Maybe I have Stockholm Syndrome, but I like NAT. It’s like, due to the flaws of IPv4 we basically accidentally get subnets segmented off, no listening ports, have to explicitly configure port forwarding to be able to listen for connections, which kinda implies you know what you’re doing (ssshh don’t talk about UPnP). Accidental security of a default deny policy even without any firewalls configured. Haha. I’m still getting into this stuff though, please feel free to enlighten me
Anything connected to an untrusted network should have a firewall, doesn’t matter if it’s IPv4 or IPv6.
There’s functionally no difference between NAT on IPv4 or directly allowing ports on IPv6, they both are deny by default and require explicit forwarding. Subnetting is also still a thing on IPv6.
If anything, IPv6 is more secure because it’s impossible to do a full network scan. My ISP assigned 4,722,366,482,869,645,213,696 addresses just to me. Good luck finding the used ones.
With IPv4 if you spin up a new service on a common port it usually gets detected within 24h nowadays.
Ahh, woah, I never thought about the huge address space would affect network scans and such.
With NAT on IPv4 I set up port forwarding at my router. Where would I set up the IPv6 equivalent?
I guess assumptions I have at the moment are that my router is a designated appliance for networking concerns and doing all the config there makes sense, and secondly any client device to be possibly misconfigured. Or worse, it was properly configured by me but then the OS vendor pushed an update and now it’s misconfigured again.
With NAT on IPv4 I set up port forwarding at my router. Where would I set up the IPv6 equivalent?
The same thing, except for the router translating 123.123.123.123 to 192.168.0.250 it will directly route abcd:abcd::beef to abcd:abcd::beef.
Assuming you have multiple hosts in your IPv6 network you can simply add “port forwardings” for each of them. Which is another advantage for IPv6, you can port forward the same port multiple times for each of your hosts.
I guess assumptions I have at the moment are that my router is a designated appliance for networking concerns and doing all the config there makes sense, and secondly any client device to be possibly misconfigured. Or worse, it was properly configured by me but then the OS vendor pushed an update and now it’s misconfigured again.
That still holds true, the router/firewall has absolute control over what goes in and out of the network on which ports and for which hosts. I would never expose a client directly to the internet, doesn’t matter if IPv4 or IPv6. Even servers are not directly exposed, they still go through firewalls.
I wouldn’t rely on the size of the address space to provide security. It’s possible to find hosts through methods other than brute force scanning. I remember seeing a talk from a conference (CCC? DEF CON? I can’t remember) where they were able to find hosts in government IPv6 address space (might have been DOD?) through stuff like certificate transparency logs and other DNS side channels.
Will take a look at the talk once I get time, thanks. If you can find the original one you were talking about, please link.
For servers, there is some truth that the address space does not provide much benefit since the addressing of them is predictable most of the time.
However, it is a huge win in security for private internet. Thanks to the privacy extension, those IPs are not just generated completely random, they also rotate regularily.
It should not be the sole source of security but it definitely adds to it if done right.
Could a hypothetical attacker not just get you to visit a webpage, or an image embedded in another, or even a speculatively loaded URL by your browser. Then from the v6 address of the connection, directly attack that address hoping for a misconfiguration of your router (which is probable, as most of them are in the dumbest ways)
Vs v4, where the attacker just sees either your routers IP address (and then has to hope the router has a vulnerability or a port forward) or increasingly gets the IP address of the CGNAT block which might have another 1000 routers behind it.
Unless you’re aggressively rotating through your v6 address space, you’ve now given advertisers and data brokers a pretty accurate unique identifier of you. A much more prevalent “attack” vector.
There is this notion that IPv6 exposes any host directly to the internet, which is not correct. When the client IP is attacked “directly” the attacker still talks to the router responsible for your network first and foremost.
While a misconfiguration on the router is possible, the same is possible on IPv4. In fact, it’s even a “feature” in many consumer routers called “DMZ host”, which exposes all ports to a single host.
Which is obviously a security nightmare in both IPv4 and IPv6.
Just as CGNAT is a thing on IPv4, you can have as many firewalls behind one another as you want. Just because the target IP always is the same does not mean it suddenly is less secure than if the IP gets “NATted” 4 times between routers. It actually makes errors more likely because diagnosing and configuring is much harder in that environment.
Unless you’re aggressively rotating through your v6 address space, you’ve now given advertisers and data brokers a pretty accurate unique identifier of you. A much more prevalent “attack” vector.
That is what the privacy extension was created for, with it enabled it rotates IP addresses pretty regularily, there are much better ways to keep track of users than their IP addresses. Many implementations of the privacy extension still have lots of issues with times that are too long or with it not even enabled by default.
Hopefully that will get better when IPv6 becomes the default after the heat death of the universe.
Since you can have multiple IPv6 addresses on one machine, you can use a rotating address for all outbound connections and a permanent address for inbound connections. If you visit a malicious website that tries to attack the IP that visits it, there will be no ports open. They would have to scan billions of addresses to find the permanent address. All of that scanning would be easily detected and blocked by an IDS.
There is this notion that IPv6 exposes any host directly to the internet, which is not correct.
TP-Link routers used to actually do this. They didn’t have an IPv6 firewall at all. In fact they didn’t add an IPv6 firewall to their “enterprise-focused” 10Gbps router (ER8411) until October 2023.
I don’t think you have Stockholm syndrome. You just like what you already understand well. It’s a normal part of the human condition.
All those features of nat also work with IPV6 with no nat in the exact same way. When I want to open up a port I just make a new firewall rule. Plus you get the advantages of being able to address the ach host behind the firewall. It’s a huge win with no losses.
Every time I see a defense of IPv4 and NAT, I think back to the days of trying to get myself and my roommate to play C&C: Generals together online, with a 2v2 game, with one of us hosting. Getting just the right combination of port forwarding working was more effort than us playing C&C: Red Alert on dial up when we both lived at home.
With IPv6, the answer is to open incoming traffic on the port(s) to the host machine (or just both since the other guy is might host next time). With IPv4, we have to have a conversation about port forwarding and possibly hairpin routes on top of that. This isn’t a gate for people “who know what they’re doing”, it’s just a bunch of extra bullshit to deal with.
Instead of nat and port forwards that rewrite, your firewall is set to only forward specific traffic, exactly how’d you’d configure outbound forwarding on a nat network (but opposite directions)
Maybe I have Stockholm Syndrome, but I like NAT. It’s like, due to the flaws of IPv4 we basically accidentally get subnets segmented off, no listening ports, have to explicitly configure port forwarding to be able to listen for connections, which kinda implies you know what you’re doing (ssshh don’t talk about UPnP). Accidental security of a default deny policy even without any firewalls configured. Haha. I’m still getting into this stuff though, please feel free to enlighten me
Anything connected to an untrusted network should have a firewall, doesn’t matter if it’s IPv4 or IPv6.
There’s functionally no difference between NAT on IPv4 or directly allowing ports on IPv6, they both are deny by default and require explicit forwarding. Subnetting is also still a thing on IPv6.
If anything, IPv6 is more secure because it’s impossible to do a full network scan. My ISP assigned 4,722,366,482,869,645,213,696 addresses just to me. Good luck finding the used ones.
With IPv4 if you spin up a new service on a common port it usually gets detected within 24h nowadays.
Ahh, woah, I never thought about the huge address space would affect network scans and such.
With NAT on IPv4 I set up port forwarding at my router. Where would I set up the IPv6 equivalent?
I guess assumptions I have at the moment are that my router is a designated appliance for networking concerns and doing all the config there makes sense, and secondly any client device to be possibly misconfigured. Or worse, it was properly configured by me but then the OS vendor pushed an update and now it’s misconfigured again.
The same thing, except for the router translating 123.123.123.123 to 192.168.0.250 it will directly route abcd:abcd::beef to abcd:abcd::beef.
Assuming you have multiple hosts in your IPv6 network you can simply add “port forwardings” for each of them. Which is another advantage for IPv6, you can port forward the same port multiple times for each of your hosts.
That still holds true, the router/firewall has absolute control over what goes in and out of the network on which ports and for which hosts. I would never expose a client directly to the internet, doesn’t matter if IPv4 or IPv6. Even servers are not directly exposed, they still go through firewalls.
