[yonz]

Slightly off topic but IPV6 is a massive security hole for regular consumers. NATs sucked when you trying to connect to your favorite MMO but that is because they created a default drop rule for all special inbound ports.

I was shocked to see that as soon as your ISP switched to IPV6, your host is now directly addressed. As a by product of skipping NAT you are now relying on every machine having proper firewall settings. [UPDATE: or the router drops incoming IPV6 connections w/ it's firewall]

Just think about how many windows machines out there have Remote desktop enabled but were only safe because they were not publicly accessible or the hospital machines that are still running windows XP. God help us.

[throw0101c]

> I was shocked to see that as soon as your ISP switched to IPV6, your host is now directly addressed. As a by product of skipping NAT you are now relying on every machine having proper firewall settings.

When my ISP started handing out IPv6 addresses, my Asus RT-AC68U by default blocked incoming IPv6 connections unless they were replies to previous outgoing connections.

That is to say: stateful firewalls exist in the IPv6 world just like they do in the IPv4 work.

Just because your laptop or desktop gets a globally routable address does not mean that anyone can hit it.

[yonz]

Thanks for sharing that, good data point for drop incoming.

I had a nighthawk, I ended up setting up the ipv6 rules.

The TLDR on the debate so far is if router shipped over the last 20 years have both drop IPV4 and drop IPV6 incoming.

In my opinion, NAT was an added layer on top of firewall rules because inbound ports had to be mapped to a particular host and port since the router would not know which host to send to. This created a default opt out experience because for a port on your machine to get accessed, a packet must pass inbound rules and match a port map table entry.

[throw0101c]

> In my opinion, NAT was an added layer on top of firewall rules because […]

… there were not enough IPv4 addresses to go around, and so you only got one, and if you had more than one system at home, too bad… until NAT got invented.

Back in the dial-up days, you had only one system connected to the Internet—the one that was connected to the modem—and it got the the IP address directly. It was only later with the always-on nature of cable and DSL ISPs that sharing a connection became a thing. IIRC, you used to connect your computer directly to the {cable, DSL} modem without an intervening router, sometimes using USB, as computers having built-in (Ethernet or Wifi) networking wasn't really a thing:

* https://support.dlink.ca/ProductInfo.aspx?m=DSL-2320B

[wjholden]

I'm not so concerned.

For one thing, a /64 issued to a house is a pretty daunting search space for the scanning worms of yesterday.

Another, computers today do come with firewalls that are enabled by default and tricky to disable.

Third, the industry really had to start taking memory safety and attack surface seriously after the Blaster/Sasser/MyDoom days. We see another article here on HN every week about another company categorically solving memory problems by adopting Rust.

Finally, having remote desktop shouldn't be a problem if people don't know your password, no? It's not like there is a firewall stopping baddies from guessing your Gmail password.

I realize that a NAT/PAT device does incidentally serve as a stateful firewall for many homes, but I think it is less important with modern OS's than one might think.

Now for the hospitals still using Windows XP...yeah you're right about that. I'd like to see regulators start fining companies for using obsolete hardware and software.

[somerandomqaguy]

>For one thing, a /64 issued to a house is a pretty daunting search space for the scanning worms of yesterday.

Eh...

-----

We have outlined a number of techniques that scanning worms can use in an IPv6 Internet to locate potential targets. These techniques are equally applicable to the current IPv4 Internet, albeit not as efficient as random scanning. Although “conventional” address-space scanning is prohibitively expensive in that environment, we believe that the diversity of sources we discussed (which is by no means exhaustive) guarantees a rich target set for worms.

---

https://www.cs.columbia.edu/~smb/papers/v6worms.pdf

A lot of them do rely on getting that first host infected though, but that's not exactly dissimilar to IPv4 networks as well.

>Finally, having remote desktop shouldn't be a problem if people don't know your password, no? It's not like there is a firewall stopping baddies from guessing your Gmail password.

