It also means you no longer need the kludge that is NAT. Full E2E connectivity is really nice – though I’ve found some network admins dislike this idea because they’re so used to thinking about it differently or (mistakenly) think it adds to their security.
NAT still has its place in obfuscating the internal network. Also, it’s easier to think about firewall/routing when you segregate a network behind a router on its own subnet, IMO.
There’s no reason your clients can’t have public, world routeable IPs as well as security.
There are a lot of valid reasons, other than security, for why you wouldn’t want that though. You don’t necessarily want to allow any client’s activity to be traceable on an individual level, nor do you want to allow people to do things like count the number of clients at a particular location. Information like that is just unnecessary to expose, even if hiding it doesn’t make anything more secure per se.
Well good news. Because ipv6 has a thing called privacy extensions which has been switched on by default on every device I’ve used.
That generates random ipv6 addresses (which are regularly rotated) that are used for outgoing connections. Your router should block incoming connections to those ips but the os will too. The proper permanent ip address isn’t used for outgoing connections and the address space allocated to each user makes a brute force scan more prohibitive than scanning the whole Ipv4 Internet.
So I’m going to say that using routable ipv6 addresses with privacy extensions is more secure than a single Ipv4 Nat address with dnat.
Yes, of course. But saying trite things like that doesn’t get around the idea that giving out a map of the internal network by default isn’t the best policy.
With CGNAT, governments still spy on individual addresses when they want. Since those individual addresses now cover a whole bunch of people, they effectively spy on large groups, most of whom have nothing to do with whatever they’re investigating. At least with IPv6, it’d be targetted.
NAT obscurity comes at a cost. Its gain is so little that even a small cost eliminates its benefit.
Governments are not anyone’s issue other than other governments. If your threat model is state actors, you’re SOL either way.
Making it harder for everyone else is the goal, and to do that you need a swiss cheese model. Hopefully all the holes don’t line up between the layers to make it that much harder to get through. You aren’t plugging all the holes, but every layer you put on makes it a little bit harder.
And NAT is not just simple to set up, it’s the intuitive base for the last 30 years of firewalls. I don’t see where you get a cost from it. As I said, separating network spaces with it comes naturally at this point. Maybe that’ll change, but I remember using routable IPV4 when it was it the norm, and moving to NAT made that all feel way more natural.
Long story short is that NAT is eggshell security and you should be relying on actual firewall rules (I wouldn’t recommend F5) instead of the implicit but not very good protections of NAT.
It wasn’t designed for a security purpose in the first place. So turn the question around: why does NAT make a network more secure at all?
The answer is that it doesn’t. Firewalls work fine without NAT. Better, in fact, because NAT itself is a complication firewalls have to deal with, and complications are the enemy of security. The benefits of obfuscating hosts behind the firewall is speculative and doesn’t outweigh other benefits of end to end addressing.
The main benefit of a NAT is that by default it prevents all external access to the hosts inside the network. Any port you have open is not accessible unless explicitly forwarded.
This has a lot of security benefits.
Regardless, everything you said is sounds true to me.
I still have to initiate the outgoing UDP. Are you talking about the specific case where any software running on my host can initiate it without me requesting?
You can get exactly the same benefit by blocking non-established/non-related connections on your firewall. NAT does nothing to help security.
Edit: BTW–every time I see this response of “NAT can prevent external access”, I severely question the poster’s networking knowledge. Like to the level where I wonder how you manage to config a home router correctly. Or maybe it’s the way home routers present the interface that leads people to believe the two functions are intertwined when they aren’t.
Yeah it’s a huge source of problems. If you are outside the US your IPv6 prefix is never gonna be correct in every GeoIP database, even if you send a request to have it corrected, so you sometimes get geoblocked and other sites just block you because it sometimes gets classified as VPN.
I did it by acquiring my own AS number and prefix, allowing me to set the geofeed, and announcing it via public BGP from a box in a data center. Took a few days for most things to pick it up the geolocation.
4k was fine until I tried watching 8k 60fps HDR on YouTube, disabling IPv6 fixed it. It was weird because speedtest and torrents were completely fine using full bandwidth, just YouTube needed me to disable ipv6
I’ve heard of all sorts of issues with my fiber ISP (Verizon Fios) rolling out IPv6. It’s been years that they’ve been slowly rolling it out for testing in a few places. There’s virtually no useful documentation on their website about it. And it’s still not available where I am.
ipv6 in companies…
ipv6 is not hard, but for internal networking no company (really) “needs” more than rfc1918 address space.
thus any decision in that direction is always “less” needed than any bonus for (da)magement personnel is crucial for the whole companies survival…
for companies services to be reachable from outside/ipv6 mostly “only” the loadbalancers/revproxies etc need to be ipv6 ready but … this i.e. also produces logs that possibly break decades old regexes that no one understands any more (as the good engineers left due to too many boni payed to damagement personnel) while other access/deny rules that could break or worse let through where they should block (remember that 192.168. could the local part of ipv6 IF sone genious used a matching mech that treats the dot “.” as a wildcard as overpayed damagement personnel made them rush too fast), could be hidden “somewhere”. altogether technical debt is a huge blocker for everything, especially company growth, and if no customer “demands” ipv6, then it stays on the damagement personnels list as “fulfilling the whishes of engineers to keep them happy” instead of on the always deleted “cleaning up technical debt caused by damagement personnel” list.
