20 years ago I was a student, testing IPv6 at the UNH-IOL and we also thought it was right around the corner.
NAT has been so successful, that IPv6 is shocking to users who cannot even fathom why public traffic is being introduced to what was 'supposed' to be a private network.
Heh. A lot of folks don't remember the days before NAT, when people had public IPv4 on their desktop. I worked at a couple of ISPs and one early startup that was set up that way. No firewalls, either!
Here at several Dutch universities, the WiFi still hands out public IP addresses, sometimes with a firewall, often without. At the particular university I'm at right now, every device has a publicly reachable IPv4 address just as the system was originally intended.
This leads to some very peculiar traffic being routed around. For example, some kind of Logitech gaming driver is broadcasting a constant stream of packets with someone's PC stats to my publicly reachable desktop/server/laptop, because the software thinks it runs behind a trusted NAT. There's also a HUGE number of devices you can connect to if you open the Windows network overview because everyone clicked "home network" when Windows asked them what kind of network eduroam is supposed to be.
It's funny how scared people are when they realise they're not behind any strict firewall. They all know they shouldn't be disabling the firewall on their devices anyway, or so they claim, but this method of networking still instills fear into people as if NAT is a security measure (NAT slipstreaming works, NAT is not a firewall!).
Are there any security risks with using a public IP address though? I also use EduRoam at a Dutch university, should I treat it as sceptically as a coffee-shop WiFi? (Assuming it’s marked as a public network). Also, shouldn’t your university’s firewall stop such a Logitech driver sending data (if it’s an uncommon port)?
After reading up about public IP addresses I realised that my (Dutch) ISP has also provided me a public IP... and that the Netherlands has a lot more IP addresses per capita than most European countries.[1]
Most ISPs in Western countries will hand out public IPs because they were bought when they were cheap.
The danger associated with public IPs is not that high as long as you use software that binds to localhost instead of 0.0.0.0 for network services or use a firewall on your PC. The problem is that many software developers don't expect end user devices to be reachable from the internet so security practices are sometimes lax.
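The comment above turns on one question: which of your services are bound to every interface rather than to localhost? The following is an added example, not code from anyone in this thread, that audits `ss -ltn`-style output and flags the listeners a public address would expose. The sample output is constructed for the example; `live_listeners()` runs the real `ss` only where it exists.

```python
import ipaddress
import shutil
import subprocess

# Constructed sample of `ss -ltn` output (not captured from a real host):
# one service per line, mixing loopback, wildcard and IPv6 binds.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*
LISTEN  0       128     0.0.0.0:8080         0.0.0.0:*
LISTEN  0       128     [::1]:6379           [::]:*
LISTEN  0       128     *:22                 *:*
LISTEN  0       4096    [::]:3000            [::]:*
"""

WILDCARDS = {"*", "0.0.0.0", "::"}


def exposure(addr: str) -> str:
    """Classify a bound address by who can reach it."""
    bare = addr.strip("[]").split("%", 1)[0]  # drop IPv6 brackets and zone id
    if bare in WILDCARDS:
        return "all-interfaces"        # reachable on every address the host has
    if ipaddress.ip_address(bare).is_loopback:
        return "loopback-only"         # only processes on this machine
    return "specific-address"          # one interface; public if that interface is


def classify_listeners(ss_text: str):
    """Parse `ss -ltn`-style text into (address, port, exposure) tuples."""
    rows = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue                   # header line or something we don't care about
        addr, port = fields[3].rsplit(":", 1)
        rows.append((addr.strip("[]"), int(port), exposure(addr)))
    return rows


def exposed_ports(ss_text: str):
    """Ports that a public IP on this host would expose to the whole internet."""
    return [port for _, port, how in classify_listeners(ss_text) if how == "all-interfaces"]


def live_listeners():
    """Run the real `ss -ltn` if it is installed (Linux); return [] elsewhere."""
    if shutil.which("ss") is None:
        return []
    out = subprocess.run(["ss", "-ltn"], capture_output=True, text=True, check=False).stdout
    return classify_listeners(out)


if __name__ == "__main__":
    for addr, port, how in classify_listeners(SAMPLE_SS_OUTPUT):
        print(f"{addr}:{port}  {how}")
    print("internet-reachable with a public IP:", exposed_ports(SAMPLE_SS_OUTPUT))
```

On the constructed sample the only safe lines are the two loopback binds; the wildcard ones (8080, 22, 3000) are exactly the services that go from "private" to "on the internet" the moment the host gets a public address and has no host firewall.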
When I was at university in Cape Town, the IT department started rolling something like this out for the main campus network, but didn't necessarily tell everyone. I remember one day getting spammed emails from a compute cluster I managed because of failed root ssh logins and was totally confused how IPs from China were able to connect to a network I thought was internal/private to the university.
NAT (standard one to many SNAT) is absolutely a firewall. You can't connect to the machines behind it from outside, which serves the exact same purpose as a default deny inbound firewall.
This is a false meme right up there with "docker is not a security boundary".
That is not true. It is problematic in general but in some limited cases it is possible. For example, neighbors on the WAN network could just send packets with a dst address from your private LAN range directly to the WAN port of your router.
If the router is configured as both NAT (SNAT) and firewall, it will drop such a packet as not associated with any existing flow, but if it is just configured as SNAT, then such a packet would just be forwarded inside unmodified.
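The two comments above describe the difference between "SNAT only" and "SNAT plus a stateful default-deny" behaviourally; here is that difference as a small, added simulation (mine, not code from this thread or from any real router). Addresses are constructed from the documentation ranges; the toy `Router` keeps a translation table the way conntrack does, and `stateful` switches the inbound default-deny on or off.

```python
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("192.168.1.0/24")   # constructed private LAN behind the router
WAN_IP = "203.0.113.10"                         # constructed public address of the router
LAN_HOST = "192.168.1.20"                       # a host on that LAN
REMOTE = "198.51.100.5"                         # constructed internet server
WAN_NEIGHBOUR = "203.0.113.77"                  # constructed host on the router's upstream segment


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    iface: str   # interface the packet arrived on: "lan" or "wan"


class Router:
    """Toy one-to-many SNAT box.

    stateful=False models SNAT with no filter rules at all;
    stateful=True adds the default-deny inbound check against the
    translation table that a conntrack-based firewall performs.
    """

    def __init__(self, stateful: bool):
        self.stateful = stateful
        self.next_port = 40000
        self.flows = {}   # (wan_ip, wan_port, remote, rport) -> (lan_ip, lan_port)

    def handle(self, pkt: Packet):
        if pkt.iface == "lan":
            # Outbound: rewrite the source to the public address and remember the mapping.
            nat_port, self.next_port = self.next_port, self.next_port + 1
            self.flows[(WAN_IP, nat_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
            return "forward", Packet(WAN_IP, nat_port, pkt.dst, pkt.dport, "wan")

        # Inbound on the WAN side: is it the answer to a translation we created?
        entry = self.flows.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if entry is not None:
            lan_ip, lan_port = entry
            return "forward", Packet(pkt.src, pkt.sport, lan_ip, lan_port, "lan")
        if self.stateful:
            return "drop", None            # unsolicited inbound: default deny
        if ipaddress.ip_address(pkt.dst) in LAN:
            # Nothing to translate, so ordinary routing applies and the packet
            # reaches the LAN host untouched: the case the comment above describes.
            return "forward", pkt
        return "drop", None                # not ours and not routable here


def run(stateful: bool):
    """Return (verdict for a legitimate reply, verdict for an unsolicited WAN probe)."""
    r = Router(stateful)
    _, out = r.handle(Packet(LAN_HOST, 51000, REMOTE, 443, "lan"))
    reply_verdict, _ = r.handle(Packet(REMOTE, 443, out.src, out.sport, "wan"))
    probe_verdict, _ = r.handle(Packet(WAN_NEIGHBOUR, 33333, LAN_HOST, 22, "wan"))
    return reply_verdict, probe_verdict


if __name__ == "__main__":
    for mode in (False, True):
        reply, probe = run(mode)
        print(f"stateful={mode}: reply to our own connection -> {reply}, "
              f"unsolicited packet addressed to a LAN host -> {probe}")
```

In Linux terms, `stateful=False` is a box with only a `MASQUERADE`/SNAT rule and a FORWARD policy of ACCEPT, while `stateful=True` is the same box with a FORWARD chain that accepts from the WAN interface only `ct state established,related` and drops everything else. Both forward the reply to the LAN host's own connection; only the second refuses the packet a neighbour on the upstream segment addressed straight to the private range. The neighbour case additionally needs the upstream segment to route that private destination toward your router, which is why it is "limited cases" and not the common one.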
You can't easily connect to devices behind NAT but that's more of a restriction than a security measure. Once you can trick a device into making an outgoing connection, you can bypass a lot of security in most NAT implementations [0], allowing an attacker access to any port of the victim computer. A variant was also discovered and later hot-patched [1] that could even expose other devices in the internal network.
NAT was never designed to be a security boundary and should not be considered one. It's only a matter of time until the next NAT slipstreaming attack is discovered. That doesn't mean your computer is in some kind of immediate danger or that you should cut your internet cable right now, of course. It's just good to know what does and what doesn't work when it comes to your network security and why IPv6 changes very little.
In fact, I'd argue that most IPv6 routers are actually more secure than IPv4 NAT because incoming traffic will never be translated as if it came from your router like some NAT implementations do, and incoming traffic is usually always blocked. The lack of a need for parsing and interpreting network packets makes your firewall a lot easier to reason about.
Docker is not designed as a security boundary, but it does provide some security functionality if used correctly that would otherwise be a pain. Sticking something in a docker container and just running it as root is dangerous, but Docker makes it easy to apply strict, complex security measures, which is where its security bonus comes from.
NAT is the opposite; it's supposed to work like magic. That's why network protocols like UPnP were invented, not to automate firewall management, but to make application use transparent to the user.
I remember these days, and they were pretty ridiculous. One time I was playing Quake in middle school, talking some smack. Someone didn't like it and threatened to crash my computer. I didn't believe it. "Oh yeah, do it!" And they did. Got my IP from the server (the server listed users and their IPs) and bada-bing: BSOD! I was floored. I don't remember the exact Windows 95 exploit, but it was a staple for a while. It was nice when firewalls came out and you could at least have something between you and the Internet.
Just had a memory trip to the early 00s. Anyone remember the Windows Messenger Service alerts that would randomly pop up? It was such a common thing, and the only fix was to turn off the service altogether in Windows XP.
When I went to college in the mid 90's, we had a similar setup. All public IP, no firewalls, 10 megabit ethernet jacks in each dorm room. The entire school was on a single T1, however.