by creativeembassy 1713 days ago
I've been looking for a summary like this for years. I'm quite comfortable with IPv4, but haven't understood IPv6 well enough to start using it in my home network. Thanks for sharing, going to read this over a few times to make sure I understand everything completely.

Just my experience:

The funny thing about IPv6 is that you see a lot of curmudgeonly rhetoric about it here and elsewhere, but once you dig in a little, it snaps and you think "hey, this really makes sense!" And then you wonder why others are grumbling so much.

The main thing to do is to stop thinking about IPv4. Just put the IPv4 concepts aside and start thinking about it as if IPv6 just showed up on the scene as the L3 protocol.

Forget about crusty concepts like NAT, because NAT was a kludge anyway. Just think about the big address space. Understand that firewalls examine traffic going from one side to the other and that NAT is not part of that equation (people frequently argue that NAT is valuable for network security - nonsense).

Just start fresh with it and resist the urge to hug your old IPv4 teddy bear.

> (people frequently argue that NAT is valuable for network security - nonsense).

Most of the devices on my home network should never be routable from the Internet. Without NAT, they suddenly are, and I have to go out of my way to configure a firewall (either on the device or an intermediary appliance) just to get back to that baseline. That is more configuration to get right and is a worse experience than when they were just impossible routes under NAT. So, I get it, NAT was not "designed" with security as a primary consideration, but when thousands of Grandma's printers are suddenly pwn'd because their 2.6.x kernels wind up answering traffic from the public Internet, it's quite devilish to say "gosh, well, they should never have relied on things continuing to work the way they always have, because it was philosophically never meant to be that way."

It's quite possible I'm missing something (because I haven't bothered to learn much about v6 yet) and consumer routers are smart enough to drop unsolicited traffic to "private" addresses (however that is determined). If that's the case I cede a little.

I don't agree with this argument at all.

If routers can enable NAT by default, they have a stateful firewall by default. The printer won't be on the internet unless you punch a hole in NAT; it won't be on the internet unless you punch a hole in that firewall. You can have that firewall without NAT.

This is true but there is still a difference. How do you know if that protection is working? With NAT, if it's online then basically the only way is if NAT was used.

With a firewall then I have no idea. I guess you have to check on the router, and maybe do some kind of online test? Can't imagine grandma doing that.

I do think a firewall is a cleaner solution but it's definitely true that NAT is way more foolproof.

These arguments are just hogwash, but they just don't seem to go away. Literally every IPv6 topic on Reddit and YCombinator is just filled with people going on and on about NAT being essential for security, despite that being clearly false.

I wonder what can be done to educate people that NAT != Firewall, and that all IPv6 home routers also include a default-deny firewall?

It seems like the concept of NAT=>Secure and also RFC1918=>Secure is just embedded so deeply in people's consciousness that they assume !NAT=>!Secure.

> NAT being essential for security

That's not what I said at all. Read it again. NAT is a more foolproof kind of security.

> NAT != Firewall

NAT is effectively a pretty good firewall, isn't it? How would you access a device behind NAT?

> Most of the devices on my home network should never be routable from the Internet. Without NAT, they suddenly are [...]

Copy-pasting from a previous discussion a little while ago:

---

IPv4+NAT does not remove any more classes of problems than IPv6+firewall. Firewalls under IPv6 work exactly the same way as they do with IPv4.

An IP connection is started from the 'inside' to the 'outside', and the source-destination tuple is recorded. When an 'outside' packet arrives the firewall checks its parameters to see if it corresponds with an existing connection, and if it does it passes it through. If the parameters do not correspond with anything in the firewall's table(s) it assumes that someone is trying to create a new connection, which is generally not allowed by default, and therefore drops it.

The main difference is that with IPv4 and NAT the original (RFC 1918?) source address and port are changed to something corresponding to the 'outside' interface of the firewall.

With IPv6 the address/port rewriting is not done.† Only state tables are updated and checked.

New connections are not allowed past the firewall towards the inside with either protocol, and only replies to connections opened from the inside are passed through.‡

There's no magical security behind NAT: tuples and packet flags are read, looked up in a state table, allowed or not depending on either firewall rule or state presence.

The security comes from the state checking.

[…]

I have a printer with an IPv6 stack. I also have IPv6 addresses from my ISP. Yet somehow my Asus AC-68U prevents the public Internet from reaching my printer.

† It is possible to have private IPv6 addresses using ULA, and then the router/firewall uses NPTv6 to rewrite the prefix (leaving the /64 interface component alone).

‡ Just like with IPv4 (NAT), to allow unsolicited 'new' connections in you have to do firewall hole punching with (e.g.) UPnP. But by default things are blocked.

---

* https://news.ycombinator.com/item?id=28390634

IPv6 firewall on my Asus:

* https://www.asus.com/us/support/FAQ/1013638/
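As an added illustration of the state-table mechanism the comment above describes (example code written for this page, not from the commenter or any vendor): a toy stateful firewall that records outbound flows and admits only matching replies. The NAT variant rewrites the source address/port; the IPv6 variant does not. Addresses are constructed documentation-prefix values (192.0.2.x, 203.0.113.x, 2001:db8::/32), and the hypothetical `demo` function plays one unsolicited probe and one legitimate reply through each.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class StatefulFirewall:
    """Toy connection-tracking firewall; nat_addr=None means no rewriting (IPv6)."""
    nat_addr: Optional[str] = None
    next_port: int = 40000
    # key: (outside src, outside sport, our dst, our dport) as a reply would appear
    state: dict = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: record the flow; rewrite the source only if NAT is on."""
        if self.nat_addr:
            ext_src, ext_sport = self.nat_addr, self.next_port
            self.next_port += 1
        else:
            ext_src, ext_sport = pkt.src, pkt.sport
        self.state[(pkt.dst, pkt.dport, ext_src, ext_sport)] = (pkt.src, pkt.sport)
        return Packet(ext_src, ext_sport, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: pass only if the 4-tuple matches a recorded flow."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.state:
            return None  # default deny: unsolicited "new" connection, dropped
        in_dst, in_dport = self.state[key]  # undo any NAT rewrite for delivery
        return Packet(pkt.src, pkt.sport, in_dst, in_dport)


def demo(fw: StatefulFirewall, target: str, client: str, server: str):
    """Return (result of an unsolicited probe at `target`, result of a legit reply)."""
    probe = fw.inbound(Packet(server, 5555, target, 9100))   # scan for a printer port
    out = fw.outbound(Packet(client, 51000, server, 443))     # client opens a flow
    reply = fw.inbound(Packet(server, 443, out.src, out.sport))
    return probe, reply


if __name__ == "__main__":
    v4 = StatefulFirewall(nat_addr="203.0.113.5")            # IPv4 + NAT
    v6 = StatefulFirewall()                                   # IPv6, state only
    print(demo(v4, "203.0.113.5", "192.0.2.10", "198.51.100.7"))
    print(demo(v6, "2001:db8:1::20", "2001:db8:1::10", "2001:db8:2::7"))
```

In both runs the probe is dropped and the reply is delivered to the originating client; the only thing NAT adds is the address rewrite, which plays no part in the drop decision.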

Network Address Translation (NAT) has the side effect of ignoring incoming connections that do not match an explicit port mapping.

A firewall will block any incoming connections unless explicitly allowed.

Basically the NAT happens to overlap a bit the job of the firewall as a side effect of how it works. In practice NAT and firewall are implemented by the same system. For example look at iptables on Linux.

> The main thing to do is to stop thinking about IPv4. Just put the IPv4 concepts aside and start thinking about it as if IPv6 just showed up on the scene as the L3 protocol.

That's exactly the problem with IPv6 and why it struggles to get traction as a replacement for IPv4. It's the Gnome3 of networking protocols.

> And then you wonder why others are grumbling so much.

The core concepts of IPv6 aren't the hard part. The hard part is fighting issues like why suddenly you can't resolve anything[1], why your Android device isn't resolving this host when IPv6 is enabled on your router[2] or how the hell you're supposed to write firewall rules when your prefix changes and the firewall only supports static IPs[3].

[1]: Router hands out its global IPv6 address as DNS server to clients and router just got a new prefix. Bonus points to pfSense for not having a way to disable this...

[2]: Android refuses to use supplied IPv4 DNS server if it gets an IPv6 address...

[3]: pfSense couldn't until mere months ago: https://redmine.pfsense.org/issues/6626

Me too, this was very good. The only thing missing is how it interoperates with IPv4. Can you represent IPv4 addresses as IPv6 addresses? If so what happens when you communicate with them?