Similarly, your comment is a good example of the anti NAT cargo cult mentality that people think is smart but really isn’t.
The reality is that NAT has greatly improved the security of the internet, because before NAT people were exposing everything, including services like Windows file sharing, to the internet. NAT enabled those people to use multiple devices in their home and in return prevented them from unwittingly hosting things to the internet, which causes them to be hacked and turned into bots that harass the rest of the internet. Yes, that still happens, but not at the scale it happened before everyone was behind a NAT perimeter. If you want to see what could happen, look up the SQL Slammer worm and imagine what could have happened if such a worm had targeted a service more common than SQL Server.
It’s really nice to be able to host things on a consumer connection but it requires thought and management that most consumers just can’t and won’t care to provide and the damage they can cause is not only to themselves but to the rest of the internet as well. This capability really is better off by default.
And as for all those handwavy ‘workarounds’ for the ‘cargo cult mentality’: you typically can’t tell everyone on your network how to manage their computer to ‘just have their services listen on the local address’, and you can’t ‘just change the defaults of all routers’. But NAT makes it impossible for the default to be wrong, and that is its great advantage.
Sure NAT has a lot of disadvantages and breaks the original idea of the internet with every host equally able to host services. But just as Postel’s law just doesn’t work out, every host being able to host services doesn’t work out. Because the internet is not a playground full of friendly colleagues and hasn’t been for a long time. It’s a war zone that requires strong, watertight defenses by default. And if you’re smart and careful enough to safely host a service to the internet, surely you can manage to forward a port.
Slammer (and other worms) propagated heavily despite NAT. If anything NAT made it worse, because once a single internal host got infected the worm then had a predictable and well known address space to scan for other devices it could infect.
NAT created a false sense of security, while also breaking a lot of other things. It is quite easy for the defaults to be wrong; you can end up with all kinds of unexpected scenarios which make internal hosts reachable. E.g. outbound traffic could open up inbound traffic on the same port from any source, not just the one initially communicated with; UPnP can result in ports being opened; NAT slipstreaming attacks are another possibility; not to mention the fact that "not routable" and "there is no route" are two different things: someone who is on an adjacent network to your WAN interface (i.e. other customers of the same ISP) can easily direct traffic to your internal address space.
What reduced external attacks was not NAT, it was improved defaults, such as Windows including a software firewall which blocks inbound connections by default, and Unix-based systems no longer shipping with a large number of services (telnet, rpc, finger etc.) enabled by default.
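An added example, not written by any commenter in this thread: a small Python model of the two NAT filtering behaviours the comment above contrasts, in RFC 4787 terms endpoint-independent filtering (the "full-cone" case, where one outbound flow makes the mapped port reachable from any external source) versus address-dependent filtering. The addresses and the DNS lookup scenario are constructed from documentation ranges; the `Nat` and `Packet` classes are hypothetical and model only the mapping table, not a real router.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: tuple  # (ip, port)
    dst: tuple  # (ip, port)


class Nat:
    """Toy NAT with one public address. `filtering` is 'endpoint_independent'
    (the full-cone case) or 'address_dependent' (RFC 4787 terminology)."""

    def __init__(self, public_ip, filtering):
        self.public_ip = public_ip
        self.filtering = filtering
        self.next_port = 40000
        # public port -> (internal (ip, port), set of external IPs it has talked to)
        self.bindings = {}

    def outbound(self, pkt):
        """Create or reuse the mapping for pkt.src; return the public port used."""
        for pub_port, (internal, peers) in self.bindings.items():
            if internal == pkt.src:
                peers.add(pkt.dst[0])
                return pub_port
        pub_port = self.next_port
        self.next_port += 1
        self.bindings[pub_port] = (pkt.src, {pkt.dst[0]})
        return pub_port

    def inbound(self, pkt):
        """Return the internal endpoint the packet reaches, or None if it is dropped."""
        if pkt.dst[0] != self.public_ip or pkt.dst[1] not in self.bindings:
            return None  # no mapping at all: unsolicited traffic is dropped either way
        internal, peers = self.bindings[pkt.dst[1]]
        if self.filtering == "endpoint_independent":
            return internal  # the hole is usable by any external source
        return internal if pkt.src[0] in peers else None


def demo(filtering):
    """One LAN host queries a DNS server; then the server, a stranger on the
    mapped port, and a stranger on an unmapped port all send packets back."""
    nat = Nat("203.0.113.5", filtering)  # constructed documentation-range addresses
    lan_host = ("192.168.1.10", 51515)
    pub_port = nat.outbound(Packet(lan_host, ("198.51.100.7", 53)))
    from_server = Packet(("198.51.100.7", 53), ("203.0.113.5", pub_port))
    from_stranger = Packet(("198.51.100.99", 4444), ("203.0.113.5", pub_port))
    unsolicited = Packet(("198.51.100.99", 4444), ("203.0.113.5", 22))
    return nat.inbound(from_server), nat.inbound(from_stranger), nat.inbound(unsolicited)
```

Only the unmapped port is dropped in both modes; whether the stranger's packet to the mapped port reaches the LAN host depends entirely on the filtering default the router ships with.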
Consumer routers with IPv6 support don't allow unsolicited inbound traffic by default. Good luck scanning an IPv6 block in any case.
Slammer and other worms scanned sequential legacy IP addresses, including the well known and predictable RFC1918 space. This method simply couldn't work with IPv6 because the address space is too large, you would be flooding out huge amounts of traffic for years on end before you happened to hit upon an active device.
Once an unreachable host magically got infected, it scanned the entire IP address space but hey, it was worse because some hosts were in a predefined part.
NAT is bad because somehow magically a machine with an unroutable address can become routable. Because magically UPnP forwards every protocol in existence, not only a select group of programs that explicitly support it. And of course a connection opening up a theoretical hole to a specified host is just as bad (actually worse!) as opening it up to the whole internet.
Yet all routers have the right defaults and nobody ever makes a mistake. Oh, and there are so many addresses it’s so obscure it’s secure, and no one would guess to scan one’s own subnet in the absence of NAT.
These arguments are really grasping for straws, mostly nonsensical and the rest describes attacks so impractical they are pretty much impossible to carry out and are so much harder than simply sending a thousand emails with a link to an executable that pretty much nobody ever bothers.
Note I never said that IPv6 is worse; I said that NAT has relevant advantages and mostly irrelevant disadvantages. I really don’t care that FTP doesn’t work with NAT.