by pilif 4215 days ago
After I switched ISP to one that supports native IPv6 (and generally is pure awesome), I noticed that my traffic at home went to about 50% IPv6, also thanks to YouTube supporting V6.

I also casually noticed that all but one address in my "Account Activity" view in Gmail are IPv6 addresses (ironically, the mobile phone got the one single IPv4 address in that list over 4G).

V6 works nicely and totally transparently, causing zero trouble for me, even though there are some application protocols that don't handle V6 properly yet (Apple Remote Desktop and Air Video to give two examples).

One thing that's tricky about V6 is the fact that without NAT all your boxes are internet-reachable unless you have a firewall. That's easily added of course, but whereas we have protocols like upnp and nat-pmp to reconfigure NAT routers, there's nothing equivalent for various applications to tell the router to forward some V6 traffic.

So this is actually a step back as far as connectivity behind LANs is concerned.

I would love for applications to be able to ask the OS for their very own application specific v6 address. Then they could just listen on that instead of all interfaces (and listening on all interfaces would not include these application specific interfaces).

That way, I could theoretically get away without a restrictive firewall while still giving applications a way to be directly connected to. An attacker would have to scan a /48 (in my case) or a /64 (in the worst case) in order to find an open port given a known remote address.

4 comments

While having an unique address per application can be cool, I don't like the premise that this is used as some sort of security layer.

We have firewalls. We know how they work and how to implement them well. For all intents and purposes a typical NAT-setup is basically wide open from the inside and out. You can do the same with a few simple rules on a firewall.

I know we have firewalls, but in the normal desktop use-case, there are some applications that you want external clients to be able to connect to.

Skype (or other VoIP clients), Bittorrent, Game servers, etc all work better with or flat-out require external connectivity.

In the V4 world, we have upnp or NAT-PMP to allow applications to open a port on the router and to have the router then forward the packets to a client behind the router.

In the V6 world there's no equivalent protocol even though the work needed would be smaller (forwarding to a given host/port combination is enough - no port mapping).

It's bizarre that at the moment, servers on my various machines at home get better connectivity over IPv4 (thanks to NAT-PMP) than over IPv6 (thanks to my firewall).

Having application specific addresses would provide more than enough security for many simpler LANs (good luck guessing a 64 or even 80 bit number in order to get the one where the "juicy" ports are open) to use in absence of a v6 compatible NAT-PMP equivalent.

I would totally trust the 80 bits of pool size as a sufficient security boundary and I'd disable the IPv6 firewall for my home network if this concept of application specific addresses existed.

This would also be much closer to the ideal of the old times where every machine was assumed to be connectible without additional configuration anywhere.

Isn't it easy enough to just have a local firewall on each machine where you open up ports for the apps you want to be public?
The firewall on a local machine might suffer from exploits, thus still allowing access.

Or I might want some services open to my lan and only a smaller subset opened to the public (something the personal firewalls built into many OSes can't do)

> The firewall on a local machine might suffer from exploits, thus still allowing access.

Is an updated firewall from Apple, Microsoft or ipfw more or less likely to suffer from exploits than a cut-rate device from ASUS, Netgear or Linksys that hasn't been updated in years?

> Or I might want some services open to my lan and only a smaller subset opened to the public (something the personal firewalls built into many OSes can't do)

That may be fair enough but that's just a reason to improve the firewalls in the OSes. As soon as you tether to your phone or use public WiFi you're going to want a solid local firewall anyhow.

The idea is that it can be turned off from the machine itself, so eg if you get hacked via a website or email, your firewall might get disabled, while another box would also need to be hacked. (Of course things like UPNP give the machines control over the router, thus making this moot, which is why I don't run them).

I don't really think they get better connectivity. If you can establish a connection from the inside things work as intended for basically everything. Peer-to-peer is a little different.

Personally I find it a little scary that we allow applications to just open up inbound ports as they see fit. Would you, say, install MySQL locally and have it listen on such an address because it's so unlikely that anyone will ever find it anyway?

If you install MySQL locally, you should not have it listen on any address other than the loopback by default.

And when you do expose it, if you care about security, you should configure the appropriate iptables along the way there and then, rather than relying on a magic box somewhere upstream filtering the packets.

This can be doubly useful if the box in question is your laptop which you carry around in various, potentially hostile, environments.

I was just using MySQL as a hypothetical example, as they listen on all interfaces by default with packages supplied by Oracle. Next time you're at a tech conference, do a scan on the local network.

My point was that by his standard he would just let it listen on all interfaces because in his own words, nobody would find it. Which sounds very naive.

Okay then I think we were in violent agreement.

I was arguing the whole "listen on all interfaces by default" is wrong - if one needs to expose the app, they should do so explicitly, and you did the same.
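The "listen on loopback unless you explicitly expose it" point from this sub-thread is something you can actually check on a host. The following is an added example, not code from the thread: it parses `ss -Hltn`-style listener lines (the sample lines are constructed) and flags every socket that is reachable beyond loopback, which is exactly what a scan on a conference LAN would find.

```python
"""Audit `ss -Hltn` listener lines and flag sockets not bound to loopback.

Added example; SAMPLE_SS_OUTPUT is constructed, not captured from a real host.
"""
import ipaddress

# Constructed sample: State Recv-Q Send-Q Local:Port Peer:Port (no header).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128   127.0.0.1:3306      0.0.0.0:*
LISTEN 0 128   [::1]:3306          [::]:*
LISTEN 0 4096  0.0.0.0:3306        0.0.0.0:*
LISTEN 0 128   *:22                *:*
LISTEN 0 4096  [::]:80             [::]:*
LISTEN 0 128   [fe80::1%eth0]:5353 [::]:*
LISTEN 0 128   [2001:db8::10]:8080 [::]:*
"""


def split_local(endpoint):
    """Split ss's 'addr:port' column into (addr, port); IPv6 is bracketed."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]").split("%", 1)[0]  # drop brackets and zone id
    return host, int(port)


def classify(addr):
    """Return 'loopback', 'wildcard', 'link-local' or 'exposed' for a bind address."""
    if addr == "*":
        return "wildcard"  # ss prints '*' for dual-stack wildcard binds
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:  # 0.0.0.0 or :: -> every interface, v6 global included
        return "wildcard"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:  # fe80::/10 -> reachable from the LAN only
        return "link-local"
    return "exposed"  # a specific global address, reachable without NAT on v6


def audit(ss_output):
    """Return [(addr, port, class)] for every listener not confined to loopback."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = split_local(fields[3])
        kind = classify(addr)
        if kind != "loopback":
            findings.append((addr, port, kind))
    return findings


if __name__ == "__main__":
    for addr, port, kind in audit(SAMPLE_SS_OUTPUT):
        print(f"{kind:10s} {addr}:{port}")
```

On a real host, feed it the output of `ss -Hltn` (and `-u` for UDP); the two MySQL lines on 127.0.0.1 and ::1 are the only ones that pass.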

> We have firewalls. We know how they work and how to implement them well. For all intents and purposes a typical NAT-setup is basically wide open from the inside and out.

Now consider source routing.

Yup.

> One thing that's tricky about V6 is the fact that without NAT all your boxes are internet-reachable unless you have a firewall. That's easily added of course, but whereas we have protocols like upnp and nat-pmp to reconfigure NAT routers, there's nothing equivalent for various applications to tell the router to forward some V6 traffic.

Is there any reason the same approach shouldn't work? All the application needs to tell the router is "please open this inbound port on this address", right? Like, in theory couldn't a router just follow the existing UPnP/nat-pmp standards and do the right thing with those messages?

> That way, I could theoretically get away without a restrictive firewall while still giving applications a way to be directly connected to. An attacker would have to scan a /48 (in my case) or a /64 (in the worst case) in order to find an open port given a known remote address.

I think that's a terrible idea. An attacker could e.g. sniff packets inbound towards your network to figure out the address. Addresses are not designed to be secret or a security feature.

All you need is a firewall. NAT is not a security feature: it just has security implications. In IPv4 land, it's the firewall that does all the port forwarding, etc. anyways.

If you are running IPv6, get a nice OpenWRT router, where the firewall is enabled by default.

What are the implications of using a laptop on a public Wifi where you don't control the router? (Or a friend's house, or anywhere else where the router isn't yours).

OS-level firewall, I guess? Which maybe you should probably have anyway?

I think a lot of people don't trust the OS firewall due to many years of using Windows firewall. Windows firewall hasn't always been good, and is confusing still to this day for a lot of users (when I search for Firewall in my Windows 7 start menu, I get no less than 4 different options which all present me with different context menus, etc). Not to mention security product vendors still try to peddle their 3rd party firewall as being superior to the built-in firewall, which is rubbish other than maybe a usability standpoint (you either block something or you don't).

Compounded by the fact that most Windows boxes are "leaky" over the network and often have services talking without the user's knowledge.

This is changing, but it will take time to change users' minds. In the *nix world (which includes OSX), the desktop firewalls in my experience have been good for a very long time.

Windows gives you the choice when you connect to the Wifi - a kind of "is this network trusted?" dialogue.

Honestly the thing that makes sense is smarter applications. If you only need local connectivity, only listen on the loopback interface. If you open a port then you should expect to receive public requests on this port, and should have appropriate authentication in place.

The protocol you're looking for is PCP which is the NAT-PMP successor that also works with IPv6: https://en.wikipedia.org/wiki/Port_Control_Protocol

Unfortunately it's going to take a while until it's widely supported.

"One thing that's tricky about V6 is the fact that without NAT all your boxes are internet-reachable unless you have a firewall."

Maybe OSes will need to stop assuming their underbellies can be soft and implement some real host security.

Naaahhh... hell will freeze over first.