[snuxoll]

NAT gateways that utilize connection tracking are effectively stateful firewalls. Whether a separate set of ‘firewall’ rules does much good because most SNAT implementations by necessity duplicate this functionality is a bit ignorant, IMO.

Meanwhile, an IPv6 network behind your average Linux-based home router is 2-3 nftables rules to lock down in a similar fashion.

[fc417fc802]

It's also trivial to roll your own version of dropbox. With IPv6 it's possible to fail to configure those nftables rules. The firewall could be turned off.

In theory you could turn off IPv4 NAT as well but in practice most ISPs will only give you a single address. That makes it functionally impossible to misconfigure. I inadvertently plugged the WAN cable directly into my LAN one time and my ISP's DHCP server promptly banned my ONT entirely.

[phire]

> In theory you could turn off IPv4 NAT as well but in practice most ISPs will only give you a single address

So, I randomly discovered the other day that my ISP has given me a full /28.

But I have no idea how to actually configure my router to forward those extra IP addresses inside my network. In practice, modern routers just aren't expecting to handle this, there is no easy "turn of NAT" button.

It's possible (at least on my EdgeRouterX), but I have to configure all the routing manually, and there doesn't seem to be much documentation.

[10000truths]

You should be able to disable the firewall from the GUI or CLI for Ubiquiti routers. If you don't want to deal with configuring static IPs for each individual device, you can keep DHCP enabled in the router but set the /28 as your lease pool.

[account42]

> So, I randomly discovered the other day that my ISP has given me a full /28.

Where is this? Here new ISP customers don't even get a single IPv4 unless you beg for it.

[fc417fc802]

Not even CGNAT?

In the US many large companies (not just ISPs) still have fairly large historic IPv4 allocations. Thus most residential ISPs will hand you a single publicly routable IPv4 regardless of if you're using IPv6 or not.

We'll probably still be writing paper checks, using magnetic stripe credit cards, and routing IPv4 well past 2050 if things go how they usually do.

[zrail]

Out of curiosity how did you discover this?

[phire]

Went to double check what my static IP address was, and noticed the router was displaying it as 198.51.100.48/28 (not my real IP).

I don't think the router used to show subnets like that, but it recently got a major firmware update... Or maybe I just never noticed, I've had that static IP allocation for over 5 years. My ISP gave it to me for free after I complained about their CGNAT being broken for like the 3th time.

Guess they decided it was cheaper to just gave me a free static IPv4 address rather than actually looking at the Wireshark logs I had proving their CGNAT was doing weird things again.

Not sure if they gave me a full /28 by mistake, or as some kind of apology. Guess they have plenty of IPs now thanks to CGNAT.

[fc417fc802]

More like even if they looked at the logs they aren't about to replace an expensive box on the critical path when it's working well enough for 99% of their customers.

I once had my ISP respond to a technical problem on their end by sending out a tech. The service rep wasn't capable of diagnosing and refused to escalate to a network person. The tech that came out blamed the on premise equipment (without bothering to diagnose) and started blindly swapping it out. Only after that didn't fix the issue did he finally look into the network side of things. The entire thing was fairly absurd but I guess it must work out for them on average.

[snuxoll]

> With IPv6 it's possible to fail to configure those nftables rules. The firewall could be turned off.

So what? It's not like you get SNAT without a couple netfilter rules either.

This argument doesn't pass muster, sorry. Consumer and SOHO gear should come with a safe configuration out of the box, it's not rocket science.

[fc417fc802]

Did you even read the second paragraph of the (rather short) comment you're replying to? In most residential scenarios you literally can't turn off NAT and still have things work. Either you are running NAT or you are not connected. Meanwhile the same ISP is (typically) happy to hand out unlimited globally routable IPv6 addresses to you.

I agree though, being able to depend on a safe default deny configuration would more or less make switching a drop in replacement. That would be fantastic, and maybe things have improved to that level, but then again history has a tendency to repeat itself. Most stuff related to computing isn't exactly known for a good security track record at this point.

