nctnico, you keep digging the hole deeper and deeper... Just admit you're wrong and move on!
You say IPV6 is "too new", which isn't remotely true; it's nearly a *twenty year old* standard now! Every major OS, router and device made in the last 10 years has a working, mature IPV6 stack...
Fun Fact: IPV6 (1998) is older than NAT (1999)! So, if IPV6 is a "new" standard that's "full of security holes and bugs", then so is NAT!
The only way in which NAT-PMP can be exploited is if you *download* and *install* a piece of malware, which then (being on your local network) can set up any port forwarding it wants. Do you know how to stop that? Enable your firewall on the router. Even with NAT-PMP off, a virus could still set up port forwarding by directly accessing the router's configuration page. How many people really change the "default" password? If you can change the password, you can turn on the firewall.
The "average user" very much can configure their own router. I once wrote a "how-to" guide explaining how to find, download and flash a specific OpenWRT build onto this particular router. Hundreds of people were able to follow the guide, including a housewife, a plumber and an elderly gentleman. All of whom had zero "expert" knowledge. If they can do that, then there's no excuse why anyone else can't figure out how to configure their router.
The big problem is that most people don't realize they *need* to change any settings. And, though it's getting better, factory or ISP default settings are often very poor from a security point of view. (They would rather the router be insecure than deal with technical support calls from users asking why their Netflix isn't working because the firewall blocked it.)
Not only that, but the firmware on a lot of these ISP-provided routers is atrocious, with gaping back doors that hackers could access. At one point, people started writing viruses targeting various insecure routers. They could install it on one router and it would scan the subnet, install itself onto the next router it found and so on. I once knew a guy who had a botnet composed of around 100,000 routers.
Anyway, I'm digressing.
You say that NAT-PMP is a security nightmare, but where's *your* proof? See, without NAT-PMP, you wouldn't be able to use P2P, some video chat protocols, some games, etc. without manually setting up port forwarding. It's an *essential* part of why these services, for the most part, "just work" today.
You also say you tried downloading a torrent through a double-NAT, but how was it set up? Was the second NAT layer your ISP, or did you just plug in two routers back to back? Or use a VM?
You keep trying to say that we're saying NAT is a "dirty kludge" or otherwise bad, but that's not what we're saying at all. NAT is an essential part of the IPV4 Internet; the problem is we're out of IPV4 addresses. NAT was never designed to be run behind another NAT.
So, what I *am* saying, for the third time now, is that an ISP using NAT internally to share a public IP address with multiple users (by assigning their router a private IP, which is in turn shared on their LAN with a second layer of NAT) is a dirty kludge. It breaks all sorts of things. This is a proven fact.
IPV6 has been slowly rolling out for nearly 20 years. It's mature. It's ready. The only thing we're waiting on is the ISPs to get their shit together and start using it.
And, if you don't want the devices on your LAN to have public IPV6 addresses, that's no problem either. Your router can pick up a single public IPV6 address and all the devices on your LAN can use private IPV6 addresses, just like you do today with NAT. *Or* you can use a public IPV6 address and all the devices on your LAN can keep using private IPV4 addresses, simply by using NAT64 or 6to4.
By the way, I spent over 10 years of my life in IT and security (in a professional capacity). At 16 I started a web hosting company which I nurtured into a very successful and profitable business, having tens of thousands of subscribers at its peak. At 23 I sold the company to a large hosting firm and spent the next few years doing consulting. I set up and secured servers for a variety of companies. Not once did any machine I set up get compromised. So, I know a thing or two about this...
