IPv6 vs NAT security

pcm81

Senior member
Mar 11, 2011
581
9
81
I know that IPv6 mandates certain security requirements better than IPv4 did, but:

Today we use NAT in home routers, which passively acts as a firewall for ports that are not specifically opened/forwarded on the router. As ISPs move to IPv6 and more and more users just use the ISP-provided modem, there is no more need for NAT at the modem interface. So, I could potentially see the ISP modem essentially assign public IPs to all attached devices.

Wouldn't that open up a lot of currently hidden ports and holes?

In today's setup my scanner connects to my PC and drops a scanned PDF file via my local network. But if my computer were to now have a public IP, because the modem can assign it one since NAT is no longer needed, a Lin Wing Chung from China could potentially connect to that same port and drop a virus in, in place of the PDF that my scanner would drop...

This is a theoretical question that deals with the dangers introduced by the deprecation of NAT.

I realize that the end user can still run a local router (hardware firewall) and protect himself. I am thinking of the moms and pops who just plug the hardware in and don't know any better... There are many devices in existence today whose level of security was never intended for direct connection to the internet, and the lack of need for NAT opens up the possibility of connecting these devices to the internet without the end user ever realizing how bad it is.
 

sdifox

No Lifer
Sep 30, 2005
96,156
15,774
126
Why would an ISP make more work for themselves by giving you more than one IP?
 

MtnMan

Diamond Member
Jul 27, 2004
8,821
7,976
136
NAT does not provide any security, and it breaks many things.

The SPI that is a by-product of NAT is where the security occurs, and it can be implemented without NAT and the overhead that NAT requires.
 

pcm81

Senior member
Mar 11, 2011
581
9
81
Why would an ISP make more work for themselves by giving you more than one IP?

Because the world is run by managers who only know buzzwords, and "We give you more IPs than our competitor" sounds better.
 

pcm81

Senior member
Mar 11, 2011
581
9
81
NAT does not provide any security, and it breaks many things.

The SPI that is a by-product of NAT is where the security occurs, and it can be implemented without NAT and the overhead that NAT requires.

I agree, but if there is no NAT, then there is unlikely to be any SPI either. Not that there can't be.

My point was that by eliminating the need for NAT, possibilities for big and bad corner-cutting open up, and some managers will cut them. Also, think of internet companies being able to see all of your devices individually and give a government (US or otherwise) access to a particular device.
 
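The distinction MtnMan and pcm81 are drawing (the stateful inspection, not the address translation, is what keeps unsolicited inbound traffic off a LAN host) is easier to see in code. The following is an added toy model written for this page, not code from any poster: a stateful packet filter that never rewrites an address, sitting in front of hosts that all hold global IPv6 addresses. The addresses (documentation prefix 2001:db8::/32), ports and the "scanner port" 9100 on the PC are constructed sample values.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str        # source IPv6 address; never rewritten (no NAT anywhere)
    sport: int
    dst: str        # destination IPv6 address
    dport: int
    direction: str  # "out" = LAN host -> Internet, "in" = Internet -> LAN host


# (lan_addr, lan_port, remote_addr, remote_port)
Flow = Tuple[str, int, str, int]


class StatefulFirewall:
    """Toy stateful packet filter. Outbound packets record a flow; inbound
    packets are accepted only if they are the reply direction of a recorded
    flow or match an explicit allow rule. Real connection tracking also ages
    flows out and checks TCP state, which this model omits."""

    def __init__(self, allow_inbound=()):
        self.flows: Set[Flow] = set()
        # (lan_addr, port) pairs the owner has deliberately published
        self.allow_inbound = set(allow_inbound)
        self.log: List[str] = []

    def filter(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        # Inbound: the reply direction of a flow is (dst, dport, src, sport)
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "ACCEPT"
        if (pkt.dst, pkt.dport) in self.allow_inbound:
            return "ACCEPT"
        self.log.append(f"DROP {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        return "DROP"


# Constructed sample hosts, all with global addresses and no NAT in the path.
PC = "2001:db8:1:2::10"          # home PC
HOME_SERVER = "2001:db8:1:2::443"  # a service the owner chose to publish
WEB = "2001:db8:aaaa::1"         # some website the PC visits
STRANGER = "2001:db8:ffff::1"    # unrelated remote host
SCAN_PORT = 9100                 # constructed: port the scanner uses on the PC


def run_demo() -> List[str]:
    """Replay a short constructed packet sequence and return the verdicts."""
    fw = StatefulFirewall(allow_inbound=[(HOME_SERVER, 443)])
    return [
        fw.filter(Packet(PC, 51000, WEB, 443, "out")),               # PC opens HTTPS
        fw.filter(Packet(WEB, 443, PC, 51000, "in")),                # server replies
        fw.filter(Packet(STRANGER, 40000, PC, SCAN_PORT, "in")),     # unsolicited
        fw.filter(Packet(STRANGER, 443, PC, 51000, "in")),           # right port, wrong peer
        fw.filter(Packet(STRANGER, 40001, HOME_SERVER, 443, "in")),  # published service
    ]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The scanner-to-PC transfer from the opening post never appears here because it stays on the LAN and does not traverse the firewall at all. What the model shows is that the PC's global address changes nothing about reachability as long as a stateful filter sits at the edge: the only inbound packets that get through are replies to flows the LAN started, plus the one port the owner explicitly published. Remove the filter (the "no NAT, therefore no SPI" corner-cut) and every inbound packet would be accepted.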

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
29,480
387
126
Not having NAT means that each computer has its own external IP and it sits directly on the Internet.

So while NAT does not provide high security per se, it is more secure than computers and networks sitting directly on the Internet.

Unfortunately most computer users are ignorant about networking.

ISPs and vendors of networking hardware are aware of it and use marketing "lingo twists" that are perceived by people as actual technology facts.



 

sdifox

No Lifer
Sep 30, 2005
96,156
15,774
126
Because the world is run by managers who only know buzzwords, and "We give you more IPs than our competitor" sounds better.

Or they can give you one IP and sell you more if you want more.
 

pcm81

Senior member
Mar 11, 2011
581
9
81
Or they can give you one IP and sell you more if you want more.

Just like they could give you only 1 email address and charge you for more?

Depending on what is more profitable for them: selling you more IPs or sniffing your device-to-device traffic. As stated above, having access to each device individually may become a lucrative backdoor for governments. People running ISPs are not stupid, even if they are tech-illiterate. Right now they have no means to isolate your local webcam; with each device having its own IP sitting directly on the internet, they could.

Of course tech-savvy people will still be able to put up a third-party router/firewall, but I am talking about the masses and the problems that could follow from assigning each device a public IP. Especially since most devices were never intended for such exposure and lack security protocols to deal with it.

There was a C-SPAN clip on YouTube from some time ago with the deputy director of the CIA (or was it the NSA) where the lady said "We have nothing against service providers offering strong encryption to the end user, they just need to figure out how to provide us the plain text too". All I am saying is that having an abundance of IPs provides a means of connecting all devices directly to the internet in a much less secure fashion than is implemented now. I am not claiming that IPv6 is a government conspiracy, just throwing out there theories about a possible reduction of security by having an option to connect all devices directly to the net. With IPv4 that is simply not possible...
 

sdifox

No Lifer
Sep 30, 2005
96,156
15,774
126
Just like they could give you only 1 email address and charge you for more?

Depending on what is more profitable for them: selling you more IPs or sniffing your device-to-device traffic. As stated above, having access to each device individually may become a lucrative backdoor for governments. People running ISPs are not stupid, even if they are tech-illiterate. Right now they have no means to isolate your local webcam; with each device having its own IP sitting directly on the internet, they could.

Of course tech-savvy people will still be able to put up a third-party router/firewall, but I am talking about the masses and the problems that could follow from assigning each device a public IP. Especially since most devices were never intended for such exposure and lack security protocols to deal with it.

There was a C-SPAN clip on YouTube from some time ago with the deputy director of the CIA (or was it the NSA) where the lady said "We have nothing against service providers offering strong encryption to the end user, they just need to figure out how to provide us the plain text too". All I am saying is that having an abundance of IPs provides a means of connecting all devices directly to the internet in a much less secure fashion than is implemented now. I am not claiming that IPv6 is a government conspiracy, just throwing out there theories about a possible reduction of security by having an option to connect all devices directly to the net. With IPv4 that is simply not possible...

That is an insane amount of traffic to even contemplate monitoring.
 

pcm81

Senior member
Mar 11, 2011
581
9
81
That is an insane amount of traffic to even contemplate monitoring.

I agree with "insane amount of traffic to even contemplate monitoring", but that does not prevent accessing. I am not talking about wholesale monitoring of user traffic or even traffic statistics; I am specifically talking about access to a device that was not intended for such public exposure.
 

sdifox

No Lifer
Sep 30, 2005
96,156
15,774
126
I agree with "insane amount of traffic to even contemplate monitoring", but that does not prevent accessing. I am not talking about wholesale monitoring of user traffic or even traffic statistics; I am specifically talking about access to a device that was not intended for such public exposure.

Worry more about DDoS than government snooping. Imagine hackers hijacking your smart TV for a DoS attack.
 

pcm81

Senior member
Mar 11, 2011
581
9
81
Worry more about DDoS than government snooping. Imagine hackers hijacking your smart TV for a DoS attack.

Yup. I just used government as an example, but as stated above, the real problem is directly connecting to the internet devices whose protocols were never intended for such public access. IPv6 removes the NEED for isolation; it does not directly impact the security, but if there is no NAT isolation, because it is no longer NEEDED, and most users are too ignorant to recognize the problems with direct access, we will return to the Wild Wild West of the 1990s...
 

sdifox

No Lifer
Sep 30, 2005
96,156
15,774
126
Yup. I just used government as an example, but as stated above, the real problem is directly connecting to the internet devices whose protocols were never intended for such public access. IPv6 removes the NEED for isolation; it does not directly impact the security, but if there is no NAT isolation, because it is no longer NEEDED, and most users are too ignorant to recognize the problems with direct access, we will return to the Wild Wild West of the 1990s...

Fortunately no one is ready to pony up and do a wholesale upgrade to IPv6.
 

Red Squirrel

No Lifer
May 24, 2003
67,902
12,370
126
www.anyf.ca
The biggest issue with lack of NAT is not security, as you can still have a firewall (it has to be able to pull more than one IP from the ISP and act in passive mode though, which is $$$$$$$), but the problem is that you lose control over your local address space. If you have a lot of local devices that you manage, IP spreadsheets, a local DNS server, etc., this is very problematic, as any time your ISP decides to assign a new range, all your stuff changes IP. Basically you won't have local IPs anymore. Well, you can still have those, but those won't route to the outside world, at all.

I think what will end up happening is NPT. Network Prefix Translation. Basically it's like a 1:1 NAT. At least I hope that becomes the standard. That seems like the best of both worlds.

There are solutions to the IP renumbering issue, but they only make sense for big corps. One of them is to actually buy your own IP space. So a company like Microsoft, which owns its very own IP space, does not have to worry about it changing; they actually own the range. So they'd have some "internal" and some external. But for an SMB or a geek like me who has a lot of LAN servers it will be problematic.

That's the other thing with no NAT, you lose the idea of having an internal network, everything is public facing. I don't care how many firewalls you install, that is still very scary.
 

matricks

Member
Nov 19, 2014
194
0
0
Why would an ISP make more work for themselves by giving you more than one IP?

The amount of work does not scale at any rate that is related to the number of IP addresses available to customers. On the network provider side, IPv6 is designed around the idea that you assign each customer a subnet, not an address. NAT wasn't part of the IPv6 spec from the beginning; it was added later on. By choosing to assign exactly one address to a customer, the ISP will break with intended IPv6 behavior; they will also need to implement NAT on IPv6 (meaning customer equipment must be more complex than if the customer gets a subnet). More complexity, more things that can go wrong, more work.

We can always hope that IPv6 will reveal the horrible security of most smart devices. We already know, but when everyone with a Samsung TV loses their Internet access because their TV is part of a giant botnet, people will eventually buy TVs from other manufacturers, and eventually Samsung might fix their shit (Samsung is just an example, they are all horrible at security).


The biggest issue with lack of NAT is not security, as you can still have a firewall (it has to be able to pull more than one IP from the ISP and act in passive mode though, which is $$$$$$$), but the problem is that you lose control over your local address space. If you have a lot of local devices that you manage, IP spreadsheets, a local DNS server, etc., this is very problematic, as any time your ISP decides to assign a new range, all your stuff changes IP. Basically you won't have local IPs anymore. Well, you can still have those, but those won't route to the outside world, at all.

What do you mean? Public IPv4 addresses can change, and cause exactly the same problems. RFC1918 addresses (private IPv4 - 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) are not supposed to be routable on the Internet, just like ULA (unique local addresses, fc00::/7).
 

pcm81

Senior member
Mar 11, 2011
581
9
81
What do you mean? Public IPv4 addresses can change, and cause exactly the same problems. RFC1918 addresses (private IPv4 - 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) are not supposed to be routable on the Internet, just like ULA (unique local addresses, fc00::/7).

With his NAT router he is not relying on the public IP. But if the ISP were to assign a public IP to all his devices, and then change it, he would have a problem. I suspect that geeks like most of us will just run a NAT router even though the ISP will offer a dynamic or static IP range to each customer. It's not the geeks that I am worried about, but rather the moms and pops with smart TVs (and other devices)...
 

razel

Platinum Member
May 14, 2002
2,337
90
101
Just recently (and correctly) enabled IPv6 on my home Internet. By the way, simply having IPv6-ready equipment is just the 1st step. My modem was passing IPv6 correctly, but my router by default wasn't configured correctly. Anyways...

Yes, you do not need NAT with IPv6. Yes, in one router with DD-WRT, once you configure it, by default its firewall did not block any ports to my computer. Luckily if your Windows PC is set to public network, you are fine. Set it to private and you'll be OK by default unless you have changed permissions to allow anything off private networks.

On another router, the excellent ASUS RT-AC56, IPv6 by default wasn't configured correctly. Once it is, its IPv6 firewall is on and works as expected. The other router mentioned above, a Linksys EA6400 with DD-WRT, once its firewall is configured works fine as well.

I tried to get IPv6 working on family members' Internet connections. It appears as if most older DSL modems (3+ years old) hardly support IPv6.
 

Red Squirrel

No Lifer
May 24, 2003
67,902
12,370
126
www.anyf.ca
With his NAT router he is not relying on the public IP. But if the ISP were to assign a public IP to all his devices, and then change it, he would have a problem. I suspect that geeks like most of us will just run a NAT router even though the ISP will offer a dynamic or static IP range to each customer. It's not the geeks that I am worried about, but rather the moms and pops with smart TVs (and other devices)...

Exactly.

For example I have a local DNS server with local hostnames to IP mappings, let's call it 10.1.1.10. I have several other servers at 10.1.1.11 and so on. My entire network relies on these to remain at those IPs. I have full control over this IP space. Also, if I lose my internet connection my network is still 100% operational.

Take out the NAT router, and now each device pulls a public IP from the ISP and relies on the ISP for assignment. I now lose control over my IP numbering, and if my internet goes down, my devices won't communicate any more. I also have to rely on individual device firewalls on everything. There are many more attack vectors.

Though some really expensive and beefy passive firewalls may be able to do filtering passively. So you have everything go through that first. But I doubt such devices will be available to general public.
 

matricks

Member
Nov 19, 2014
194
0
0
Your devices can have multiple IP(v6) addresses, and will likely do so by default. For example, Windows does this. I'm not IPv6 enabled on the WAN side, but if I boot my router with a default OpenWrt, which enables as many IPv6 features on the network as it can manage, all my Windows devices will take two IPv6 addresses on their interfaces without any action of mine. One is a unique local address from the ULA prefix (OpenWrt generates one on first boot if none is set, and none is discovered already in use on the local network), which is an address space I control in my own network, just like any RFC1918 address space. ULA prefixes are non-routable on the Internet like RFC1918, and will only be routed by routers specifically configured to be aware of them (so a company with a large network can segment its ULA prefix(es) as much as it wants, and route internally between them as complex as they like - again just like RFC1918). The other is a link-local address from fe80::/10 (reserved for link-local addresses). No router should route link-local addresses, these addresses are analogous to the 169.254.0.0/16 space in IPv4.

Furthermore, unless your ISP specifically decides to break with how IPv6 is intended to be used, the ISP gives you a prefix, not an address. You (can) control what public addresses your devices are assigned within the prefix. Preferably by having a DHCPv6 server - your DHCPv6 server requests a prefix from the ISP, and your own server manages addresses within the assigned prefix. The ISP might assign you a new prefix, which as you say will change the public IP address, but the host part remains the same (unless you get a narrower prefix than you had, and you used the now lost bits of the prefix in the address).
 
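matricks's two points (a host carries link-local, unique-local and global addresses at once, and a prefix change from the ISP leaves the host part alone unless the new prefix is narrower) can be checked with the standard library. This is an added example for this page, written with Python's `ipaddress` module; it is not code from any poster or from OpenWrt. The three sample addresses on the host and the prefixes are constructed (global ones use the 2001:db8::/32 documentation range).

```python
import ipaddress
from typing import Dict, List

# Ranges named in the post (RFC 4291 for link-local and 2000::/3, RFC 4193 for ULA).
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
ULA = ipaddress.IPv6Network("fc00::/7")
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")


def scope(addr: str) -> str:
    """Classify an IPv6 address by the scope the post describes."""
    a = ipaddress.IPv6Address(addr)
    if a in LINK_LOCAL:
        return "link-local"     # never forwarded by a router (cf. 169.254.0.0/16)
    if a in ULA:
        return "unique-local"   # routed only inside networks configured for it
    if a in GLOBAL_UNICAST:
        return "global"         # reachable from the Internet unless a filter stops it
    return "other"


# Constructed sample: three addresses one host might hold at the same time.
HOST_ADDRS: List[str] = [
    "fe80::1c2f:3a4b:5c6d:7e8f",   # link-local
    "fd12:3456:789a:1::10",        # ULA from a locally generated prefix
    "2001:db8:1:2::10",            # global, inside the ISP-delegated prefix
]


def classify_host(addrs: List[str] = HOST_ADDRS) -> Dict[str, str]:
    return {addr: scope(addr) for addr in addrs}


def renumber(addr: str, old_prefix: str, new_prefix: str) -> str:
    """Move a global address from the old delegated prefix to a new one,
    keeping the host part (all bits below the old prefix length) unchanged.
    Raises ValueError in the case the post mentions: the new prefix is
    narrower and the host part used bits that now belong to the prefix."""
    old = ipaddress.IPv6Network(old_prefix)
    new = ipaddress.IPv6Network(new_prefix)
    a = ipaddress.IPv6Address(addr)
    if a not in old:
        raise ValueError(f"{addr} is not inside {old_prefix}")
    host_bits = int(a) & int(old.hostmask)
    # Any host bit that is a prefix bit under the new mask is a conflict.
    if host_bits & ~int(new.hostmask):
        raise ValueError("host part overlaps the narrower prefix; that host must be renumbered")
    return str(ipaddress.IPv6Address(int(new.network_address) | host_bits))


if __name__ == "__main__":
    for addr, s in classify_host().items():
        print(f"{addr:30} {s}")
    # ISP hands out a different /48: only the prefix part of the global address moves.
    print(renumber("2001:db8:1:2::10", "2001:db8:1::/48", "2001:db8:abcd::/48"))
```

`renumber` is the bookkeeping a DHCPv6 server or a static-addressing script would do after a new prefix delegation: subnet number 2 and host ::10 survive the move from 2001:db8:1::/48 to 2001:db8:abcd::/48, and they also survive a move to a /56 as long as the subnet number fits in the remaining 8 bits. The link-local and ULA addresses are not touched by the ISP at all, which is the part of the Red Squirrel/drebo exchange about local DNS and servers that keeps working when the WAN is down.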

mv2devnull

Golden Member
Apr 13, 2010
1,503
145
106
Take out the NAT router, and now each device pulls a public IP from the ISP and relies on the ISP for assignment. I now lose control over my IP numbering, and if my internet goes down, my devices won't communicate any more. I also have to rely on individual device firewalls on everything. There are many more attack vectors.

Who said to take out the router? The router remains, just without NAT. The "normal" user probably needs an AP, and the "router" does that. It had better have a firewall already, for both IPv4 and IPv6.

When you see a public (IPv4) IP, you could presume that it hides (NATs) a subnet and lacks a firewall. You could probe it to see whether your guess is right. There are fewer than 2^32 addresses hiding behind the IP.

Let's say that an IPv6 user has a /64 prefix subnet. There are potentially 2^64 machines with public addresses in that subnet (or perhaps just one PC directly on FTTH). 2^64 is somewhat more to probe than 2^32. Naturally, if the real devices reach out, their addresses are learned.
 

drebo

Diamond Member
Feb 24, 2006
7,035
1
81
The biggest issue with lack of NAT is not security, as you can still have a firewall (it has to be able to pull more than one IP from the ISP and act in passive mode though, which is $$$$$$$), but the problem is that you lose control over your local address space. If you have a lot of local devices that you manage, IP spreadsheets, a local DNS server, etc., this is very problematic, as any time your ISP decides to assign a new range, all your stuff changes IP. Basically you won't have local IPs anymore. Well, you can still have those, but those won't route to the outside world, at all.

I think what will end up happening is NPT. Network Prefix Translation. Basically it's like a 1:1 NAT. At least I hope that becomes the standard. That seems like the best of both worlds.

There are solutions to the IP renumbering issue, but they only make sense for big corps. One of them is to actually buy your own IP space. So a company like Microsoft, which owns its very own IP space, does not have to worry about it changing; they actually own the range. So they'd have some "internal" and some external. But for an SMB or a geek like me who has a lot of LAN servers it will be problematic.

That's the other thing with no NAT, you lose the idea of having an internal network, everything is public facing. I don't care how many firewalls you install, that is still very scary.

Except that it's not. If you're a small or home environment, and you're concerned about this, you can just use stateless autoconfig, and if you have a device that you need to address statically (a printer, etc.) you would just use its link-local address. You don't have to use its global unicast address.

The ONLY time this becomes an issue is if you have multiple VLANs and need to talk across them. That is such a small number of home and small business users, though, that it's really a non-issue. The home users that need that should know how to re-IP their stuff (and it's really a non-issue anyway, as your ISP is only going to bridge you a /64 and that's it.)

If I'm a home environment on IPv6, I'm not going to care or notice. Stateless autoconfig takes care of getting me internet access and link-local addressing lets me talk to all of my other shit. If I'm a small business, I'd probably run DHCPv6, but that's easy to change if I ever move ISPs.

So, in short, complete non-issue.
 

drebo

Diamond Member
Feb 24, 2006
7,035
1
81
Exactly.

For example I have a local DNS server with local hostnames to IP mappings, let's call it 10.1.1.10. I have several other servers at 10.1.1.11 and so on. My entire network relies on these to remain at those IPs. I have full control over this IP space. Also, if I lose my internet connection my network is still 100% operational.

Take out the NAT router, and now each device pulls a public IP from the ISP and relies on the ISP for assignment. I now lose control over my IP numbering, and if my internet goes down, my devices won't communicate any more. I also have to rely on individual device firewalls on everything. There are many more attack vectors.

Though some really expensive and beefy passive firewalls may be able to do filtering passively. So you have everything go through that first. But I doubt such devices will be available to general public.

IT hobbyists not knowing how IPv6 works is the biggest hindrance to deployment.
 

RadiclDreamer

Diamond Member
Aug 8, 2004
8,622
40
91
IT hobbyists not knowing how IPv6 works is the biggest hindrance to deployment.

I would argue the length of addressing is a bigger hindrance. I have been a network guy for over 15 years and I shudder when I think about having to do crap with IPv6 because the addresses are just so dang long. I understand completely how it works, and how you can shorten them, and how the first portion will be your prefix all the time, etc., but today I can tell a coworker a printer is 10 20 30 40 and they get it without the dots. When I go to IPv6 and have to say the printer is at FE80:0000:0000:0000:0202:B3FF:FE1E:8329 I just shudder. Again I know the shortening techniques but I just don't like it.

Also, you kids get off my damned lawn!
 

drebo

Diamond Member
Feb 24, 2006
7,035
1
81
I would argue the length of addressing is a bigger hindrance. I have been a network guy for over 15 years and I shudder when I think about having to do crap with IPv6 because the addresses are just so dang long. I understand completely how it works, and how you can shorten them, and how the first portion will be your prefix all the time, etc., but today I can tell a coworker a printer is 10 20 30 40 and they get it without the dots. When I go to IPv6 and have to say the printer is at FE80:0000:0000:0000:0202:B3FF:FE1E:8329 I just shudder. Again I know the shortening techniques but I just don't like it.

Also, you kids get off my damned lawn!

I agree to some extent, but there are ways around it. When I build dual-stack networks, I'll take my /64s and just make the last 4 hextets the same as my IPv4 address. Sure, I waste tons of space, but who cares? Makes it easy.

FWIW, EUI-64 addressing is the dumbest thing ever.
 
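The address RadiclDreamer quotes, drebo's "last four hextets equal the IPv4 address" habit, and drebo's dislike of EUI-64 all come together in a few lines of code. The following is an added example written for this page (not any poster's code): it derives a modified EUI-64 interface identifier from a MAC the way SLAAC does, shows that RadiclDreamer's FE80:0000:0000:0000:0202:B3FF:FE1E:8329 is exactly what a NIC with MAC 00:02:b3:1e:83:29 would produce, recovers the MAC back out of the address (the tracking concern that RFC 4941 privacy extensions were written for), and implements drebo's scheme under the assumption that each IPv4 octet's decimal digits are written as one hextet. The /64 prefixes and the MAC are constructed sample values.

```python
import ipaddress
from typing import Optional


def modified_eui64(mac: str) -> int:
    """Interface identifier from a 48-bit MAC (RFC 4291, Appendix A):
    split the MAC in half, insert ff:fe, flip the universal/local bit
    (the 0x02 bit of the first octet)."""
    octets = bytearray(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    octets[0] ^= 0x02
    iid = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return int.from_bytes(iid, "big")


def slaac_address(prefix: str, mac: str) -> str:
    """The address SLAAC would form from an advertised /64 and the MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 SLAAC needs a /64 prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | modified_eui64(mac)))


def mac_from_address(addr: str) -> Optional[str]:
    """Undo EUI-64: if the interface identifier has ff:fe in the middle,
    return the MAC it encodes, otherwise None. The same MAC appears under
    every prefix the host ever uses, which is what makes EUI-64 trackable."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = bytearray(iid.to_bytes(8, "big"))
    if b[3:5] != b"\xff\xfe":
        return None
    b[0] ^= 0x02
    return ":".join(f"{x:02x}" for x in b[:3] + b[5:])


def ipv4_in_low_hextets(prefix: str, ipv4: str) -> str:
    """drebo's dual-stack convention as read here (assumption): each IPv4
    octet's decimal digits become one of the last four hextets, so
    10.20.30.40 under 2001:db8:1:2::/64 becomes 2001:db8:1:2:10:20:30:40."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("scheme needs a /64 prefix")
    iid = 0
    for octet in str(ipaddress.IPv4Address(ipv4)).split("."):
        iid = (iid << 16) | int(octet, 16)   # "40" is read as the hex digits 0x40
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def shorten(addr: str) -> str:
    """RFC 5952 text form: strip leading zeros, collapse the longest zero run."""
    return ipaddress.IPv6Address(addr).compressed


def expand(addr: str) -> str:
    return ipaddress.IPv6Address(addr).exploded


if __name__ == "__main__":
    mac = "00:02:b3:1e:83:29"                       # constructed sample MAC
    print(slaac_address("fe80::/64", mac))           # fe80::202:b3ff:fe1e:8329
    print(expand(slaac_address("fe80::/64", mac)))
    print(mac_from_address("2001:db8:abcd:1:202:b3ff:fe1e:8329"))
    print(ipv4_in_low_hextets("2001:db8:1:2::/64", "10.20.30.40"))
```

Two things worth noticing when running it: the long form RadiclDreamer finds painful compresses to `fe80::202:b3ff:fe1e:8329`, and `mac_from_address` returns the NIC's MAC from any EUI-64 address regardless of prefix, which is the privacy reason most desktop stacks now default to randomized or stable-private interface identifiers instead. drebo's scheme sidesteps both problems for statically addressed hosts because the interface identifier is chosen by the administrator and carries no hardware identity.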