Author Topic: Complexity of USB stack vs. TCP/IP stack  (Read 8343 times)


Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26906
  • Country: nl
    • NCT Developments
Re: Complexity of USB stack vs. TCP/IP stack
« Reply #25 on: July 21, 2016, 09:05:40 pm »
Video conferencing and gaming work without needing a fixed IP address. They solved that problem years (>decade) ago because you simply can't rely on people having a fixed IP address. Even IF people have some sort of fixed IP address it can change when they reset their modem or change providers. The only things on internet which need a fixed IP address are servers.
Well, no, not exactly... First off, are you talking about private IPs (the ones used inside your LAN, like 192.168 and 10.0)? Or public IPs (the one that *should* be globally routable and unique to you).

If you're talking about public IPs, I never said you needed a static IP address. Dynamic works just fine. (Also, no, a fixed (static) IP will never change, even when they reset their modem. That's the entire point! A dynamic IP can change when you reset your modem, or even when the DHCP lease expires.)

The issue I raised has nothing to do with that. The issue is about TCP/UDP ports, and how to correctly route them when you have more than one device using a single public IP. This was solved about a decade ago, with things like NAT-PMP (Network Address Traversal-Port Mapping Protocol) and UPnP (Universal Plug and Play).

This is called "double NAT" and it's bad. The only way around this is with IPv6, which would allow each device on your LAN to have its own public IP address, allowing us to do away with NAT and port forwarding all together.
AFAIK UPnP has already been abandoned / not recommended for being unsafe. The ISP I'm using has always disabled UPnp in their routers by default and I'm not sure the most recent models even support it. The reality is that you don't need things like NAT-PMP or UPnP. All modern software works without those because most people don't know how to configure their router or are in a (semi) enterprise environment where reconfiguring something on a router takes weeks.

Sure there are ways around it but when making gadgets which just need to work you don't want to rely on people having a publicly routable IP address or certain features enabled in their internet access. And this also leads to where IPv6 support can be low on the list. BTW a big problem with IPv6 is that it uses (may use) the MAC address of the ethernet interface for the IPv6 address. MAC addresses aren't unique (a very stubborn myth!) and can also be used to identify traffic from a certain device which could make it easier for an attacker to identify (filter) certain traffic.

The same goes for having directly routable IPV6 addresses to devices. With NAT you have to be very lucky to get a response from a device because it has to have an open connection at the time of attack. Without NAT you can attack a device directly on all ports (services it provides to the network) whether they are connected or not. People have been saying NAT is bad but the reality is that it works for billions of devices and performance doesn't seem to be a problem. Maybe NAT is bad from a technical point of view but security wise NAT does offer a first layer of protection by not exposing a device to raw internet directly.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline timb

  • Super Contributor
  • ***
  • Posts: 2536
  • Country: us
  • Pretentiously Posting Polysyllabic Prose
    • timb.us
Complexity of USB stack vs. TCP/IP stack
« Reply #26 on: July 22, 2016, 01:24:27 am »
AFAIK UPnP has already been abandoned / not recommended for being unsafe. The ISP I'm using has always disabled UPnP in their routers by default and I'm not sure the most recent models even support it. The reality is that you don't need things like NAT-PMP or UPnP. All modern software works without those because most people don't know how to configure their router or are in a (semi) enterprise environment where reconfiguring something on a router takes weeks.

You really don't know what you're talking about... While UPnP is an old, mostly obsolete standard, NAT-PMP isn't. The whole reason that modern software "just works" is *because of* protocols like NAT-PMP! The whole point behind that is so that people *don't* have to manually configure their routers...

Sure there are ways around it but when making gadgets which just need to work you don't want to rely on people having a publicly routable IP address or certain features enabled in their internet access. And this also leads to where IPv6 support can be low on the list. BTW a big problem with IPv6 is that it uses (may use) the MAC address of the ethernet interface for the IPv6 address. MAC addresses aren't unique (a very stubborn myth!) and can also be used to identify traffic from a certain device which could make it easier for an attacker to identify (filter) certain traffic.

For TCP/IP to work as intended, you need a publicly routable IP address. Period. I have no problem with people using NAT on their local networks, but when your ISP is giving you a non-public IP and routing you through a second NAT layer, it breaks all sorts of things. I've seen it first hand. If you don't believe me, head on over to the DSLReports forums and look at some of the threads on the topic. It breaks everything from BitTorrent to FaceTime to Xbox Live!

Also, I don't know where you got the idea that IPV6 uses your MAC address as your IP address, but it doesn't. (Though, if you're assigned a /64, there is an "auto discovery" protocol similar to DHCP that can assign the last few pair of digits based on your MAC address. However, this behavior is up to the particular IPv6 stack you use, and your auto-assigned address can be randomized. iOS and OS X devices do said randomization to prevent any sort of tracking.)

The same goes for having directly routable IPV6 addresses to devices. With NAT you have to be very lucky to get a response from a device because it has to have an open connection at the time of attack. Without NAT you can attack a device directly on all ports (services it provides to the network) whether they are connected or not. People have been saying NAT is bad but the reality is that it works for billions of devices and performance doesn't seem to be a problem. Maybe NAT is bad from a technical point of view but security wise NAT does offer a first layer of protection by not exposing a device to raw internet directly.

This is not at all true. Even with IPv6, you can turn on the Firewall in your router, which should close down all incoming ports. Then, if a device needs that port open for incoming traffic, it can send an outbound packet on that specific port first, essentially "punching through" the firewall. It has the same effect as NAT-PMP.

I never said NAT is bad. It's fine! It's allowed us to stretch IPv4 out for a lot longer than originally thought possible. I have no problem with that... My problem is with an ISP running NAT internally to share a single IPv4 address with multiple customers.

The simple fact is, we can't do that and we've run out of IPv4 space, so, like it or not, we'll all be forced to transition to IPv6 in the next few years, end of story.

TL;DR: NAT = OK, DOUBLE NAT = BAD
« Last Edit: July 22, 2016, 01:26:24 am by timb »
Any sufficiently advanced technology is indistinguishable from magic; e.g., Cheez Whiz, Hot Dogs and RF.
 
The following users thanked this post: Zbig
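The point timb makes above about the "auto discovery" address (SLAAC with a modified EUI-64 interface identifier) versus a randomized one is easy to see in code. The following is an added example, not code from the thread or from any poster: it derives the interface identifier from a MAC address the way RFC 4291 Appendix A describes, combines it with two different /64 prefixes, and shows that the low 64 bits stay identical across networks, which is exactly the tracking handle that privacy extensions (RFC 4941, in the spirit of which `random_iid` works) remove. The MAC address and prefixes are constructed sample values.

```python
"""Modified EUI-64 interface identifiers vs. randomized ones (added example).

Shows why an IPv6 address built from the MAC address follows a device from
network to network, and what the privacy-extension style random identifier
does instead. All addresses below are constructed sample values.
"""
import ipaddress
import os


def mac_to_modified_eui64(mac: str) -> bytes:
    """Derive the 64-bit interface identifier (IID) from a 48-bit MAC.

    RFC 4291 Appendix A: split the MAC after the OUI, insert 0xFFFE, then
    flip the universal/local bit (0x02 of the first octet).
    """
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address like aa:bb:cc:dd:ee:ff")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def random_iid() -> bytes:
    """Randomized IID in the spirit of RFC 4941 temporary addresses.

    64 random bits with the universal/local bit cleared, so the result cannot
    be mistaken for (or mapped back to) a globally unique MAC.
    """
    iid = bytearray(os.urandom(8))
    iid[0] &= 0xFD  # clear the 0x02 bit
    return bytes(iid)


def slaac_address(prefix: str, iid: bytes) -> str:
    """Combine a /64 prefix with an 8-byte IID into a textual IPv6 address."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    if len(iid) != 8:
        raise ValueError("IID must be 8 bytes")
    return str(ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big")))


def iid_of(address: str) -> bytes:
    """Return the low 64 bits of an IPv6 address as bytes."""
    return int(ipaddress.IPv6Address(address)).to_bytes(16, "big")[8:]


def looks_like_eui64(address: str) -> bool:
    """Defender-side heuristic: a modified EUI-64 IID carries 0xFFFE in bytes 3-4."""
    return iid_of(address)[3:5] == b"\xff\xfe"


def same_interface(addr_a: str, addr_b: str) -> bool:
    """True when two addresses on different prefixes share the same IID,
    i.e. the host can be correlated across networks by its address alone."""
    return iid_of(addr_a) == iid_of(addr_b)


def demo() -> dict:
    """Build the same host's address on two sample networks, EUI-64 vs random."""
    mac = "00:1b:21:3c:4d:5e"                     # constructed sample MAC
    home, office = "2001:db8:1::/64", "2001:db8:2::/64"  # constructed sample prefixes
    eui = mac_to_modified_eui64(mac)
    a_home, a_office = slaac_address(home, eui), slaac_address(office, eui)
    r_home, r_office = slaac_address(home, random_iid()), slaac_address(office, random_iid())
    return {
        "eui64_home": a_home,
        "eui64_office": a_office,
        "eui64_trackable": same_interface(a_home, a_office),   # True
        "random_trackable": same_interface(r_home, r_office),  # False (with overwhelming probability)
        "eui64_detectable": looks_like_eui64(a_home),          # True
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:18} {value}")
```

The `looks_like_eui64` check is the kind of thing a network defender can run over NetFlow or DHCPv6/NDP logs to find hosts that still advertise their hardware address in their IPv6 address; on those hosts the fix is to enable temporary addresses (or stable-privacy addresses) in the OS rather than to change anything on the router.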

Offline Zbig

  • Frequent Contributor
  • **
  • Posts: 927
  • Country: pl
Re: Complexity of USB stack vs. TCP/IP stack
« Reply #27 on: July 24, 2016, 09:14:56 pm »
NAT is a dirty kludge and not a security measure. Saying that NAT is good for security is like saying that missing one leg is good for your health as you're not able to run too fast and hurt yourself. And I will keep my publicly routed IP address, nctnico because I do need it, thank you very much. As timb said more than once, firewall is what you want for security, not a bloody NAT. In my Asus router's firmware, IPv6 firewall is enabled by default and is whitelist-based, i.e. all unsolicited incoming traffic is blocked by default unless permitted explicitly.
 

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26906
  • Country: nl
    • NCT Developments
Re: Complexity of USB stack vs. TCP/IP stack
« Reply #28 on: July 24, 2016, 10:39:59 pm »
NAT is a dirty kludge and not a security measure. Saying that NAT is good for security is like saying that missing one leg is good for your health as you're not able to run too fast and hurt yourself. And I will keep my publicly routed IP address, nctnico because I do need it, thank you very much. As timb said more than once, firewall is what you want for security, not a bloody NAT. In my Asus router's firmware, IPv6 firewall is enabled by default and is whitelist-based, i.e. all unsolicited incoming traffic is blocked by default unless permitted explicitly.
Like timb you are missing the point completely. Over 20 years of experience with networking, security and IP enabled gadgets have made me very skeptical about security and interoperability. Sure a network 'expert' can configure his router but the average user is completely lost and doesn't want to be bothered with configuring a router. If you look up information about UPnP and NAT-PMP you'll see a comment about both being unsafe because both protocols allow strangers to access/scan the network behind the router/firewall. Also notice the comments about dodgy/incomplete implementations. There is a reason the router I (recently) got from my ISP (one of the biggest telecom operators in the NL!) doesn't support NAT-PMP and has UPnP disabled by default. The router also doesn't support IPv6 so I guess a multi billion dollar company is stupid for not seeing the benefits of IPv6.

I also don't see IPv6 as a solution for the near future. It is too new and a lot of security related issues have to be ironed out. IPv6 actually makes things worse because IPv6 has been naively designed to have all devices connected to a publicly routed address. Rule number one is that you don't want anything accessible from the internet directly. A technical person will instantly Pavlov into 'put a firewall in between and all your problems are solved'. But ask yourself this: say you make an IP enabled gadget which needs internet access and you sell 10.000 pieces. Who is going to configure 10.000 firewalls (routers)? Who is going to sit behind the helpdesk and talk to angry customers with a non-working device because their router needs configuring? Who is going to create step-by-step instructions for each router a customer may have? And what will ordinary users do anyway? That was a rhetorical question: they will disable their firewalls altogether because they really don't want to bother themselves with stuff that doesn't work. They are totally oblivious to the fact they open their internal networks to all worms and malware available. I hope this makes clear that simply putting a firewall in between with a whitelist isn't going to work for a commercially viable device. Whitelisting also requires maintenance because what if the server gets relocated or servers are added (load balancing)? Who is going to inform all the users in a timely manner?

Technical people keep insisting NAT is a dirty kludge but the proof is always missing. After all anecdotal evidence is what it is; if NAT were really that bad it would have been replaced ages ago by something better. Bandaids like UPnP and NAT-PMP have proven to be security nightmares which you don't want. For kicks I tried downloading a torrent (Debian Linux) through a double NAT and it works just fine (as expected). I never hear my kids complain their online games on their various game consoles don't work due to NAT either. The thing is that NAT is the most common way to allow devices from inside the network to access internet without the devices being accessible from the outside (except for devices/processes which expect network traffic) which provides a simple but effective layer of security (note: most routers offer additional protection against other attacks on their internet connected interface). Just like VHS, NAT became the de facto standard and NAT has been around for 20 years so interoperability problems are unlikely to happen.

So how do you create an internet connected gadget which works out of the box and doesn't create a service and maintenance nightmare? The answer is simple: design your IP enabled gadget and server software in a way they will work with multiple NAT translations in between. Facebook, Whatsapp, etc can do it... Only worry about IPv6 when customers start asking for it. That will be soon enough (and that point is probably more than a decade away).
« Last Edit: July 24, 2016, 10:42:05 pm by nctnico »
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline timb

  • Super Contributor
  • ***
  • Posts: 2536
  • Country: us
  • Pretentiously Posting Polysyllabic Prose
    • timb.us
Complexity of USB stack vs. TCP/IP stack
« Reply #29 on: July 24, 2016, 11:45:41 pm »
nctnico, you keep digging the hole deeper and deeper... Just admit you're wrong and move on!

You say IPV6 is "too new", which isn't remotely true; it's nearly a *twenty year old* standard now! Every major OS, router and device made in the last 10 years has a working, mature IPV6 stack...

Fun Fact: IPV6 (1998) is older than NAT (1999)! So, if IPV6 is a "new" standard that's "full of security holes and bugs", then so is NAT!

The only way in which NAT-PMP can be exploited is if you *download* and *install* a piece of malware, which then (being on your local network) can set up any port forwarding it wants. Do you know how to stop that? Enable your firewall on the router. Even with NAT-PMP off, a virus could still set up port forwarding by directly accessing the router's configuration page. How many people really change the "default" password? If you can change the password, you can turn on the firewall.

The "average user" very much can configure their own router. I once wrote a "how-to" guide explaining how to find, download and flash a specific OpenWRT build onto this particular router. Hundreds of people were able to follow the guide, including a housewife, a plumber and an elderly gentleman. All of whom had zero "expert" knowledge. If they can do that, then there's no excuse why anyone else can't figure out how to configure their router.

The big problem is that most people don't realize they *need* to change any settings. And, though it's getting better, factory or ISP default settings are often very poor from a security point of view. (They would rather the router be insecure than deal with technical support calls from users asking why their Netflix isn't working because the firewall blocked it.)

Not only that, but the firmware on a lot of these ISP provided routers is atrocious, with gaping back doors that hackers could access. At one point, people started writing viruses targeting various insecure routers. They could install it on one router and it would scan the subnet, install itself onto the next router it found and so on. I once knew a guy who had a bot net composed of around 100,000 routers.

Anyway, I'm digressing.

You say that NAT-PMP is a security nightmare, but where's *your* proof? See, without NAT-PMP, you wouldn't be able to use P2P, some video chat protocols, some games, etc. without manually setting up port forwarding. It's an *essential* part of why these services, for the most part, "just work" today.

You also say you tried downloading a torrent through a double-NAT, but how was it set up? Was the second NAT layer your ISP, or did you just plug in two routers back to back? Or use a VM?

You keep trying to say that we're saying NAT is a "dirty kludge" or otherwise bad, but that's not what we're saying at all. NAT is an essential part of the IPV4 Internet, the problem is we're out of IPV4 addresses. NAT was never designed to be run behind another NAT.

So, what I *am* saying, for the third time now, is that an ISP using NAT internally to share a public IP address with multiple users (by assigning their router a private IP, which is in turn shared on their LAN with a second layer of NAT) is a dirty kludge. It breaks all sorts of things. This is a proven fact.

IPV6 has been slowly rolling out for nearly 20 years. It's mature. It's ready. The only thing we're waiting on is the ISPs to get their shit together and start using it.

And, if you don't want the devices on your LAN to have public IPV6 addresses, that's no problem either. Your router can pick up a single public IPV6 address and all the devices on your LAN can use private IPV6 addresses, just like you do today with NAT. *Or* you can use a public IPV6 address and all the devices on your LAN can keep using private IPV4 addresses, simply by using NAT64 or 6to4.

By the way, I spent over 10 years of my life in IT and security (in a professional capacity). At 16 I started a web hosting company which I nurtured into a very successful and profitable business, having tens of thousands of subscribers at its peak. At 23 I sold the company to a large hosting firm and spent the next few years doing consulting. I set up and secured servers for a variety of companies. Not once did any machine I set up get compromised. So, I know a thing or two about this... ;)
« Last Edit: July 24, 2016, 11:51:41 pm by timb »
Any sufficiently advanced technology is indistinguishable from magic; e.g., Cheez Whiz, Hot Dogs and RF.
 
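The mechanism timb relies on in Reply #26 ("turn on the firewall ... it can send an outbound packet on that specific port first") and again here ("enable your firewall on the router") is a stateful, default-deny-inbound filter: unsolicited packets from the Internet are dropped, but once a LAN host opens a flow the replies for that flow are let back in. The following is an added example, not code from the thread or from any poster or router vendor: a small connection-tracking firewall simulation over constructed IPv6 packets. It also shows the caveat a practitioner should know: a strict 5-tuple match only admits the peer the host actually contacted, whereas NAT-PMP style "any peer may reach this port" behaviour corresponds to the looser, endpoint-independent mode, which is a deliberate widening of exposure.

```python
"""Stateful default-deny firewall simulation (added example, constructed data).

Outbound packets create flow state; inbound packets are accepted only if they
match existing state (or an explicit whitelist entry). Idle flows expire.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "out": LAN -> Internet, "in": Internet -> LAN


class StatefulFirewall:
    def __init__(self, idle_timeout: int = 30, strict: bool = True):
        self.idle_timeout = idle_timeout
        self.strict = strict  # True: 5-tuple match; False: endpoint-independent (UDP only)
        # (proto, lan_host, lan_port, remote_host, remote_port) -> last-seen time
        self.flows: Dict[Tuple[str, str, int, str, int], int] = {}
        # explicit inbound whitelist: (proto, lan_host, lan_port)
        self.allow_in: Set[Tuple[str, str, int]] = set()

    def _expire(self, now: int) -> None:
        stale = [k for k, seen in self.flows.items() if now - seen > self.idle_timeout]
        for k in stale:
            del self.flows[k]

    def process(self, pkt: Packet, now: int) -> str:
        """Return 'ACCEPT' or 'DROP' for one packet at time `now` (seconds)."""
        self._expire(now)
        if pkt.direction == "out":
            # A LAN host initiated this flow; remember it so replies can return.
            self.flows[(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now
            return "ACCEPT"

        # Inbound: the LAN side is the destination of the packet.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.flows:
            self.flows[key] = now
            return "ACCEPT"
        if not self.strict and pkt.proto == "udp":
            # Endpoint-independent filtering: any remote peer may reach a LAN
            # port that the LAN host has recently sent from. Wider exposure.
            for (proto, lan_host, lan_port, _, _), seen in self.flows.items():
                if (proto, lan_host, lan_port) == ("udp", pkt.dst, pkt.dport):
                    self.flows[key] = now
                    return "ACCEPT"
        if (pkt.proto, pkt.dst, pkt.dport) in self.allow_in:
            return "ACCEPT"
        return "DROP"  # default deny for unsolicited inbound traffic


def scenario(strict: bool = True) -> List[str]:
    """Constructed traffic: a LAN host talks to a server, then gets probed."""
    lan, server, scanner = "2001:db8:1::10", "2001:db8:f::1", "2001:db8:bad::1"
    fw = StatefulFirewall(idle_timeout=30, strict=strict)
    events = [
        (0,  Packet("udp", lan, 40000, server, 3478, "out")),   # host opens a flow
        (1,  Packet("udp", server, 3478, lan, 40000, "in")),    # reply: matches state
        (2,  Packet("tcp", scanner, 5555, lan, 22, "in")),      # unsolicited scan
        (3,  Packet("udp", scanner, 9999, lan, 40000, "in")),   # other peer, same LAN port
        (40, Packet("udp", server, 3478, lan, 40000, "in")),    # after idle timeout
    ]
    return [fw.process(p, t) for t, p in events]


if __name__ == "__main__":
    print("strict 5-tuple:        ", scenario(strict=True))
    print("endpoint-independent:  ", scenario(strict=False))
```

With the strict matcher the verdict list is `['ACCEPT', 'ACCEPT', 'DROP', 'DROP', 'DROP']`: the reply comes back, the port scan and the unrelated peer are dropped, and after the idle timeout even the original server cannot reach the host until it sends again. Switching to endpoint-independent filtering flips only the fourth verdict to `ACCEPT`, which is the exposure that peer-to-peer hole punching wants and that a router's logs should make visible.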

Offline westfw

  • Super Contributor
  • ***
  • Posts: 4199
  • Country: us
Re: Complexity of USB stack vs. TCP/IP stack
« Reply #30 on: July 25, 2016, 12:39:45 am »
TCP/IP also has a long history of published papers and lively discussions and books and classes and so on, all about how to do it right.  Or "well", anyway.  For several different definitions of "well." :-)   As we see :-)

USB has a committee-written 600-page specification (hey!  It's downloadable!  I thought you had to pay before you could look at it!)
 

Offline joeqsmith

  • Super Contributor
  • ***
  • Posts: 11737
  • Country: us
Re: Complexity of USB stack vs. TCP/IP stack
« Reply #31 on: July 25, 2016, 02:09:10 am »
I designed an Ethernet print server that sniffs a Centronics port and routes the data to printer. All in assembler on a Motorola 6811. Not something I recommend.