setting up firewalls for ipv6 is quite easy and if you go the finegrained “whitelisted or drop/block” approach from the beginning it might take a bit for ipv6 specials to be known to you, but the much bigger thing is IMHO the then current state of firewall rules. and who knows every existing rule? what rules should be removed already and must not be ported to ipv6? usually firewalls and their rules are a big mess due to … again too many boni payed to damagement personnel, hindering the company from the needed steps forward…
ipv6 adoption is slow for reasons that are driving huge cars that in turn speed up other problems ;-|
i once had to look at a firefall appliance cluster, (discovered, it could not do any failover in its current state but somehow the decider was ok with that) but when looking at its logs, i discovered an rsh and rcp access from an ip address that belonged to a military organisation from a different continent. i had to make it a security incident. later the vendor said that this was only the cluster internal routing (over the dedicated crosslink), used for synchronisation (the thing that did not work) and was only used by a separate routing table only for clustersync and that could never be used for real traffic.
but why not simply use an ip that you “own” by yourself and PTR it with a hint about what this ip is used for? instead of customers scratching their head why military still uses rcp and rsh. i guess because no company reads firewall logs anyway XD
someone elses ip? yes! becuase they’ll never find out !!1!
i really appreciate that ipv6 has things like a dedicated documentation address range and that fc00:/7 is nicely short.
deleted by creator
It also means you no longer need the kludge that is NAT. Full E2E connectivity is really nice – though I’ve found some network admins dislike this idea because they’re so used to thinking about it differently or (mistakenly) think it adds to their security.
NAT still has its place in obfuscating the internal network. Also, it’s easier to think about firewall/routing when you segregate a network behind a router on its own subnet, IMO.
Given how large the address space is, it’s super easy to segregate out your networks to the nth degree and apply proper firewall rules.
There’s no reason your clients can’t have public, world routeable IPs as well as security.
Security via obfuscation isn’t security. It’s a crutch.
There are a lot of valid reasons, other than security, for why you wouldn’t want that though. You don’t necessarily want to allow any client’s activity to be traceable on an individual level, nor do you want to allow people to do things like count the number of clients at a particular location. Information like that is just unnecessary to expose, even if hiding it doesn’t make anything more secure per se.
Well good news. Because ipv6 has a thing called privacy extensions which has been switched on by default on every device I’ve used.
That generates random ipv6 addresses (which are regularly rotated) that are used for outgoing connections. Your router should block incoming connections to those ips but the os will too. The proper permanent ip address isn’t used for outgoing connections and the address space allocated to each user makes a brute force scan more prohibitive than scanning the whole Ipv4 Internet.
So I’m going to say that using routable ipv6 addresses with privacy extensions is more secure than a single Ipv4 Nat address with dnat.
Obfuscation is not security, and not having IPv6 causes other issues. Including some security/privacy ones.
There is no problem having a border firewall in IPv6. NAT does not help that situation at all.
Yes, of course. But saying trite things like that doesn’t get around the idea that giving out a map of the internal network by default isn’t the best policy.
So instead we open up a bunch of other issues.
With CGNAT, governments still spy on individual addresses when they want. Since those individual addresses now cover a whole bunch of people, they effectively spy on large groups, most of whom have nothing to do with whatever they’re investigating. At least with IPv6, it’d be targetted.
NAT obscurity comes at a cost. Its gain is so little that even a small cost eliminates its benefit.
Governments are not anyone’s issue other than other governments. If your threat model is state actors, you’re SOL either way.
Making it harder for everyone else is the goal, and to do that you need a swiss cheese model. Hopefully all the holes don’t line up between the layers to make it that much harder to get through. You aren’t plugging all the holes, but every layer you put on makes it a little bit harder.
And NAT is not just simple to set up, it’s the intuitive base for the last 30 years of firewalls. I don’t see where you get a cost from it. As I said, separating network spaces with it comes naturally at this point. Maybe that’ll change, but I remember using routable IPV4 when it was it the norm, and moving to NAT made that all feel way more natural.
You don’t need to give up IPV6 to have NAT though.
That’s what temporary privacy addresses are for. Clients can just keep generating new addresses in your /64, which is it’s own subnet.
Why do you say NAT doesn’t make a network more secure?
deleted by creator
This article is biased to selling you more F5 equipment but is a reasonable summary:
https://www.f5.com/resources/white-papers/the-myth-of-network-address-translation-as-security
Long story short is that NAT is eggshell security and you should be relying on actual firewall rules (I wouldn’t recommend F5) instead of the implicit but not very good protections of NAT.
It wasn’t designed for a security purpose in the first place. So turn the question around: why does NAT make a network more secure at all?
The answer is that it doesn’t. Firewalls work fine without NAT. Better, in fact, because NAT itself is a complication firewalls have to deal with, and complications are the enemy of security. The benefits of obfuscating hosts behind the firewall is speculative and doesn’t outweigh other benefits of end to end addressing.
