[Tomdarkness]

> "The main problem is to secure an IPv6 network which is much more complicated than using a typical IPv4 network consisting of a router and several devices behind it."

Does anyone know why this is the case? I'm not a network security expert but to me I don't see how IPv4/v6 makes a different in terms of security. I'd assume that each computer on the network could most likely be assigned a public IPv6 address rather than using NAT in which case how is configuring your perimeter firewall to drop incoming connections by default any different from not having any port forwarding setup by default? Even your average domestic router has some sort of basic firewall built in.

[IgorPartola]

There is nothing special about firewalling off IPv6. NAT is not a security feature. The problem is that most consumer "routers" that people use nowadays are really: a router, a switch, a wireless access point, a firewall, and who knows what else. Here are some sample rules for firewalling off IPv4 (typed from memory, so use with caution):

  iptables -A INPUT -i lo -j ACCEPT
  iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
  iptables -A INPUT -p icmp -j ACCEPT
  iptables -A INPUT -j DROP
  
  iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT
  iptables -A FORWARD -p icmp -j ACCEPT
  iptables -A FORWARD -j DROP

Here are the IPv6 rules:

  ip6tables -A INPUT -i lo -j ACCEPT
  ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  ip6tables -A INPUT -s 2001:xx:xx:xx::/64 -j ACCEPT
  ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
  ip6tables -A INPUT -j DROP
  
  ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  ip6tables -A FORWARD -s 2001:xx:xx:xx::/64 -j ACCEPT
  ip6tables -A FORWARD -p ipv6-icmp -j ACCEPT
  ip6tables -A FORWARD -j DROP

Does that look like it would be hard to do? Your router should come with these rules already. If it does not, ditch it and buy one that is supported by OpenWRT, where IPv6 support is not a second class citizen.

Edit: Naturally, IPv4 rules would have to be more complicated since you'll want to have your NAT setup in there. In this way, configuring IPv6 is actually easier :). Also, a real router would have rules set up for throttling certain types of traffic (e.g.: you don't want more than, say, 1000 ICMP messages per second). However, all those steps are identical for IPv6.

[noja]

> NAT is not a security feature.

Why?

[GauntletWizard]

Because it was never intended as such and does not necessarily need to add any. The fact that many NAT implementations do add some security (by dropping inbound connections by default) is a side effect. I've seen NAT implementations that get it precisely wrong (consumer routers that set up .2 as the default DMZ), but that's still entirely valid.

[noja]

Whether or not NAT was designed with security in mind doesn't matter.

Using NAT increases security simply by having deny by default.

[vy8vWJlco]

But that is not a feature of NAT, that is a feature of a firewall (for example, it is possible to route incoming packets via the WAN as well as masquerade outgoing ones from the LAN - most people wouldn't even know their pants are down). It is a coincidence that home routers sometimes provide both leading people to conflate their firewall with their NAT system - but if a firewall is what is wanted (and is arguably the only valuable component), NAT is not the thing to ask for. Conflating NAT with firewalls also promotes the idea that NAT has a place in any network with abundant addresses. IMHO, it does not.

[nitrogen]

NAT will always have a place, because not everyone wants to expose a uniquely routable address for every device they own (probably based on a device's MAC address) to the world.

[kiallmacinnes]

No, using a firewall increases security. It just so happens that most routers which do NAT, also have a firewall. You are, in my opinion, confusing two functions provided by one device.

I'm willing to bet that any IPv6 capable router also has a firewall.

[dspillett]

That doesn't increase security unless your baseline is broken. All NAT is potentially replacing from a security perspective is a single default drop (or default reject) rule, which should have been there to start with.

While it could be argued that NAT adds an extra layer to security-in-depth by making it harder to accidentally open things up by missing out the default drop/reject rule, but I'd argue that all the faf that NAT can create by making it difficult to arrange point-to-point connections where they are actually desirable is not worth that little bit of protection against failing to configure the firewall correctly.

[ajasmin]

What's the point of assigning an address to every node on the Internet if you can't connect to these addresses.

The advantage of IPv6 is that any computer can act as a server again. NAT makes it unnecessarily difficult to build simple peer to peer applications such as for telephony, remote access or file transfer.

[stephen_g]

I agree - that line from the article makes no sense. Not having NAT is awesome because NAT is a nasty hack that doesn't add any security.

The tunnelling scenario is valid though - because they add quite a bit of latency so you might not want to use it for everything.