But that's getting rather off topic. The dispute was about whether or not NAT of IPv4 is of reasonable benefit to end user security in practice, not about whether or not typical IPv6 equipment provides a suitable alternative.

[snuxoll]

> But that's getting rather off topic. The dispute was about whether or not NAT of IPv4 is of reasonable benefit to end user security in practice, not about whether or not typical IPv6 equipment provides a suitable alternative.

And, my argument, is that the only substantial difference is the action of a netfilter rule being MASQUERADE instead of ALLOW.

This is what literally everyone here, including yourself, continues to miss. Dynamic source NAT is literally a set of stateful firewall rules that have an action to modify src_ip and src_port in a packet header, and add the mapping to a connecting tracking table so that return packets can be identified and then mapped on the way back.

There's no need to do address and port translation with IPv6, so the only difference to secure an IPv6 network is your masquerade rule turns into "accept established, related". That's it, that's the magic! There's no magical extra security from "NAT" - in fact, there are ways to implement SNAT that do not properly validate that traffic is coming from an established connection; which, ironically, we routinely rely on to make things like STUN/TURN work!

[fc417fc802]

> Dynamic source NAT is literally a set of stateful firewall rules that have an action to modify src_ip and src_port in a packet header, and add the mapping to a connecting tracking table so that return packets can be identified and then mapped on the way back.

Yes, and that _provides security_. Thus NAT provides security. You can say "well really that's a stateful firewall providing security because that's how you implement NAT" and you would be technically correct but rather missing the point that turning NAT on has provided the user with security benefits thus being forced to turn it on is preventing a less secure configuration. Thus in common parlance, IPv4 is more secure because of NAT.

I will acknowledge that NAT is not the only player here. In a world that wasn't suffering from address exhaustion ISPs wouldn't have any particular reason to force NAT on their customers thus there would be nothing stopping you from turning it off. In that scenario consumer hardware could well ship with less secure defaults (ie NAT disabled, stateful firewall disabled). So I suppose it would not be unreasonable to observe that really it is usage of IPv4 that is providing (or rather forcing) the security here due to address exhaustion. But at the end of the day the mechanism providing that security is NAT thus being forced to use NAT is increasing security.

Suppose there were vehicles that handled buckling your seatbelt for you and those that were manual (as they are today). Someone says "auto seatbelts improve safety" and someone else objects "actually it's wearing the seatbelt that improves safety, both auto and manual are themselves equivalent". That's technically correct but (as technicalities tend to go) entirely misses the point. Owning a car with an auto seatbelt means you will be forced to wear your seatbelt at all times thus you will statistically be safer because for whatever reason the people in this analogy are pretty bad about bothering to put on their seatbelts when left to their own devices.

> in fact, there are ways to implement SNAT that do not properly validate that traffic is coming from an established connection; which, ironically, we routinely rely on to make things like STUN/TURN work!

There are ways to bypass the physical lock on my front door. Nonetheless I believe locking my deadbolt increases my physical security at least somewhat, even if not by as much as I'd like to imagine it does.

[account42]

The difference is that with IPv4 you know that you have that security because there is no other way for the system to work while with the IPv6 router you need to be a network expert to make that conclusion.

[snuxoll]

Except, you don't.

Assume eth0 is WAN, eth1 is LAN

Look at this nftables setup for a standard IPv4 masquerade setup

    table ip global {
        chain inbound-wan {
            # Add rules here if external devices need to access services on the router
        }
        chain inbound-lan {
            # Add rules here to allow local devices to access DNS, DHCP, etc, that are running on the router
        }
        chain input {
            type filter hook input priority 0; policy drop
            ct state vmap { established : accept, related : accept, invalid : drop };
            iifname vmap { lo : accept, eth0 : jump inbound-wan, eth1 : jump inbound-lan };
        }
        chain forward {
            type filter hook forward priority 0; policy drop;
            iifname eth1 accept;
            ct state vmap { established : accept, related : accept, invalid : drop };
        }
        chain inbound-nat {
            type nat hook prerouting priority -100;
            # DNAT port 80 and 443 to our internal web server
            iifname eth0 tcp dport { 80, 443 } dnat to 192.168.100.10;
        }
        chain outbound-nat {
            type nat hook postrouting priority 100;
            ip saddr 192.168.0.0/16 oiname eth0 masquerade;
        }
    }

