NAT is a technology that does make the life of 
> an attacker harder. Network topology information is typically of use 
> to an attacker -- and NATs do hide it.  OTOH, a NAT results, as a side 
> effect, in a diode-like firewall -- a policy that also makes the life 
> of an attacker harder.
It depends on which side of the NAT the attacker is on. If he/she is on 
the public side, my opinion would be a qualified "maybe". If the 
attacker is on the private side, well, NAT is a wonderful hiding tool 
that actually makes his/her life *a lot easier*. If we are talking about a 
multi-layer CGN, even better.
>
>
> Discussions of the kind of "Oh! But the resulting filtering policy 
> doesn't have to do with NAT itself, but is actually a side effect" 
> seem more like the kind of philosophical debates one would have over a 
> glass of wine (for the sake of debating), than one of any practical 
> implication. :-)

No, it is not a philosophical debate. It's an actual operational 
consideration. Public addresses on both sides of a firewall do not mean 
there is no stateful firewall in operation. This is also true for IPv4. 
During the ramp-up to a few LACNIC meetings we have met people who 
actually believe _it was not possible_ to have public IPv4 addresses on 
both sides of a stateful firewall.

This is the kind of damage NAT does, not only technically, but to the 
operational ability of well-intentioned folk.

>
>
>
>> Someone mentioned the ability of protocols like UPnP to punch holes 
>> in NAT as a "good thing". I honestly believe it is a terrible idea, 
>> and that it always has been, a sad example of the things we've been 
>> forced to accept in this IPv4 port-translated Internet. 
>
> Again, it's a tool/mechanism. In some scenarios it might be a good 
> thing, in others it might not. In an Enterprise or managed network, 
> it's possibly a bad idea. In an unmanaged network, it's definitely 
> orders of magnitude better than simply assigning global addresses to 
> all devices and simply allowing all incoming connections.
>
It seems to me that there is a significant cognitive dissonance here. On 
one hand we are afraid of some yet-to-be-found issues with IPv6, but we 
are OK with a 10 USD camera punching holes through a firewall. I think 
our collective risk perception here is not right.

/Carlos
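The operational point made above, that a stateful "diode" policy does not depend on address translation at all, can be shown with a toy connection-tracking filter. The following is an added example and is not code from the original post or from the LACNOG list; it models the inside network with globally routable addresses (constructed from the RFC 5737 and RFC 3849 documentation ranges), tracks flows opened from the inside, lets only their return traffic back in, and drops unsolicited inbound packets, with no NAT anywhere. The same policy is applied to IPv4 and IPv6 flows. State timeouts and TCP flag validation, which a real firewall performs, are deliberately omitted.

```python
"""Stateful 'diode' filtering with public addresses on both sides (no NAT).

Added example, not part of the original post. Addresses are constructed
from documentation prefixes: 203.0.113.0/24 and 2001:db8:1::/48 are the
'inside' network, 198.51.100.0/24 and 2001:db8:2::/48 play the outside.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple

# The inside network uses globally routable addresses: nothing is translated.
INSIDE_PREFIXES = [ipaddress.ip_network("203.0.113.0/24"),
                   ipaddress.ip_network("2001:db8:1::/48")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"
    syn: bool = True  # True = this packet tries to open a new connection


FlowKey = Tuple[str, str, int, int, str]


class DiodeFirewall:
    """Allow flows initiated from inside; allow only their replies back in."""

    def __init__(self, inside_prefixes) -> None:
        self.inside = inside_prefixes
        self.established: Set[FlowKey] = set()  # minimal conntrack table

    def _is_inside(self, addr: str) -> bool:
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in self.inside)

    def filter(self, pkt: Packet) -> str:
        key: FlowKey = (pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto)
        reverse: FlowKey = (pkt.dst, pkt.src, pkt.dport, pkt.sport, pkt.proto)
        # Packet belongs to a flow we already track (either direction).
        if key in self.established or reverse in self.established:
            return "accept-established"
        src_in, dst_in = self._is_inside(pkt.src), self._is_inside(pkt.dst)
        # New flow from inside to outside: accept and start tracking it.
        if src_in and not dst_in and pkt.syn:
            self.established.add(key)
            return "accept-new-outbound"
        # Anything else reaching the inside unsolicited is dropped,
        # for IPv4 and IPv6 alike, without any address translation.
        return "drop-unsolicited"


def run_demo() -> List[str]:
    """Run a constructed packet sequence through the filter; return verdicts."""
    fw = DiodeFirewall(INSIDE_PREFIXES)
    packets = [
        # IPv4: inside host opens an HTTPS connection to the outside.
        Packet("203.0.113.10", "198.51.100.5", 40001, 443),
        # IPv4: the server's reply to that connection.
        Packet("198.51.100.5", "203.0.113.10", 443, 40001, syn=False),
        # IPv4: unsolicited SSH attempt from outside against the inside host.
        Packet("198.51.100.7", "203.0.113.10", 5555, 22),
        # IPv6: same three steps, same policy, same outcome.
        Packet("2001:db8:1::10", "2001:db8:2::5", 40002, 443),
        Packet("2001:db8:2::5", "2001:db8:1::10", 443, 40002, syn=False),
        Packet("2001:db8:2::9", "2001:db8:1::10", 5555, 22),
    ]
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

Note that the inside host's address (203.0.113.10) is exactly what the outside sees, so the topology-hiding effect of NAT is absent, yet the "diode" policy is fully intact: that policy is a property of the stateful filter, not of the translation.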



More information about the LACNOG mailing list