The main benefit of a NAT is that by default it prevents all external access to the hosts inside the network. Any port you have open is not accessible unless explicitly forwarded.
This has a lot of security benefits. Regardless, everything you said is sounds true to me.
deleted by creator
I still have to initiate the outgoing UDP. Are you talking about the specific case where any software running on my host can initiate it without me requesting?
Edit: apparently NAT is full of security bugs
deleted by creator
You can get exactly the same benefit by blocking non-established/non-related connections on your firewall. NAT does nothing to help security.
Edit: BTW–every time I see this response of “NAT can prevent external access”, I severely question the poster’s networking knowledge. Like to the level where I wonder how you manage to config a home router correctly. Or maybe it’s the way home routers present the interface that leads people to believe the two functions are intertwined when they aren’t.
My ISP doesn’t support IPv6, now what?
It’s really bullshit.
Really bullshit ISP indeed.
deleted by creator
Hurricane Electric have a free tunnel broker that is super simple to set up if you really want to get on the bandwagon.
https://tunnelbroker.net/
Though honestly I’d say the benefits of setting it up aren’t really worth the trouble unless you’re keen.
Yeah it’s a huge source of problems. If you are outside the US your IPv6 prefix is never gonna be correct in every GeoIP database, even if you send a request to have it corrected, so you sometimes get geoblocked and other sites just block you because it sometimes gets classified as VPN.
I agree. GeoIP was never a good idea, but here we are. Any ASN could be broken up and routed wherever (and changed) but it’s still far too prevalent.
I did it by acquiring my own AS number and prefix, allowing me to set the geofeed, and announcing it via public BGP from a box in a data center. Took a few days for most things to pick it up the geolocation.
Sounds (labor and money) expensive.
I had network speed issues and the solution was literally to disable ipv6… Fiber 1gbit network still had issues. https://www.reddit.com/r/youtube/comments/owbjdl/anyone_else_getting_buffering_when_using_ipv6/
deleted by creator
4k was fine until I tried watching 8k 60fps HDR on YouTube, disabling IPv6 fixed it. It was weird because speedtest and torrents were completely fine using full bandwidth, just YouTube needed me to disable ipv6
Weird. Ipv6 and YouTube stats for nerds shows between 140mbit and 600mbit depending on what’s being watched and the time of day.
Is it possible your isp has problems with their ipv6 setup?
IPv6 overheads should only have a marginal impact on max speeds.
I’ve heard of all sorts of issues with my fiber ISP (Verizon Fios) rolling out IPv6. It’s been years that they’ve been slowly rolling it out for testing in a few places. There’s virtually no useful documentation on their website about it. And it’s still not available where I am.
ipv6 in companies… ipv6 is not hard, but for internal networking no company (really) “needs” more than rfc1918 address space. thus any decision in that direction is always “less” needed than any bonus for (da)magement personnel is crucial for the whole companies survival…
for companies services to be reachable from outside/ipv6 mostly “only” the loadbalancers/revproxies etc need to be ipv6 ready but … this i.e. also produces logs that possibly break decades old regexes that no one understands any more (as the good engineers left due to too many boni payed to damagement personnel) while other access/deny rules that could break or worse let through where they should block (remember that 192.168. could the local part of ipv6 IF sone genious used a matching mech that treats the dot “.” as a wildcard as overpayed damagement personnel made them rush too fast), could be hidden “somewhere”. altogether technical debt is a huge blocker for everything, especially company growth, and if no customer “demands” ipv6, then it stays on the damagement personnels list as “fulfilling the whishes of engineers to keep them happy” instead of on the always deleted “cleaning up technical debt caused by damagement personnel” list.
setting up firewalls for ipv6 is quite easy and if you go the finegrained “whitelisted or drop/block” approach from the beginning it might take a bit for ipv6 specials to be known to you, but the much bigger thing is IMHO the then current state of firewall rules. and who knows every existing rule? what rules should be removed already and must not be ported to ipv6? usually firewalls and their rules are a big mess due to … again too many boni payed to damagement personnel, hindering the company from the needed steps forward…
ipv6 adoption is slow for reasons that are driving huge cars that in turn speed up other problems ;-|
deleted by creator
i once had to look at a firefall appliance cluster, (discovered, it could not do any failover in its current state but somehow the decider was ok with that) but when looking at its logs, i discovered an rsh and rcp access from an ip address that belonged to a military organisation from a different continent. i had to make it a security incident. later the vendor said that this was only the cluster internal routing (over the dedicated crosslink), used for synchronisation (the thing that did not work) and was only used by a separate routing table only for clustersync and that could never be used for real traffic. but why not simply use an ip that you “own” by yourself and PTR it with a hint about what this ip is used for? instead of customers scratching their head why military still uses rcp and rsh. i guess because no company reads firewall logs anyway XD
someone elses ip? yes! becuase they’ll never find out !!1!
i really appreciate that ipv6 has things like a dedicated documentation address range and that fc00:/7 is nicely short.