IPv6 vs NAT security

Page 2

MtnMan

Diamond Member
Jul 27, 2004
8,821
7,979
136
Exactly.

For example I have a local DNS server with local hostnames to IP mappings, let's call it 10.1.1.10. I have several other servers at 10.1.1.11 and so on. My entire network relies on these to remain at those IPs. I have full control over this IP space. Also, if I lose my internet connection my network is still 100% operational.

Take out the NAT router, and now each device pulls a public IP from the ISP and relies on the ISP for assignment. I now lose control over my IP numbering, and if my internet goes down, my devices won't communicate any more. I also have to rely on individual device firewalls on everything. There are many more attack vectors.

Though some really expensive and beefy passive firewalls may be able to do filtering passively. So you have everything go through that first. But I doubt such devices will be available to general public.
No, the devices on your LAN will always use Link-Local addresses to communicate with each other, regardless of the status of your internet connection or Global addresses assigned by your ISP.
 
Last edited:

Red Squirrel

No Lifer
May 24, 2003
67,917
12,379
126
www.anyf.ca
The ONLY time this becomes an issue is if you have multiple VLANs and need to talk across them. That is such a small number of home and small business users, though, that it's really a non-issue. The home users that need that should know how to re-IP their stuff (and it's really a non-issue anyway, as your ISP is only going to bridge you a /64 and that's it.)

Bingo. Just because it's a small number does not mean nobody does it. Not only will VLANs be an issue, but add firewall rules to that list. Right now, I have 1 external IP; if I want to share a service, I set up a firewall rule pointing to the local IP. If the external IP changes, I have to update my online DNS server of course, but that's it. Everything local such as firewall rules does not have to be touched.

With IPv6 if my IPs keep changing all the time I need to keep redoing my firewall rules. Not cool.

Link local is not really the answer either; that's only really used for the initial configuration, and only works within the same broadcast domain. So they won't work on VLANs, VPNs etc.

I suppose one answer is to stick to ipv4 for LANs, but really we don't want to keep having to support 2 different types of networks, so it would be nice to switch 100% to ipv6.

NAT66 seems like the best answer to the IP renumbering issue. Or just get an ASN assignment and do BGP, but I really don't want to have to pay that kind of money just so I can keep control of my local address space and I doubt any ISP will even want to allow you to do that.

Though I wonder, could you set up a LAN using ULAs, but they also get an external IP? You would use the ULAs when talking to and configuring local devices just like you would in the ipv4 world, but if they need to go on the internet, they use their assigned IP. Basically devices would have both a local and external IP. The external would use SLAAC or w/e and the internal would be static (if you wish) as normal.

This article talks about how no NAT can be an issue: http://theregister.co.uk/2012/03/31/ipv6_sucks_for_smes/
 
Last edited:

Red Squirrel

No Lifer
May 24, 2003
67,917
12,379
126
www.anyf.ca
I would argue the length of addressing being a bigger hindrance. I have been a network guy for over 15 years and I shudder when I think about having to do crap with ipv6 because the addresses are just so dang long. I understand completely how it works, and how you can shorten them and how the first portion will be your prefix all the time etc, but today I can tell a coworker a printer is 10 20 30 40 and they get it without the dots. When I go to ipv6 and have to say the printer is at FE80:0000:0000:0000:0202:B3FF:FE1E:8329 I just shudder. Again I know the shortening techniques but I just don't like it.

Also, you kids get off my damned lawn!

lol yeah that's going to be kinda annoying, but guess it's the nature of the beast, we need more IPs which means more bit space, so naturally, you need well, longer IPs, that are longer to type.

Everybody always says DNS, but someone still has to go in the DNS server to add all those records, and some devices are IP only, such as printers, and firewalls, so you still have to input IPs directly into various places and keep track of them in a spreadsheet or other mechanism.

Some of the solutions I heard are completely insane like using some kind of network management suite. Yeah, let's just throw some really expensive and complicated software at a problem that we created that did not exist before.
 

pcm81

Senior member
Mar 11, 2011
584
9
81
The problem is not with IPv6 itself, but rather the way its design allows it to be implemented. OK, I can see a legit reason for more IP numbers: think all wireless devices, smart watches, smart wearables, drones etc. But the problem with such abundance of IP numbers comes in its implementation of connecting all end user devices (not just the next gen devices) to the internet: today's smart TVs and other smart devices which are not designed for direct internet exposure. Frankly, I think a 64-bit IP space would still be plenty for future growth.

The real goal of this thread was to discuss IPv6 drawbacks and hopefully get the attention of the right people to communicate to ISPs that even though they could connect all end user devices to the internet with ipv6, that does not mean they should.
 

platoon

Junior Member
Dec 23, 2015
2
0
0
It's already been covered in this thread: those smart devices won't be exposed to the internet. If you have more than one device you need a router, and that router will also have a stateful firewall. The exact same thing you currently have with IPv4 and NAPT.
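The post above (and the later remark that "for TCP you can probably get away without a stateful firewall" by looking at the SYN bit, while UDP needs state) is the core of the thread's security question, so here is an added example, not code from any router or from a poster, of what the router's filter actually does once there is no NAT to hide behind. It is a toy: a constructed ULA LAN prefix, constructed packets, and an in-memory flow table. It models the stateless `established` style check for TCP (accept anything with ACK or RST set), flow tracking for UDP, an explicit "expose this service" rule equivalent to a port forward, and a `strict_tcp` mode that also requires state for TCP; the demo shows why the strict mode is the one to prefer.

```python
"""Toy stateful packet filter for an IPv6 LAN with no NAT anywhere.
Added example for this thread, not a real firewall implementation. It models
two things a home router does instead of address translation: the stateless
'established' check for TCP (as in an ACL keyword) and flow tracking, which
UDP needs because it has no flags. All addresses and packets are constructed.
"""
import ipaddress
from dataclasses import dataclass

TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str       # "tcp" or "udp"
    flags: int = 0   # TCP flag bits; unused for UDP


class StatefulFilter:
    def __init__(self, lan_prefix, timeout=30, strict_tcp=False):
        self.lan = ipaddress.IPv6Network(lan_prefix)
        self.timeout = timeout          # seconds an idle flow stays valid
        self.strict_tcp = strict_tcp    # require state for TCP too, not just flags
        self.flows = {}                 # outbound 5-tuple -> last seen time
        self.exposed = set()            # (address, port, proto) deliberately reachable

    def expose(self, addr, port, proto):
        """Equivalent of a port-forward rule: one service on one host, opened on purpose."""
        self.exposed.add((ipaddress.IPv6Address(addr), port, proto))

    def _inside(self, addr):
        return ipaddress.IPv6Address(addr) in self.lan

    def process(self, pkt, now):
        """Return 'allow' or 'drop' for one packet and update the flow table."""
        if self._inside(pkt.src) and not self._inside(pkt.dst):
            # Outbound: allowed, and remembered so that replies can come back.
            self.flows[(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now
            return "allow"
        if (ipaddress.IPv6Address(pkt.dst), pkt.dport, pkt.proto) in self.exposed:
            return "allow"
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        seen = self.flows.get(reverse)
        has_state = seen is not None and now - seen <= self.timeout
        if has_state:
            self.flows[reverse] = now   # refresh the idle timer
        if pkt.proto == "tcp":
            if pkt.flags & TCP_SYN and not pkt.flags & TCP_ACK:
                return "drop"           # bare SYN: a new inbound connection attempt
            if self.strict_tcp:
                return "allow" if has_state else "drop"
            # 'established': any segment carrying ACK or RST is treated as a reply.
            return "allow" if pkt.flags & (TCP_ACK | TCP_RST) else "drop"
        # UDP carries no flags, so only a tracked outbound flow lets a reply in.
        return "allow" if has_state else "drop"


def demo():
    """Walk a constructed DNS lookup, a web connection and a few probes through the filter."""
    lan, client = "fd12:3456:789a::/48", "fd12:3456:789a:1::10"
    dns, web, probe = "2001:db8::53", "2001:db8::80", "2001:db8::bad"
    fw = StatefulFilter(lan)
    fw.expose(client, 22, "tcp")   # the one service the admin chose to publish
    results = {
        "dns query out":      fw.process(Packet(client, 40000, dns, 53, "udp"), now=0),
        "dns reply in":       fw.process(Packet(dns, 53, client, 40000, "udp"), now=1),
        "udp probe in":       fw.process(Packet(probe, 1234, client, 161, "udp"), now=2),
        "dns reply too late": fw.process(Packet(dns, 53, client, 40000, "udp"), now=100),
        "tcp syn out":        fw.process(Packet(client, 50000, web, 80, "tcp", TCP_SYN), now=3),
        "tcp syn-ack in":     fw.process(Packet(web, 80, client, 50000, "tcp", TCP_SYN | TCP_ACK), now=4),
        "tcp syn to smb":     fw.process(Packet(probe, 4444, client, 445, "tcp", TCP_SYN), now=5),
        "tcp syn to ssh":     fw.process(Packet(probe, 4444, client, 22, "tcp", TCP_SYN), now=6),
        "ack probe (established)": fw.process(Packet(probe, 4444, client, 445, "tcp", TCP_ACK), now=7),
    }
    strict = StatefulFilter(lan, strict_tcp=True)
    results["ack probe (strict)"] = strict.process(Packet(probe, 4444, client, 445, "tcp", TCP_ACK), now=7)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:26s} {verdict}")
```

The last two rows of the demo are the point: with only the flag-based `established` rule, an unsolicited segment that merely has ACK set gets through, which is exactly why the thread's "paranoid" option of keeping state for TCP as well is the sensible default; nothing in this protection depends on the LAN addresses being private or translated.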
 

Red Squirrel

No Lifer
May 24, 2003
67,917
12,379
126
www.anyf.ca
It's already been covered in this thread: those smart devices won't be exposed to the internet. If you have more than one device you need a router, and that router will also have a stateful firewall. The exact same thing you currently have with IPv4 and NAPT.

Issue is that will require something quite advanced like a Cisco ASA or other commercial grade solution. Most home users are just going to hook up a switch when they realize their cheap Linksys or D-Link router won't work.
 

platoon

Junior Member
Dec 23, 2015
2
0
0
Issue is that will require something quite advanced like a Cisco ASA or other commercial grade solution. Most home users are just going to hook up a switch when they realize their cheap Linksys or D-Link router won't work.

Their "cheap Linksys or D-Link router" will work just fine...
 

drebo

Diamond Member
Feb 24, 2006
7,035
1
81
Bingo. Just because it's a small number does not mean nobody does it. Not only will VLANs be an issue, but add firewall rules to that list. Right now, I have 1 external IP; if I want to share a service, I set up a firewall rule pointing to the local IP. If the external IP changes, I have to update my online DNS server of course, but that's it. Everything local such as firewall rules does not have to be touched.

With IPv6 if my IPs keep changing all the time I need to keep redoing my firewall rules. Not cool.

Link local is not really the answer either; that's only really used for the initial configuration, and only works within the same broadcast domain. So they won't work on VLANs, VPNs etc.

I suppose one answer is to stick to ipv4 for LANs, but really we don't want to keep having to support 2 different types of networks, so it would be nice to switch 100% to ipv6.

NAT66 seems like the best answer to the IP renumbering issue. Or just get an ASN assignment and do BGP, but I really don't want to have to pay that kind of money just so I can keep control of my local address space and I doubt any ISP will even want to allow you to do that.

Though I wonder, could you set up a LAN using ULAs, but they also get an external IP? You would use the ULAs when talking to and configuring local devices just like you would in the ipv4 world, but if they need to go on the internet, they use their assigned IP. Basically devices would have both a local and external IP. The external would use SLAAC or w/e and the internal would be static (if you wish) as normal.

This article talks about how no NAT can be an issue: http://theregister.co.uk/2012/03/31/ipv6_sucks_for_smes/

I'll refer to my previous statement:

IT hobbyists not knowing how IPv6 works is the biggest hindrance to deployment.
 

Gryz

Golden Member
Aug 28, 2010
1,551
204
106
IT hobbyists not knowing how IPv6 works is the biggest hindrance to deployment.
The biggest hindrance to IPv6 deployment is the fact that IPv6 has zero benefits over IPv4. Absolutely nothing.

IPv4 and IPv6 routing works exactly the same way. (Of course there are some small differences. But those differences don't bring real benefits. Only annoyance). If you have enough IPv4-addresses (like most people in the western world), there is zero reason to migrate to IPv6. The only benefit would be that you can call yourself a "good Internet citizen". That's not enough for most corporations and people. Especially because there is a monetary cost involved to migrate.

There are problems that could have been solved with IPv6. (Host-multihoming, site-multihoming, site-renumbering, mobility, etc). But the people involved with IPv6 in the mid-nineties didn't deem it worth fixing those problems. They were mostly applications-people, not routing-people. The result is a new layer-3 protocol that doesn't bring us anything, except a few more bits in the addresses. It was a missed opportunity. The fact that 20 years later, we are still waiting for the majority to migrate, is evidence that IPv6 kinda failed.
 
Last edited:

Genx87

Lifer
Apr 8, 2002
41,095
513
126
I know that IPv6 mandates certain security requirements better than IPv4 did, but:

Today we use NAT in home routers which passively acts as a firewall for ports that are not specifically open/forwarded on the router. As ISPs move to IPv6 and more and more users just use ISP provided modem, there is no more need for NAT at the modem interface. So, I could potentially see the ISP modem essentially assign public IPs to all attached devices.

Wouldn't that open up a lot of currently hidden ports and holes?

In today's setup my scanner connects to my PC and drops a scanned PDF file via my local network. But if my computer were to now have a public IP, because the modem can assign it one since NAT is no longer needed, a Lin Wing Chung from China could potentially connect to that same port and drop a virus in, in place of the PDF that my scanner would drop...

This is a theoretical question that deals with dangers introduced by the deprecation of NAT.

I realize that the end user can still run a local router (hardware firewall) and protect himself. I am thinking of Moms and Pops who just plug the hardware in and don't know any better... There are many devices in existence today whose level of security was never intended for direct connection to the internet, and the lack of need for NAT opens up a possibility of connecting these devices to the internet without the end user ever realizing how bad it is.

To be honest, even though I do this for a living, IPv6 hasn't been on my radar for things to look into due to IPv4 having more legs than anybody thought 20 years ago.

Anyways, couldn't some of this be alleviated by utilizing privacy extensions? I imagine future ipv6 home routers would pass along the subnet they are assigned while the hosts constantly change IP addresses? Or am I not understanding this feature of IPv6 and how subnetting will work?
 

MtnMan

Diamond Member
Jul 27, 2004
8,821
7,979
136
IPv6 does have advantages over IPv4.

  • The overhead, thus latency of NAT is eliminated.
  • IPSec is 'baked into' IPv6 meaning that IPV6 ICMP packets can be secured, vs. IPv4 where the common solution is to simply block all ICMP at the firewall.
  • True end-to-end connectivity at the network layer improving VoIP and QoS
  • Simpler network configuration, i.e. no subnetting/VLSMs
  • Multicast for multimedia streaming
  • No layer 3 checksum eliminating the need to recalculate at each hop (overhead and latency)
  • More efficient routing (smaller routing tables)
  • Maximum MTU of a path can be determined, placing the fragmentation task on the source and not routers.
  • No DHCP server required, host simply gets prefix from router and generates its own IPv6 address.
  • Hosts can have multiple network addresses.
 
Last edited:

razel

Platinum Member
May 14, 2002
2,337
90
101
+1 above. Do some of you really want to stick to IPV4? How are you going to handle more devices of the future? That's like saying you want to stick to 1MB of addressable RAM and the rest of your 7.9GB of RAM will be viewable in smaller chunks of pages only.
 

Gryz

Golden Member
Aug 28, 2010
1,551
204
106
IPv6 does have advantages over IPv4.
Nonsense.
The overhead, thus latency of NAT is eliminated.
Irrelevant. You are talking about one layer of routers in the network (the home-routers of end-users and small businesses). Most routers in the Internet don't do NAT. So the cost there is irrelevant. Also, most traffic that goes through NAT is not latency-sensitive. (As opposed to, e.g., server-to-server traffic in datacenters). In access-networks (where NAT is used), latency is usually impacted by queuing-delays. Not by the cost of forwarding itself.

If you don't use NAT, most often you will want a firewall. For TCP you can probably get away without a stateful firewall. (Just look at the SYN-bit. Aka "established"-keyword in Cisco ACLs). But for other traffic (like UDP) you do need to keep state. And the paranoid probably want to do stateful for TCP too. And even then, the impact on forwarding cost will be minimal, imho.

Wanna talk about cost?
Forwarding gets harder (and thus more expensive) the more inward you go, to the center of the Internet. (The Default Free Zone. The Tier-2 and Tier-1 ISPs). Those routers carry 600k routes. They forward Terabits of traffic per second. All those boxes use TCAM for their forwarding tables. TCAM is very expensive memory. With IPv6, because you have longer addresses, and longer prefixes, you can typically store only half the amount of prefixes in TCAM as you can with IPv4.

IPSec is 'baked into' IPv6 meaning that IPV6 ICMP packets can be secured, vs. IPv4 where the common solution is to simply block all ICMP at the firewall.
1) You can do IPSec with IPv4 too. I'm not too familiar with IPSec. Are you telling me that you can't do IPSec with ICMPv4 today? 2) BTW, I suspect even if admins could let ICMP through their firewalls, they will still not do that.
True end-to-end connectivity at the network layer improving VoIP and QoS
1) Yes, you are right here. Being able to connect to services inside a network (e.g. calling someone with VoIP) is easier with IPv6. However, this also causes extra security concerns. I think you will end up having to configure rules for the services you want to expose. This will be *exactly* the same amount of work as configuring port-forwarding in NAT. The big benefit is that you can have multiple devices with the same service.

Notice, this is a benefit of getting rid of NAT. It's not a direct benefit of IPv6 over IPv4.

2) QoS is better with IPv6? QoS is better with end-to-end connectivity? What makes you think that?
Simpler network configuration, i.e. no subnetting/VLSMs
We have classless routing in IPv4 for over 20 years now. Both IPv4 and IPv6 deal with prefixes. It's the same.
Multicast for multimedia streaming
Last time I looked, IPv4 has multicasting.
No layer 3 checksum eliminating the need to recalculate at each hop (overhead and latency)
Oh God. People keep repeating this.
Have you ever looked at the IPv4 header checksum? Did you look how it works? It's a sum. Literally a sum of all bytes in the IP-header. Very simple. Now let's look at what changes when a router forwards a packet. All that changes in the IP-header is that the TTL is decremented by 1. That means the checksum has to be decremented by 1 as well!! That's all there is to it. When forwarding a packet, the router does:
ippacket->ipheader->ttl--;
ippacket->ipheader->checksum--;
Just one extra instruction. That is absolutely irrelevant. Compared to all the other work a router must do (route lookup, packet classification for QoS, ACL-filtering, accounting, etc), that one extra instruction is absolutely irrelevant.
More efficient routing (smaller routing tables)
Nonsense.
IPv4 routing and IPv6 routing work exactly the same. Longest-match route-lookup. Hop-by-hop forwarding. The size of the routing tables depends on 1) strictness of address-allocation, 2) amount of site multi-homing needed. With IPv6 the allocation was a little more strict in the beginning than with IPv4 in the eighties. True. But the more IPv6-addresses that will be assigned, the more the entropy will increase. In the end, there will be hardly any difference in entropy between IPv4 and IPv6.

Wanna talk about routing-table sizes?
IPv6 addresses are 4x longer. That means the IPv6 routing tables will use more memory. If you implement a Radix-tree, you will have to traverse more bits to find the route. If you use TCAM, you will need twice the amount of TCAM (expensive). If you use a 256-way B-Tree, you will need a lot more memory. IPv6 loses.

Maximum MTU of a path can be determined, placing the fragmentation task on the source and not routers.
All IPv4 implementations use PMTU. IPv6 uses the exact same algorithms. Stuff that works well, and stuff that works less well, is exactly the same for IPv4 and IPv6. If I am mistaken, please enlighten me in which scenario IPv6 works better.
No DHCP server required, host simply gets prefix from router and generates its own IPv6 address.
SLAAC is of the devil. People with a clue use DHCPv6. And even if everybody would use SLAAC, it would hardly make a difference.
Hosts can have multiple network addresses.
Holy moly! Are you telling me that hosts can not have multiple network addresses with IPv4?


May I suggest you read the following articles?
http://blog.ipspace.net/2010/02/ipv6-myths.html
http://searchtelecom.techtarget.com/tip/Seven-IPv6-networking-myths-that-dont-match-reality
http://blog.ipspace.net/2015/04/video-ipv6-myths-and-reality.html (movie)

Those articles are from Ivan Pepelnjak's blog. Ivan has been an independent networking guy for over 20 years. His blog is awesome. He is very knowledgeable. He is very interested in all the new stuff (SDN, IPv6, data-center stuff). But he doesn't drink the Kool-Aid. Very refreshing. If you want to learn more about networking than the standard marketing fluff, his blog is an excellent source of information.
 
Last edited:
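The checksum argument in the post above is easy to check in code. The following is an added example, not code from the post or from any router implementation: it computes the IPv4 header checksum the full way (RFC 1071) and then applies the per-hop incremental fix-up (RFC 1624, equation 3) to a constructed 20-byte header after a TTL decrement. The per-hop cost is indeed a single one's-complement addition; because the TTL is the high byte of its 16-bit header word, the constant added is 0x0100 rather than 1, and the example asserts that the shortcut agrees with a full recompute, including at the 0xFFFF carry boundary.

```python
"""IPv4 header checksum: full recompute (RFC 1071) versus the incremental
fix-up a router applies when it decrements the TTL (RFC 1624).
Added example for this thread; the header below is constructed, not captured."""
import struct


def fold(total):
    """Fold carries back in to obtain a 16-bit one's complement sum."""
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ipv4_header_checksum(header):
    """One's complement of the one's complement sum of the header's 16-bit
    words, with the checksum field (bytes 10-11) counted as zero."""
    total = 0
    for i in range(0, len(header) - 1, 2):
        if i != 10:
            total += (header[i] << 8) | header[i + 1]
    return (~fold(total)) & 0xFFFF


def verify_checksum(header):
    """Receiver side: summing every word including the checksum gives 0xFFFF."""
    total = sum((header[i] << 8) | header[i + 1] for i in range(0, len(header) - 1, 2))
    return fold(total) == 0xFFFF


def incremental_update(old_checksum, old_word, new_word):
    """RFC 1624 eq. 3: HC' = ~(~HC + ~m + m'), all in 16-bit one's complement."""
    total = (~old_checksum & 0xFFFF) + (~old_word & 0xFFFF) + new_word
    return (~fold(total)) & 0xFFFF


def forward_decrement_ttl(header):
    """What a router does per hop: TTL-- plus a one-word checksum fix-up."""
    hdr = bytearray(header)
    if hdr[8] == 0:
        raise ValueError("TTL already zero; packet must be discarded, not forwarded")
    old_word = (hdr[8] << 8) | hdr[9]   # TTL is the high byte, protocol the low byte
    hdr[8] -= 1
    new_word = (hdr[8] << 8) | hdr[9]
    old_cksum = (hdr[10] << 8) | hdr[11]
    hdr[10:12] = struct.pack("!H", incremental_update(old_cksum, old_word, new_word))
    return bytes(hdr)


def build_header(ttl, proto, src, dst, total_length=60, ident=0x1C46):
    """Minimal 20-byte IPv4 header (constructed values) with a valid checksum."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, ident,
                                0x4000, ttl, proto, 0, bytes(src), bytes(dst)))
    hdr[10:12] = struct.pack("!H", ipv4_header_checksum(bytes(hdr)))
    return bytes(hdr)


if __name__ == "__main__":
    pkt = build_header(64, 6, [192, 0, 2, 1], [198, 51, 100, 7])
    print("original checksum: 0x%04x valid=%s" % (ipv4_header_checksum(pkt), verify_checksum(pkt)))
    hop = forward_decrement_ttl(pkt)
    print("after TTL--      : 0x%04x valid=%s" % (((hop[10] << 8) | hop[11]), verify_checksum(hop)))
    # The shortcut is one addition of 0x0100 (TTL sits in the high byte), carry folded.
    print("recompute agrees :", ipv4_header_checksum(hop) == ((hop[10] << 8) | hop[11]))
```

The `verify_checksum` function is also what a receiver or IDS uses to detect a forwarded packet whose TTL was altered without the matching checksum fix-up: the sum of all words no longer comes out as 0xFFFF.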

Gryz

Golden Member
Aug 28, 2010
1,551
204
106
+1 above. Do some of you really want to stick to IPV4? How are you going to handle more devices of the future? That's like saying you want to stick to 1MB of addressable RAM and the rest of your 7.9GB of RAM will be viewable in smaller chunks of pages only.
Nobody wants to stick to IPv4 just because.
But when the whole world has to migrate, it would have been nice if the new technology would have had some real benefits. But the new technology has no benefits. IPv6 was a missed opportunity.
The proof of that is the fact that IPv6 adoption is going so slow. Nobody really seems to want IPv6. If people would have found true benefits in IPv6, they would have moved 10 years ago.

Will we fully migrate to IPv6?
Maybe.
Maybe in 10 years. Maybe in 20 years. Who knows?
Maybe there will be a new version of IP. IPv7 or whatever. Something that fixes current routing problems. Something that will make the Internet more robust, cheaper to configure, cheaper to build, easier to troubleshoot. Something that has benefits.
Or maybe someone will augment IPv6, and fix it. Knowledgeable people seem to know what is needed to fix IPv6. But there is too much political turmoil to get anything done. (I'm talking about the IETF here, not real politics).
 

Red Squirrel

No Lifer
May 24, 2003
67,917
12,379
126
www.anyf.ca
I'll refer to my previous statement:

I know how it works, at least enough to know that there are some issues, that I've already outlined. IP renumbering is the biggest one. No, none of the official solutions are good enough. There are many instances on a network where you need to refer directly to an IP. If all your "local" IPs are not local anymore, but controlled by your ISP, you lose control of your whole network. Printers, DNS servers, firewall rules. Those are all things that you need a static IP for since they are referred to by IP. When you add your DNS in /etc/resolv.conf, it's a static IP. When you add a DNS zone, you need to input the IP. etc. Currently in IPv4 everything on your network is a private IP, such as 10.1.1.5. That IP never changes because you are in charge of what is behind the NAT.

With IPv6 and no NAT you don't get to use local IPs. Yeah there are ULAs, but without NAT they are not really very useful unless you are strictly doing a private lab network or something.

But like I said, I think the best solution will probably be NPT. It's basically a 1:1 NAT. So your local network will use ULAs that just translate to whatever prefix your ISP assigns you. If it changes, it won't affect your local network. This will also allow for multi homing and other such setups which require the LAN IPs to be static.

Renumbering is something that seems to be overlooked, because the big companies will have their own BGP route and static IPs that they own, and the very small grandma networks won't have any local servers or anything of that nature to really worry about wanting anything to be static. But for SMB and enthusiasts who DO have servers and other local network devices, VLANs with inter-VLAN firewall rules etc, it IS a big problem. People have to stop denying that and ensure we have some kind of NAT standard that sticks around like NPT. Another issue is people like to adopt the cloud approach too much. No, I am not moving ANY of my servers to the cloud or anywhere on the internet. They are internal for a reason, and they will stay that way.
 
Last edited:
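Two passages in this thread, the earlier question of whether a LAN could run on ULAs while still reaching the internet, and the statement above that NPT is a 1:1 translation of a ULA prefix to whatever prefix the ISP assigns, describe the same design, so here is one added example covering both. It is not code from the thread or from any NPTv6 implementation: it generates a ULA /48 the way RFC 4193 section 3.2.2 describes (low 40 bits of SHA-1 over a timestamp and an EUI-64, both constructed here) and then implements the checksum-neutral prefix rewrite of RFC 6296 in simplified form, with constructed inside/outside prefixes. The asserted property is that the one's complement sum of the address is unchanged by the rewrite, which is what lets transport-layer checksums survive translation, and that swapping the ISP prefix changes only the translator, never the LAN numbering.

```python
"""ULA numbering plus NPTv6-style checksum-neutral prefix translation.
Added example for this thread, not code from any product mentioned in it.
Follows RFC 4193 (ULA generation) and RFC 6296 (NPTv6) in simplified form;
all prefixes, addresses and seed values below are constructed."""
import hashlib
import ipaddress
import struct


def ones_complement_sum(words):
    """16-bit one's complement sum with end-around carry (0 and 0xFFFF are equal)."""
    total = 0
    for w in words:
        total += w
        total = (total & 0xFFFF) + (total >> 16)
    return total


def address_words(addr):
    """The eight 16-bit words of an IPv6 address in network byte order."""
    return list(struct.unpack("!8H", ipaddress.IPv6Address(addr).packed))


def checksum_neutral(a, b):
    """True if both addresses contribute identically to a pseudo-header checksum."""
    sa = ones_complement_sum(address_words(a))
    sb = ones_complement_sum(address_words(b))
    return (sa % 0xFFFF) == (sb % 0xFFFF)


def generate_ula_prefix(ntp_time, eui64):
    """RFC 4193 s3.2.2: Global ID = low 40 bits of SHA-1(time || EUI-64);
    the ULA prefix is fd00::/8 followed by that Global ID, i.e. a /48."""
    digest = hashlib.sha1(ntp_time + eui64).digest()
    prefix = bytes([0xFD]) + digest[-5:] + bytes(10)
    return ipaddress.IPv6Network((prefix, 48))


class Npt6Translator:
    """Stateless 1:1 mapping between an inside (ULA) and an outside (ISP) prefix."""

    def __init__(self, inside, outside):
        self.inside = ipaddress.IPv6Network(inside)
        self.outside = ipaddress.IPv6Network(outside)
        if self.inside.prefixlen != self.outside.prefixlen:
            raise ValueError("inside and outside prefix lengths must match")
        self.plen = self.inside.prefixlen
        nwords = (self.plen + 15) // 16   # prefix zero-extended to whole words
        in_sum = ones_complement_sum(address_words(self.inside.network_address)[:nwords])
        out_sum = ones_complement_sum(address_words(self.outside.network_address)[:nwords])
        # One's complement difference: what swapping the prefix removes from the sum.
        self.adjustment = ones_complement_sum([in_sum, ~out_sum & 0xFFFF])

    def _adjust_index(self, words):
        """RFC 6296: word 3 (bits 48-63) for /48 or shorter prefixes, otherwise
        the first interface-identifier word that is not 0xFFFF."""
        if self.plen <= 48:
            return 3
        for i in range(4, 8):
            if words[i] != 0xFFFF:
                return i
        raise ValueError("no interface-identifier word free for the adjustment")

    def _translate(self, addr, target, delta):
        host_mask = (1 << (128 - self.plen)) - 1
        new_int = int(target.network_address) | (int(ipaddress.IPv6Address(addr)) & host_mask)
        words = list(struct.unpack("!8H", new_int.to_bytes(16, "big")))
        idx = self._adjust_index(words)
        words[idx] = ones_complement_sum([words[idx], delta])
        if words[idx] == 0xFFFF:          # both spellings of one's complement zero
            words[idx] = 0x0000
        return ipaddress.IPv6Address(struct.pack("!8H", *words))

    def to_outside(self, addr):
        """LAN (ULA) source address -> ISP-prefixed address seen on the Internet."""
        if ipaddress.IPv6Address(addr) not in self.inside:
            raise ValueError(f"{addr} is not inside {self.inside}")
        return self._translate(addr, self.outside, self.adjustment)

    def to_inside(self, addr):
        """ISP-prefixed destination address -> LAN (ULA) address."""
        if ipaddress.IPv6Address(addr) not in self.outside:
            raise ValueError(f"{addr} is not inside {self.outside}")
        return self._translate(addr, self.inside, ~self.adjustment & 0xFFFF)


if __name__ == "__main__":
    # Constructed 64-bit timestamp and EUI-64, so the ULA is reproducible here.
    ula = generate_ula_prefix(bytes.fromhex("e2b8b3a000000000"), bytes.fromhex("0211223344556677"))
    print("generated ULA prefix for the LAN:", ula)
    npt = Npt6Translator("fd12:3456:789a::/48", "2001:db8:1::/48")
    host = "fd12:3456:789a:1::10"
    out = npt.to_outside(host)
    print(host, "->", out, "| checksum-neutral:", checksum_neutral(host, out))
    print(out, "->", npt.to_inside(out))
    # The ISP hands out a new prefix: only the translator is reconfigured.
    renumbered = Npt6Translator("fd12:3456:789a::/48", "2001:db8:2::/48")
    print("after ISP renumbering:", host, "->", renumbered.to_outside(host))
```

Note what the translation does not give you: it is not a firewall, and the outside address is still deterministic from the inside one, so the reachability question is answered by the stateful filter on the router, while NPT only answers the renumbering one.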