That actually begs an interesting point. IPv4 allows for services to block use IP profiling to limit an attacker's attempts to brute-force / semi-brute-force a password or other attacks like a DDoS. What would be IT / Security processionals response when an attacker can just jump to another IPv6 address and resume the attack?

[wmf]

I think the best practice is to rate limit by /24 in IPv4 and by /48 in IPv6. That way all the attacker's IPs are treated as a single user. These have corner cases like if the attack is coming from inside the house but they're decent defaults.

[CorrectHorseBat]

>For one thing, a /64 issued to a house is a pretty daunting search space for the scanning worms of yesterday.

/64? You should be getting at least a /56

[throw0101c]

> For one thing, a /64 issued to a house is a pretty daunting search space for the scanning worms of yesterday.

Some math to illustrate this:

* IPv4 has 2^32 addresses

* 2^32 ≈ 4 billion

* in mathematics, a^x = a^(y+z) = a^y * a^z

* so: 2^64 = 2^32 * 2^32

* therefore: 2^64 = four billion IPv4 Internets

One IPv6 subnet can fit many, many entire IPv4 Internets.

[johnnyapol]

IPv6 not having NAT doesn’t make it incompatible with stateful firewalls. You can still have routers doing drop inbound by default.

[mnd999]

And ISP supplied devices generally are. I don’t really know why people think this is an issue.

[yonz]

Might have learned something today, I always replace the stock router from ISPs.

Easy to test, can someone on a cable box try to reach an open port on their host on IPV6 vs IPV4. My belief is that a majority of setups (maybe not HN hackers) will able to hit a host's open port on v6 and fail on v4.

NAT is definitely an added layer though.

[Symbiote]

> Might have learned something today

Yet you continue to speculate about it and spread baseless FUD.

Consumer ISPs supporting IPv6 provide routers blocking inbound access by default. The interface to open IPv6 ports is usually labelled "IPv6 Pinholes" or similar, and you'll find hundreds of web pages on ISP websites describing the functionality -- just as they have pages on IPv4 port forwarding.

The extraordinary claim that ISPs are supplying routers with such a dangerous default configuration requires evidence.

[yonz]

> extraordinary claim that ISPs are supplying routers with such a dangerous default configuration requires evidence

Its a legitimate expectation and potentially the norm to expect that I can ssh to my desktop with IPv6 w/o configuring my router.

The pitfall comes as a side effect of NAT inadvertently making port access rare.

I am looking for data, inbound blocked ipv6 seems unlikely but I only have anecdotal evidence.

[jiggawatts]

That's not even an anecdote. You are literally just assuming something is true, then arguing vocally with people giving you evidence to the contrary.

[roamerz]

It goes beyond that. With IPV4 you have the further protection of private subnets not even routing across the public internet - it’s broke by default, no configuration necessary.

Your attack surface is primarily your firewall which admittedly might be an easy target - but not as easy as an unprotected Windows box.

[whoopdedo]

Private address ranges are a human convention and there have been instances in the past of upstream routers passing them on.[1] Relying on other people to do your filtering for you is a bad idea. I'm going to put the rules in my own router, whether those addresses are (potentially) globally routable or are designated as private.

The use of small private pools has even helped attackers who would inject browser scripts probing the well-known prefixes.[2]

[1] https://serverfault.com/questions/374126/private-ip-getting-...

[2] https://www.bleepingcomputer.com/news/security/new-behave-ex...

[yonz]

Exactly! Duplicating my point in a thread below to drive your point home:

NAT was an added layer on top of firewall rules because inbound ports had to be mapped to a particular host and port since the router would not know which host to send to. This created a default opt out experience because for a port on your machine to get accessed, a packet must pass inbound rules and match a port map table entry.

[throw0101c]

NAT was created for one reason only: because there weren't enough IPv4 addresses to go around.

Port mapping and connection tracking firewalls were invented in 1989,[1][2] while network translation was created in 1994. [3][4] The private address space was only reserved in 1996.[5] The Firewalls book was published in 1994 (which meant that it was being written in the 1992-3 timeframe).[6]

People were protecting networks before NAT.