Note, we have explicit rules in the forward chain that only forward packets that either:

* Were sent to the LAN-side interface, meaning traffic from within our network that wants to go somewhere else

* Are part of an established packet flow that is tracked, that means return packets from the internet in this simple setup

Everything else is dropped. Without this rule, if I was on the same physical network segment as the WAN interface of your router, I could simply send packets to it destined to hosts on your internal network, and they would happily be forwarded on to it!

NAT itself is not providing the security here. Yes, the attack surface here is limited, because I need to be able to address this box at layer 2 (just ignore ARP, send the TCP packet with the internal dst_ip address I want addressed to the ethernet MAC of your router), but if I compromised routers from other customers on your ISP I could start fishing around quite easily.

Now, what's it look like to secure IPv6, as well?

    # The vast majority of this is the same. We're using the inet table type here
    # so there's only one set of rules for both IPv4 and IPv6.
    table inet global {
        chain inbound-wan {
            # Add rules here if external devices need to access services on the router
        }
        chain inbound-lan {
            # Add rules here to allow local devices to access DNS, DHCP, etc, that are running on the router
        }
        chain inbound-nat {
            type nat hook prerouting priority -100;
            # DNAT port 80 and 443 to our internal web server
            # Note, we now only apply this rule to IPv4 traffic
            meta nfproto ipv4 iifname eth0 tcp dport { 80, 443 } dnat to 192.168.100.10;
        }
        chain outbound-nat {
            type nat hook postrouting priority 100;
            # Note, we now only apply this rule to IPv4 traffic
            meta nfproto ipv4 ip saddr 192.168.0.0/16 oiname eth0 masquerade;
        }
        chain input {
            type filter hook input priority 0; policy drop
            ct state vmap { established : accept, related : accept, invalid : drop };
            # A new rule here to allow ICMPv6 traffic, because it's not required for IPv6 to function correctly
            icmpv6 type { echo-request, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept;
            iifname vmap { lo : accept, eth0 : jump inbound-wan, eth1 : jump inbound-lan };
        }
        chain forward {
            type filter hook forward priority 0; policy drop;
            iifname eth1 accept;
            # A new rule here to allow ICMPv6 traffic, because it's not required for IPv6 to function correctly
            icmpv6 type { echo-request, echo-reply, destination-unreachable, packet-too-big, time-exceeded } accept;
            # We will allow access to our internal web server via IP6 even if the traffic is coming from an
            # external interface
            ip6 daddr 2602:dead:beef::1 tcp dport { 80, 443 } accept;
            ct state vmap { established : accept, related : accept, invalid : drop };
        }
    }

Note, there's only three new rules added here, the other changes are just so we can use a dual-stack table so there's no duplication of the shared rules in separate ip and ip6 tables.

* 1 & 2: We allow ICMPv6 traffic in the forward and input chains. This is technically more permissive than needs to be, we could block echo-request traffic coming from outside our network if desired. destination-unreachable, packet-too-big, and time-exceeded are mandatory for IPv6 to work correctly.

* 3: Since we don't need NAT, we just add a rule to the forward chain that allows access to our web server (2602:dead:beef::1) on port 80 and 443 regardless of what interface the traffic came in on.

None of this requires being a "network expert", the only functional difference in an actually secure IPv4 SNAT configuration and a secure IPv6 firewall is...not needing a masquerade rule to handle SNAT, and you add traffic you want to let in to forwarding rules instead of DNAT rules.

Consumers would never need to see the guts like this. This is basic shit that modern consumer routers should do for you, so all you need to think about is what you want to expose (if anything) to the public internet.