I'm one of those who values end-to-end connectivity, but I can remember when it was the rule instead of the exception.
There was a time -- before the rise of NAT -- when one could directly establish connections to others across the Internet without having to jump through hoops or implement other tools (port forwarding, UPNP, a third-party(!), etc.) to do it.
In general, as a network engineer, I dislike anything (especially NAT) that breaks end-to-end connectivity, simply because of the inherent problems that arise as a result.
In addition, some of the DDoS attacks we've seen recently would be a lot easier to prevent if NAT wasn't a thing (e.g., as an ISP, I could easily shut off a specific device; I can't just shut off a customer's entire access).
>In addition, some of the DDoS attacks we've seen recently would be a lot easier to prevent if NAT wasn't a thing
I know that NAT is not a security feature but, pragmatically, one could argue the opposite: lots of vulnerable devices today aren't part of a botnet just because they haven't been discovered being hidden behind NAT.
That's the reason why IP webcams are so popular in recent botnets: usually they need to be remotely accessible, so they are outside NAT (or, seldom, they get port forwarding or are in some sort of DMZ).
>I know that NAT is not a security feature but, pragmatically, one could argue the opposite: lots of vulnerable devices today aren't part of a botnet just because they haven't been discovered being hidden behind NAT.
But in the same way, I feel like NAT has allowed a false sense of security. Maybe if NAT wasn't there to hide everyone's PC, more machines would be broken into, and device security would be a lot better today.
I hope that with IPv6 NAT disappears. But almost all devices come with only one network interface, which assumes it's on the LAN but still needs to access the Internet ... How can that be done without NAT?
A single IPv6 interface can have multiple IP addresses. You can either use your global IPv6 addresses for LAN communication or additionally use a unique local address (https://en.wikipedia.org/wiki/Unique_local_address) on that same interface. There's no need for NAT at any point.
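The dual-address setup described above (a global address for Internet traffic and a unique local address for the LAN, both on one interface, no translation anywhere), worked through as an added example that is not part of the original thread. It builds a ULA prefix with the RFC 4193 generation algorithm, assigns a host both kinds of address, and shows a simplified RFC 6724 source-address choice: LAN destinations get the ULA source, global destinations get the global source. The EUI-64, timestamp, and the 2001:db8::/32 documentation prefix are constructed inputs; the selection logic keeps only two of the RFC 6724 rules (matching address class, then longest common prefix) and is not a full implementation.

```python
import hashlib
import ipaddress

# Address classes relevant to the "one interface, several addresses" setup.
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")   # RFC 4193; fd00::/8 in practice
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


def classify(addr: str) -> str:
    """Return which class an IPv6 address belongs to."""
    a = ipaddress.IPv6Address(addr)
    if a in LINK_LOCAL:
        return "link-local"
    if a in UNIQUE_LOCAL:
        return "unique-local"
    if a in GLOBAL_UNICAST:
        return "global"
    return "other"


def generate_ula_prefix(eui64: bytes, ntp_time: bytes) -> ipaddress.IPv6Network:
    """RFC 4193 section 3.2.2: Global ID = low 40 bits of SHA-1(time || EUI-64).

    The result is fdXX:XXXX:XXXX::/48 (fc00::/7 with the L bit set). Both inputs
    are 8 bytes; in the example they are constructed, not read from a device.
    """
    if len(eui64) != 8 or len(ntp_time) != 8:
        raise ValueError("need an 8-byte EUI-64 and an 8-byte NTP timestamp")
    digest = hashlib.sha1(ntp_time + eui64).digest()
    global_id = int.from_bytes(digest[-5:], "big")      # least significant 40 bits
    prefix_int = (0xFD << 120) | (global_id << 80)      # fd00::/8 | Global ID << 80
    return ipaddress.IPv6Network((prefix_int, 48))


def addresses_for_host(gua_subnet: str, ula_prefix: ipaddress.IPv6Network,
                       interface_id: int, subnet_id: int = 1) -> list:
    """Give one host both a global and a unique-local address on the same link.

    subnet_id fills the 16-bit Subnet ID field of the /48 ULA prefix; interface_id
    is the low 64 bits shared by both addresses (an EUI-64 or a stable token).
    """
    gua = ipaddress.IPv6Network(gua_subnet)
    ula_subnet = ipaddress.IPv6Network(
        (int(ula_prefix.network_address) | (subnet_id << 64), 64))
    return [str(gua.network_address + interface_id),
            str(ula_subnet.network_address + interface_id)]


def select_source(candidates: list, destination: str) -> str:
    """Simplified RFC 6724 source selection (rules 2 and 8 only).

    Prefer a source of the same class as the destination, then the one sharing
    the longest common prefix with it. No NAT is involved: the host simply
    answers from whichever of its own addresses fits the destination.
    """
    dst = ipaddress.IPv6Address(destination)
    same_class = [ipaddress.IPv6Address(c) for c in candidates
                  if classify(c) == classify(destination)]
    pool = same_class or [ipaddress.IPv6Address(c) for c in candidates]

    def common_prefix_len(a: ipaddress.IPv6Address) -> int:
        return 128 - (int(a) ^ int(dst)).bit_length()

    return str(max(pool, key=common_prefix_len))


if __name__ == "__main__":
    # Constructed EUI-64 and NTP timestamp for a reproducible ULA prefix.
    prefix = generate_ula_prefix(bytes.fromhex("021a2b3c4d5e6f70"),
                                 bytes.fromhex("e000000000000000"))
    host = addresses_for_host("2001:db8:1234:5678::/64", prefix, 0x10)
    print("ULA prefix:", prefix)
    print("host addresses:", host)
    lan_peer = str(prefix.network_address + (2 << 64) + 0x20)   # another ULA subnet
    print("to LAN peer", lan_peer, "->", select_source(host, lan_peer))
    print("to Internet 2001:db8:ffff::1 ->", select_source(host, "2001:db8:ffff::1"))
```

The point the script makes is that "one interface, one address" is an IPv4 habit: with two addresses of different scope on the same interface, ordinary source-address selection keeps LAN traffic on the ULA and Internet traffic on the global address, and a renumbered ISP prefix never disturbs internal reachability.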
I'm not sure if I'd want that, for reasons of privacy and security. At the moment, your device IP (phone, computer, laptop) is usually shared with other devices, due to the scarcity of IPv4. If this gets dropped, couldn't some providers get the idea to statically assign IP addresses to each device?
Most people wouldn't know how to rotate IP addresses of their devices even if it was possible. Having one static address (or even a subnet) for each device seems like the worst thing that could happen to privacy.
I also could imagine that having all phones exposed directly could make vulnerabilities much worse. It's bad enough that the recent attacks were possible because cameras were exposed via UPNP, but as far as I know, it wouldn't easily be possible to build a large botnet of smartphones just because you know a vulnerability in their network communication.
AFAICT smartphones are mostly exposed already; they usually get an IPv6 address, along with some IPv4 connectivity behind the phone company's NAT.
OTOH I just tried to ping6 my phone, and got a 'no route to host'. I wonder if it's my wired connection's problem, or a security measure from the phone company's side.
Why perform a surgical drone strike over a carpet bombing?
The exact same reasoning applies to the above suggestion of just blocking access from the rogue device and then telling the customer that "The device with the address of X was misbehaving, please get it fixed and let us know".
Well, you can, but if you do it to lots of people at once your customer support phone banks will get flattened and then everybody else who has a problem at the same time will be angry at you too.
I did ISP operations once back in the day and balancing "will this make things better or will it just crush our CS dept a different way?" was one of the things you had to think about.