[1] https://en.wikipedia.org/wiki/Firewall_(computing)#Connectio...

[2] https://en.wikipedia.org/wiki/Circuit-level_gateway

[3] https://www.rfc-editor.org/rfc/rfc1631

[4] https://en.wikipedia.org/wiki/Cisco_PIX

[5] https://www.rfc-editor.org/rfc/rfc1918

[6] https://en.wikipedia.org/wiki/Firewalls_and_Internet_Securit...

[throw0101c]

> it’s broke by default, no configuration necessary.

Which is why all sorts of software needs to deal with bullshit like STUN, TURN, etc, to get peer-to-peer connections working. There has to be all sorts of address discovery.

* https://en.wikipedia.org/wiki/NAT_traversal

And even that won't work once you get into CG-NAT with tends to have two layers of NAT.

How much of the centralization of the Internet has occurred because people can't just talk to each other (by simply firewall hole punching via UPnP/PCP)?

[alphazard]

It should be possible for every device on the internet to easily communicate with ever other device. A silver lining of the poor designs of the past is that it is practically very difficult to attack services listening on private network addresses. This difficulty also makes it hard to do useful things.

IPv6 is a step in the right direction, but the resolution to security issues can't be more firewalls or more network equipment. It has to start with operating systems. It is completely ridiculous that applications have access to the network and most of the filesystem by default. Operating systems need to give limited access to the filesystem and other services so that a compromised service isn't a big deal. A successful attacker doesn't own the whole system. They owned a poorly written application and the small sandbox that it's in. This is an obvious idea to most engineers, but neither windows nor macOS get this right out of the box. The iPhone's sandboxing model and fine-grained permissions are way ahead here, but there is still more improvement to be had.

And then there's the issue of most applications not requiring network access in the first place. There is no reason for Word, Photoshop, Blender, etc. to ever need access to the network. A firewall that only administrators can manipulate is also not a solution, that has to be in the users hands as well. Reasoning about a global table of rules is the wrong UX.

[somat]

Here are two rules for the openbsd packet filter. one for ip4/nat one for ip6/direct. they do the same thing.

    match out on em2 inet from ! em2 to any nat-to em2
    block in on em2 inet6 from any to any

Not many people run a openbsd firewall but the point is that with a statefull firewall preventing people from opening an ip6 connection to internal machines is just as hard as allowing ip4 internal machines a connection out.

[ZeroSolstice]

I'm not really sure its anymore of a security hole than any other device an end user would plug into their network. You can go on Shodan and look at hundreds of peoples devices exposed on the internet over IPv4. The same block in/all could be deployed for IPv6. I don't think most residential ISP's are concerned with protecting end users networks as they are trying to be mostly net neutral.

On the side of hospitals I would think most IPv6 allowances would at a minimum be managed on the edge firewalls which would be a separate device than the ISP's hand-off, host based firewalls aren't a requirement. An assumption on my part but I would doubt for those transit connections the upstream is just "turning" IPv6 on without some co-ordination. Admittedly, I don't know a lot about how hospital networks are run but i'd imagine some MSP involvement for smaller locations, possibly.

[kccqzy]

Having a globally unique address does not imply having no firewalls.

This paragraph from RFC7934 really sums it up much better than I can:

> Indeed, it could be argued that the main reason for deploying IPv6, instead of continuing to scale the Internet using only IPv4 and large-scale NAT44, is because doing so can provide all the hosts on the planet with end-to-end connectivity that is constrained not by accidental technical limitations, but only by intentional security policies.

[icedchai]

Or you could just configure firewall rules on the router and only allow outgoing connections.

[dsfghjkdfg]

thats EXTREMELY naive. depending on ISP provided cheap router for security.

most of those routers are very, very dumb.

do the following excercise. add your routers external address as a gateway for your net internal IP, now from the outside reach your computer. easy. fully standards compliant. pierce your NAT like it wasn't even there.