9

This is a follow up to a snippet from another answer.

There, user Ninefingers writes:

(...) only allow outbound connections, ever. Do this in spite of NAT as IPv6 will make those NAT defences disappear.

Can someone please explain what this means? Or, rather, how this affects the average user that has his Windows 7 PC(s) running behind his local router that's doing NAT and connecting to the DSL modem.

Martin

3 Answers

8

Yes I can.

IPv4, due to the size of the address pool, has long had a technique called Network Address Translation. In a simplistic view, let's assume you are allocated the (invalid) IP address for your router 256.10.20.30 (I use invalid addresses so people don't go around pinging them etc). Locally, your router is 192.168.0.1 and your host is 192.168.0.2 like this:

/----------\       /-------------------------------\       /----------------\
| Internet |-------| Your router                   |-------| A computer     |
\----------/       | Internet sees as 256.10.20.30 |       | has only:      |
                   | You see as 192.168.0.1        |       | 192.168.0.2    |
                   \-------------------------------/       \----------------/

As such, your router appears to the internet as a public-facing IP address; however, unless you deliberately route connections on ports from the router to a computer on the private IP address range, the computers on the private LAN side are not directly addressable from the internet. The router is performing two functions - both NAT and routing.

In IPv6 there are a lot of addresses. The idea fundamentally is that there are no private IP address ranges (which isn't exactly true; an RFC for that does exist) and as such the IPv6 situation looks like this:

/----------\       /-------------------------------\       /----------------\
| Internet |-------| Your router                   |-------| A computer     |
\----------/       | Internet sees as 2000::...    |       | has:           |
                   | You see as 2000::...          |       | 2001::...      |
                   \-------------------------------/       \----------------/

There isn't really enough space in these boxes to write out the full addresses, but in the IPv6 model, the router performs its routing function (it gets packets to the computers on the LAN) but crucially here it routes both from and to the internet, rather than routing / NATing outwards.

The effect of this is that the default case for IPv4, namely that home computers aren't directly accessible by nature of the fact they have no IP address unless the router knows about the connection, goes away. The computer becomes addressable from the internet, much like a server.

Clearly, such connections can still be firewalled, with firewalls denying all incoming (non-client-initiated) connections; however, you have lost the need to explicitly configure your router to route internet packets to you. If the firewall doesn't filter the incoming packet, the client had better be able to cope with it. There is, therefore, a slightly increased security risk to home users using IPv6.

I expect (hope?) most home routers will come configured with this firewall setting. As such, while the risk is slightly increased, it is still probably dwarfed by the threat from browser-based exploits (the "outbound stuff").

4

NAT is a solution to the IPv4 address-shortage problem: you hide many systems behind one IP address. With IPv6, an end-user will have many addresses, so the need for NAT disappears. This is great from a networking standpoint, since NAT is an ugly hack (from the network perspective) that makes many applications harder.

From a security standpoint however, NAT provides some security by hiding your systems behind a firewall (that NAT router). This NAT router must be configured explicitly to forward incoming connections to internal hosts (not considering UPnP). When NAT disappears and all your systems have a unique, globally reachable IPv6 address, malware can open up a listening socket for connectback.

chris
  • With IPv4 for a private user, the ISP will only assign one public IP anyway, that's why NAT is needed in the 1st place. Does it remain to be seen whether ISP will provide more than one public IP(v6) address? – Martin Oct 03 '11 at 11:03
  • 1
    Currently, ISPs who have pilots with IPv6 (that I know of) are assigning at least /56 to end users. This is in accordance with the RIPE assignment policy, I think ARIN and APNIC have similar policies. – chris Oct 03 '11 at 11:37
  • After looking around I'm not *entirely* sure what `/56` means, except that it would mean multiple public IPv6 addresses for me. On the other hand, here where I live, consumer DSL lines just get a DSL modem that gets assigned *one* IPv4 address, and I'm not sure why providers should (without charging me extra) change that policy once they assign me an IPv6 address, especially since many home users should be better off behind NAT. (But I guess this is getting off topic -- maybe you could add a link or two for some background.) – Martin Oct 03 '11 at 12:17
  • 1
    /56 means 2^(128-56) addresses for your home. If you follow the standard and make subnets of 64 bits, you can have 2^8=256 subnets in your house. ISPs won't charge extra because this is how IPv4 is *supposed* to be assigned, and they aren't charged for their /32s either. http://www.ripe.net/ripe/docs/ripe-523 – chris Oct 03 '11 at 13:07
  • chris - did you mean to write "this is how IPv4 is supposed to " in your comment or did you mean to write "IPv6"? thanks. – Martin Oct 03 '11 at 13:09
  • I meant IPv6 indeed. However, it is how the internet is supposed to work, NAT is just an ugly hack to deal with a shortage :-) – chris Oct 03 '11 at 13:22
  • "_are assigning at least /56 to end users_" Free SAS assigns /60 per box (but you can only use /64 unless you use your modem instead of the box). – curiousguy Dec 29 '11 at 22:59
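Both answers above make the same point: behind IPv4 NAT an unsolicited packet has no translation to follow and goes nowhere, whereas a host with a global IPv6 address is reached directly unless the router runs a stateful firewall that only admits replies to client-initiated flows. The following toy model, added here and not code from either answer, runs the same two events (our own outbound connection and its reply, then an unsolicited packet from a stranger) through the three router behaviours. The `NatRouter`, `Ipv6Router`, `Packet` and `scenario` names, the port-forward option, and all addresses (RFC 5737 / RFC 3849 documentation ranges) are constructed for the example.

```python
"""Toy model of the three router behaviours described in the answers above:
IPv4 NAT, plain IPv6 routing, and IPv6 routing behind a stateful firewall.
Added example, not code from the page; all addresses are constructed
documentation values (RFC 5737 / RFC 3849 ranges)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def reply(self) -> "Packet":
        """The packet the remote end sends back on the same flow."""
        return Packet(self.dst, self.dport, self.src, self.sport, self.proto)


class NatRouter:
    """IPv4 many-to-one NAT. Inbound packets reach a LAN host only through a
    translation created by earlier outbound traffic or a static port forward."""

    def __init__(self, public_ip, port_forwards=None):
        self.public_ip = public_ip
        self.next_port = 40000
        self.table = {}    # (proto, public port) -> (LAN ip, LAN port)
        self.reverse = {}  # (proto, LAN ip, LAN port) -> public port
        for pub_port, target in (port_forwards or {}).items():
            self.table[("tcp", pub_port)] = target  # explicit forward, as the answers mention

    def outbound(self, pkt):
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.reverse:
            self.reverse[key] = self.next_port
            self.table[(pkt.proto, self.next_port)] = (pkt.src, pkt.sport)
            self.next_port += 1
        # what the internet sees: source rewritten to the router's public address
        return Packet(self.public_ip, self.reverse[key], pkt.dst, pkt.dport, pkt.proto)

    def inbound(self, pkt):
        target = self.table.get((pkt.proto, pkt.dport))
        if target is None:
            return None  # no translation exists: the packet goes nowhere
        return Packet(pkt.src, pkt.sport, target[0], target[1], pkt.proto)


class Ipv6Router:
    """Plain IPv6 routing: every global address is reachable from both sides
    unless the WAN-side stateful firewall is on."""

    def __init__(self, stateful_firewall):
        self.stateful_firewall = stateful_firewall
        self.flows = set()  # 5-tuples seen leaving the LAN

    def outbound(self, pkt):
        self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return pkt  # nothing to rewrite

    def inbound(self, pkt):
        if not self.stateful_firewall:
            return pkt  # routed straight to the host, like a server
        flow = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return pkt if flow in self.flows else None


def scenario():
    """Send the same two events through each router.
    Returns {router: (reply to our own connection delivered?,
                      unsolicited packet from a stranger delivered?)}."""
    cases = {
        "ipv4_nat": (NatRouter("203.0.113.1"), "192.168.0.2", "203.0.113.1", "198.51.100.7"),
        "ipv6_no_firewall": (Ipv6Router(False), "2001:db8:1::2", "2001:db8:1::2", "2001:db8:ffff::7"),
        "ipv6_stateful_firewall": (Ipv6Router(True), "2001:db8:1::2", "2001:db8:1::2", "2001:db8:ffff::7"),
    }
    results = {}
    for name, (router, host, host_seen_from_internet, remote) in cases.items():
        # 1. the PC opens a connection to a web server; the server answers on that flow
        on_wire = router.outbound(Packet(host, 51000, remote, 443))
        reply_delivered = router.inbound(on_wire.reply()) is not None
        # 2. a stranger sends a packet nobody asked for to a service listening on the PC
        probe = Packet(remote, 4444, host_seen_from_internet, 8000)
        unsolicited_delivered = router.inbound(probe) is not None
        results[name] = (reply_delivered, unsolicited_delivered)
    return results


if __name__ == "__main__":
    for name, (reply, unsolicited) in scenario().items():
        print(f"{name:24s} reply delivered: {reply!s:5}  unsolicited delivered: {unsolicited}")
```

The `ipv6_stateful_firewall` row is the "deny all incoming non-client-initiated connections" setting the first answer hopes home routers ship with; the model ignores the connection-tracking timeouts and the ICMPv6 exceptions (neighbour discovery, path MTU discovery) that a real IPv6 firewall needs, which RFC 6092 lists for residential CPE.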
3

The first problem that comes to my mind is that you may have an IPv6 connection that you are not even aware of.

Microsoft Windows has built-in support for Teredo. Teredo tunnels IPv6 through IPv4 UDP packets. This provides full duplex IPv6 connectivity.

Furthermore, Teredo is designed to work through IPv4 NAT: the client regularly sends queries to the nearest Teredo relay. If this relay has packets for the client, it will answer and the NAT will let the answer through. These packets may contain a connection attempt from the outside.

Some software may activate Teredo support; uTorrent (see Release Announcement 1.8 Build 7237) even did it automatically by default.

Hendrik Brummermann
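A Teredo address encodes the tunnel's details, so a defender reviewing firewall or connection logs can recognise one and see exactly what it exposes: every address under 2001:0000::/32 carries the Teredo server's IPv4, a flags word, and the NAT's external IPv4 and mapped UDP port (the latter two stored inverted, per RFC 4380 section 4). The decoder and log scanner below are an added example, not code from the answer above; the sample Teredo address and the IPv4 values it decodes to are RFC 4380's own documentation example, the `SAMPLE_LOG` lines and their field layout are constructed, and the function and class names are mine.

```python
"""Recognise and decode Teredo addresses (RFC 4380), the IPv6-over-IPv4-UDP
tunnel discussed in the answer above, and flag them in connection logs.
Added example, not code from the page. The Teredo address and IPv4 values are
RFC 4380's documentation example; the log lines are constructed."""
import ipaddress
import re
from dataclasses import dataclass

TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")  # 2001:0000::/32
TEREDO_UDP_PORT = 3544                               # Teredo server port


@dataclass(frozen=True)
class TeredoInfo:
    server: str         # Teredo server the client qualified with
    cone_nat: bool      # 'cone' flag bit (0x8000) from the flags field
    external_ip: str    # client's IPv4 as seen from the internet (the NAT's WAN side)
    external_port: int  # UDP port the NAT mapped for the tunnel


def decode_teredo(addr):
    """Return TeredoInfo for a Teredo address, None for any other IPv6 address.
    Raises ValueError if addr is not a valid IPv6 address at all."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in TEREDO_PREFIX:
        return None
    n = int(ip)
    server = (n >> 64) & 0xFFFFFFFF   # bits 32-63
    flags = (n >> 48) & 0xFFFF        # bits 64-79
    # port and client address are stored inverted (XOR all-ones) so a NAT
    # rewriting the IPv4 header cannot accidentally rewrite them too
    port = ((n >> 32) & 0xFFFF) ^ 0xFFFF          # bits 80-95
    client = (n & 0xFFFFFFFF) ^ 0xFFFFFFFF        # bits 96-127
    return TeredoInfo(
        server=str(ipaddress.IPv4Address(server)),
        cone_nat=bool(flags & 0x8000),
        external_ip=str(ipaddress.IPv4Address(client)),
        external_port=port,
    )


# candidate IPv6 literals: runs of hex digits and colons
IPV6_TOKEN = re.compile(r"[0-9a-fA-F:]{2,39}")

# constructed sample: one native IPv6 connection, one UDP flow to a Teredo
# server, and one connection from a Teredo address
SAMPLE_LOG = [
    "2011-10-03 11:03:22 conn proto=tcp6 src=2001:db8:1::2 dst=2001:db8:ffff::7 dport=443",
    "2011-10-03 11:03:25 conn proto=udp src=192.168.0.2 dst=65.54.227.120 dport=3544",
    "2011-10-03 11:03:26 conn proto=tcp6 src=2001:0:4136:e378:8000:63bf:3fff:fdd2 dst=2001:db8:ffff::7 dport=6881",
]


def find_teredo_in_log(lines):
    """Return (line number, what was found, TeredoInfo or None) for every sign
    of Teredo: UDP to port 3544, or an address inside 2001:0000::/32."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        if re.search(r"\bproto=udp\b.*\bdport=%d\b" % TEREDO_UDP_PORT, line):
            hits.append((lineno, "udp to Teredo server port", None))
        for token in IPV6_TOKEN.findall(line):
            if token.count(":") < 2:
                continue  # not an IPv6 literal (timestamps, hex words)
            try:
                info = decode_teredo(token)
            except ValueError:
                continue
            if info is not None:
                hits.append((lineno, token, info))
    return hits


if __name__ == "__main__":
    for lineno, what, info in find_teredo_in_log(SAMPLE_LOG):
        print(lineno, what, info)
```

The standard library already exposes the two embedded IPv4 addresses as `ipaddress.IPv6Address(addr).teredo`; the explicit decoder is here because the mapped UDP port and the flags are what tell you which NAT mapping the tunnel is keeping open.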