On 01-25-19 23:46, Victor Sudakov wrote to All <=-
Dear All,
With the proliferation of IPv6 I hear more and more often that NAT is a great security mechanism because it hides your intranet infrastructure from outsiders, and how unfit IPv6 is for enterprise networks because
it lacks the notion of NAT which makes IPv6 networks so very very much insecure.
Do you have good counter-arguments?
Indeed, in some corporate networks I've seen, the use of the RFC1918 address space is written into security guidelines as a requirement.
Then again, as I come to think of it, even if your IPv6 intranet has a good firewall on the border, your internal network addresses are still exposed to the Internet. Is that a problem?
With the proliferation of IPv6 I hear more and more often that
NAT is a great security mechanism because it hides your intranet
infrastructure from outsiders, and how unfit IPv6 is for
enterprise networks because it lacks the notion of NAT which
makes IPv6 networks so very very much insecure.
Do you have good counter-arguments?
NAT was never intended as a security mechanism, and it does nothing
more than a good packet filter could do.
Indeed, in some corporate networks I've seen, the use of the
RFC1918 address space is written into security guidelines as a
requirement.
Then again, as I come to think of it, even if your IPv6 intranet
has a good firewall on the border, your internal network
addresses are still exposed to the Internet. Is that a problem?
If your firewall is blocking traffic, you can hardly say you're
exposed.
NAT still creates a lot of problems; ask anyone who has wrestled with
port forwarding to try and get services opened to the Internet.
With the proliferation of IPv6 I hear more and more often that
NAT is a great security mechanism because it hides your intranet
infrastructure from outsiders,
There's a lot of misunderstanding of NAT and security. The typical
case is that NAT is done by a dedicated firewall or a router with
firewall features, i.e. the firewall/router does packet filtering and
NAT. So a lot of people think that NAT implies security, but it
doesn't.
NAT is exactly what the acronym says: network address
translation. A 1:1 NAT simply translates one address or subnet to another. How could that provide any security?
What you need is packet
filtering (plus proxies and so on).
infrastructure from outsiders, and how unfit IPv6 is for
enterprise networks because it lacks the notion of NAT
which makes IPv6 networks so very very much insecure.
There's also NAT for IPv6.
BTW, IPv6 has a nice feature called Privacy
Extensions to automatically change IP addresses regularly.
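To make the "translation is not filtering" point concrete, here is an added toy model; it is not code from any poster, and the hosts, addresses and ports in it are constructed from the documentation ranges. Three boxes are probed the same way: a static 1:1 NAT, a stateful filter that rewrites nothing, and a PAT/masquerading box. Each gets one outbound flow, the legitimate reply to it, and an unsolicited inbound packet aimed at the externally visible address. Only the translation-only box lets the unsolicited packet through; the PAT drops it for exactly the reason the stateful filter does, namely that its state table has no entry, and a port forward (what a UPnP request creates) removes that protection again.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class OneToOneNat:
    """Static 1:1 NAT: rewrites addresses both ways, keeps no flow state."""

    def __init__(self, mapping: Dict[str, str]):  # internal -> external
        self.outbound = dict(mapping)
        self.inbound = {ext: internal for internal, ext in mapping.items()}

    def egress(self, p: Packet) -> Packet:
        return Packet(self.outbound[p.src], p.sport, p.dst, p.dport)

    def ingress(self, p: Packet) -> Optional[Packet]:
        # Anything addressed to a mapped external address is translated and
        # forwarded, whether or not an inside host ever talked to p.src.
        if p.dst in self.inbound:
            return Packet(p.src, p.sport, self.inbound[p.dst], p.dport)
        return None


class StatefulFilter:
    """Packet filter with connection tracking; no address rewriting at all."""

    def __init__(self):
        self.conntrack = set()

    def egress(self, p: Packet) -> Packet:
        self.conntrack.add((p.src, p.sport, p.dst, p.dport))
        return p

    def ingress(self, p: Packet) -> Optional[Packet]:
        # Only packets belonging to a flow that was seen leaving get back in.
        if (p.dst, p.dport, p.src, p.sport) in self.conntrack:
            return p
        return None


class Pat:
    """Dynamic NAT with port translation (masquerading). The inbound forwarding
    decision is taken from its state table, i.e. the same kind of tracking a
    stateful filter does; the rewriting itself blocks nothing."""

    def __init__(self, external: str, first_port: int = 40000):
        self.external = external
        self.next_port = first_port
        # (external port, remote addr, remote port) -> (internal addr, internal port)
        self.table: Dict[Tuple[int, Optional[str], Optional[int]], Tuple[str, int]] = {}

    def egress(self, p: Packet) -> Packet:
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[(port, p.dst, p.dport)] = (p.src, p.sport)
        return Packet(self.external, port, p.dst, p.dport)

    def forward(self, ext_port: int, internal: str, internal_port: int) -> None:
        """A static port forward, or what a UPnP request creates: an entry
        that matches any remote endpoint."""
        self.table[(ext_port, None, None)] = (internal, internal_port)

    def ingress(self, p: Packet) -> Optional[Packet]:
        if p.dst != self.external:
            return None
        entry = self.table.get((p.dport, p.src, p.sport)) or self.table.get((p.dport, None, None))
        if entry is None:
            return None
        return Packet(p.src, p.sport, entry[0], entry[1])


def probe(box) -> Dict[str, object]:
    """Push one outbound flow through `box`, then try the legitimate reply
    and an unsolicited inbound packet. All endpoints are constructed."""
    outbound = Packet("192.168.1.10", 51000, "203.0.113.5", 443)
    as_seen = box.egress(outbound)  # what the far end sees as source
    reply = Packet("203.0.113.5", 443, as_seen.src, as_seen.sport)
    scan = Packet("198.51.100.7", 40001, as_seen.src, 22)  # nobody inside asked for this
    return {
        "seen_as": as_seen.src,
        "reply_delivered": box.ingress(reply) is not None,
        "unsolicited_delivered": box.ingress(scan) is not None,
    }


if __name__ == "__main__":
    for name, box in [("1:1 NAT", OneToOneNat({"192.168.1.10": "198.51.100.200"})),
                      ("stateful filter", StatefulFilter()),
                      ("PAT", Pat("198.51.100.200"))]:
        print(f"{name:16} {probe(box)}")
```

The model deliberately leaves out everything a real box does (TCP flags, timeouts, ICMP); the only thing it shows is which component makes the drop decision, and in both the filter and the PAT that component is the flow table, not the address rewrite.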
The security guidelines I have read don't specify "NAT must be used." They specify "RFC1918 addresses must be used in the internal
network."
A static NAT has limited usage and indeed does not provide much additional security. But the dynamic NAT and especially PAT provide a very important security feature no packet filter provides: they
*hide* the *source* *addresses* of internal hosts thus effectively
hiding the network structure from outsiders.
There's also NAT for IPv6.
Never heard of that, other than DNS64/NAT64 which are for a different purpose.
Of course it does more! No packet filter *hides* *src* *addresses* of
your internal hosts,
and that is exactly what security people love NAT for.
The security guidelines I have read don't specify "NAT must be
used." They specify "RFC1918 addresses must be used in the
internal network."
For IPv6 they could use ULA (RFC4193). ;)
A static NAT has limited usage and indeed does not provide much
additional security. But the dynamic NAT and especially PAT
provide a very important security feature no packet filter
provides: they *hide* the *source* *addresses* of internal hosts
thus effectively hiding the network structure from outsiders.
And some dumbass enables UPnP on the firewall/router. >:)
If an
organization thinks that it has to hide the internal IP addresses for security reasons it can use NAT or proxies. Anyway, they still need
much more than that to secure their network.
There's also NAT for IPv6.
Never heard of that, other than DNS64/NAT64 which are for a
different purpose.
NAT66
Of course it does more! No packet filter *hides* *src*
*addresses* of your internal hosts,
So what? A device on the LAN that communicates with the outside world
uses a public address.
In the case of IPv4 with NAT it is a public WAN
address of the router. In the case of IPv6 it is a public address in the prefix range assigned to the router.
In either case the address used
is "exposed".
and that is exactly what security people love NAT for.
Hmmm... I would rather not put my faith in the hands of a "security expert" that believes in "security through obscurity"...
And thinking about SOHO and home routers/firewalls, what kind of IPv6 connectivity are they going to have, what do you think? Those present
who have native IPv6 connectivity, what's your ISP's policy on
assigning addresses to customers?
If my ISP were going to give me one IPv6 address (a /128) or even one
/64 net, this would be too few for my purposes. For my current home network, I use five /64s, so for me it would be a /56 at least.
On 01-26-19 21:18, Victor Sudakov wrote to Tony Langdon <=-
It was not intended as a security mechanism initially, but over time,
it became one, and is required by many security guidelines. Ask some computer security specialist you trust, if you don't believe me.
Of course it does more! No packet filter *hides* *src* *addresses* of
your internal hosts, and that is exactly what security people love NAT for.
Sorry, you are mistaken. Very few attacks nowadays are based on injecting malicious traffic into your network, those times are long gone. Information gathering about your intranet could be much more important than the ability to send traffic into it from outside.
NAT still creates a lot of problems, ask anyone who'd wrestled with
port forwarding, to try and get services opened to the Internet.
That's a different story, I myself have wrestled enough with IPv4 NAT.
So I would be happy to advocate NAT-less IPv6 to anyone, but I need arguments. Have not heard anything new so far.
And thinking about SOHO and home routers/firewalls, what kind of
IPv6 connectivity are they going to have, what do you think?
Those present who have native IPv6 connectivity, what's your
ISP's policy on assigning addresses to customers?
My ISP assigns a /56 on a home connection and a /48 on a business pro
connection. Some other ISPs in The Netherlands also offer a /48 for a
home connection as well.
A /48 should be enough for any big enterprise...
If my ISP were going to give me one IPv6 address (a /128) or even
one /64 net, this would be too few for my purposes. For my
current home network, I use five /64s, so for me it would be a
/56 at least.
If you need more than a /56 on a home network, you are doing something wrong.
It was not intended as a security mechanism initially, but over
time, it became one, and is required by many security guidelines.
Ask some computer security specialist you trust, if you don't
believe me.
Well, having compared notes, I am wary of anyone who calls themselves
a "specialist" without personal knowledge and trust of the person. :)
I've certainly heard a lot of dodgy stories about so-called
"specialists" in networking from a very trusted source over the years.
Of course it does more! No packet filter *hides* *src*
*addresses* of your internal hosts, and that is exactly what
security people love NAT for.
True, but IPv6 has mechanisms for source IP privacy without NAT.
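The mechanism Tony refers to, and that Markus called Privacy Extensions earlier in the thread, is RFC 4941 (now RFC 8981): the host keeps its stable address but also forms short-lived addresses from the advertised /64 plus a random 64-bit interface identifier, and uses those as source for outgoing connections. The following is an added example, not code from any poster, showing why that removes the information NAT is credited with hiding: the classic EUI-64 address lets an outsider read the MAC back out, the random one does not, and nothing about the prefix changes. The prefix and MAC are constructed; the reserved IID ranges skipped are the ones RFC 5453 lists.

```python
import ipaddress
import secrets
from typing import Callable, Optional

# Interface identifiers that must not be handed out (RFC 5453): the
# subnet-router anycast IID and the reserved subnet-anycast block.
RESERVED_IID_RANGES = (
    (0x0000000000000000, 0x0000000000000000),
    (0xFDFFFFFFFFFFFF80, 0xFDFFFFFFFFFFFFFF),
)
IID_MASK = (1 << 64) - 1


def iid_is_reserved(iid: int) -> bool:
    return any(lo <= iid <= hi for lo, hi in RESERVED_IID_RANGES)


def random_iid(rng: Callable[[int], int] = secrets.randbits) -> int:
    """64 random bits for a temporary address; redraw on a reserved value."""
    while True:
        iid = rng(64)
        if not iid_is_reserved(iid):
            return iid


def temporary_address(prefix: str, iid: Optional[int] = None) -> ipaddress.IPv6Address:
    """Combine the advertised /64 with a random IID, as privacy extensions do."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("temporary addresses are formed in a /64")
    if iid is None:
        iid = random_iid()
    return ipaddress.IPv6Address(int(net.network_address) | (iid & IID_MASK))


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The classic modified-EUI-64 address, for contrast: it embeds the MAC."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC")
    eui = bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:]
    net = ipaddress.IPv6Network(prefix, strict=True)
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(eui, "big"))


def mac_from_address(addr) -> Optional[str]:
    """What an outsider can learn: the MAC behind an EUI-64 IID, or None
    when the ff:fe marker is absent (as with a temporary address)."""
    iid = int(ipaddress.IPv6Address(addr)) & IID_MASK
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:]
    return ":".join(f"{x:02x}" for x in mac)


def same_prefix(a, b) -> bool:
    """The /64 is still visible; only the host part is randomised."""
    return int(ipaddress.IPv6Address(a)) >> 64 == int(ipaddress.IPv6Address(b)) >> 64


if __name__ == "__main__":
    # Constructed inputs: a documentation prefix and a made-up MAC.
    pfx, mac = "2001:db8:1234:5678::/64", "00:11:22:33:44:55"
    stable = eui64_address(pfx, mac)
    temp = temporary_address(pfx)
    print("EUI-64 address :", stable, "-> MAC", mac_from_address(stable))
    print("temporary      :", temp, "-> MAC", mac_from_address(temp))
```

On Linux the corresponding switch is the sysctl `net.ipv6.conf.<if>.use_tempaddr` (2 = generate temporary addresses and prefer them as source); note that what stays visible is the /64, so "hiding the network structure" in the sense of the subnet prefix is not something either this or NAT achieves once a host talks to the outside.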
Good point. Thank you. Maybe fc00::/7 has a chance of becoming the
new 192.168/16.
I don't think enterprise-class firewalls have UPnP, do they?
Interesting. Do you know of any implementations that could translate
ULA addresses into one global /64 pool?
Good point. Thank you. Maybe fc00::/7 has a chance of becoming
the new 192.168/16.
I'd recommend to use fd00::/8 since fc00::/8 was meant to be some kind
of globally unique local address space managed by a registry (-> B2B VPNs).
I don't think enterprise-class firewalls have UPnP, do they?
Most don't. But you never know what e-junk some company uses. >:)
And thinking about SOHO and home routers/firewalls, what kind of
IPv6 connectivity are they going to have, what do you think?
Those present who have native IPv6 connectivity, what's your
ISP's policy on assigning addresses to customers?
/64 as xfer network and a /56 for the LAN (both dynamic, forced change every 6 months).
Interesting. Do you know of any implementations that could
translate ULA addresses into one global /64 pool?
Cisco, Juniper, Linux, ...
However, you need to check the details for each box and firmware. For example, Linux can hide the complete LAN behind a single IPv6 address.
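On the fc00::/7 versus fd00::/8 question: RFC 4193 lays out a ULA as the 7-bit prefix fc00::/7, then a one-bit L flag, then a 40-bit Global ID, then a 16-bit Subnet ID and the 64-bit interface identifier. L=1 means "locally assigned" and is the only value the RFC defines (L=0 "may be defined in the future"), so every prefix the RFC actually specifies starts with 0xfd, which is where fd00::/8 comes from. The point of the 40-bit Global ID is that it is generated, not picked, so that two networks that later meet over a VPN are unlikely to collide. The following added example (not code from any poster; the MAC is made up and the time is whatever the clock says) implements the generation algorithm of RFC 4193 section 3.2.2 and carves /64s out of the resulting /48.

```python
import hashlib
import ipaddress
import struct
import time
from typing import Optional

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to the Unix epoch

ULA = ipaddress.IPv6Network("fc00::/7")
ULA_LOCAL = ipaddress.IPv6Network("fd00::/8")


def ntp_timestamp(now: float) -> bytes:
    """64-bit NTP timestamp: 32-bit seconds since 1900, 32-bit fraction."""
    secs = int(now) + NTP_EPOCH_OFFSET
    frac = int((now - int(now)) * (1 << 32))
    return struct.pack("!II", secs & 0xFFFFFFFF, frac & 0xFFFFFFFF)


def eui64_from_mac(mac: str) -> bytes:
    """Modified EUI-64 from a 48-bit MAC (u/l bit flipped, ff:fe inserted)."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC")
    return bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:]


def ula_global_id(eui64: bytes, now: Optional[float] = None) -> int:
    """RFC 4193 section 3.2.2: SHA-1 over (NTP time || EUI-64), keep the
    least significant 40 bits of the digest."""
    if now is None:
        now = time.time()
    digest = hashlib.sha1(ntp_timestamp(now) + eui64).digest()
    return int.from_bytes(digest[-5:], "big")


def ula_prefix(global_id: int) -> ipaddress.IPv6Network:
    """fc00::/7 | L=1 | 40-bit Global ID -> a /48. L=1 is what turns the
    first byte into 0xfd; L=0 (fc00::/8) is left undefined by RFC 4193."""
    if not 0 <= global_id < (1 << 40):
        raise ValueError("Global ID must fit in 40 bits")
    top48 = (0xFD << 40) | global_id
    return ipaddress.IPv6Network((top48 << 80, 48))


def ula_subnet(prefix: ipaddress.IPv6Network, subnet_id: int) -> ipaddress.IPv6Network:
    """One of the 65536 /64s inside a ULA /48 (16-bit Subnet ID)."""
    if prefix.prefixlen != 48 or not 0 <= subnet_id < (1 << 16):
        raise ValueError("need a /48 and a 16-bit subnet ID")
    return ipaddress.IPv6Network((int(prefix.network_address) | (subnet_id << 64), 64))


def classify(addr: str) -> str:
    a = ipaddress.IPv6Address(addr)
    if a in ULA_LOCAL:
        return "ULA, locally assigned (L=1)"
    if a in ULA:
        return "ULA, L=0 (undefined by RFC 4193)"
    return "not ULA"


if __name__ == "__main__":
    # Constructed input: a made-up MAC; the timestamp is taken from the clock.
    gid = ula_global_id(eui64_from_mac("00:11:22:33:44:55"))
    site = ula_prefix(gid)
    print("site prefix :", site)
    for sid in (0, 1, 0x10):
        print("subnet      :", ula_subnet(site, sid))
    print(classify(str(ula_subnet(site, 1).network_address)))
```

The practical caveat for anyone treating fd00::/8 as "the new 192.168/16": do not hand-pick fd00:0:0::/48 or fd00:1::/48 the way people pick 192.168.1.0/24. The hashed Global ID is the whole reason ULA merges (acquisitions, site-to-site VPNs) do not end in the renumbering exercises RFC 1918 overlaps cause.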
Good point. Thank you. Maybe fc00::/7 has a chance of becoming
the new 192.168/16.
I'd recommend to use fd00::/8 since fc00::/8 was meant to be some kind
of globally unique local address space managed by a registry (-> B2B VPNs).
fc00::/7 is from RFC4193, and where is fd00::/8 defined?
If you want a static address?
My ISP assigns a /56 on a home connection
As a standard package?
and a /48 on a business pro connection.
If you need more than a /56 on a home network, you are doing
something wrong.
Unfortunately I don't have native IPv6 connectivity, and HE does not
offer /56s on its tunnels, only /48s so I don't have much choice.
I've tried several times to switch to Rostelecom who is rumored to
offer IPv6 connectivity, but as soon as I start talking with their salespeople they fall into stupor and promise to call later.
On 01-27-19 10:55, Michiel van der Vlist wrote to Victor Sudakov <=-
My ISP assigns a /56 on a home connection and a /48 on a business pro connection. Some other ISPs in The Netherlands also offer a /48 for a home connection as well.
If you need more than a /56 on a home network, you are doing something wrong.
On 01-27-19 18:01, Markus Reschke wrote to Victor Sudakov <=-
Then I would have to change my consumer DSL to a business one.
If you need more than a /56 on a home network, you are doing
something wrong.
Unfortunately I don't have native IPv6 connectivity, and HE does
not offer /56s on its tunnels, only /48s so I don't have much
choice.
So? Just use whatever you need from the /48 and ignore the rest. There
is no shortage of IPv6 addresses...
I've tried several times to switch to Rostelecom who is rumored
to offer IPv6 connectivity, but as soon as I start talking with
their salespeople they fall into stupor and promise to call
later.
Be patient. I have been pestering Ziggo for a decade before they
stopped dragging their feet on IPv6. ;-)