With IPv6 do we need to use NAT any more?

  • I'm wondering how to use NAT with IPv6. Seems that you don't even need it any more. So what exactly is the concept behind firewall configurations in IPv6 environments?

  • Tom Leek

    Tom Leek Correct answer

    8 years ago

    There is some widespread confusion about NAT.

    NAT has never been meant to be used as a security feature. However, it so happens that in most cases (not all), when a machine has access to the Internet through NAT only, then the machine is somehow "protected". It is as if the NAT system was also, inherently, a firewall.

    Let's see how it works:

    • An IP packet has a source and a destination address. Each router, upon seeing the destination address, decides to which subsequent router the packet shall be sent.
    • When a router implements NAT, it forwards outgoing packets under a guise; namely, the packets bear the router's external IP as source address, not the actual source. For incoming packets, the router does the reverse operation. The TCP/UDP port numbers are used to know to what internal host the packets relate.
    • However, from the point of view of the router, the internal hosts have (private) IP addresses which are directly reachable. NAT is for communications between the internal hosts and machines beyond the router.

    Let's take an example:

    Inner <---> HomeRouter <---> ISPRouter <---> The Internet
    

    "Inner" is your PC. "HomeRouter" is the router which does the NAT. "ISPRouter" is the router at your ISP.

    The "firewall effect" is the following: usually, even if "Inner" has an open port (it runs a remotely reachable service, e.g. a local Web server on port 80), people from "the Internet" will not be able to connect to it. The reason is the following: there are two ways by which an IP packet may be transferred by HomeRouter to Inner:

    • An incoming packet may come with HomeRouter's address as destination, and targeting a port which HomeRouter knows to be associated with an outgoing connection from Inner to somewhere on the Internet. This works only for a connection which was initiated by Inner, and this implies that the port will not match that of the server which runs on Inner.

    • An IP packet contains Inner's private IP address as destination and is somehow brought to the attention of HomeRouter. But ISPRouter does not know Inner's private IP, and would not forward an IP packet meant for that address to HomeRouter. Source routing could be used to tag a packet with Inner's private IP address as destination and HomeRouter's public IP address as intermediate host. If ISPRouter supports source routing, then such a packet will reach Inner, regardless of NAT. It so happens that almost no ISP actually supports source routing.

    Therefore, the "firewall effect" of NAT relies on two properties:

    • Attackers are far: attackers do not inject packets directly on the link between the home router and the ISP; all their attempts must go through the ISP routers.
    • ISP don't allow source routing. This is the (very) common case.

    So in practice there are a lot of machines, in private homes and small business, which could be hacked into in a matter of seconds except that they benefit from the "firewall effect" of NAT.


    So what of IPv6 ? NAT was designed and deployed (widely deployed) in order to cope with the scarcity of free IPv4 addresses. Without NAT, the IPcalypse would have already destroyed civilization (or triggered IPv6 actual usage, maybe). IPv6 uses 128-bit addresses, instead of the meagre 32-bit IPv4 addresses, precisely so that crude workarounds like NAT need not be used.

    You can use NAT with IPv6, but it makes little sense - if you can live with NAT, why would you switch to IPv6 at all ?

    However, without NAT, then no "firewall effect", flimsy as it could be. Most operating systems are now IPv6 ready, and will use it automatically if given the chance. Therefore, if an ISP decides to switch IPv6 on, just like that, then a lot of machines which were hitherto "hidden" behind a NAT will become reachable from the outside. This could well turn into a worldwide hacking orgy. It is no wonder that ISP are somewhat... reluctant.

    To switch to IPv6 nicely, you have to couple its enabling with some solid, well-thought firewalling rules, which will prevent incoming connections which were not possible in a NAT world (with the caveats explained above), but are now feasible thanks to the magic of IPv6. The operational word here is "think": this will require some time from some people, and that's not free.

    So it can be predicted that IPv4 will be used and maintained as long as it can be tolerated, and, thanks to NAT and transparent proxies, this will be a long time (especially if we succeed at containing human population below 10 billions).

    There is still very little IPv6 support in home routers. Those few I have seen which do support it, also have a default-deny incoming firewall.

    I object to "You can use NAT with IPv6, but it makes little sense". If you want BCP38 you must do SNAT to keep ICMP in allowed ranges. Else you would drop it for originators of foreign AS which live in your network, as they might legally transfer `::0/0` which would void BCP38. Well, I am still not convinced, IPv6-IPv6 NAT works here at all, but we will see.

    The difficult bit is not the actual firewall rules. The rules for forwarded traffic can be summed up in three ip6tables commands (default deny, allow from local, allow established/related). If you want to also filter local traffic to/from the it gets a bit more complicated because of ICMPv6 but it's still not terrible. The bigger problem is what happens if your firewall script fails to run at all. With NAT you notice because your internet connection is broken, with a non-nat firewall you are likely to be left wide open.

    This can be mitigated by not enabling ip forwarding until the firewall script has run successfully but it's easy to miss that.

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM