126

This is a Canonical Question about IPv6 and NAT

So our ISP has set up IPv6 recently, and I've been studying what the transition should entail before jumping into the fray.

I've noticed three very important issues:

  1. Our office NAT router (an old Linksys BEFSR41) does not support IPv6. Nor does any newer router, AFAICT. The book I'm reading about IPv6 tells me that it makes NAT "unnecessary" anyway.

  2. If we're supposed to just get rid of this router and plug everything directly to the Internet, I start to panic. There's no way in hell I'll put our billing database (with lots of credit card information!) on the internet for everyone to see. Even if I were to propose setting up Windows' firewall on it to allow only 6 addresses to have any access to it at all, I still break out in a cold sweat. I don't trust Windows, Windows' firewall, or the network at large enough to even be remotely comfortable with that.

  3. There are a few old hardware devices (i.e., printers) that have absolutely no IPv6 capability at all. And likely a laundry list of security issues that date back to around 1998. And likely no way to actually patch them in any way. And no funding for new printers.

I hear that IPv6 and IPSEC are supposed to make all this secure somehow, but without physically separated networks that make these devices invisible to the Internet, I really can't see how. I can likewise really see how any defences I create will be overrun in short order. I've been running servers on the Internet for years now and I'm quite familiar with the sort of things necessary to secure those, but putting something Private on the network like our billing database has always been completely out of the question.

What should I be replacing NAT with, if we don't have physically separate networks?

Ernie
  • 5,324
  • 6
  • 30
  • 37
  • 1
    Going without physically separated networks for servers with Ultra Private data is pretty shocking for me. I'm having trouble making the question less argumentative. I really do need an answer to that part in particular though. – Ernie Sep 24 '10 at 23:54
  • 10
    The things you are _shocked about_ don't exist. Perhaps you should reformat your question in a way describing the things you believe are facts and ask us to confirm them. Instead of complaining about things that you have assumed will work a certain way. – Zoredache Sep 25 '10 at 00:05
  • On what basis do you say this? "I don't trust Windows, Windows' firewall..." I'm not saying that the answer to your question is to only use host-based firewalls, the answers below point you to using a border device. – mfinni Sep 25 '10 at 01:08
  • 29
    Also - you're storing credit card information? And you have this many questions about security? Have you ever passed a PCI audit? Or are you breaking your contract by storing the credit card details? You may want to look into this, post-haste. – mfinni Sep 25 '10 at 01:09
  • 6
    I can't in good conscience down-vote or vote-to-close this question on either the grounds that the poster is ill-informed (surely that's half the point of the site). Granted, the OP is going off on a big tangent based on a false assumption, and the question could do with a re-write. – Chris Thorpe Sep 25 '10 at 01:47
  • 1
    @mfinni: They state in the PCI-DSS that a NAT router is *required*, which is also one of my concerns. For all intents and purposes however, it's probably worthwhile to just *not* include an internal IPv6 address as one of the external addresses on an edge router, when that day eventually comes. At least, by my understanding of such routers and firewalling. – Ernie Sep 27 '10 at 22:25
  • @Ernie - I saw that downthread. And it doesn't invalidate what anyone is saying - any proper firewall and/or router that can handle IPv6 can also do NAT without breaking a sweat, it's just another rule. We're saying that you can have proper security without NAT - you need a proper firewall to do it. If you also have to do NAT for one server - fine, you do it. – mfinni Sep 27 '10 at 22:52
  • 2
    However the question was asked, it elicited interesting replies, and probably turns up in search results for people with similar fears so +1 – dunxd Feb 15 '11 at 12:59
  • 3
    "No more NAT" is definitively one of the goals in IPv6. Though at the moment, it seems (at least here) that interest in actually offering IPv6 is not terribly big, except in datacenters (because bigger packets mean more bandwidth, and more bandwidth means more money for them!). For DSL it's the opposite though, pretty much everyone has flatrate, so IPv6 only means more trouble and more cost for the providers. – dm.skt Mar 23 '11 at 22:23
  • 1
    @dm.skt - that might be true, but CPE vendors and providers will NEED to switch their users to IPv6 simply because all the datacentres are offering it, and if it's offered, people will use it. I wish it weren't so. – Mark Henderson Mar 23 '11 at 23:51
  • Based on Zoredache's link, it looks like sysadmin1138 and myself have been reading the same IPv6 material – Mark Henderson Mar 24 '11 at 02:04
  • 1
    One of the largest barriers to IPv6 is training and education. Not just for us (the sysadmins), but also for our technical peers in the office (the engineering staff, who understand some networking concepts), and our customers who still need to do troubleshooting on their own ("No, the site is not down, your DSL is down.") Sit a technical person down at a computer and ask them to ping an IPv6 address. Most people, even those with networking knowledge, will get it wrong on the first couple of tries. Education is needed. – Stefan Lasiewski Jun 09 '11 at 14:54
  • A firewall, of course. – user253751 Mar 03 '17 at 02:53

17 Answers

209

First and foremost, there is nothing to fear from being on a public IP allocation, so long as your security devices are configured right.

What should I be replacing NAT with, if we don't have physically separate networks?

The same thing we've been physically separating them with since the 1980s, routers and firewalls. The one big security gain you get with NAT is that it forces you into a default-deny configuration. In order to get any service through it, you have to explicitly punch holes. The fancier devices even allow you to apply IP-based ACLs to those holes, just like a firewall. Probably because they have 'Firewall' on the box, actually.

A correctly configured firewall provides exactly the same service as a NAT gateway. NAT gateways are frequently used because they're easier to get into a secure config than most firewalls.

I hear that IPv6 and IPSEC are supposed to make all this secure somehow, but without physically separated networks that make these devices invisible to the Internet, I really can't see how.

This is a misconception. I work for a University that has a /16 IPv4 allocation, and the vast, vast majority of our IP address consumption is on that public allocation. Certainly all of our end-user workstations and printers. Our RFC1918 consumption is limited to network devices and certain specific servers where such addresses are required. I would not be surprised if you shivered just now, because I certainly did when I showed up on my first day and saw the post-it on my monitor with my IP address.

And yet, we survive. Why? Because we have an exterior firewall configured for default-deny with limited ICMP throughput. Just because 140.160.123.45 is theoretically routeable, does not mean you can get there from wherever you are on the public internet. This is what firewalls were designed to do.

Given the right router configs, different subnets in our allocation can be completely unreachable from each other. You can do this in router tables or firewalls. This is a separate network and has satisfied our security auditors in the past.

There's no way in hell I'll put our billing database (With lots of credit card information!) on the internet for everyone to see.

Our billing database is on a public IPv4 address, and has been for its entire existence, but we have proof you can't get there from here. Just because an address is on the public v4 routeable list does not mean it is guaranteed to be delivered. The two firewalls between the evils of the Internet and the actual database ports filter out the evil. Even from my desk, behind the first firewall, I can't get to that database.

Credit-card information is one special case. That's subject to the PCI-DSS standards, and the standards state directly that servers that contain such data have to be behind a NAT gateway[1]. Ours are, and these three servers represent our total server usage of RFC1918 addresses. It doesn't add any security, just a layer of complexity, but we need to get that checkbox checked for audits.


The original "IPv6 makes NAT a thing of the past" idea was put forward before the Internet boom really hit full mainstream. In 1995 NAT was a workaround for getting around a small IP allocation. In 2005 it was enshrined in many Security Best Practices documents, and at least one major standard (PCI-DSS to be specific). The only concrete benefit NAT gives is that an external entity performing recon on the network doesn't know what the IP landscape looks like behind the NAT device (though thanks to RFC1918 they have a good guess), and on NAT-free IPv4 (such as my work) that isn't the case. It's a small step in defense-in-depth, not a big one.

The replacement for RFC1918 addresses are what are called Unique Local Addresses. Like RFC1918, they don't route unless peers specifically agree to let them route. Unlike RFC1918, they are (probably) globally unique. IPv6 address translators that translate a ULA to a Global IP do exist in the higher range perimeter gear, definitely not in the SOHO gear yet.

You can survive just fine with a public IP address. Just keep in mind that 'public' does not guarantee 'reachable', and you'll be fine.


2017 update

In the past few months, Amazon has been adding IPv6 support. It has just been added to their offering, and their implementation gives some clues as to how large scale deployments are expected to be done.

  • You are given a /56 allocation (256 subnets).
  • The allocation is a fully routeable subnet.
  • You are expected to set your firewall rules appropriately restrictively.
  • There is no NAT, it's not even offered, so all outbound traffic will come from the actual IP address of the instance.

To add one of the security benefits of NAT back in, they are now offering an Egress-only Internet Gateway. This offers one NAT-like benefit:

  • Subnets behind it can't be directly accessed from the internet.

Which provides a layer of defense-in-depth, in case a misconfigured firewall rule accidentally allows inbound traffic.

This offering does not translate the internal address into a single address the way NAT does. Outbound traffic will still have the source IP of the instance that opened the connection. Firewall operators looking to whitelist resources in the VPC will be better off whitelisting netblocks, rather than specific IP addresses.

Routeable does not always mean reachable.


[1]: The PCI-DSS standards changed in October 2010, the statement mandating RFC1918 addresses was removed, and 'network isolation' replaced it.

user1686
  • 8,717
  • 25
  • 38
sysadmin1138
  • 131,083
  • 18
  • 173
  • 296
  • 1
    I marked this as Accepted because it's the more complete answer. I guess that since every firewall configuration tome I've ever read (since about 1997, when I started in the field, and that includes building FreeBSD firewalls by hand) has stressed the use of RFC1918, that this didn't really make any sense to me. Of course, as an ISP we're going to have some issues with end users and their cheap routers when we run out of IPv4 addresses, and that's not going away anytime soon. – Ernie Sep 27 '10 at 16:11
  • "IPv6 address translators that translate a ULA to a Global IP do exist in the higher range perimeter gear, definitely not in the SOHO gear yet." After resisting for many years, Linux added support for this in 3.9.0. – Peter Green Jul 08 '16 at 19:27
  • 3
    I have a question about "NAT gateways are frequently used because they're *easier* to get into a secure config than most firewalls". For businesses with pro IT staff or for knowledgeable consumers that's no big deal, but for the general consumer / naive small business isn't something not being "easy" a huge security risk? E.g. decades of passwordless "linksys" wifi networks existed because not configuring security was "easier" than configuring it. With a house full of consumer-level IoT enabled devices I can't see my mom properly configuring an IPv6 firewall. Do you think this is a problem? – Jason C Jan 27 '17 at 14:50
  • 7
    @JasonC No, because the consumer-level gear already being shipped is shipping with firewalls preconfigured by the ISP to deny all inbound. Or don't have v6 support. The challenge is the power-users who think they know what they're doing, but actually don't. – sysadmin1138 Jan 27 '17 at 15:03
  • @sysadmin1138 Unfortunately, there are plenty of consumer-grade routers out there with IPv6 and no firewall whatsoever. My own D-Link router had this problem (I believe it was a DIR-615, from 2010. I retired it a long time ago, but many people will still use it). There are also many consumer-grade routers available that have broken firewalls. – Kevin Keane Feb 12 '17 at 10:21
  • 1
    An excellent answer overall, but I downvoted it because it barely addressed the big elephant in the room: configuring the security device correctly is something you can't just take for granted. – Kevin Keane Feb 12 '17 at 10:24
64

Our office NAT router (an old Linksys BEFSR41) does not support IPv6. Nor does any newer router

IPv6 is supported by many routers. Just not that many of the cheap ones aimed at consumers and SOHO. Worst case, just use a Linux box or re-flash your router with dd-wrt or something to get IPv6 support. There are many options, you probably just have to look harder.

If we're supposed to just get rid of this router and plug everything directly to the Internet,

Nothing about a transition to IPv6 suggests you should get rid of perimeter security devices, like your router/firewall. Routers and firewalls will still be a required component of pretty much every network.

All NAT routers effectively act as a stateful firewall. There is nothing magic about the use of RFC1918 addresses that protects you all that much. It is the stateful bit that does the hard work. A properly configured firewall will protect you just as well if you are using real or private addresses.

The only protection you get from RFC1918 addresses is that it allows people to get away with errors/laziness in your firewall config and still not be all that vulnerable.

There's a few old hardware devices (ie, printers) that have absolutely no IPv6 capability at all.

So? It is hardly likely that you will need to make that available over the Internet, and on your internal network, you can continue to run IPv4, and IPv6 until all your devices are supported or replaced.

If running multiple protocols is not an option you may have to set up some kind of gateway/proxy.

IPSEC are supposed to make all this secure somehow

IPSEC encrypts and authenticates packets. It has nothing to do with getting rid of your border device, and has more to do with protecting the data in transit.

Zoredache
  • 128,755
  • 40
  • 271
  • 413
  • 2
    Right in so many ways. – sysadmin1138 Sep 25 '10 at 00:49
  • 4
    Exactly, get a real router and you won't have to worry. SonicWall has some excellent options to provide the security you need and will support IPv6 without a problem. This option will probably offer better security and performance than what you currently have. (http://news.sonicwall.com/index.php?s=43&item=1022) As you can see in this article, you can also do ipv4 to ipv6 translation with sonicwall devices for those that can't handle ipv6. – MaQleod Sep 25 '10 at 04:54
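As an added example (not from the thread, and not any answerer's own configuration), here is the kind of default-deny, stateful, NAT-free IPv6 ruleset that sysadmin1138's and Zoredache's answers describe, rendered as an nftables file by a small shell script: outbound connections are allowed and their replies tracked by connection state, unsolicited inbound traffic is dropped, and the billing database sits on its own segment reachable only from six named workstations on the database port, which is the control the question asks for. It goes a little beyond the thread by also listing the ICMPv6 messages an IPv6 network cannot work without. Interface names, the 2001:db8::/32 documentation addresses and the port number are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: render (and optionally load) a default-deny,
# stateful, NAT-free IPv6 ruleset for nftables. Everything below is an assumption:
# interface names, the 2001:db8::/32 documentation prefix and the database port.
set -eu

WAN_IF="${WAN_IF:-wan0}"                       # uplink to the ISP
LAN_IF="${LAN_IF:-lan0}"                       # workstations and printers
DMZ_IF="${DMZ_IF:-dmz0}"                       # separate segment for the billing server
LAN_NET="${LAN_NET:-2001:db8:0:10::/64}"       # public and routeable, yet unreachable
BILLING_DB="${BILLING_DB:-2001:db8:0:20::db}"  # the database host
DB_PORT="${DB_PORT:-1433}"                     # assumed: MS SQL Server

render_ruleset() {
cat <<EOF
#!/usr/sbin/nft -f
# 'flush ruleset' also removes any IPv4 tables; scope it to this table on a dual-stack box.
flush ruleset

table ip6 fw6 {
    # The six workstations allowed to reach the billing database (constructed addresses).
    set billing_admins {
        type ipv6_addr
        elements = { 2001:db8:0:10::11, 2001:db8:0:10::12, 2001:db8:0:10::13,
                     2001:db8:0:10::14, 2001:db8:0:10::15, 2001:db8:0:10::16 }
    }

    # ICMPv6 that IPv6 cannot function without: neighbour discovery, path MTU
    # discovery and error reporting. Dropping all of ICMPv6 breaks IPv6 outright.
    chain icmp6_essential {
        icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit,
                      nd-neighbor-advert, destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept
        # ping is useful for troubleshooting; rate-limit it rather than drop it
        icmpv6 type echo-request limit rate 10/second accept
    }

    # Traffic addressed to the firewall itself.
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        jump icmp6_essential
        # manage the firewall from the LAN only
        iifname "$LAN_IF" ip6 saddr $LAN_NET tcp dport 22 accept
    }

    # Traffic routed between segments. Default deny does the work NAT used to
    # do as a side effect: nothing unsolicited from the Internet reaches any host.
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        jump icmp6_essential
        # LAN may open connections outward; replies return via the ct state rule
        iifname "$LAN_IF" oifname "$WAN_IF" ip6 saddr $LAN_NET accept
        # Billing segment: only the six admins, only to the database, only on its port.
        # No rule lets the Internet, the rest of the LAN or the server itself initiate anything.
        iifname "$LAN_IF" oifname "$DMZ_IF" ip6 saddr @billing_admins ip6 daddr $BILLING_DB tcp dport $DB_PORT accept
    }
}
EOF
}

# Syntax-check with 'nft -c' before touching the kernel; load only if that passes.
apply_ruleset() {
    tmp=$(mktemp)
    render_ruleset > "$tmp"
    if nft -c -f "$tmp"; then
        nft -f "$tmp"
        rc=0
    else
        echo "ruleset rejected by nft -c, nothing loaded" >&2
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# './fw6.sh' prints the ruleset for review; './fw6.sh apply' loads it (needs root and nft).
case "${1:-render}" in
    apply) apply_ruleset ;;
    *) render_ruleset ;;
esac
```

Hosts in the billing segment still need DNS or update access in practice; add those as explicit, narrow forward rules rather than loosening the policy.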
36

Yes. NAT is dead. There have been some attempts to ratify standards for NAT over IPv6 but none of them ever got off the ground.

This has actually caused issues for providers who are attempting to meet PCI-DSS standards, as the standard actually states that you must be behind a NAT.

For me, this is some of the most wonderful news I've ever heard. I hate NAT, and I hate carrier-grade NAT even more.

NAT was only ever meant to be a band-aid solution to get us through till IPv6 became standard, but it became ingrained into the internet society.

For the transition period, you have to remember that IPv4 and IPv6 are, apart from a similar name, totally different[1]. So on devices that are Dual-Stack, your IPv4 will be NATted and your IPv6 will not. It's almost like having two totally separate devices, just packaged into the one piece of plastic.

So, how does IPv6 internet access work? Well, the way the internet used to work before NAT was invented. Your ISP will assign you an IP range (same as they do now, but they generally assign you a /32, which means that you only get one IP address), but your range will now have millions of available IP addresses in it. You are free to populate these IP addresses as you choose (with auto-configuration or DHCPv6). Each one of these IP addresses will be visible from any other computer on the internet.

Sounds scary, right? Your domain controller, home media PC and your iPhone with your hidden stash of pornography are all going to be accessible from the internet?! Well, no. That's what a firewall is for. Another great feature of IPv6 is that it forces firewalls from an "Allow All" approach (as most home devices are) into a "Deny All" approach, where you open up services for particular IP addresses. 99.999% of home users will happily keep their firewalls default and totally locked down, which means that no unsolicited traffic will be allowed in.

[1] OK, there's way more to it than that, but they are in no way compatible with each other, even though they both permit the same protocols running on top.

Mark Henderson
  • 68,316
  • 31
  • 175
  • 255
  • 3
    What about all the people that claim that having computers behind NAT provides added security? I hear this a lot from some other IT admins. It won't matter if you say that a proper firewall is all you need, because so many of these people believe that NAT adds a layer of security. – user9274 Mar 24 '11 at 00:30
  • 4
    @user9274 - it provides security in two ways: 1) it hides your internal IP address from the world (which is why PCI-DSS demand it), and 2) it's an extra "hop" from the internet to the local machine. But to be honest, the first is just "security through obscurity" which is not security at all, and as for the second a compromised NAT device is just as dangerous as a compromised server, so once the attackers are past the NAT they can likely get into your machine anyway. – Mark Henderson Mar 24 '11 at 00:34
  • In addition, any security gained through the use of NAT was and is an unintended benefit in the effort to stave off the depletion of IPv4 addresses. It certainly wasn't part and parcel of the design goal, that I'm aware of. – joeqwerty Mar 24 '11 at 00:46
  • 7
    The PCI-DSS standards were amended in late October 2010 and the NAT requirement was removed (section 1.3.8 of v1.2). So even they are catching up with the times. – sysadmin1138 Mar 24 '11 at 02:17
  • @sysadmin - iiiinteresting, that means our datacentre hasn't read the latest specs then, because when we requested a PCI-DSS compliant system and then also asked for IPv6 the guy treated me like I was an idiot. Well, maybe I am, but I'm going to find the updated spec and point him to it. – Mark Henderson Mar 24 '11 at 02:32
  • I'm still ambivalent about having my whole corporate network using ipv6 instead of having internal network on ipv4 and a 4to6 nat/bridge/proxy. I admit I must read more, though. – coredump Mar 24 '11 at 02:34
  • @coredump - have a look at [sysadmin1138's answer on a very similar question here](http://serverfault.com/questions/184524/) - it sounds daunting at first, because the word "public" keeps getting thrown around, but "public" does *not* mean "accessible" – Mark Henderson Mar 24 '11 at 02:37
  • 2
    @Mark, not sure if it's worth mentioning but NAT64 is getting off the ground, but it's not the NAT most people think of. It allows IPv6 only networks to access the IPv4 Internet without client 'cooperation'; it requires DNS64 support to make it work. – Chris S Mar 24 '11 at 03:15
  • @Chris S - sounds like it's worth a mention. I hadn't heard of it before. You might want to post an answer about it. – Mark Henderson Mar 24 '11 at 03:47
  • @user9274 - I believe that NAT will only cease to be used when IPv4 disappears from the public internet. And I don't think that will happen in our lifetime, or even our children's lifetime. Our grandchildren will probably have grandchildren of their own when the last IPv4 host is taken off the internet. But the point of my answer is that IPv6 has no real need for NAT, and thus NAT is dead. – Mark Henderson Mar 24 '11 at 04:13
  • 2
    How does IPv6 force firewalls to deny all by default? What am I missing? – user253751 Mar 03 '17 at 02:57
18

The PCI-DSS requirement for NAT is well known to be security theater and not actual security.

The most recent PCI-DSS has backed off from calling NAT an absolute requirement. Many organizations have passed PCI-DSS audits with IPv4 without NAT showing stateful firewalls as "equivalent security implementations".

There are other security theater documents out there calling for NAT, but, because it destroys audit trails and makes incident investigation/mitigation more difficult, a more in-depth study shows NAT (with or without PAT) to be a net security negative.

A good stateful firewall without NAT is a vastly superior solution to NAT in an IPv6 world. In IPv4, NAT is a necessary evil to be tolerated for the sake of address conservation.

Owen DeLong
  • 197
  • 1
  • 2
  • 2
    NAT is "lazy security". And with "lazy security" comes lack of attention to detail, and the ensuing loss of the security that was intended. – Skaperen Aug 21 '12 at 17:14
  • 1
    Completely agree; though the way most PCI-DSS audits are carried out (audit by monkey with checklist) it's *all* lazy security, and carries those flaws. – MadHatter Mar 01 '15 at 09:02
  • For those who claim that NAT is "security theater" I'd like to point to The Networking Nerd's article on the Memcached vulnerability a few months ago. https://networkingnerd.net/2018/03/02/memcached-ddos-theres-still-time-to-save-your-mind/ He is an avid IPv6 proponent, and NAT hater, but had to point out that thousands of companies had left their memcached servers wide open on the internet due to firewall rules that "weren't crafted carefully". NAT forces you to be explicit about what you allow into your network. – Kevin Keane May 25 '18 at 20:32
13

There is a huge amount of confusion about this subject, as network administrators see NAT in one light, and small business and residential customers see it in another. Let me clarify.

Static NAT (sometimes called one-to-one NAT) offers absolutely no protection for your private network or an individual PC. Changing the IP address is meaningless as far as protection is concerned.

Dynamic Overloaded NAT/PAT like what most residential gateways and wifi AP's do absolutely helps protect your private network and/or your PC. By design the NAT table in these devices is a state table. It keeps track of outbound requests and maps them in the NAT table--the connections time out after a certain amount of time. Any unsolicited inbound frames that don't match what's in the NAT table are dropped by default--the NAT router doesn't know where to send them in the private network so it drops them. In this way, the only device you are leaving vulnerable to being hacked into is your router. Since most security exploits are Windows based--having a device like this between the internet and your Windows PC's really helps protect your network. It may not be the originally intended function, which was to save on public IP's, but it gets the job done. As a bonus, most of these devices also have firewall capabilities that many times block ICMP requests by default, which also helps protect the network.

Given the above information, disposing with NAT when moving to IPv6 could expose millions of consumer and small business devices to potential hacking. It will have little to no effect on corporate networks as they have professionally managed firewalls at their edge. Consumer and small business networks may possibly no longer have a *nix based NAT router between the internet and their PC's. There is no reason that a person couldn't switch to a firewall only solution--much safer if deployed correctly, but also beyond the scope of what 99% of consumers understand how to do. Dynamic Overloaded NAT gives a modicum of protection just by using it--plug in your residential router and you are protected. Easy.

That said, there is no reason that NAT couldn't be used in the exact same way it is being used in IPv4. In fact, a router could be designed to have one IPv6 address on the WAN port with an IPv4 private network behind it that NATs onto it (for example). This would be a simple solution for consumer and residential people. Another option is to give all devices public IPv6 IPs--the intermediate device then could act as a L2 device, but provide a state table, packet inspection, and fully functioning firewall. Essentially, no NAT, but still blocking any unsolicited inbound frames. The important thing to remember is that you shouldn't plug your PC's directly into your WAN connection with no intermediary device. Unless of course you want to rely on the Windows firewall. . . and that's a different discussion. Every network, even a home network, needs an edge device protecting the local network, in addition to using the Windows firewall.

There will be some growing pains moving to IPv6, but there isn't any problem that won't be able to be resolved fairly easily. Will you have to ditch your old IPv4 router or residential gateway? Maybe, but there will be inexpensive new solutions available when the time comes. Hopefully many devices will just need a firmware flash. Could IPv6 have been designed to fit more seamlessly into the current architecture? Sure, but it is what it is and it's not going away--so you might as well learn it, live it, love it.

voretaq7
  • 79,345
  • 17
  • 128
  • 213
Computerguy
  • 139
  • 1
  • 2
  • 3
    For what it's worth, I'd like to reiterate that the current architecture is fundamentally broken (end-to-end routability) and this creates practical problems in complex networks (redundant NAT devices are overly complex and expensive). Dropping the NAT hack will reduce complexity and potential points of failure, while security is maintained by simple stateful firewalls (I can't imagine for a second a SOHO router coming without the stateful firewall enabled by default so customers can plug-n-play without a thought). – Chris S Jun 09 '11 at 14:51
  • Sometimes broken end-to-end routability is exactly what you want. I don't want my printers and PC's being able to be routed to from the internet. While NAT started as a hack, it has evolved into a very usable tool, that in some instances can improve security by removing the potential for packets to route directly to a node. If I have an RFC1918 IP assigned statically on a PC, under no circumstances is that IP going to be routeable on the internet. – Computerguy Jun 09 '11 at 20:01
  • 7
    Broken routability is *A Bad Thing™*. What you want is for your devices to be unreachable by the Internet (by firewall), that's not the same thing. See [Why would you use IPv6 internally?](http://serverfault.com/q/274181). Also, RFC1918 states that those addresses should be used for private networks only, and access to the Internet should only be provided by application layer gateways (which NAT is not). For external connections the host should be assigned an address from an IANA coordinated allocation. Hacks, no matter how useful, make unnecessary compromises and aren't the 'right' way. – Chris S Jun 09 '11 at 20:56
12

It will (sadly) be a while before you can get away with a single-stack IPv6-only network. Until then, dual-stack with preference for IPv6 when available is the way to run.

While most consumer routers don't support IPv6 with stock firmware today, many can support it with 3rd-party firmwares (e.g., Linksys WRT54G with dd-wrt, etc.). Also, many business-class devices (Cisco, Juniper) support IPv6 out-of-the-box.

It's important not to confuse PAT (many-to-one NAT, as is common on consumer routers) with other forms of NAT, and with NAT-free firewalling; once the internet becomes IPv6-only, firewalls will still prevent exposure of internal services. Likewise, an IPv4 system with one-to-one NAT is not automatically protected; that's the job of a firewall policy.

techieb0y
  • 4,161
  • 16
  • 17
12

RFC 4864 describes IPv6 Local Network Protection, a set of approaches for providing the perceived benefits of NAT in an IPv6 environment, without actually having to resort to NAT.

This document has described a number of techniques that may be combined on an IPv6 site to protect the integrity of its network architecture. These techniques, known collectively as Local Network Protection, retain the concept of a well-defined boundary between "inside" and "outside" the private network and allow firewalling, topology hiding, and privacy. However, because they preserve address transparency where it is needed, they achieve these goals without the disadvantage of address translation. Thus, Local Network Protection in IPv6 can provide the benefits of IPv4 Network Address Translation without the corresponding disadvantages.

It first lays out what the perceived benefits of NAT are (and debunks them when appropriate), then describes the features of IPv6 which can be used to provide those same benefits. It also provides implementation notes and case studies.

While it's too long to reprint here, the benefits discussed are:

  • A simple gateway between "inside" and "outside"
  • The stateful firewall
  • User/application tracking
  • Privacy and topology hiding
  • Independent control of addressing in a private network
  • Multihoming/renumbering

This pretty much covers all the scenarios in which one might have wanted NAT and offers solutions for implementing them in IPv6 without NAT.

Some of the technologies you will use are:

  • Unique local addresses: Prefer these on your internal network to keep your internal communications internal and to ensure that internal communications can continue even if the ISP has an outage.
  • IPv6 privacy extensions with short address lifetimes and not-obviously structured interface identifiers: These help prevent attacking individual hosts and subnet scanning.
  • IGP, Mobile IPv6 or VLANs can be used to hide the topology of the internal network.
  • Along with ULAs, DHCP-PD from the ISP makes renumbering/multihoming easier than with IPv4.

(See the RFC for complete details; again, it's much too long to reprint or even take significant excerpts from.)

For a more general discussion of IPv6 transition security, see RFC 4942.

Michael Hampton
  • 237,123
  • 42
  • 477
  • 940
11

If NAT survives in the IPv6 world, it'll most likely be 1:1 NAT. A form of NAT never seen in IPv4 space. What is 1:1 NAT? It's a 1:1 translation of a global address to a local address. The IPv4 equivalent would be translating all connections to 1.1.1.2 only to 10.1.1.2, and so on for the entire 1.0.0.0/8 space. The IPv6 version would be to translate a global address to a Unique Local Address.

Enhanced security could be provided by frequently rotating the mapping for addresses that you don't care about (like internal office users browsing Facebook). Internally, your ULA numbers would stay the same so your split-horizon DNS would continue to work just fine, but externally clients would never be on a predictable port.

But really, it's a small amount of improved security for the hassle it creates. Scanning IPv6 subnets is a really large task and is infeasible without some recon on how IP addresses are assigned on those subnets (MAC-generation method? Random method? Static assignment of human-readable addresses?).

In most cases, what'll happen is that clients behind the corporate firewall will get a global address, maybe a ULA, and the perimeter firewall will be set to deny all incoming connections of any kind to those addresses. For all intents and purposes, those addresses are unreachable from the outside. Once the internal client initiates a connection, packets will be allowed through along that connection. The need to change the IP address to something completely different is handled by forcing an attacker to thumb through 2^64 possible addresses on that subnet.

sysadmin1138
  • 131,083
  • 18
  • 173
  • 296
  • @sysadmin1138: I like this solution. As I currently understand IPv6, if my ISP gives me a /64, I'm supposed to use that /64 on my entire network if I want my machines to be IPv6 internet-accessible. But if I get fed up with that ISP and move to another, now I have to completely renumber everything. – Kumba Apr 06 '11 at 04:41
  • 1
    @sysadmin1138: That said, however, I have noticed that I can assign multiple IPs to a single interface a lot easier than with IPv4, so I can foresee using the ISP-given /64 for external access and my own private internal ULA scheme for comms between hosts, and use a firewall to make the ULA addresses unreachable from the outside. More setup work involved, but it seems like it'll avoid NAT altogether. – Kumba Apr 06 '11 at 04:42
  • @sysadmin1138: I STILL scratch my head on why ULA are, for all intents and purposes, private, yet they are expected to still be globally unique. It's like saying that I can have a car of any make and model currently available, but not any make/model/year already used by someone else, even though it's my car and I'll be the only driver it'll ever have. – Kumba Apr 06 '11 at 04:46
  • @sysadmin1138: Last comment-spam, I just wanted to say that while TODAY port scanning 65,535 ports on 18 quintillion IPv6 addresses (a /64) is entirely unfeasible, what about 10-15 years from now? This is the most common counter-argument to IPv6 NAT that I see. Computing power will increase, and we might see the introduction of things like optronics which would change the playing field a LOT. Scanning IPv6 /64 blocks, I imagine, will be far easier in 2021 than in 2011. So I think this counter-argument is a recipe for disaster by giving people a false sense of security in the long-term. – Kumba Apr 06 '11 at 04:50
  • @Kumba Yeah, you'll have to renumber everything if you change ISP. Which is why you should probably be using RA / DHCPv6. If you have a complex network, then get a PI /48. – Richard Gadsden Apr 12 '11 at 13:08
  • @Richard: It's just my home network :) This is why I like 1:1 NAT. Maybe as IPv6 gets wider adoption, someone will draft a new RFC to correct small use cases like this. – Kumba Apr 13 '11 at 23:51
  • @Kumba if it's your home network, why do you need static IPs on your home computers anyway? Make sure you have working DDNS and you're done. – Richard Gadsden Apr 14 '11 at 09:59
  • @Richard: Because I've always used static on my home network. I run multiple machines, use internal DNS, and a few other things. It's fun, and I learn from it. I don't want/need the "easy" features of IPv6, else I won't learn anything. – Kumba Apr 23 '11 at 06:40
  • @Kumba Fair 'nough. But on a small network, you can just renumber everything anyway. Or set your machines to use autoconf and use MAC-generated IP addresses and then you know what address each one will get, which is like a static. – Richard Gadsden Apr 26 '11 at 11:01
  • 2
    @Kumba The reason RFC 4193 addresses should be globally unique is to ensure you won't have to renumber in the future. Maybe one day you need to merge two networks using RFC 4193 addresses, or one machine which could already have an RFC 4193 address may need to connect to one or more VPNs, which also have RFC 4193 addresses. – kasperd Jul 04 '14 at 09:33
  • @kasperd: True, but the large domain of IPv6 addresses available under the fd00::/8 range is so large, the chances of that should be incredibly remote, even if you simply numbered your network sequentially. Most people will likely stick with numbering internal machines using their ISP-provided /64 block anyways. Few will use the RFC4193 addresses. – Kumba Jul 05 '14 at 19:49
  • 1
    @Kumba If everybody used fd00::/64 for the first segment on their network, then you'd certainly run into a conflict as soon as any pair of two such networks had to communicate. The point of RFC 4193 is that as long as you choose your 40 bits randomly, you can assign the remaining 80 bits however you please and remain confident, that you won't have to renumber. – kasperd Jul 06 '14 at 18:56
  • That you *probably* won't have to renumber, anyway (until you have 2^20 networks to merge). It's not a strict guarantee, only a best effort thing, to save headaches. – user253751 Jan 29 '18 at 00:21
8

Kind of. There's actually different "types" of IPv6 addresses. The closest to RFC 1918 (10/8, 172.16/12, 192.168/16) is called "Unique local address" and is defined in RFC 4193:

http://en.wikipedia.org/wiki/Unique_local_address

So you begin with fd00::/8, then add a 40-bit string (using a pre-defined algorithm in the RFC!), and you end up with a pseudo-random /48 prefix that should be globally unique. You have the rest of the address space to assign however you want.

You should also block fd00::/7 (fc00::/8 and fd00::/8) at your (IPv6) router towards the outside of your organization—hence the "local" in the address name. These addresses, while in the global address space, should not be reachable from the world at large, just within your "organization".

If your PCI-DSS servers need an IPv6 address for connectivity to other internal IPv6 hosts, you should generate a ULA prefix for your company and use it for this purpose. You can use IPv6's auto-config just like any other prefix if you wish.

Given that IPv6 was designed so that hosts can have multiple addresses, a machine can have—in addition to a ULA—a globally routable address as well. So a web server that needs to talk to both the outside world and to internal machines can have both an ISP-assigned prefix address and your ULA prefix.

If you want NAT-like functionality you can look at NAT66 as well, but in general I'd architect around ULA. If you have further questions you may want to check out the "ipv6-ops" mailing list.

DAM
  • 81
  • 1
  • 1
  • 1
    Hah. I write all those comments to sysadmin1138, and didn't even think to look at your answer about using dual addresses for global and local comms. However, I vehemently disagree with the precepts of ULA needing to be globally unique. I don't like randomized, 40-bit numbers _at all_, especially for my internal LAN, of which **I** am the only user. They probably do need a world database of ULAs to be registered (SixXS runs such), but drop the random number mess and let people be creative. Like personalized license plates. You apply for one and if it's taken, you try for another. – Kumba Apr 06 '11 at 04:57
  • 1
    @Kumba they're trying to stop every single network using the same addresses - random means you don't need a public database and each network is independent; if you wanted to issue IP addresses centrally, then just use global ones! – Richard Gadsden Apr 14 '11 at 09:58
  • @Richard: That's a...How do I put it, silly concept, IMHO. Why should it matter if small Joe Company in a town in Montana uses the same IPv6 addressing as another small company in Perth, Australia? The odds of the two ever crossing, while not impossible, are pretty improbable. If the intention of the IPv6 designers was to try and do away entirely with the concept of "private networks", then they need to have their coffee checked, because that's not realistically feasible. – Kumba Apr 23 '11 at 06:43
  • 2
    @Kumba I think it's the scars from when you try to merge two large IPv4 private networks in 10/8 and you have to renumber one (or even both) of them that they're trying to avoid. – Richard Gadsden Apr 26 '11 at 10:59
  • 2
    @Richard: Exactly, there's nothing more painful than using VPN to connect to another network with the same private subnet, some implementation will just stop working. – Hubert Kario Aug 12 '11 at 10:37
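Added example (not code from any answer above, nor from the RFC): a Python implementation of the RFC 4193 section 3.2.2 Global ID algorithm the answer refers to (SHA-1 over a 64-bit NTP timestamp and an EUI-64, keep the least significant 40 bits), plus the fd00::/8 prefix assembly, a /64 subnet carve-out from the remaining 80 bits that kasperd's comment describes, and an fc00::/7 membership check for the border filter. The MAC address and timestamps are constructed sample values.

```python
import hashlib
import ipaddress
import struct
import time
from typing import Optional

NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 and 1970-01-01
ULA_RANGE = ipaddress.IPv6Network("fc00::/7")


def mac_to_eui64(mac: str) -> bytes:
    """Modified EUI-64 from a 48-bit MAC: insert ff:fe, flip the U/L bit."""
    raw = bytearray(bytes.fromhex(mac.replace(":", "").replace("-", "")))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    raw[0] ^= 0x02
    return bytes(raw[:3] + b"\xff\xfe" + raw[3:])


def rfc4193_global_id(eui64: bytes, ntp_time: Optional[int] = None) -> bytes:
    """40-bit Global ID per RFC 4193 section 3.2.2: SHA-1 over
    (64-bit NTP timestamp || EUI-64), least significant 40 bits."""
    if len(eui64) != 8:
        raise ValueError("EUI-64 must be 8 bytes")
    if ntp_time is None:
        # 64-bit NTP format: whole seconds in the high 32 bits, fraction below
        now = time.time() + NTP_EPOCH_OFFSET
        ntp_time = (int(now) << 32) | int((now % 1) * (1 << 32))
    digest = hashlib.sha1(struct.pack(">Q", ntp_time) + eui64).digest()
    return digest[-5:]


def ula_prefix(global_id: bytes) -> ipaddress.IPv6Network:
    """fd00::/8 (prefix fc00::/7 with L bit = 1) + 40-bit Global ID -> the site's /48."""
    g = global_id.hex()
    return ipaddress.IPv6Network(f"fd{g[0:2]}:{g[2:6]}:{g[6:10]}::/48")


def ula_subnet(prefix: ipaddress.IPv6Network, subnet_id: int) -> ipaddress.IPv6Network:
    """Carve /64 number subnet_id (16 bits) out of the /48; these and the
    64 interface-identifier bits are the operator's to assign freely."""
    if prefix.prefixlen != 48 or not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("need a /48 prefix and a 16-bit subnet id")
    return ipaddress.IPv6Network((int(prefix.network_address) | (subnet_id << 64), 64))


def is_ula(addr: str) -> bool:
    """True for fc00::/7: such traffic must be dropped at the border router."""
    return ipaddress.IPv6Address(addr) in ULA_RANGE


if __name__ == "__main__":
    # constructed sample MAC; a real deployment uses one of its own interfaces
    site = ula_prefix(rfc4193_global_id(mac_to_eui64("00:11:22:33:44:55")))
    print("site prefix:", site, "first subnet:", ula_subnet(site, 1))
```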
4

Hopefully, NAT will go away forever. It's useful only when you have an IP address scarcity and has no security features that aren't provided better, cheaper and more easily managed by a stateful firewall.

Since IPv6 = no more scarcity, it means we can rid the world of the ugly hack that is NAT.

growse
  • 7,830
  • 11
  • 72
  • 114
4

IMHO: not.

There are still some places where SNAT/DNAT can be useful. For example, some servers were moved to another network, but we don't want to/can't change the IP of the application.

sumar
  • 2,086
  • 12
  • 12
  • 2
    You need to be using DNS names instead of IP addresses in your application configurations. – rmalayter Apr 06 '12 at 15:10
  • DNS doesn't resolve your problem if you need to create a network path without modifying your whole routing topology and firewalling rules. – sumar May 15 '12 at 13:43
4

I have not seen a definitive answer on how the loss of NAT (if it truly does go away) with IPv6 will affect user privacy.

With individual device IP addresses publicly exposed, it will be much easier for web services to surveil (collect, store, aggregate over time and space and sites, and facilitate a multitude of secondary uses) your travels around the internet from your various devices. Unless... ISPs, routers, and other equipment make it possible and easy to have dynamic IPv6 addresses that can be frequently changed for each device.

Of course no matter what we will still have the issue of static wi-fi MAC addresses being public, but that's another story...

LogEx
  • 41
  • 2
  • 2
    You just need to enable privacy addresses. That will give you just as much privacy as a NAT would have done. Additionally by using IPv6 you will be much less exposed to problems caused by poor IPID selection. – kasperd Sep 30 '15 at 08:20
2

There are many schemes to support NAT in a V4 to V6 transition scenario. However, if you have an all IPV6 network and connect to an upstream IPV6 provider, NAT is not part of the new world order, except that you may tunnel between V4 networks over V6 networks.

Cisco has plenty of general information on 4to6 scenarios, migration, and tunneling.

http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-nat_trnsln_ps6350_TSD_Products_Configuration_Guide_Chapter.html

http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-tunnel.html

Also at Wikipedia:

https://secure.wikimedia.org/wikipedia/en/wiki/IPv6_transition_mechanisms

Greg Askew
  • 34,339
  • 3
  • 52
  • 81
2

Politics and basic business practice will most likely further the existence of NAT. The plethora of IPv6 addresses means ISPs will be tempted to charge per device or limit connections only to a restricted number of devices. See this recent article on /. for example:

http://news.slashdot.org/story/11/03/17/0157239/British-ISPs-Could-Charge-Per-Device

Steve-o
  • 829
  • 6
  • 12
  • 2
    I'm not so sure. I think there will be a huge technical revolt against any ISP that attempts to charge per device. Although I can see why ISP's would jump at this idea, because now they can actually tell how many devices are on the other end of a connection. – Mark Henderson Mar 24 '11 at 03:04
  • 1
    Given the move to provide some level of anonymity by using temporary addresses for outgoing connections, enforcing per device rules would be complex, if not impossible. A device could have 2 or more active global addresses under this scheme, in addition to any other assigned. – BillThor Mar 24 '11 at 04:41
  • 2
    @Mark Henderson - There already are ISPs who charge per device. AT&T, for example, charge extra for "tethering". – Richard Gadsden Apr 14 '11 at 13:15
  • 1
    @Richard - if that was the case, if I were with AT&T I would drop them like it's hot – Mark Henderson Apr 14 '11 at 23:03
  • @Mark - That's AT&T wireless (look at the iPhone contracts, for instance). – Richard Gadsden Apr 15 '11 at 09:30
  • Any ISP that tries to charge per device will quickly find that privacy addresses make it a bad idea. – user253751 Mar 03 '17 at 03:30
-2

FYI, anyone interested in using NAT/NAPT with IPv6 can. All BSD operating systems that have PF support NAT66. Works great. From a blog we used:

ipv6 nat (nat66) by FreeBSD pf

Although NAT66 is still a draft, FreeBSD pf has already supported it for a long time.

(edit pf.conf and insert the following)

```
v6_wan_if="your-v6-wan-interface-name"
v6_wan_ip="your-v6-wan-ip-address"

# do not translate packets already sourced from the WAN address itself
no nat on $v6_wan_if inet6 from $v6_wan_ip to any
# translate everything else leaving the WAN interface to the single WAN address
nat on $v6_wan_if inet6 from any to any -> $v6_wan_ip
```

You are all set!

Works great for us folks who have been using squid with a single IP address for years. With IPv6 NAT, I can get 2^120 private addresses (site local), which includes 2^56 subnets, along with my 5 /64 subnets. That means I must be 100 billion times smarter than any other IPv6 guru here because I have more addresses. :D

The truth is that just because I have more addresses (or may have used IPv6 longer than you), really does not make IPv6 (or me for the same issue) better. It does, however, make IPv6 more complex where a firewall is required in place of PAT and NAT is no longer a requirement, but is an option. The goal of the firewall is to allow all outbound connections and keep the state, but block inbound initiated connections.

As for NAPT (NAT with PAT), it will take some time to get people out of the mindset. For example, until we can get your great-grandfather to set up his own IPv6 firewall without site-local addressing (private addresses) and without any guru assistance, it might be a good idea to toy with the possible idea of NAT since that will be all he knows.

  • 2
    Your average SOHO gear which eventually supports IPv6 will almost certainly come without IPv6 NAT (the NAT66 you're quoting doesn't work the same as NATv4, but we'll go with it anyway) and come with a default deny rule for inbound traffic (along with an allow outbound connections statefully), which provides almost all the same security today's IPv4 SOHO gear does. As others have pointed out, we understand people get complacent and comfortable with their hack technologies; that doesn't mean they're necessary or little more than security theater. – Chris S Jun 04 '11 at 02:53
  • NAT66 does not need to work the same as NAT44. It only needs to sound the same so we can nab people quicker onto IPv6. Once they are onto IPv6, we should be able to work as a team to get them properly configuring a firewall. Either we work as a team or we need to start using NAT44444. Your choice. – gnarlymarley Jun 13 '11 at 04:28
  • It's not just PF. In practical terms, most routers can do the same kind of NAT on IPv6 as on IPv4; it's just frowned upon. I've seen this feature in Fortinet routers, as well as OpenWRT. – Kevin Keane May 25 '18 at 20:39
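Added example, not code from any answer above: a constructed Python model of the border policy sysadmin1138's answer and the previous answer describe as the replacement for NAT: inside hosts keep their real global addresses, outbound connections are permitted and recorded, an inbound packet passes only if it is a reply to a recorded flow (the reversed 5-tuple), and fc00::/7 traffic never crosses the border in either direction. The 2001:db8::/32 and fd12:3456:789a::/48 addresses are documentation and sample values.

```python
import ipaddress
from dataclasses import dataclass

ULA_RANGE = ipaddress.IPv6Network("fc00::/7")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class StatefulBorder:
    """Toy stateful border filter: no address rewriting, just flow state.
    Constructed for this example; real filters also track TCP state and
    time entries out, which is omitted here."""

    def __init__(self, inside_prefix: str):
        self.inside = ipaddress.IPv6Network(inside_prefix)
        self.flows = set()  # (proto, src, sport, dst, dport) of permitted outbound flows

    def _inside(self, addr: str) -> bool:
        return ipaddress.IPv6Address(addr) in self.inside

    def _ula(self, addr: str) -> bool:
        return ipaddress.IPv6Address(addr) in ULA_RANGE

    def outbound(self, p: Packet) -> bool:
        """Packet leaving the site: allow only if it originates inside,
        is addressed outside and involves no ULA; then record the flow."""
        if not self._inside(p.src) or self._inside(p.dst):
            return False
        if self._ula(p.src) or self._ula(p.dst):
            return False  # fc00::/7 stays local, exactly like RFC 1918 space
        self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return True

    def inbound(self, p: Packet) -> bool:
        """Packet arriving from outside: pass only a reply to a recorded
        flow, i.e. the reversed 5-tuple; any new inbound connection is dropped."""
        if self._ula(p.src) or self._ula(p.dst):
            return False
        return (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows


if __name__ == "__main__":
    fw = StatefulBorder("2001:db8:1::/48")
    print(fw.outbound(Packet("2001:db8:1::10", 40000, "2001:db8:ffff::80", 443)))  # True
    print(fw.inbound(Packet("2001:db8:ffff::80", 443, "2001:db8:1::10", 40000)))   # True (reply)
    print(fw.inbound(Packet("2001:db8:ffff::80", 443, "2001:db8:1::10", 3389)))    # False (unsolicited)
```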
-2

The recent proposals put forward for IPv6 have suggested that engineers working on the new technology will incorporate NAT into IPv6; the reason given: NAT offers an additional layer of security.

The documentation is on the ipv6.com website, so it would seem all these answers stating NAT offers no security are looking a little embarrassed.

andrew
  • 31
  • 1
    Maybe you could expand on exactly what it is about NAT you think offers an additional layer of security? Specifically, what risk against what particular threat is mitigated? – growse Oct 27 '12 at 11:46
  • The 'security' provided by NAT is obfuscation and forcing a network into a default-deny posture; the former is debatable while the latter is a good idea. Default-deny can be achieved through other means just as easily though, and IPv6 removes one of the major *technical* reasons for NAT: IP scarcity. – sysadmin1138 Oct 27 '12 at 13:29
  • 2
    There's a page on [IPv6.com about NAT](http://ipv6.com/articles/nat/NAT-Pros-and-Cons.htm). Amongst other things, it has this to say: "The security issue is often used in the defense of the Network Address Translation process. However, the core principle of Internet is to offer an end-to-end connectivity to the different network resources." and also this: "As the IPv6 slowly replaces the IPv4 protocol, the network address translation process will become redundant and useless." – Ladadadada Oct 27 '12 at 13:29
-6

I realize that at some future point (that can only be speculated) regional IPv4 addresses will inevitably run out. I agree IPv6 has some serious user disadvantages. The issue of NAT is extremely important as it does inherently provide security, redundancy, privacy and allows users to connect almost as many devices as they want without restriction. Yes, a firewall is the golden standard against unsolicited network intrusion, but NAT not only adds another layer of protection, it also generally provides a secure-by-default design regardless of the firewall configuration or the end user's knowledge thereof; no matter how you define it, IPv4 with NAT and a firewall is still more secure by default than IPv6 with only a firewall. Another issue is privacy: having an internet-routable address on every device will open up users to all kinds of potential privacy violations, personal information collection and tracking in ways that are hardly imaginable today in such mass. I'm also of the opinion that without NAT we may be opened up to added costs and control through ISPs. ISPs may start charging per-device or per-user usage rates like we already see with USB tethering; this would greatly reduce the end user's freedom to openly connect any device they see fit on their line. As of right now few US ISPs offer IPv6 in any form and I feel non-tech businesses will be slow to switch because of the added cost with little or no value gained. Certainly IPv6 has a few advantages without NAT, but the added complexities of IPv6, not to mention application and service availability and many other issues, will propel IPv4 for at least another ten years if not longer.