Will we still need NAT at our edge for IPv6 deployment?
It is an oft-repeated statement that NAT is an artefact of the IPv4 address space shortage, and that it will not be required in IPv6 deployments. The ability to give each host a publicly routable address and achieve end-to-end connectivity is touted as a notable benefit of IPv6. Network engineers have traditionally looked at NAT as an evil, which complicates deployment and operations.
The presentation was prepared by Mr Sanjeev Gupta, the Vice Chairman of the IPv6 Forum (Singapore Chapter), for The Information Security Seminar 2013. For more information on the event, please visit https://www.isseminar2013.sg/index.php.
2. IPv6 Review
It will happen
In our careers
In our ISPs
In our enterprises
On our consumer devices
In things we cannot think of yet.
3. IPv6 Review
It is happening
ISPs are turning it on, to offload traffic from IPv4
Alternative is to run CGN or NAT 444, both of which are expensive, and short-term
31% of Verizon Mobile traffic is over IPv6, with users not realizing (Apr 2013)
Your “enterprise” OS has it turned on!
4. IPv6 Review
Recent news
Starhub has turned on 6to4 on MaxOnline, so your home router has IPv6
And without your knowledge, therefore, so may your home PC
So what is IPv6, and how does it differ from IPv4?
5. IPv6 vis-à-vis IPv4
Some things remain the same
The concepts of Routing, Networks, and the 7-layer OSI Stack. Firewalls, TCP, UDP, all remain the same.
Enough things change
The definitions of default routers
Address assignments
Neighbour Discovery
And the entire language changes …
6. IPv6 vis-à-vis IPv4
Examples of minor changes
Cisco: show ip becomes show ipv6
Examples of major changes
Multicast
Need to understand Scopes
Multiple ways to write the same IPv6 address
2405:FC00:0000:0000:0000:0876:0001:0053
2405:FC00:0:0:0:876:1:53
2405:FC00::876:1:53
IPv6 devices will autoconfigure magically!
7. IPv6 Security Implications
Autoconfiguration
As devices set themselves up, they will start talking to each other, even when you may not want them to.
Routers get discovered, and used.
Multiple Routers on a link are not only possible, they are likely
Network discovery is easier, which may be good or bad.
8. IPv6 Security Implications
Rogue Routers
Similar to the problem of rogue DHCP servers in IPv4
A rogue router can override your real router
Reasonably easy to set up MITM with SLAAC
DAD conflicts
A rogue host can use DAD to block any other host from assigning an IP address.
9. IPv6 Security Implications
Global Routability
Since we have as many IPv6 addresses as we need, we would like (and are encouraged) to use Globally Routable Unicast Addresses
Hence, we say goodbye to the RFC1918 addresses
But this opens up a massive hole on our edge!
10. IPv6 and NAT
NAT is generally a bad thing
Everyone says this, from the IETF to me!
NAT breaks many things, and makes some protocols harder to run or debug
SIP: STUN, ICE
VNC: Teamviewer, etc
Even FTP and multi-player games
But NAT is good for one thing: a “default deny incoming” policy.
11. IPv6 and NAT
Default Deny: we allow all outgoing (and related), we deny all incoming
Why do we need this? Because host firewalls are mis-configured, non-auditable, or non-existent
Currently, anyone with a server/listener on their host cannot have packets routed in from the Internet: RFC1918 is non-routable
Most SME IT managers cannot manage a stateful FW; the number of rules would be impossible to track part-time.
12. IPv6 and NAT
One solution (the simple and correct one) is to use host-based firewalls
This works for your Server, PC, Laptop
Does your Network Printer have a firewall?
Does your Attendance Fingerprint Scanner?
Alternative is to implement rules on your edge firewall
With SLAAC, do you know the printer’s current IPv6 address(es)?
Do you know your CFO’s?
13. IPv6 and NAT
Alternative 1:
Turn off SLAAC, either use manual addressing(!) or DHCPv6
Maintain rule tables in firewall, and spend all day opening and closing ports (there are lots of them)
BTW: make sure no one has admin control over his laptop, he might change his IP address.
14. IPv6 and NAT
Alternative 2:
Use Unique Local Addresses (ULA)
Pick a 48-bit number randomly (1111:2222:3333)
Concatenate to fd00::/8, to get a 64-bit prefix (fd00:1111:2222:3333::/64)
SLAAC away!
FD00 is reasonably unique, but non-routable
NAT away (as you have been doing) between your Global IPv6 address (singular) and the ULAs inside.
15. IPv6 and NAT
Alternative 2 (cont):
Do a 1-to-1 NAT
NAT away (as you have been doing) between your Global IPv6 address (singular or subnet) and the ULAs inside
Deny all incoming, except explicitly decided
You can examine Ports, or not
If your Global range changes, when you change ISPs, you do not need to reconfigure the LAN
Security becomes manageable, again.
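Slides 6, 14 and 15 worked through in code (an added example, not part of the presentation): canonicalize the three spellings of one address, build a ULA /64 following the RFC 4193 layout (a random 40-bit Global ID after the fd byte plus a 16-bit Subnet ID; the slide's 48-bit sketch is a simplification of this), and model the 1-to-1 NAT edge that denies incoming traffic unless it matches an outbound flow or an explicit opening. The Edge class, the network values and the addresses are constructed assumptions.

```python
import ipaddress
import secrets

# Constructed example: the only values taken from the slides are the fd00::/8
# ULA range, the slide-6 address spellings and the 1-to-1 NAT idea.

def make_ula_prefix(subnet_id=0, global_id=None):
    """Build an fd00::/8 ULA /64. RFC 4193 puts a random 40-bit Global ID right
    after the fd byte, then a 16-bit Subnet ID (the slide's 48-bit sketch is
    a simplification of this layout)."""
    if global_id is None:
        global_id = secrets.randbits(40)
    bits = (0xFD << 120) | (global_id << 80) | (subnet_id << 64)
    return ipaddress.IPv6Network((bits, 64))

def canonical(addr):
    """All spellings of one address (slide 6) collapse to one canonical form."""
    return str(ipaddress.IPv6Address(addr))

def translate(addr, from_net, to_net):
    """1-to-1 NAT: keep the interface-identifier bits, swap the /64 prefix."""
    a = ipaddress.IPv6Address(addr)
    if a not in from_net:
        raise ValueError(f"{a} is not inside {from_net}")
    host_bits = int(a) & ((1 << (128 - from_net.prefixlen)) - 1)
    return ipaddress.IPv6Address(int(to_net.network_address) | host_bits)

class Edge:
    """Default deny inbound; an outbound flow creates the state that lets
    its reply back in; explicitly opened addresses are the only exception."""
    def __init__(self, inside, outside):
        self.inside, self.outside = inside, outside   # ULA /64, global /64
        self.state = set()   # (translated src, dst) pairs seen going out
        self.allow = set()   # global addresses opened on purpose (servers)

    def outbound(self, src, dst):
        ext = translate(src, self.inside, self.outside)
        self.state.add((ext, ipaddress.IPv6Address(dst)))
        return ext

    def inbound(self, src, dst):
        """Return the inside (ULA) address to deliver to, or None if denied."""
        d = ipaddress.IPv6Address(dst)
        if d in self.inside:
            return None   # a ULA arriving from outside is never routed in
        if (d, ipaddress.IPv6Address(src)) in self.state or d in self.allow:
            return translate(d, self.outside, self.inside)
        return None
```

Swapping the global prefix handed to Edge is all that changes when the ISP changes; the ULA side and the allow list stay as they are.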
16. IPv6 and NAT
Disadvantages of #2 (ULA+NAT) over #1
You are still not Edge-to-Edge, which was a major driver for IPv6
You will be sneered at by your smarter colleagues
BitTorrent will be slower
People running servers need to come talk to you.
17. IPv6 and NAT
Advantages of #2 (ULA+NAT) over #1
Your old model of NAT being Firewall works
Default deny for incoming (Local addresses, even if they leak out, will not be routed by your ISP)
Your printer is cleanly visible inside your network, yet not accessible from the outside
You can use SLAAC!!!
You do not need PI address space, you can use your ISP’s, avoid renumbering
People running servers need to come talk to you.
18. IPv6 and NAT: The Sequel
In an ideal world, we would do away with NAT
But in an ideal world, we would not need Firewalls
It is very likely that NAT will remain, but in newer guises
Maybe NAT64? NAT46? NAT66?
Just when you thought he was dead, he returned!