Hacker News new | ask | show | jobs
by bcook 1059 days ago
I worry about the loss of the implicit firewall that NAT offers.

Network security audits of dual-stack networks far too often show practically no open ports on IPv4, because of NAT, while IPv6 exposes everything. The security through obscurity of the practically unscannable IPv6 address space is not a firewall.
2 comments
justsomehnguy 1059 days ago
> but the default configuration on many ISP-supplied routers has no firewalling beyond what NAT offers

Repeat after me: NAT does not provide firewalling in any way.

What you think as 'firewalling' is just inability to route packets to your LAN[0] for someone further than your immediate gateway and this is true only until you have no active inbound NAT sessions.

If for some reason there is a session what allows anyone to contact the machine on your LAN (ie Full Cone NAT) then... anyone can contact your machine behind the NAT. I'm not sure there any router or appliance what would do that automatically anymore (because by default outbound session would create a thing called Address and Port Restricted NAT in TFA) but it's quite easy to do this by misconfiguration or some automatic mechanism, like UPnP.

If the problem is in the 'default configuration of many ISP-supplied routers' then you really should address that and not treat NAT as a firewall.

And last, but not least: every modern OS comes with a built-in firewall. Even Windows' one is pretty decent to block anything not explicitly allowed. There is no network scanning in IPv6, it's pointless or requires to sit on the wire to listen for NDP - and at this point NAT wouldn't help, too.

[0] or sometimes the packets are routed pretty fine in, it's just the absence of the state and/or proper rules what forbids the answer to be routed back. If you ever needed to troubleshoot an assymetric NAT you would know this.

ADD: this should had been a reply for your further comment, of course, but I leave it here.

link
bcook 1059 days ago
The scenerio I commonly see is a dual-stack (IPv4 & IPv6) router blocking all unsolicited incoming IPv4 packets (because of NAT), while all IPv6 LAN hosts will unintentionally be globally accessible through the internet.

This is why I worry about more IPv6 deployment. Too many people are ignorantly relying on IPv4 NAT as a layer of protection.

link
justsomehnguy 1059 days ago
> Too many people are ignorantly relying on IPv4 NAT as a layer of protection.

Too many people think pulling out works every time, too many people think what not using the seat belts because they aren't going far or fast is safe, yada, yada.

What the attack scenario? For the most part the machine is firewalled anyway by built-in firewall (if we talking about any modern Windows and Linux) by default. Most attacks need the actual vulnerable software and this is the browser nowadays => it's client initiated anyway.

Sure, a properly configured router would block the incoming traffic (with or without NAT, there are routed IPv4 too, you know? I have five /24 there and a bunch of smaller ones, no NAT on them), but again, the onus here on the default configuration of the router. There are still 'DMZ' buttons in some routers what would DNAT everything to the machine, there are people who do that without understanding what this opens up their machine (despite being behind the NAT) ie 'make it globally routable'..

I didn't touch home/soho routers for almost a decade so I can't say anything about that, except what Zyxels have the sane defaults and what Mikrotik is shipped with IPv6 disabled altogether.

Don't forget, most of the 'hacks' are happening by scanning the IPv4 subnet and then meticulously probing everything. It's easy with IPv4 (hell, /16 is only 65k hosts), with IPv6 this is...

Here: 2a10:1fc0:6::/48

I have a machine there, go, find it.

The only feasible way for someone to find your globally addressable machine is for the 'victim' is to first trigger something, eg by accessing some website. Yes, in this case the owner of the site (or the malware which infected the site) would know your IP. But same applies to IPv4 and in both cases you need something which is:

  vulnerable
  accepting packets from anywhere
  not firewalled
And you still need to lure the victim to your site first.

You would have more chances with sending Nigerian prince letters and you would be way more profitable.

link
avidiax 1058 days ago
> And you still need to lure the victim to your site first.

You don't need to lure anything. Hack some websites. Plenty have publicly accessible analytics or logs. That gives you full IPv6 addresses to target. Ideally, it might give you a username as well.

What if someone gets the logs of an IOT cloud provider with IPv6 enabled IOT devices?

How many of those addresses have SSH, Samba, APFS, Telnet, or a DNS server running? How many have a username + password combo that's in a leak? How many have an IOT Restful API endpoint with unpatched vulnerabilities?

IPv4 NAT allows people to have quite weak security internally in a network, and not get compromised. Device firewalls don't work where the devices themselves provide services, which is increasingly common.

link
bcook 1058 days ago
> You don't need to lure anything.

Right. For example, in 2016, Shodan had sneakily infiltrated the NTP.org pool to harvest IPv6 IPs. The methods have obviously gotten more sophisticated and more prevalent since then.

https://netpatterns.blogspot.com/2016/01/the-rising-sophisti...

https://seclists.org/oss-sec/2016/q1/239

link
justsomehnguy 1058 days ago
> IPv4 NAT allows people to have quite weak security internally in a network, and not get compromised

    DENY from ANY to ANY
on the WAN port works with both IPv4 and IPv6 and allows people to have a strong security internally in the network.

Here, one simple solution, works on both IP versions, does not rely on NAT or hoping everything would be fine.

> How many of those addresses have SSH, Samba, APFS, Telnet, or a DNS server running?

Ah, yes, some idiots have the telnet and APFS running and open to the whole world that's why NAT to the rescue! Instead of, you know, having a brain and, at least, firewalling. At The Router.

You all NAT apologists somehow do have the router with NAT and firewall for IPv4, but at the same time there is only luminiferous æther for IPv6 with nothing between the poor, young and defenseless IoT device and the 3vi1 h4x0r somewhere on the other side of the planet. Come on.

> What if someone gets the logs of an IOT cloud provider with IPv6 enabled IOT devices?

What if someone gets in your house and find your nudes? Should we ban cameras everywhere, because someone might do that?

link
Dagger2 1058 days ago
Thanks to privacy extensions most of those logged addresses will have expired and be useless. Also most people don't permit connections from the Internet to privacy addresses in the first place, they only add firewall exceptions for the base addresses, so even if you're running a server on the same machine you make an outbound connection from, the servers you connect to don't learn the IP needed to make an inbound connection on.

> IPv4 NAT allows people to have quite weak security internally in a network, and not get compromised.

No, it doesn't. This is allowed by having a firewall on the router, exactly the same as in v6. NAT doesn't block connections, so it doesn't contribute to this security.

Device firewalls do work, but connections will generally be rejected by the router's firewall before they even get that far.

link
justsomehnguy 1059 days ago
> I worry about the loss of the implicit firewall that NAT offers.

... NAT does not offer 'implicit firewall'

It's just what Average Hacker somewhere on the net can't route easily into your local network. If this is no longer an Average Hacker or he is sitting on your wire then the only thing what your NAT 'offers' is your false sense of security.

And by the way, nobody, noone forbade you from having explicit firewall rules denying anything from anywhere, not explicitly allowed. Just like it is done in a proper IPv4 configuration.

link
bcook 1059 days ago
> And by the way, nobody, noone forbade you from having explicit firewall rules denying anything from anywhere, not explicitly allowed. Just like it is done in a proper IPv4 configuration.

Sure, in a perfect world, migrating to IPv6 should be safe, but the default configuration on many ISP-supplied routers has no firewalling beyond what NAT offers.

link
Dagger2 1059 days ago
Which is nothing. NAT offers zero firewalling.

I won't say there aren't ISP routers without firewalling, but for the most part they're pretty decent at having it. It's just that the firewalling is a completely separate thing to NAT.

link