I wouldn’t rely on the size of the address space to provide security. It’s possible to find hosts through methods other than brute force scanning. I remember seeing a talk from a conference (CCC? DEF CON? I can’t remember) where they were able to find hosts in government IPv6 address space (might have been DOD?) through stuff like certificate transparency logs and other DNS side channels.
Man, I need to go find that talk now…
Edit: I don’t think this is the one I saw previously but is in a similar vein: https://www.youtube.com/watch?v=AayifEqLbhI
Will take a look at the talk once I get time, thanks. If you can find the original one you were talking about, please link.
For servers, there is some truth that the address space does not provide much benefit since the addressing of them is predictable most of the time.
However, it is a huge win in security for private internet. Thanks to the privacy extension, those IPs are not just generated completely random, they also rotate regularily.
It should not be the sole source of security but it definitely adds to it if done right.
Could a hypothetical attacker not just get you to visit a webpage, or an image embedded in another, or even a speculatively loaded URL by your browser. Then from the v6 address of the connection, directly attack that address hoping for a misconfiguration of your router (which is probable, as most of them are in the dumbest ways)
Vs v4, where the attacker just sees either your routers IP address (and then has to hope the router has a vulnerability or a port forward) or increasingly gets the IP address of the CGNAT block which might have another 1000 routers behind it.
Unless you’re aggressively rotating through your v6 address space, you’ve now given advertisers and data brokers a pretty accurate unique identifier of you. A much more prevalent “attack” vector.
There is this notion that IPv6 exposes any host directly to the internet, which is not correct. When the client IP is attacked “directly” the attacker still talks to the router responsible for your network first and foremost.
While a misconfiguration on the router is possible, the same is possible on IPv4. In fact, it’s even a “feature” in many consumer routers called “DMZ host”, which exposes all ports to a single host. Which is obviously a security nightmare in both IPv4 and IPv6.
Just as CGNAT is a thing on IPv4, you can have as many firewalls behind one another as you want. Just because the target IP always is the same does not mean it suddenly is less secure than if the IP gets “NATted” 4 times between routers. It actually makes errors more likely because diagnosing and configuring is much harder in that environment.
That is what the privacy extension was created for, with it enabled it rotates IP addresses pretty regularily, there are much better ways to keep track of users than their IP addresses. Many implementations of the privacy extension still have lots of issues with times that are too long or with it not even enabled by default.
Hopefully that will get better when IPv6 becomes the default after the heat death of the universe.
Since you can have multiple IPv6 addresses on one machine, you can use a rotating address for all outbound connections and a permanent address for inbound connections. If you visit a malicious website that tries to attack the IP that visits it, there will be no ports open. They would have to scan billions of addresses to find the permanent address. All of that scanning would be easily detected and blocked by an IDS.
TP-Link routers used to actually do this. They didn’t have an IPv6 firewall at all. In fact they didn’t add an IPv6 firewall to their “enterprise-focused” 10Gbps router (ER8411) until October 2023.
I don’t think you have Stockholm syndrome. You just like what you already understand well. It’s a normal part of the human condition.
All those features of nat also work with IPV6 with no nat in the exact same way. When I want to open up a port I just make a new firewall rule. Plus you get the advantages of being able to address the ach host behind the firewall. It’s a huge win with no losses.
Every time I see a defense of IPv4 and NAT, I think back to the days of trying to get myself and my roommate to play C&C: Generals together online, with a 2v2 game, with one of us hosting. Getting just the right combination of port forwarding working was more effort than us playing C&C: Red Alert on dial up when we both lived at home.
With IPv6, the answer is to open incoming traffic on the port(s) to the host machine (or just both since the other guy is might host next time). With IPv4, we have to have a conversation about port forwarding and possibly hairpin routes on top of that. This isn’t a gate for people “who know what they’re doing”, it’s just a bunch of extra bullshit to deal with.
You can intentionally get that behaviour by using a firewall.
Instead of nat and port forwards that rewrite, your firewall is set to only forward specific traffic, exactly how’d you’d configure outbound forwarding on a nat network (but opposite directions)
Open forwarding is a router, not a firewall