IPv6 Enterprise Security:
The NAT Returns
Sanjeev Gupta
Vice-Chairman
IPv6 Forum (Singapore)
sanjeev@dcs1.biz
IPv6 Review
- It will happen
  - In our careers
  - In our ISPs
  - In our enterprises
  - On our consumer devices
  - In things we cannot think of yet.
IPv6 Review
- It is happening
  - ISPs are turning it on, to offload traffic from IPv4
  - The alternative is to run CGN (NAT444), which is both expensive and short-term
  - 31% of Verizon Mobile traffic is over IPv6, with users not realizing it (Apr 2013)
  - Your “enterprise” OS already has it turned on!
IPv6 Review
- Recent news
  - Starhub has turned on 6to4 on MaxOnline, so your home router has IPv6
  - And therefore, without your knowledge, so may your home PC
- So what is IPv6, and how does it differ from IPv4?
IPv6 vis-à-vis IPv4
- Some things remain the same
  - The concepts of routing, networks, and the 7-layer OSI stack. Firewalls, TCP, UDP all remain the same.
- Enough things change
  - The definition of default routers
  - Address assignment
  - Neighbour Discovery
  - And the entire language changes …
IPv6 vis-à-vis IPv4
- Examples of minor changes
  - Cisco: show ip becomes show ipv6
- Examples of major changes
  - Multicast
  - Need to understand scopes
  - Multiple ways to write the same IPv6 address
    - 2405:FC00:0000:0000:0000:0876:0001:0053
    - 2405:FC00:0:0:0:876:1:53
    - 2405:FC00::876:1:53
    - The RFC 5952 canonical form is lowercase with the longest zero run compressed (2405:fc00::876:1:53); firewall rules, allow-lists and log searches must compare parsed addresses, never strings, or one spelling slips past
  - IPv6 devices will autoconfigure magically!
IPv6 Security Implications
- Autoconfiguration
  - As devices set themselves up, they will start talking to each other, even when you may not want them to.
  - Routers get discovered, and used.
  - Multiple routers on a link are not only possible, they are likely.
  - Network discovery is easier, which may be good or bad: every host listens on the all-nodes multicast group ff02::1, so one ping to it from any port enumerates the link.
IPv6 Security Implications
- Rogue routers
  - Similar to the problem of rogue DHCP servers in IPv4
  - A rogue router can override your real router: any host on the link can send Router Advertisements, and hosts accept them by default
  - Reasonably easy to set up a MITM with SLAAC: advertise yourself as default router (or advertise your own prefix with the A flag set), then forward the traffic on
  - Mitigation: RA Guard on the access switch (RFC 6105), and disable RA processing on hosts that do not need it (net.ipv6.conf.all.accept_ra=0 on Linux)
- DAD conflicts
  - A rogue host can use DAD to block any other host from assigning an IP address: answer every Neighbour Solicitation for a tentative address with a Neighbour Advertisement, and the victim gives the address up
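The rogue-router problem above is visible on the wire: every Router Advertisement is an ICMPv6 type 134 packet whose source and Prefix Information options can be checked against what the network is supposed to contain. The following is an added example in Python, not code from the presentation. It parses an RA per RFC 4861, builds two constructed frames (one from the legitimate router, one from a rogue host pushing its own prefix at high preference) and reports the findings a monitor on a SPAN port would raise. The allow-list of routers and prefixes is a hypothetical policy for one office LAN, and the ICMPv6 checksum is left at zero because verifying it needs the IPv6 pseudo-header, which is outside the ICMPv6 body shown here.

```python
"""Parse ICMPv6 Router Advertisements and flag the ones a rogue host would send.

Added example, not from the slides: the RA layout follows RFC 4861, the sample
frames are constructed, and KNOWN_ROUTERS / KNOWN_PREFIXES is a hypothetical policy.
"""
import ipaddress
import struct

ND_ROUTER_ADVERT = 134        # ICMPv6 type (RFC 4861 section 4.2)
OPT_PREFIX_INFORMATION = 3    # ND option type (RFC 4861 section 4.6.2)

# Hypothetical policy: the one real router's link-local address and the prefix it serves.
KNOWN_ROUTERS = {ipaddress.IPv6Address("fe80::1")}
KNOWN_PREFIXES = {ipaddress.IPv6Network("fd11:2222:3333:1::/64")}


def build_ra(prefix, router_lifetime=1800, preference=0, autonomous=True):
    """Constructed RA: 16-byte ICMPv6 header plus one Prefix Information option, checksum 0."""
    net = ipaddress.IPv6Network(prefix)
    flags = (preference & 0x3) << 3          # Prf sits in bits 3-4 of the flags byte (RFC 4191)
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags, router_lifetime, 0, 0)
    pflags = 0x80 | (0x40 if autonomous else 0)   # L = on-link, A = usable for SLAAC
    opt = struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, 4, net.prefixlen, pflags,
                      2592000, 604800, 0) + net.network_address.packed
    return hdr + opt


def parse_ra(icmp6):
    """Return the fields an auditor cares about: lifetime, preference, M flag, prefixes."""
    if len(icmp6) < 16:
        raise ValueError("truncated RA header")
    typ, code, _csum, _hop, flags, lifetime, _reach, _retrans = struct.unpack("!BBHBBHII", icmp6[:16])
    if typ != ND_ROUTER_ADVERT or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {
        "router_lifetime": lifetime,
        "preference": (flags >> 3) & 0x3,      # 0 = medium, 1 = high, 3 = low (RFC 4191)
        "managed": bool(flags & 0x80),
        "prefixes": [],                         # (network, autonomous flag)
    }
    off = 16
    while off + 2 <= len(icmp6):
        otype, olen = icmp6[off], icmp6[off + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")   # RFC 4861: packet MUST be discarded
        end = off + olen * 8
        if otype == OPT_PREFIX_INFORMATION and olen == 4 and end <= len(icmp6):
            plen, pflags = icmp6[off + 2], icmp6[off + 3]
            prefix = ipaddress.IPv6Network((bytes(icmp6[off + 16:off + 32]), plen), strict=False)
            ra["prefixes"].append((prefix, bool(pflags & 0x40)))
        off = end
    return ra


def audit_ra(src, icmp6, known_routers=KNOWN_ROUTERS, known_prefixes=KNOWN_PREFIXES):
    """Findings for one RA seen on the link; an empty list means it matches policy."""
    src = ipaddress.IPv6Address(src)
    ra = parse_ra(icmp6)
    findings = []
    if src not in known_routers:
        findings.append(f"RA from unknown router {src}")
        if ra["router_lifetime"] > 0:
            findings.append("unknown router offers itself as default gateway")
        if ra["preference"] == 1:
            findings.append("unknown router advertises high preference (beats the real one)")
    for prefix, autonomous in ra["prefixes"]:
        if autonomous and prefix not in known_prefixes:
            findings.append(f"SLAAC prefix {prefix} not in policy (hosts will self-configure into it)")
    if src in known_routers and ra["router_lifetime"] == 0:
        findings.append("RA withdraws the real router (lifetime 0); spoofed source or misconfiguration")
    return findings
```

Feed audit_ra() the link-local source and the ICMPv6 payload of each RA captured on the segment; anything non-empty is a candidate rogue RA or a misconfiguration. Detection is the second line of defence; the first is RA Guard on the access switch, which drops RAs arriving on ports that are not the router's.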
IPv6 Security Implications
- Global routability
  - Since we have as many IPv6 addresses as we need, we would like (and are encouraged) to use Globally Routable Unicast Addresses
  - Hence we say goodbye to the RFC 1918 addresses
  - But this opens up a massive hole on our edge: every internal host is now reachable by address from the Internet unless something explicitly drops the packets!
IPv6 and NAT
- NAT is generally a bad thing
  - Everyone says this, from the IETF to me!
  - NAT breaks many things, and makes some protocols harder to run or debug
    - SIP: needs STUN, ICE
    - VNC, TeamViewer, etc.: need relays
    - Even FTP and multi-player games
  - But NAT is good for one thing: a “default deny incoming” policy (strictly, it is the connection state table behind the NAT that does this, not the address rewriting itself)
IPv6 and NAT
- Default deny: we allow all outgoing (and related), we deny all incoming
- Why do we need this? Because host firewalls are misconfigured, non-auditable, or non-existent
- Currently, anyone with a server/listener on their host cannot have packets routed in from the Internet: RFC 1918 addresses are not routed on the Internet
- Most SME IT managers cannot manage a stateful firewall; the number of rules would be impossible to track part-time.
IPv6 and NAT
- One solution (the simple and correct one) is to use host-based firewalls
  - This works for your server, PC, laptop
  - Does your network printer have a firewall?
  - Does your attendance fingerprint scanner?
- The alternative is to implement rules on your edge firewall
  - With SLAAC, do you know the printer’s current IPv6 address(es)? With privacy extensions (RFC 4941) a host’s address changes over time, and a host holds several at once.
  - Do you know your CFO’s?
IPv6 and NAT
- Alternative 1:
  - Turn off SLAAC (clear the A flag in your Router Advertisements) and use either manual addressing(!) or DHCPv6
  - Maintain rule tables in the firewall, and spend all day opening and closing ports (there are lots of them)
  - BTW: make sure no one has admin control over his laptop; he can still assign himself any address on the link, and your address-keyed rules will match it.
IPv6 and NAT
- Alternative 2:
  - Use Unique Local Addresses (ULA, RFC 4193)
  - Pick a random 40-bit Global ID (RFC 4193 derives it from SHA-1 over the current time and an EUI-64; any good random source will do) and append it to fd00::/8 to get a /48, e.g. fd11:2222:3333::/48 (Global ID 11:2222:3333, an example value)
  - Append a 16-bit subnet ID to get each /64, e.g. fd11:2222:3333:1::/64
  - SLAAC away!
  - fd00::/8 is reasonably unique (random, so two merging networks are unlikely to collide) but not routed on the Internet
  - NAT away (as you have been doing) between your global IPv6 address (singular) and the ULAs inside.
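Two things on the slides turn into code readily: the several spellings of one address (slide 6) and the ULA prefix recipe above. The block below is an added Python example, not from the presentation. It canonicalizes addresses (RFC 5952) so that rules and log searches compare parsed addresses rather than strings, classifies an address by scope and flags an EUI-64 identifier that embeds the interface MAC (the autoconfigured addresses that make your printer so discoverable), and derives a /48 the way RFC 4193 section 3.2.2 describes: SHA-1 over an NTP timestamp and an EUI-64, low 40 bits as the Global ID. The MAC address and timestamp used are constructed values.

```python
"""IPv6 address hygiene: canonical text form, classification, RFC 4193 prefix generation.

Added example, not from the slides. The generator follows the RFC 4193 section 3.2.2
recipe; the MAC address and NTP timestamp fed to it are constructed values.
"""
import hashlib
import ipaddress

ULA_RANGE = ipaddress.IPv6Network("fc00::/7")
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


def canonical(text):
    """RFC 5952 form (lowercase, longest zero run compressed).
    '2405:FC00:0:0:0:876:1:53' and '2405:fc00::876:1:53' are one host; compare these, not strings."""
    return str(ipaddress.IPv6Address(text))


def mac_to_eui64(mac):
    """Modified EUI-64 as SLAAC builds it: split the MAC, insert ff:fe, flip the U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(eui, "big")


def classify(text):
    """(scope, mac_derived): where the address sits, and whether its IID leaks the MAC."""
    addr = ipaddress.IPv6Address(text)
    if addr in LINK_LOCAL:
        scope = "link-local"
    elif addr in ULA_RANGE:
        scope = "ula"
    elif addr.is_global:
        scope = "global"
    else:
        scope = "other"
    iid = int(addr) & ((1 << 64) - 1)
    # ff:fe in the middle of the IID marks an EUI-64 (stable, vendor-revealing) identifier
    mac_derived = ((iid >> 24) & 0xFFFF) == 0xFFFE
    return scope, mac_derived


def ula_prefix(ntp_time, eui64):
    """RFC 4193 section 3.2.2: Global ID = low 40 bits of SHA-1(time || EUI-64); /48 = fd + Global ID."""
    key = ntp_time.to_bytes(8, "big") + eui64.to_bytes(8, "big")
    global_id = int.from_bytes(hashlib.sha1(key).digest()[-5:], "big")   # least significant 40 bits
    prefix_int = (0xFD << 120) | (global_id << 80)                        # fdXX:XXXX:XXXX::
    return ipaddress.IPv6Network((prefix_int, 48))


def subnet(prefix48, subnet_id):
    """Append the 16-bit subnet ID to the /48 to get one SLAAC-able /64."""
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet ID is 16 bits")
    return ipaddress.IPv6Network((int(prefix48.network_address) | (subnet_id << 64), 64))
```

classify() is the quick answer to "do you know the printer's address": an IID with ff:fe in the middle is the printer's MAC in disguise and will not change; an address without it is likely a privacy (RFC 4941) address and will.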
IPv6 and NAT
- Alternative 2 (cont):
  - Do a 1-to-1 NAT (prefix translation, NPTv6, RFC 6296): your ULA /64 maps onto the ISP’s global /64, so each host has one inside address and one outside address
  - NAT away (as you have been doing) between your global IPv6 address (singular, i.e. stateful many-to-one with port overloading) or subnet (1-to-1) and the ULAs inside
  - Deny all incoming, except what is explicitly decided. Note that 1-to-1 prefix translation is stateless and does not by itself drop inbound packets; the default deny comes from a stateful rule on the same edge box, so configure it explicitly.
  - You can examine ports, or not
  - If your global range changes, when you change ISPs, you do not need to reconfigure the LAN
  - Security becomes manageable again.
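The 1-to-1 translation on this slide is stateless prefix translation, NPTv6 (RFC 6296). What makes it cheap is that the translator never touches TCP or UDP checksums: it swaps the /64 prefix and adds a constant to one word of the interface identifier so that the one's complement sum of the address is unchanged. The following added Python example (not from the presentation, and not the RFC's reference code) implements that mapping in both directions between a constructed ULA /64 and a /64 out of the 2001:db8::/32 documentation prefix, and checks the checksum-neutral property.

```python
"""Stateless 1-to-1 prefix translation (NPTv6, RFC 6296) between a ULA /64 and a global /64.

Added example, not from the slides and not the RFC's reference code. The translator swaps
the /64 prefix and adds a fixed one's complement 'adjustment' to one IID word so that the
sum of the address's 16-bit words, and hence every TCP/UDP pseudo-header checksum, is
unchanged. Both prefixes are constructed values.
"""
import ipaddress

INTERNAL = ipaddress.IPv6Network("fd11:2222:3333:1::/64")   # ULA used on the LAN
EXTERNAL = ipaddress.IPv6Network("2001:db8:abcd:1::/64")    # ISP-assigned (documentation prefix here)


def _fold(total):
    """One's complement addition: fold carries back into the low 16 bits."""
    while total > 0xFFFF:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ones_complement_sum(words):
    total = 0
    for w in words:
        total = _fold(total + w)
    return total


def _words(addr):
    """The eight 16-bit words of an address, most significant first."""
    return [(int(addr) >> (112 - 16 * i)) & 0xFFFF for i in range(8)]


def _adjustment(src_net, dst_net):
    """src_prefix_sum minus dst_prefix_sum in one's complement: what the IID must absorb."""
    src_sum = ones_complement_sum(_words(src_net.network_address)[:4])
    dst_sum = ones_complement_sum(_words(dst_net.network_address)[:4])
    return _fold(src_sum + (~dst_sum & 0xFFFF))


def _translate(addr, src_net, dst_net):
    addr = ipaddress.IPv6Address(addr)
    if addr not in src_net:
        raise ValueError(f"{addr} is not in {src_net}")
    words = _words(addr)
    words[:4] = _words(dst_net.network_address)[:4]          # swap the /64 prefix
    adj = _adjustment(src_net, dst_net)
    for i in range(4, 8):                                     # RFC 6296: first IID word that is not 0xFFFF
        if words[i] != 0xFFFF:
            w = _fold(words[i] + adj)
            words[i] = 0x0000 if w == 0xFFFF else w           # 0xFFFF and 0x0000 are both zero here
            break
    else:
        raise ValueError("IID is all 0xFFFF; RFC 6296 cannot map this address")
    value = 0
    for w in words:
        value = (value << 16) | w
    return ipaddress.IPv6Address(value)


def outbound(inside_addr):
    """LAN -> Internet: the ULA source address becomes the global one."""
    return _translate(inside_addr, INTERNAL, EXTERNAL)


def inbound(outside_addr):
    """Internet -> LAN: the global destination address becomes the ULA."""
    return _translate(outside_addr, EXTERNAL, INTERNAL)


def is_checksum_neutral(a, b):
    """True when a transport checksum computed over either address is identical."""
    return (ones_complement_sum(_words(ipaddress.IPv6Address(a)))
            == ones_complement_sum(_words(ipaddress.IPv6Address(b))))
```

Because the mapping is stateless, an Internet host that learns 2001:db8:abcd:1:8b14:5678:9abc:def0 can send to it and the translator will rewrite it straight back to the ULA; the default deny the slides rely on has to be a separate stateful rule on the edge (allow established and related out, drop new inbound).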
IPv6 and NAT
- Disadvantages of #2 (ULA+NAT) over #1
  - You are still not end-to-end, which was a major driver for IPv6
  - You will be sneered at by your smarter colleagues
  - BitTorrent will be slower
  - People running servers need to come talk to you.
IPv6 and NAT
- Advantages of #2 (ULA+NAT) over #1
  - Your old model of NAT as firewall works
  - Default deny for incoming (local addresses, even if they leak out, will not be routed by your ISP)
  - Your printer is cleanly visible inside your network, yet not accessible from the outside
  - You can use SLAAC!!!
  - You do not need PI address space; you can use your ISP’s and avoid renumbering
  - People running servers need to come talk to you.
IPv6 and NAT: The Sequel
- In an ideal world, we would do away with NAT
- But in an ideal world, we would not need firewalls
- It is very likely that NAT will remain, but in newer guises
  - Maybe NAT64? NAT46? NAT66?
- Just when you thought he was dead, he returned! Freddy Krueger returns!