20

I have been reading the Debian System Administrator's Handbook, and I came across this passage in the gateway section:

...Note that NAT is only relevant for IPv4 and its limited address space; in IPv6, the wide availability of addresses greatly reduces the usefulness of NAT by allowing all “internal” addresses to be directly routable on the Internet (this does not imply that internal machines are accessible, since intermediary firewalls can filter traffic).

That got me thinking... With IPv6 there is still a private range. See: RFC4193. Are companies really going to set up all their internal machines with public addresses? Is that how IPv6 is intended to work?

Questionmark
  • 7
    One premise of IP is that each device has a unique IP address. This allows the end-to-end connectivity around which IP was designed. NAT breaks that, and IPv6 restores that. – Ron Maupin Jul 08 '16 at 15:12
  • 6
    Yes, that's how IPv6 is intended to work. It was how IPv4 was intended to work as well, until it became obvious there weren't enough addresses.... in the early 1990s! See also [Switch to IPv6 and get rid of NAT? Are you kidding?](http://serverfault.com/q/184524/126632) which this is _probably_ a duplicate of... – Michael Hampton Jul 08 '16 at 16:47
  • @MichaelHampton Definitely a duplicate – Insane Jul 09 '16 at 03:42

5 Answers

29

Is that how IPv6 is intended to work?

In short, yes. One of the primary reasons for increasing the address space so drastically with IPv6 is to get rid of band-aid technologies like NAT and make network routing simpler.

But don't confuse the concept of a public address and a publicly accessible host. There will still be "internal" servers that are not Internet accessible even though they have a public address. They'll be protected with firewalls just like they are with IPv4. But it will also be much easier to decide that today's internal-only server needs to open up a specific service to the internet tomorrow.

Are companies really going to set up all their internal machines with public addresses?

In my opinion, the smart ones will. But as you've probably noticed, it's going to take quite a while.

Ryan Bolger
  • 3
    "the smart ones will" is a... opinionated? A large part/bonus of NAT is also hiding "details" such as how many computers, server types, layout, etc... Giving "publicly addresses" leaks information. – WernerCD Jul 08 '16 at 19:14
  • 1
    It can, but not always. For instance, a purely internal host with all inbound traffic blocked and no DNS records published in internet facing servers is effectively no different than an unused IP as far as the outside world is concerned. – Ryan Bolger Jul 08 '16 at 19:25
  • 2
    @WernerCD Let's say I have an IPv6 enabled network of the minimum number of 2^64 individually addressable hosts. You are welcome to do a ping sweep across that any time you like. Now, a corporate assignment might be more on the order of a /48 to a /56 than a /64, further increasing the number of possible addresses by several thousand times... – user Jul 08 '16 at 19:42
  • 2
    @WernerCD public does not mean advertised or even published. It only means that the IPs are all from the same bucket. – njzk2 Jul 08 '16 at 19:55
  • 5
    @WernerCD The use of NAT can cause even more leaks. With NAT it is possible for a port number to be reused while it is still in use, whereby packets from one connection can leak into another connection. And NAT violates the guarantee about IPID being unique, which means fragmented packets can get reassembled incorrectly, so partial packets can leak to the wrong connection without even having a connection being timed out prematurely in the first place. – kasperd Jul 08 '16 at 22:34
  • 1
    @WernerCD See [RFC 4864](https://tools.ietf.org/html/rfc4864), in particular Section 3.4, Untraceable IPv6 Addresses. – Michael Hampton Jul 09 '16 at 00:27
21

We use public IPv6 addresses in our company network for all devices.

We use a stateful firewall on our gateway, that:

  • allows all ICMPv6
  • allows new connections from the internal network out
  • allows established connections from public to internal

No public traffic (except ICMP and established connections) should get into our network.

So far we had no problems with this setup and it works perfectly.

Canadian Luke
Yarik Dot
14

If there is no need for outside connectivity, then private networks can be used. That is why private address space is also defined in IPv6.

NAT is a hack that was invented to delay IPv4 address space exhaustion. NAT causes issues with applications, and to get the applications to work with NAT, more hacks are needed which conflict with the original design of IP.

So, the preferred way is to work as Yarik answered: use a proper stateful firewall at the edge of the network.

Tero Kilkanen
7

As stated, this is the way IP was designed to work, and it does work well. NAT introduces annoying problems at times. Some have described NAT's "hiding" of the internal IP as an advantage, but it can also be a disadvantage.

I worked in a place with a /16 and we used publicly routable IPv4 addresses on every device (including printers and mobile phones and electronic timeclocks). It worked just fine, and in addition it made tracking down misbehaving users and devices all that much easier. It also limited the impact of those users, so that if someone managed to start spreading malware or got caught torrenting, it's less likely to affect (say) your mail servers' ability to communicate unhindered because of it being on a blacklist.

briantist
  • Universities in my country all got huge IPv4 allocations so still use public IPv4 addresses for all workstations. But if you don't have this you can still do static IP allocation on a private IP address space and get those same benefits for auditing and access control. I wouldn't recommend putting NATed users behind the same public IP as a public facing server in any case, with IP reputation being one of the main reasons. – thomasrutter Aug 02 '22 at 07:55
3

The IPv6 proponents saw NAT as a temporary hack to alleviate IPv4 address exhaustion and hence NAT would not be needed with IPv6.

However NAT has a few advantages other than stopping address exhaustion.

  1. NAT decouples your internal addressing from your internet connectivity.
  2. At least on Linux, NAT tends to fail closed. If the iptables rules fail to load then devices with private IPs will have no connectivity to the internet; this will quickly be noticed and fixed. Packet inspection firewalls on the other hand can easily fail open if IP forwarding is turned on but the iptables rules are not loaded.
  3. NAT hides which internal machine made a request. Privacy extensions help to some extent with this but they don't hide the subnet and they are a client-side feature so the client OS, not the network admin, chooses whether or not they are used.

As such I would expect at least some companies to choose to deploy v6 with NAT in the same way they do for IPv4. Others may side with the IPv6 proponents and go for firewalls but no address translation.


I would strongly encourage you (and anyone else considering implementing NAT with IPv6) to reconsider, after reading RFC 4864 for advice on what to do instead of NAT

I have read it but I don't think it provides a complete replacement for NAT.

  1. NAT decouples your internal addressing from your internet connectivity.

The IPv6 proponents' "solution" to this is threefold: run multiple addresses in parallel, automate assignment of dynamic addresses from provider(s) to internal networks, and use ULAs to provide long-term local addresses.

Running addresses of different lifetimes in parallel runs the risk that non-permanent addresses will end up inadvertently in long-term configuration. Running multiple internet addresses in parallel has the problem that client operating systems are not equipped to know which internet gateway their packets will leave from.

Prefix delegation has been solidly implemented for single-level scenarios where a single CPE router requests a prefix from the ISP and assigns it to one or more local interfaces, but there doesn't currently seem to be a good implementation for multi-level delegation within a customer site.

  2. At least on Linux, NAT tends to fail closed. If the iptables rules fail to load then devices with private IPs will have no connectivity to the internet; this will quickly be noticed and fixed. Packet inspection firewalls on the other hand can easily fail open if IP forwarding is turned on but the iptables rules are not loaded.

The IPv6 proponents do not seem to provide any answer to this. They seem to simply assume that accidents will not happen.

  3. NAT hides which internal machine made a request.

Privacy extensions help to some extent with this but they don't hide the subnet and they are a client-side feature so the client OS, not the network admin, chooses whether or not they are used.

There is a proposal for assigning /128s to individual machines and then creating IGP entries to route them, but I'm not aware of anyone actually implementing this in practice.

Peter Green
  • 2
    I would **strongly** encourage you (and anyone else considering implementing NAT with IPv6) to reconsider, after reading [RFC 4864](http://tools.ietf.org/html/rfc4864) for advice on what to do instead of NAT. The network you save may be your own. – Michael Hampton Jul 09 '16 at 00:19
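The three-rule edge policy from Yarik Dot's answer (allow all ICMPv6, new connections outbound only, established connections back in) together with the fail-open caveat in point 2 of Peter Green's answer, as one added example. This is not either author's configuration: it assumes a Linux gateway running nftables with `sysctl` available, and the interface names eth0 (upstream) and eth1 (internal) and the table name `edge` are placeholders, not anything stated in the answers.

```shell
#!/bin/sh
# Added example, not configuration from the answers above.
# Assumptions: Linux gateway with nftables (nft) and sysctl; the
# interface names and the table name "edge" are placeholders.
WAN=${WAN:-eth0}   # assumed upstream interface
LAN=${LAN:-eth1}   # assumed internal interface

# The answer's three rules as an ip6 table. Printed by a function so the
# text can be inspected, or syntax-checked with `v6_ruleset | nft -c -f -`,
# before anything touches the kernel.
v6_ruleset() {
cat <<EOF
add table ip6 edge
flush table ip6 edge
table ip6 edge {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # the gateway itself needs NDP, RA and packet-too-big messages
        meta l4proto icmpv6 accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        # rule 3: replies to connections already in the conntrack table
        ct state established,related accept
        ct state invalid drop
        # rule 1: all ICMPv6 (RFC 4890 describes a narrower policy)
        meta l4proto icmpv6 accept
        # rule 2: new connections only from the inside outwards
        iifname "$LAN" oifname "$WAN" ct state new accept
    }
}
EOF
}

load_rules() {
    v6_ruleset | nft -f -
}

# Decide the forwarding sysctl from the outcome of the load command given
# as arguments: 1 only when it succeeded, 0 otherwise. Kept apart from the
# commands that need root so the ordering itself can be tested anywhere.
forwarding_after_load() {
    if "$@" >/dev/null; then echo 1; else echo 0; fi
}

# Fail-closed apply: forwarding goes off before the rules are touched and
# comes back only if nft accepted them, so a broken ruleset leaves a
# non-router rather than an open router.
apply_v6_firewall() {
    sysctl -w net.ipv6.conf.all.forwarding=0 >/dev/null
    fwd=$(forwarding_after_load load_rules)
    sysctl -w net.ipv6.conf.all.forwarding="$fwd" >/dev/null
    if [ "$fwd" = 1 ]; then
        echo "IPv6 ruleset loaded, forwarding enabled"
    else
        echo "nft rejected the ruleset; forwarding stays disabled" >&2
        return 1
    fi
}

# Only apply when asked explicitly, so sourcing this file is harmless.
if [ "${APPLY_V6_FW:-0}" = 1 ]; then
    apply_v6_firewall
fi
```

Run it as root with `APPLY_V6_FW=1 sh v6-edge.sh`. The ordering only helps if nothing else turns forwarding on independently: a `net.ipv6.conf.all.forwarding=1` line in `/etc/sysctl.d/` applied at boot before the firewall unit reintroduces exactly the fail-open window the answer describes, so leave forwarding to the script. Accepting every ICMPv6 type through the forward chain matches the answer's setup; RFC 4890 is the reference if you want to narrow it to the types a host behind the gateway actually needs.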