[HN Gopher] NAT still exists for IPv6
___________________________________________________________________
NAT still exists for IPv6
Author : watchdogtimer
Score : 41 points
Date : 2022-08-12 09:05 UTC (3 days ago)
(HTM) web link (blogs.infoblox.com)
(TXT) w3m dump (blogs.infoblox.com)
| LeoPanthera wrote:
| I really want to love IPv6 but my ISP (Xfinity in California)
| will not provide a stable prefix.
|
| This doesn't matter with IPv4, because all my internal IPv4
| addresses are NATed. But with IPv6, although each device on the
| network can receive a globally routable IPv6 address, the prefix
| keeps changing, and so the address keeps changing. This makes
| _internal_ networking a nightmare, since the address of my
| devices is not under my control.
|
| I don't use NPT, but it would fix the problem, so people are
| going to continue using it until dynamic prefixes go away. Which
| will probably be never.
| starfleet_bop wrote:
| I thought best practice for IPv6 is to essentially 'ignore' IP
| addresses as each NIC can have multiple addresses + the
| extended length making it unwieldy. Instead you either use a
| combination of zeroconf / Bonjour for DNS registration /
| service discovery + stateless IP address assignment (SLAAC). If
| you want full control you can use DHCPv6 which can register
| hosts on a proper DNS service.
| hotpotamus wrote:
| Is SLAAC still used? I thought it used EUI-64 assignments
| which leaks MAC addresses which is supposed to be a problem
| for some reason.
| gerdesj wrote:
| SLAAC is a core component of IPv6 - it's how a machine
| determines an address on a subnet without DHCPv6.
| Basically:
|
| "yoohoo - where am I?"
|
| "You are on 2001:1001:1001:f0d::/64. My name is [ipv6] and
| I am a router and for some odd reason, I won't tell you
| where DNS comes from because ... stupid design"
|
| "Cool, I'll fiddle in my drawers and play with my MAC
| address and create a really long number that starts
| 2001:etc. I'll also create a few other addresses randomly
| to hide my private parts (which is a waste of time but
| looks good - lol)"
|
| No idea what you are on about wrt EUI-64 being tied to
| SLAAC. Why not have a go at it instead of pontificating?
|
| Having used IPv6 in anger for several years now, it is a
| bit different but it is actually quite beautiful at times.
| It does enforce decent DNS and who here has not said "it's
| DNS"?
| throw0101a wrote:
| > _I thought it used EUI-64 assignments which leaks MAC
| addresses which is supposed to be a problem for some
| reason._
|
| You're about a decade (2007) behind the times:
| Nodes use IPv6 stateless address autoconfiguration to
| generate addresses using a combination of locally
| available information and information advertised by
| routers. Addresses are formed by combining network
| prefixes with an interface identifier. On an interface
| that contains an embedded IEEE Identifier, the
| interface identifier is typically derived from it.
| On other interface types, the interface identifier
| is generated through other means, for example, via random
| number generation. This document describes an extension to
| IPv6 stateless address autoconfiguration for
| interfaces whose interface identifier is derived
| from an IEEE identifier. Use of the extension
| causes nodes to generate global scope addresses from
| interface identifiers that change over time, even in
| cases where the interface contains an embedded IEEE
| identifier. Changing the interface identifier (and
| the global scope addresses generated from it) over
| time makes it more difficult for eavesdroppers and other
| information collectors to identify when different
| addresses used in different transactions actually
| correspond to the same node.
|
| * https://datatracker.ietf.org/doc/html/rfc4941
| This document describes an extension to IPv6 Stateless
| Address Autoconfiguration that causes hosts to
| generate temporary addresses with randomized
| interface identifiers for each prefix advertised with
| autoconfiguration enabled. Changing addresses over time
| limits the window of time during which eavesdroppers
| and other information collectors may trivially
| perform address-based network-activity correlation
| when the same address is employed for multiple
| transactions by the same host. Additionally, it reduces
| the window of exposure of a host as being accessible
| via an address that becomes revealed as a result of
| active communication. This document obsoletes RFC
| 4941.
|
| * https://datatracker.ietf.org/doc/html/rfc8981
|
| * https://en.wikipedia.org/wiki/IPv6_address#Stateless_address...
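The two address-formation methods the thread argues about (gerdesj's "play with my MAC address and create a really long number" and the RFC 4941/8981 temporary addresses throw0101a quotes), as an added example that is not part of the thread. It builds a modified EUI-64 identifier from a MAC, builds a randomised temporary identifier, combines either with an advertised /64, and includes an audit helper that tells the two apart by the 0xFFFE marker, which is what "leaks MAC addresses" refers to. The prefix and MAC are constructed documentation values.

```python
import ipaddress
import secrets

IID_MASK = (1 << 64) - 1


def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291 App. A):
    flip the universal/local bit (0x02) of the first octet, insert 0xFFFE in the middle."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    first = octets[0] ^ 0x02
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def temporary_iid() -> bytes:
    """Randomised interface identifier in the spirit of RFC 4941 / RFC 8981:
    64 random bits with the universal/local bit cleared (local scope), so it
    cannot be mistaken for one derived from a globally unique MAC."""
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= 0xFD  # clear the u/l bit (0x02) in the first octet
    return bytes(iid)


def slaac_address(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Combine the /64 a router advertised with an interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC address formation needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def mac_from_address(addr: str):
    """Audit helper: if the low 64 bits carry the 0xFFFE marker of a modified
    EUI-64 identifier, recover the MAC; otherwise return None. A random IID
    happens to contain 0xFFFE at that position with probability 2**-16, so
    treat a hit as a strong hint, not proof."""
    iid = (int(ipaddress.IPv6Address(addr)) & IID_MASK).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    prefix = "2001:db8:1:2::/64"  # constructed documentation prefix
    mac = "00:1c:c0:ab:cd:ef"     # constructed MAC
    stable = slaac_address(prefix, eui64_iid(mac))
    temp = slaac_address(prefix, temporary_iid())
    print("EUI-64 address :", stable, "-> MAC", mac_from_address(str(stable)))
    print("temporary      :", temp, "-> MAC", mac_from_address(str(temp)))
```

Running `mac_from_address` over a neighbour table is a quick way to find hosts still using EUI-64 identifiers instead of temporary or RFC 7217 stable-opaque ones.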
| zokier wrote:
| As I understand it, the idea is to use many addresses per host.
| I.e. you don't need to use same addresses for internal
| networking as global networking.
| gerdesj wrote:
| "will not provide a stable prefix"
|
| This is pretty horrific. You could investigate ULA which is a
| bit like RFC1918 addresses for IPv6. You could attach ULA
| addresses to a few devices such as a local DNS server, printers
| and the like.
|
| NPT would enable you to route your ULA addressed gear to the
| internets if they don't have a globally routable address.
| throw0101a wrote:
| > _NPT would enable you to route your ULA addressed gear to
| the internets if they don't have a globally routable
| address._
|
| One convenient thing about ULA+NPTv6 is that, unlike IPv4
| NAT, is that an external IPv6 address is basically 1:1
| 'equivalent' to an internal IPv6 address. The NPTv6 is
| stateless so that, firewall rules allowing, a connection can
| come right in without all sorts of contortions for port
| mapping.
|
| Most (residential) gateways by default block incoming
| requests unless they're a reply to a previous outgoing
| connection. I know I can _ping6_ the iMac I'm typing this
| on, but attempts to (e.g.) SSH in are blocked by default.
| gerdesj wrote:
| To spell that out a bit more - a ULA to NPT address is IP
| based and not port based and is way more useful.
|
| When you do an IPv4 "pinhole" port map you get precisely one
| mapping and it will timeout eventually, which can lead to
| all sorts of exciting debugging opportunities.
|
| IPv4 does have 1:1 NAT but there are so few IPs so whilst I
| have a /24, 2 x /28 and 2 x /29 to play with and others, I
| doubt most do.
|
| NPTv6 maps an entire address space from A->B and is
| actually not designed to deal with NATv4 anyway. It is for
| outbound connections.
| throw0101a wrote:
| > _To spell that out a bit more - a ULA to NPT address is
| IP based and not port based and is way more useful._
|
| This is implementation specific: on my Asus I can specify
| to allow in all ports from in via an NPTv6-ULA hole, a
| port range, or even a single port.
|
| If I want to only allow tcp/25 in to a particular IP I
| can do that, if I want 5900-5910 I can do that too, as
| well as 1-65535.
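The stateless 1:1 mapping throw0101a describes ("an external IPv6 address is basically 1:1 'equivalent' to an internal IPv6 address") and gerdesj's "NPTv6 maps an entire address space from A->B", as an added example that is not from the thread or the linked article. It implements the checksum-neutral prefix translation of RFC 6296 for prefixes of /64 or shorter: swap the prefix, then fold the difference between the two prefixes' one's-complement sums into the first interface-identifier word that is not 0xFFFF, so TCP/UDP checksums stay valid without the translator touching transport headers or keeping per-flow state. The ULA and global prefixes are constructed documentation values.

```python
import ipaddress


def oc_add(a: int, b: int) -> int:
    """16-bit one's complement addition with end-around carry."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)


def oc_sum(words) -> int:
    total = 0
    for w in words:
        total = oc_add(total, w)
    return 0 if total == 0xFFFF else total  # 0xFFFF and 0x0000 are both "zero"


def words_of(addr: ipaddress.IPv6Address) -> list:
    return [int.from_bytes(addr.packed[i:i + 2], "big") for i in range(0, 16, 2)]


def address_checksum(addr: str) -> int:
    """One's complement sum of the eight address words (the part of a TCP/UDP
    pseudo-header checksum that an address rewrite would otherwise change)."""
    return oc_sum(words_of(ipaddress.IPv6Address(addr)))


class NPTv6:
    """Stateless, checksum-neutral prefix translation per RFC 6296 (prefix <= /64)."""

    def __init__(self, inside: str, outside: str):
        self.inside = ipaddress.IPv6Network(inside)
        self.outside = ipaddress.IPv6Network(outside)
        if self.inside.prefixlen != self.outside.prefixlen or self.inside.prefixlen > 64:
            raise ValueError("inside and outside prefixes must have the same length, at most /64")
        self.host_mask = (1 << (128 - self.inside.prefixlen)) - 1
        # adjustment = sum(inside prefix words) - sum(outside prefix words), one's complement.
        # Only the first four words matter; subnet bits inside the /64 are identical on both sides.
        sum_in = oc_sum(words_of(self.inside.network_address)[:4])
        sum_out = oc_sum(words_of(self.outside.network_address)[:4])
        self.adjustment = oc_add(sum_in, ~sum_out & 0xFFFF)

    def _translate(self, addr, src, dst, adj):
        a = ipaddress.IPv6Address(addr)
        if a not in src:
            raise ValueError(f"{a} is not inside {src}")
        rewritten = ipaddress.IPv6Address(int(dst.network_address) | (int(a) & self.host_mask))
        words = words_of(rewritten)
        # Fold the prefix delta into the first IID word that is not 0xFFFF (RFC 6296 3.1).
        for i in range(4, 8):
            if words[i] != 0xFFFF:
                folded = oc_add(words[i], adj)
                words[i] = 0 if folded == 0xFFFF else folded
                break
        else:
            raise ValueError("all IID words are 0xFFFF; address cannot be translated")
        return ipaddress.IPv6Address(b"".join(x.to_bytes(2, "big") for x in words))

    def outbound(self, addr: str) -> ipaddress.IPv6Address:
        """LAN (ULA) source address -> global address seen on the Internet."""
        return self._translate(addr, self.inside, self.outside, self.adjustment)

    def inbound(self, addr: str) -> ipaddress.IPv6Address:
        """Global destination address -> the LAN host it maps to, no state needed."""
        return self._translate(addr, self.outside, self.inside, ~self.adjustment & 0xFFFF)


if __name__ == "__main__":
    npt = NPTv6("fd00:1234:5678::/48", "2001:db8:cafe::/48")  # constructed prefixes
    lan = "fd00:1234:5678:1::10"
    wan = npt.outbound(lan)
    print(lan, "->", wan, "->", npt.inbound(str(wan)))
    print("checksum neutral:", address_checksum(lan) == address_checksum(str(wan)))
```

Because the mapping is a pure function of the address, an inbound packet to the translated global address reaches the LAN host whenever the firewall permits it, which is the "firewall rules allowing, a connection can come right in" behaviour in the comment. Note the visible effect: the fifth word of the translated address is not zero even though the internal address has a zero there; that is the checksum adjustment, not a host bit.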
| throw0101a wrote:
| See also "Reaction of IPv6 Stateless Address Autoconfiguration
| (SLAAC) to Flash-Renumbering Events": In
| scenarios where network configuration information related to
| IPv6 prefixes becomes invalid without any explicit and
| reliable signaling of that condition (such as when a
| Customer Edge router crashes and reboots without
| knowledge of the previously employed prefixes), hosts on
| the local network may continue using stale prefixes for an
| unacceptably long time (on the order of several days), thus
| resulting in connectivity problems. This document
| describes this issue and discusses operational
| workarounds that may help to improve network robustness.
| Additionally, it highlights areas where further work may
| be needed.
|
| * https://datatracker.ietf.org/doc/html/rfc8978
| nomel wrote:
| > Which will probably be never.
|
| Wouldn't this be like static bluetooth IDs, where you could be
| tracked wherever you go? I imagine that's a rare desire,
| amongst the internet population.
|
| I could see requesting static IPs for particular devices, like
| you used to be able to do.
| unethical_ban wrote:
| I'm not sure what the best current practices are for mobile,
| but for residential/business/etc., the most convenient
| behavior would be for the delegated prefix to be static
| unless it is requested to be changed. That tends to be the
| case already with ISPs who grant public IPv4 to customers -
| it's DHCP whose lease stays the same unless you forcibly
| change your MAC address or let the lease expire via turning
| off your modem, and so on.
|
| Talking about IPv4 with NAT, a "consumer" with zero server-
| hosting needs could get away with a changing public IP.
| Someone with any kind of server needs, like hosting their own
| Internet-accessible IoT portal, personal VPN, website, game
| server, etc. would want a stable public IP address.
|
| Yeah, that may lead to tracking, but it's the status quo, I
| suppose is the point.
|
| In case it isn't known, IPv6 has so many addresses and is
| designed in such a way, that it is expected each "network"
| (think home network) would be given a network prefix of 56 or
| 60 bits. The "host" portion of an IPv6 address is the final
| 64 bits of the address. Therefore, each network an ISP issues
| to a client should have room for something between 16 and 256
| subnetworks, each with effectively unlimited client address
| space.
| fzfaa wrote:
| For your privacy you should be thankful that they do not
| provide a stable prefix.
| unethical_ban wrote:
| For anyone wanting to host a service at their home, you
| should be regretful not getting a stable prefix.
|
| _Ideally_ there would be a way to request a new one
| programmatically, akin to getting a new IPv4 address via DHCP
| if you change the MAC address.
| gerdesj wrote:
| Dynamic DNS is a thing.
| yardstick wrote:
| Doesn't beat a static IP.
| gerdesj wrote:
| Well yes and no.
|
| It is rather sad that the internet that we have, what
| 50-70 odd years post invention is so stifled with
| nonsense about addressing schemes and that.
|
| You seem to use the term "static IP" as a talisman. I
| have zillions (possibly gazillions) of them on IPv6 and
| roughly a few 100 or 1000 on IPv4 (I own an IT company).
|
| Dynamic DNS is a thing, so is ULA for IPv6 which looks
| quite like IPv4 RFC1918.
|
| We have the tools but you do have to use them.
| littlecranky67 wrote:
| Your internal networking should not be affected when you use
| ULA - those won't change, and IPv6 devices tend to have
| multiple IPv6 addresses. Yes, it won't allow you to address
| your internal nodes from the external network, but that is
| something that you didn't have with IPv4+NAT either.
| skimo8 wrote:
| I use ULAs
| (https://en.wikipedia.org/wiki/Unique_local_address) for this.
| I have a private, non-routable subnet, and another non-stable
| prefix for globally routable addresses.
|
| In effect, it's not much different than how IPv4 works with
| unstable WAN DHCP addresses from your provider, and I don't
| have the headaches that NAT brings with it.
|
| It's a different way to think about the problem, but I've
| actually found it to be pretty nice.
| josho wrote:
| Thank you for this! I've been trying to make Link Local
| Addresses work
| (https://en.wikipedia.org/wiki/Link-local_address). But, for
| tools like ping6 I have to specify the network interface like
| 'ping6 fe80::1%en1' otherwise routing doesn't work, and doing
| that complicates everything.
| [deleted]
| atemerev wrote:
| "Stateful packet filtering can provide the same level of security
| for IPv6"
|
| The keyword here is "can". The difference here is this: if your
| NAT is not configured properly, your network is not accessible,
| nothing works, the problem is obvious, and is going to be fixed
| ASAP. If your stateful firewall is not configured properly,
| everything works fine, except that your network is visible from
| places it wasn't supposed to be. It requires some dedicated
| checks to verify.
|
| So, the problem with NAT vs firewall security is not technical,
| it is psychological (but no less dangerous): when you have a
| working (but insecure) system by default, it is easy to miss the
| hardening step. The consequences can be catastrophic.
| collegeburner wrote:
| hot take of the day: NAT is (mostly) a shitty idea. we can give
| everything a WAN ipv6 and a private LAN address. devices should
| maintain their own firewalls and if defense in depth is required,
| the router should maintain a firewall that blocks incoming by
| default but still give everything its own address.
| ipdashc wrote:
| While I mostly agree, there's definitely the issue of
| readdressing if your ISP changes your IPv6 prefix. In NATted
| IPv4, you can maintain your own eternally consistent internal
| address scheme, regardless of what's going on "outside". But in
| IPv6, if your dynamic IP changes, all your devices get new
| addresses. I can definitely see the value in creating a stable
| internal address layout on IPv6, as this article says.
|
| Of course, I have no idea how often an ISP actually changes
| your IPv6 prefix. In an ideal world, it'd never change...
| unethical_ban wrote:
| The article's main topic is on NPTv6, which would supersede
| NAT as the tool for maintaining internal addressing.
| ipdashc wrote:
| Yeah, that's what I'm saying :) I thought the parent
| comment was saying that NAT was bad _and_ NPTv6 was bad,
| but maybe I was mistaken.
| staringback wrote:
| ULAs at least solve this problem for all networking that
| doesn't have to be internet facing
| anamax wrote:
| People change ISPs....
| ipdashc wrote:
| For sure, but that's a predictable event that you can plan
| for and get ready to renumber your network / handle the
| renumbering.
|
| A dynamic IP change can just happen without much warning,
| and enjoy possibly spending an hour befuddled before you
| realize what happened.
| asimops wrote:
| I agree that NATv6 is a bad idea, but imo we need firewalls on
| the router. Because on paper an endpoint firewall is a good
| idea, because you take that with you even when you change the
| network, but...
|
| then there is the Windows firewall:
|
| - Applications that punch their own holes, like steam
|
| - Windows which grants itself inbound exceptions and reenables
| them if you disable them
|
| - A non standard filtering order (deny is always before allow,
| not in order)
|
| And then there are all those born in the 80s people that were
| told on LAN parties to "just disable the Windows firewall" and
| kept doing so.
| bob1029 wrote:
| > And then there are all those born in the 80s people that
| were told on LAN parties to "just disable the Windows
| firewall" and kept doing so.
|
| You caught me. I think a firewall on the router is absolutely
| essential regardless of NAT scenarios.
|
| With the understanding that you have an entire generation of
| computer users who equate that internet box with some degree
| of safety, you will find less friction with some tweak to
| that experience. You can still call it "port forwarding",
| block all inbound by default, and keep most of the same UX.
|
| I personally like to operate my home network like a DMZ.
| Being able to reach any computer from any other without
| screwing around with networking is very convenient to me. I
| operate with an all-or-nothing trust model on my LAN. Having
| some centralized firewall helps a lot with this.
| atemerev wrote:
| Like I have said in another thread, if you misconfigure a
| firewall, the network usually works, but not secure. If you
| misconfigure a NAT, nothing works, and your error is clearly
| visible.
|
| I don't see a way to fix this (and configuration errors are
| common).
| unethical_ban wrote:
| Fix it with user experience.
|
| Routers should have dashboards that give easy status of
| firewall configuration ala Windows firewall: Green for no
| inbound rules (or whitelisted rules) and yellow/red for non-
| checked rules.
|
| Routers could even have LEDs or status displays like some
| higher end Ubiquiti prosumer products have, showing firewall
| status.
|
| Routers could have a user-accessible API and Windows client
| that shows status on a taskbar item.
|
| The technical solutions are there, but I don't have faith
| ASUS and co will build a competent product.
| throw0101a wrote:
| > _The technical solutions are there, but I don't have
| faith ASUS and co will build a competent product._
|
| The last time I was looking for a home router I
| specifically went for Asus because their default firmware
| is pretty good, and third-party options are available:
|
| * https://www.asuswrt-merlin.net/features
|
| Currently running an RT-AC68U.
| atemerev wrote:
| The technical solutions will not work, as there are many,
| many possibilities to make a mistake. Misleading router UI,
| copying the configuration from somewhere else and
| forgetting to update it, moving a computer to another
| network, just forgetting to enable a firewall (in many
| cases it is impossible to set up an IPv4 network without a
| NAT precisely because IPv4 addresses are rare -- but it is
| perfectly possible to do it with IPv6, and it will be
| insecure by default).
|
| Secure systems are robust against user mistakes (and even
| middlemen mistakes). A NAT is one such system. Alternatives
| do not work like that.
| autoexec wrote:
| > devices should maintain their own firewalls
|
| This is insane. I don't want to have to learn, document,
| configure, and patch a different firewall on every internet
| connected device I own. That's a total nightmare. Computers can
| have their firewalls managed at the domain level. How is that
| supposed to work for bluray players, game consoles, light
| bulbs, phones, echo devices, door cams, thermostats, and
| kitchen appliances?
|
| Nope. At a minimum everyone should have a stateful firewall at
| their edge making their devices impossible to reach/scan from
| the internet at large. Home routers that defaulted to using NAT
| made that dead simple.
|
| On the rare occasion you really need something open to the
| entire internet it can sit in your DMZ. If I ever do make the
| move to using IPv6 on my network I'll likely continue to use
| NAT
| throw0101a wrote:
| See also "IPv6 Multihoming without Network Address Translation":
| Network Address and Port Translation (NAPT) works well for
| conserving global addresses and addressing multihoming
| requirements because an IPv4 NAPT router implements three
| functions: source address selection, next-hop resolution,
| and (optionally) DNS resolution. For IPv6 hosts, one
| approach could be the use of IPv6-to-IPv6 Network Prefix
| Translation (NPTv6). However, NAT and NPTv6 should be
| avoided, if at all possible, to permit transparent end-to-end
| connectivity. In this document, we analyze the use cases of
| multihoming. We also describe functional requirements and
| possible solutions for multihoming without the use of NAT
| in IPv6 for hosts and small IPv6 networks that would
| otherwise be unable to meet minimum IPv6-allocation
| criteria. We conclude that DHCPv6-based solutions are
| suitable to solve the multihoming issues described in this
| document, but NPTv6 may be required as an intermediate solution.
|
| * https://datatracker.ietf.org/doc/html/rfc7157
| slaymaker1907 wrote:
| Something I'm a bit fuzzy on, but can WAN/LAN address separation
| be done without NAT? I think it can, but if it can't that seems
| like a good argument in favor of keeping some form of NAT even
| for IPv6. While it definitely shouldn't be the only defense, I
| think it is a reasonable layer of defense for home networking.
| unethical_ban wrote:
| "NAT as security" can be reframed.
|
| Instead of a router coming default with NO access
| control/firewall, and inbound connections being denied by the
| technical impossibility of addressing an inbound Internet
| packet to a private address, the industry should shift to
| "default ACL of allow all outbound, allow none inbound" and
| then have users craft inbound firewall rules as needed.
| mort96 wrote:
| > and then have users craft inbound firewall rules as needed
|
| Try explaining that to non-techies. There's a reason UPnP
| exists.
|
| We would ideally want something like NAT hole punching but
| more standardized.
| Arnavion wrote:
| Depends on what you mean by "separation". My LAN devices have
| IPv6 addresses that would be reachable from the WAN if my
| router's firewall didn't block incoming packets to those
| addresses. For some of those devices that host public services,
| I enable traffic just for the relevant protocol and port to
| their IP, instead of bothering with port forwarding.
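unethical_ban's "default ACL of allow all outbound, allow none inbound" and Arnavion's per-service exception ("enable traffic just for the relevant protocol and port to their IP"), as an added example that is not from the thread. It is a small model of a stateful edge filter run over constructed packets: outbound flows create state, inbound packets pass only as replies to that state or through an explicit allow, and a `dashboard` function reports the traffic-light status unethical_ban asks for, which is the "dedicated check" atemerev says a firewall needs and a NAT does not. Addresses are constructed documentation values.

```python
import ipaddress
from dataclasses import dataclass


def canon(addr: str) -> str:
    return str(ipaddress.IPv6Address(addr))


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (from the Internet) or "out" (from the LAN)
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class InboundAllow:
    proto: str
    dport: int
    dst: str         # the one LAN host that hosts this service


class EdgeFirewall:
    """Stateful edge filter: everything outbound is allowed and creates state;
    inbound is allowed only as a reply to that state or by an explicit rule."""

    def __init__(self, allows=(), inbound_default: str = "deny"):
        self.allows = [InboundAllow(a.proto, a.dport, canon(a.dst)) for a in allows]
        self.inbound_default = inbound_default
        self.expected_replies = set()   # 5-tuples of replies we are waiting for

    def filter(self, p: Packet) -> str:
        src, dst = canon(p.src), canon(p.dst)
        if p.direction == "out":
            # remember the reverse tuple so the answer is let back in
            self.expected_replies.add((dst, src, p.proto, p.dport, p.sport))
            return "allow"
        if (src, dst, p.proto, p.sport, p.dport) in self.expected_replies:
            return "allow"
        for a in self.allows:
            if a.proto == p.proto and a.dport == p.dport and a.dst == dst:
                return "allow"
        return self.inbound_default


def dashboard(fw: EdgeFirewall):
    """Green: nothing reachable from outside. Yellow: only the listed services.
    Red: inbound default is not deny, so every LAN address is reachable."""
    if fw.inbound_default != "deny":
        return "red", ["inbound default policy is allow: every LAN address is reachable"]
    if not fw.allows:
        return "green", []
    return "yellow", [f"{a.proto}/{a.dport} open to {a.dst}" for a in fw.allows]


if __name__ == "__main__":
    LAN, REMOTE = "2001:db8:1:2::10", "2001:db8:ffff::1"   # constructed addresses
    fw = EdgeFirewall([InboundAllow("tcp", 443, LAN)])
    print(fw.filter(Packet("out", LAN, REMOTE, "tcp", 51000, 443)))   # allow, creates state
    print(fw.filter(Packet("in", REMOTE, LAN, "tcp", 443, 51000)))    # allow, reply
    print(fw.filter(Packet("in", REMOTE, LAN, "tcp", 40000, 22)))     # deny, unsolicited SSH
    print(fw.filter(Packet("in", REMOTE, LAN, "tcp", 40000, 443)))    # allow, published service
    print(dashboard(fw))
    print(dashboard(EdgeFirewall(inbound_default="allow")))           # the "works but exposed" case
```

The last line is atemerev's failure mode in miniature: with the default flipped to allow, every test packet still flows and nothing looks broken, so only the status check reveals the exposure.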
| gary_0 wrote:
| This answer is what every argument about IPv6 and NAT boils
| down to: they say "NAT" but really mean "firewall". In my
| opinion, using NAT for IPv6 networks is just a false sense of
| security to make you think LAN nodes are more protected
| because their address numbers look different, when all you're
| really trying to say is "don't route to this node from
| outside".
| tenebrisalietum wrote:
| > I think it is a reasonable layer of defense for home
| networking.
|
| Let's say Amazon won't deliver to your apartment number, just a
| central point at your apartment.
|
| - This is like thinking you can stop locking your door because
| your apartment number isn't public information.
|
| - It would be better if your apartment had a direct public
| address so you could get packages to your doorstep instead of
| having them wait in some common area.
|
| - Most people take regular, obsessive trips to application-
| level exchanges like "Facebook" to interact with others and are
| fine with it. Hopefully everything you ever want to do is OK
| with Facebook.
| LeoPanthera wrote:
| Of course. You use a firewall. Thinking of NAT as a firewall is
| a common misunderstanding. With IPv6 you will still want a
| firewall, which is often built into your external
| gateway/router.
| jimcavel888 wrote:
| gerdesj wrote:
| My work network has a /64 for WAN (yes quite a lot of addresses
| for a point to point link) and a /48 for "internal use". So WAN
| is merely a few billion IPs and VLANS - gazillions of IPs. OK
| we also have six other WANs and allocations but that is another
| story.
|
| We have no need for NAT in the traditional IPv4 sense but NPT
| is handy for failover and that is why it was invented because
| IPv6's design lacked one crucial thing: telling the clients
| which internets are available so they can select which local
| address to start out from.
|
| Perhaps everyone should run BFD(v6) by default.
| throw0101a wrote:
| > _My work network has a /64 for WAN (yes quite a lot of
| addresses for a point to point link)_ [...]
|
| Technical footnote: /127 addresses are supported (and were a
| thing for a short while) on inter-router links:
|
| * https://datatracker.ietf.org/doc/html/rfc6164
|
| Technical technical footnote: you can just use link-local
| address for inter-router links because all the router cares
| about is the next-hop, and you don't need a globally
| routable address for that. In an IPv6
| network, it is possible to use only link-local addresses
| on infrastructure links between routers. This document
| discusses the advantages and disadvantages of this
| approach to facilitate the decision process for a
| given network.
|
| * https://datatracker.ietf.org/doc/html/rfc7404
| zamalek wrote:
| The IPv6 answer is Network Prefix Translation, the article has
| more details on what it does.
___________________________________________________________________
(page generated 2022-08-15 23:01 UTC)